Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Merge remote-tracking branch 'origin/topic/jsiwek/plist-and-event-cleanup'

Browse source 
* origin/topic/jsiwek/plist-and-event-cleanup:
  Add comments to QueueEvent() and ConnectionEvent()
  Add methods to queue events without handler existence check
  Cleanup/improve PList usage and Event API
This commit is contained in:
Johanna Amann 2019-05-01 08:28:14 -07:00
commit 29d9b5b554
109 changed files with 2080 additions and 1850 deletions
Download patch file Download diff file Expand all files Collapse all files

34
CHANGES
View file

@ -1,4 +1,38 @@
2.6-255 | 2019-05-01 08:38:49 -0700
* Add methods to queue events without handler existence check
Added ConnectionEventFast() and QueueEventFast() methods to avoid
redundant event handler existence checks.
It's common practice for caller to already check for event handler
existence before doing all the work of constructing the arguments, so
it's desirable to not have to check for existence again.
E.g. going through ConnectionEvent() means 3 existence checks:
one you do yourself before calling it, one in ConnectionEvent(), and then
another in QueueEvent().
The existence check itself can be more than a few operations sometimes
as it needs to check a few flags that determine if it's enabled, has
a local body, or has any remote receivers in the old comm. system or
has been flagged as something to publish in the new comm. system. (Jon Siwek, Corelight)
* Cleanup/improve PList usage and Event API
Majority of PLists are now created as automatic/stack objects,
rather than on heap and initialized either with the known-capacity
reserved upfront or directly from an initializer_list (so there's no
wasted slack in the memory that gets allocated for lists containing
a fixed/known number of elements).
Added versions of the ConnectionEvent/QueueEvent methods that take
a val_list by value.
Added a move ctor/assign-operator to Plists to allow passing them
around without having to copy the underlying array of pointers. (Jon Siwek, Corelight)
2.6-250 | 2019-04-29 18:09:29 -0700 2.6-250 | 2019-04-29 18:09:29 -0700
* Remove 'dns_resolver' option, replace w/ ZEEK_DNS_RESOLVER env. var. (Jon Siwek, Corelight) * Remove 'dns_resolver' option, replace w/ ZEEK_DNS_RESOLVER env. var. (Jon Siwek, Corelight)

2
VERSION
View file

@ -1 +1 @@
2.6-250 2.6-255

2
aux/bifcl

@ -1 +1 @@
Subproject commit 1b5375e9f81ecec59f983e6abe86300c6bbbcb8f Subproject commit 7a375f0749f2bc28083863ff7ec44f3fba3510fa

8
src/Anon.cc
View file

@ -415,10 +415,10 @@ void log_anonymization_mapping(ipaddr32_t input, ipaddr32_t output)
{ {
if ( anonymization_mapping ) if ( anonymization_mapping )
{ {
val_list* vl = new val_list; mgr.QueueEventFast(anonymization_mapping, {
vl->append(new AddrVal(input)); new AddrVal(input),
vl->append(new AddrVal(output)); new AddrVal(output)
mgr.QueueEvent(anonymization_mapping, vl); });
} }
} }

2
src/Attr.cc
View file

@ -141,7 +141,7 @@ Attributes::~Attributes()
void Attributes::AddAttr(Attr* attr) void Attributes::AddAttr(Attr* attr)
{ {
if ( ! attrs ) if ( ! attrs )
attrs = new attr_list; attrs = new attr_list(1);
if ( ! attr->RedundantAttrOkay() ) if ( ! attr->RedundantAttrOkay() )
// We overwrite old attributes by deleting them first. // We overwrite old attributes by deleting them first.

20
src/BroList.h
View file

@ -13,10 +13,6 @@ class ID;
declare(PList,ID); declare(PList,ID);
typedef PList(ID) id_list; typedef PList(ID) id_list;
class HashKey;
declare(PList,HashKey);
typedef PList(HashKey) hash_key_list;
class Val; class Val;
declare(PList,Val); declare(PList,Val);
typedef PList(Val) val_list; typedef PList(Val) val_list;
@ -29,28 +25,12 @@ class BroType;
declare(PList,BroType); declare(PList,BroType);
typedef PList(BroType) type_list; typedef PList(BroType) type_list;
class TypeDecl;
declare(PList,TypeDecl);
typedef PList(TypeDecl) type_decl_list;
class Case;
declare(PList,Case);
typedef PList(Case) case_list;
class Attr; class Attr;
declare(PList,Attr); declare(PList,Attr);
typedef PList(Attr) attr_list; typedef PList(Attr) attr_list;
class Scope;
declare(PList,Scope);
typedef PList(Scope) scope_list;
class Timer; class Timer;
declare(PList,Timer); declare(PList,Timer);
typedef PList(Timer) timer_list; typedef PList(Timer) timer_list;
class DNS_Mgr_Request;
declare(PList,DNS_Mgr_Request);
typedef PList(DNS_Mgr_Request) DNS_mgr_request_list;
#endif #endif

99
src/Conn.cc
View file

@ -325,12 +325,11 @@ void Connection::HistoryThresholdEvent(EventHandlerPtr e, bool is_orig,
// and at this stage it's not a *multiple* instance. // and at this stage it's not a *multiple* instance.
return; return;
val_list* vl = new val_list; ConnectionEventFast(e, 0, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(is_orig)); val_mgr->GetBool(is_orig),
vl->append(val_mgr->GetCount(threshold)); val_mgr->GetCount(threshold)
});
ConnectionEvent(e, 0, vl);
} }
void Connection::DeleteTimer(double /* t */) void Connection::DeleteTimer(double /* t */)
@ -390,9 +389,7 @@ void Connection::EnableStatusUpdateTimer()
void Connection::StatusUpdateTimer(double t) void Connection::StatusUpdateTimer(double t)
{ {
val_list* vl = new val_list(1); ConnectionEventFast(connection_status_update, 0, { BuildConnVal() });
vl->append(BuildConnVal());
ConnectionEvent(connection_status_update, 0, vl);
ADD_TIMER(&Connection::StatusUpdateTimer, ADD_TIMER(&Connection::StatusUpdateTimer,
network_time + connection_status_update_interval, 0, network_time + connection_status_update_interval, 0,
TIMER_CONN_STATUS_UPDATE); TIMER_CONN_STATUS_UPDATE);
@ -630,23 +627,23 @@ int Connection::VersionFoundEvent(const IPAddr& addr, const char* s, int len,
{ {
if ( software_parse_error ) if ( software_parse_error )
{ {
val_list* vl = new val_list; ConnectionEventFast(software_parse_error, analyzer, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(new AddrVal(addr)); new AddrVal(addr),
vl->append(new StringVal(len, s)); new StringVal(len, s),
ConnectionEvent(software_parse_error, analyzer, vl); });
} }
return 0; return 0;
} }
if ( software_version_found ) if ( software_version_found )
{ {
val_list* vl = new val_list; ConnectionEventFast(software_version_found, 0, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(new AddrVal(addr)); new AddrVal(addr),
vl->append(val); val,
vl->append(new StringVal(len, s)); new StringVal(len, s),
ConnectionEvent(software_version_found, 0, vl); });
} }
else else
Unref(val); Unref(val);
@ -669,11 +666,11 @@ int Connection::UnparsedVersionFoundEvent(const IPAddr& addr,
if ( software_unparsed_version_found ) if ( software_unparsed_version_found )
{ {
val_list* vl = new val_list; ConnectionEventFast(software_unparsed_version_found, analyzer, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(new AddrVal(addr)); new AddrVal(addr),
vl->append(new StringVal(len, full)); new StringVal(len, full),
ConnectionEvent(software_unparsed_version_found, analyzer, vl); });
} }
return 1; return 1;
@ -684,12 +681,11 @@ void Connection::Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, const ch
if ( ! f ) if ( ! f )
return; return;
val_list* vl = new val_list(2);
if ( name ) if ( name )
vl->append(new StringVal(name)); ConnectionEventFast(f, analyzer, {new StringVal(name), BuildConnVal()});
vl->append(BuildConnVal()); else
ConnectionEventFast(f, analyzer, {BuildConnVal()});
ConnectionEvent(f, analyzer, vl);
} }
void Connection::Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, Val* v1, Val* v2) void Connection::Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, Val* v1, Val* v2)
@ -701,33 +697,42 @@ void Connection::Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, Val* v1,
return; return;
} }
val_list* vl = new val_list(3);
vl->append(BuildConnVal());
vl->append(v1);
if ( v2 ) if ( v2 )
vl->append(v2); ConnectionEventFast(f, analyzer, {BuildConnVal(), v1, v2});
else
ConnectionEvent(f, analyzer, vl); ConnectionEventFast(f, analyzer, {BuildConnVal(), v1});
} }
void Connection::ConnectionEvent(EventHandlerPtr f, analyzer::Analyzer* a, val_list* vl) void Connection::ConnectionEvent(EventHandlerPtr f, analyzer::Analyzer* a, val_list vl)
{ {
if ( ! f ) if ( ! f )
{ {
// This may actually happen if there is no local handler // This may actually happen if there is no local handler
// and a previously existing remote handler went away. // and a previously existing remote handler went away.
loop_over_list(*vl, i) loop_over_list(vl, i)
Unref((*vl)[i]); Unref(vl[i]);
delete vl;
return; return;
} }
// "this" is passed as a cookie for the event // "this" is passed as a cookie for the event
mgr.QueueEvent(f, vl, SOURCE_LOCAL, mgr.QueueEvent(f, std::move(vl), SOURCE_LOCAL,
a ? a->GetID() : 0, GetTimerMgr(), this); a ? a->GetID() : 0, GetTimerMgr(), this);
} }
void Connection::ConnectionEventFast(EventHandlerPtr f, analyzer::Analyzer* a, val_list vl)
{
// "this" is passed as a cookie for the event
mgr.QueueEventFast(f, std::move(vl), SOURCE_LOCAL,
a ? a->GetID() : 0, GetTimerMgr(), this);
}
void Connection::ConnectionEvent(EventHandlerPtr f, analyzer::Analyzer* a, val_list* vl)
{
ConnectionEvent(f, a, std::move(*vl));
delete vl;
}
void Connection::Weird(const char* name, const char* addl) void Connection::Weird(const char* name, const char* addl)
{ {
weird = 1; weird = 1;
@ -1055,12 +1060,12 @@ void Connection::CheckFlowLabel(bool is_orig, uint32 flow_label)
if ( connection_flow_label_changed && if ( connection_flow_label_changed &&
(is_orig ? saw_first_orig_packet : saw_first_resp_packet) ) (is_orig ? saw_first_orig_packet : saw_first_resp_packet) )
{ {
val_list* vl = new val_list(4); ConnectionEventFast(connection_flow_label_changed, 0, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(is_orig)); val_mgr->GetBool(is_orig),
vl->append(val_mgr->GetCount(my_flow_label)); val_mgr->GetCount(my_flow_label),
vl->append(val_mgr->GetCount(flow_label)); val_mgr->GetCount(flow_label),
ConnectionEvent(connection_flow_label_changed, 0, vl); });
} }
my_flow_label = flow_label; my_flow_label = flow_label;

31
src/Conn.h
View file

@ -174,11 +174,42 @@ public:
int UnparsedVersionFoundEvent(const IPAddr& addr, int UnparsedVersionFoundEvent(const IPAddr& addr,
const char* full_descr, int len, analyzer::Analyzer* analyzer); const char* full_descr, int len, analyzer::Analyzer* analyzer);
// If a handler exists for 'f', an event will be generated. If 'name' is
// given that event's first argument will be it, and it's second will be
// the connection value. If 'name' is null, then the event's first
// argument is the connection value.
void Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, const char* name = 0); void Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, const char* name = 0);
// If a handler exists for 'f', an event will be generated. In any case,
// 'v1' and 'v2' reference counts get decremented. The event's first
// argument is the connection value, second argument is 'v1', and if 'v2'
// is given that will be it's third argument.
void Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, Val* v1, Val* v2 = 0); void Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, Val* v1, Val* v2 = 0);
// If a handler exists for 'f', an event will be generated. In any case,
// reference count for each element in the 'vl' list are decremented. The
// arguments used for the event are whatevever is provided in 'vl'.
void ConnectionEvent(EventHandlerPtr f, analyzer::Analyzer* analyzer,
val_list vl);
// Same as ConnectionEvent, except taking the event's argument list via a
// pointer instead of by value. This function takes ownership of the
// memory pointed to by 'vl' and also for decrementing the reference count
// of each of its elements.
void ConnectionEvent(EventHandlerPtr f, analyzer::Analyzer* analyzer, void ConnectionEvent(EventHandlerPtr f, analyzer::Analyzer* analyzer,
val_list* vl); val_list* vl);
// Queues an event without first checking if there's any available event
// handlers (or remote consumes). If it turns out there's actually nothing
// that will consume the event, then this may leak memory due to failing to
// decrement the reference count of each element in 'vl'. i.e. use this
// function instead of ConnectionEvent() if you've already guarded against
// the case where there's no handlers (one usually also does that because
// it would be a waste of effort to construct all the event arguments when
// there's no handlers to consume them).
void ConnectionEventFast(EventHandlerPtr f, analyzer::Analyzer* analyzer,
val_list vl);
void Weird(const char* name, const char* addl = ""); void Weird(const char* name, const char* addl = "");
bool DidWeird() const { return weird != 0; } bool DidWeird() const { return weird != 0; }

3
src/DFA.h
View file

@ -111,9 +111,6 @@ private:
PDict(CacheEntry) states; PDict(CacheEntry) states;
}; };
declare(PList,DFA_State);
typedef PList(DFA_State) DFA_state_list;
class DFA_Machine : public BroObj { class DFA_Machine : public BroObj {
public: public:
DFA_Machine(NFA_Machine* n, EquivClass* ec); DFA_Machine(NFA_Machine* n, EquivClass* ec);

36
src/DNS_Mgr.cc
View file

@ -699,25 +699,27 @@ int DNS_Mgr::Save()
return 1; return 1;
} }
void DNS_Mgr::Event(EventHandlerPtr e, DNS_Mapping* dm)
{
if ( ! e )
return;
mgr.QueueEventFast(e, {BuildMappingVal(dm)});
}
void DNS_Mgr::Event(EventHandlerPtr e, DNS_Mapping* dm, ListVal* l1, ListVal* l2) void DNS_Mgr::Event(EventHandlerPtr e, DNS_Mapping* dm, ListVal* l1, ListVal* l2)
{ {
if ( ! e ) if ( ! e )
return; return;
val_list* vl = new val_list; Unref(l1);
vl->append(BuildMappingVal(dm)); Unref(l2);
if ( l1 ) mgr.QueueEventFast(e, {
{ BuildMappingVal(dm),
vl->append(l1->ConvertToSet()); l1->ConvertToSet(),
if ( l2 ) l2->ConvertToSet(),
vl->append(l2->ConvertToSet()); });
Unref(l1);
Unref(l2);
}
mgr.QueueEvent(e, vl);
} }
void DNS_Mgr::Event(EventHandlerPtr e, DNS_Mapping* old_dm, DNS_Mapping* new_dm) void DNS_Mgr::Event(EventHandlerPtr e, DNS_Mapping* old_dm, DNS_Mapping* new_dm)
@ -725,10 +727,10 @@ void DNS_Mgr::Event(EventHandlerPtr e, DNS_Mapping* old_dm, DNS_Mapping* new_dm)
if ( ! e ) if ( ! e )
return; return;
val_list* vl = new val_list; mgr.QueueEventFast(e, {
vl->append(BuildMappingVal(old_dm)); BuildMappingVal(old_dm),
vl->append(BuildMappingVal(new_dm)); BuildMappingVal(new_dm),
mgr.QueueEvent(e, vl); });
} }
Val* DNS_Mgr::BuildMappingVal(DNS_Mapping* dm) Val* DNS_Mgr::BuildMappingVal(DNS_Mapping* dm)

9
src/DNS_Mgr.h
View file

@ -9,7 +9,7 @@
#include <utility> #include <utility>
#include "util.h" #include "util.h"
#include "BroList.h" #include "List.h"
#include "Dict.h" #include "Dict.h"
#include "EventHandler.h" #include "EventHandler.h"
#include "iosource/IOSource.h" #include "iosource/IOSource.h"
@ -23,6 +23,9 @@ class EventHandler;
class RecordType; class RecordType;
class DNS_Mgr_Request; class DNS_Mgr_Request;
declare(PList,DNS_Mgr_Request);
typedef PList(DNS_Mgr_Request) DNS_mgr_request_list;
struct nb_dns_info; struct nb_dns_info;
struct nb_dns_result; struct nb_dns_result;
@ -96,8 +99,8 @@ protected:
friend class LookupCallback; friend class LookupCallback;
friend class DNS_Mgr_Request; friend class DNS_Mgr_Request;
void Event(EventHandlerPtr e, DNS_Mapping* dm, void Event(EventHandlerPtr e, DNS_Mapping* dm);
ListVal* l1 = 0, ListVal* l2 = 0); void Event(EventHandlerPtr e, DNS_Mapping* dm, ListVal* l1, ListVal* l2);
void Event(EventHandlerPtr e, DNS_Mapping* old_dm, DNS_Mapping* new_dm); void Event(EventHandlerPtr e, DNS_Mapping* old_dm, DNS_Mapping* new_dm);
Val* BuildMappingVal(DNS_Mapping* dm); Val* BuildMappingVal(DNS_Mapping* dm);

36
src/Discard.cc
View file

@ -33,12 +33,11 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
if ( check_ip ) if ( check_ip )
{ {
val_list* args = new val_list; val_list args{ip->BuildPktHdrVal()};
args->append(ip->BuildPktHdrVal());
try try
{ {
discard_packet = check_ip->Call(args)->AsBool(); discard_packet = check_ip->Call(&args)->AsBool();
} }
catch ( InterpreterException& e ) catch ( InterpreterException& e )
@ -46,8 +45,6 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
discard_packet = false; discard_packet = false;
} }
delete args;
if ( discard_packet ) if ( discard_packet )
return discard_packet; return discard_packet;
} }
@ -88,21 +85,20 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
const struct tcphdr* tp = (const struct tcphdr*) data; const struct tcphdr* tp = (const struct tcphdr*) data;
int th_len = tp->th_off * 4; int th_len = tp->th_off * 4;
val_list* args = new val_list; val_list args{
args->append(ip->BuildPktHdrVal()); ip->BuildPktHdrVal(),
args->append(BuildData(data, th_len, len, caplen)); BuildData(data, th_len, len, caplen),
};
try try
{ {
discard_packet = check_tcp->Call(args)->AsBool(); discard_packet = check_tcp->Call(&args)->AsBool();
} }
catch ( InterpreterException& e ) catch ( InterpreterException& e )
{ {
discard_packet = false; discard_packet = false;
} }
delete args;
} }
} }
@ -113,21 +109,20 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
const struct udphdr* up = (const struct udphdr*) data; const struct udphdr* up = (const struct udphdr*) data;
int uh_len = sizeof (struct udphdr); int uh_len = sizeof (struct udphdr);
val_list* args = new val_list; val_list args{
args->append(ip->BuildPktHdrVal()); ip->BuildPktHdrVal(),
args->append(BuildData(data, uh_len, len, caplen)); BuildData(data, uh_len, len, caplen),
};
try try
{ {
discard_packet = check_udp->Call(args)->AsBool(); discard_packet = check_udp->Call(&args)->AsBool();
} }
catch ( InterpreterException& e ) catch ( InterpreterException& e )
{ {
discard_packet = false; discard_packet = false;
} }
delete args;
} }
} }
@ -137,20 +132,17 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
{ {
const struct icmp* ih = (const struct icmp*) data; const struct icmp* ih = (const struct icmp*) data;
val_list* args = new val_list; val_list args{ip->BuildPktHdrVal()};
args->append(ip->BuildPktHdrVal());
try try
{ {
discard_packet = check_icmp->Call(args)->AsBool(); discard_packet = check_icmp->Call(&args)->AsBool();
} }
catch ( InterpreterException& e ) catch ( InterpreterException& e )
{ {
discard_packet = false; discard_packet = false;
} }
delete args;
} }
} }

43
src/Event.cc
View file

@ -13,28 +13,27 @@ EventMgr mgr;
uint64 num_events_queued = 0; uint64 num_events_queued = 0;
uint64 num_events_dispatched = 0; uint64 num_events_dispatched = 0;
Event::Event(EventHandlerPtr arg_handler, val_list arg_args,
SourceID arg_src, analyzer::ID arg_aid, TimerMgr* arg_mgr,
BroObj* arg_obj)
: handler(arg_handler),
args(std::move(arg_args)),
src(arg_src),
aid(arg_aid),
mgr(arg_mgr ? arg_mgr : timer_mgr),
obj(arg_obj),
next_event(nullptr)
{
if ( obj )
Ref(obj);
}
Event::Event(EventHandlerPtr arg_handler, val_list* arg_args, Event::Event(EventHandlerPtr arg_handler, val_list* arg_args,
SourceID arg_src, analyzer::ID arg_aid, TimerMgr* arg_mgr, SourceID arg_src, analyzer::ID arg_aid, TimerMgr* arg_mgr,
BroObj* arg_obj) BroObj* arg_obj)
: Event(arg_handler, std::move(*arg_args), arg_src, arg_aid, arg_mgr, arg_obj)
{ {
handler = arg_handler; delete arg_args;
args = arg_args;
src = arg_src;
mgr = arg_mgr ? arg_mgr : timer_mgr; // default is global
aid = arg_aid;
obj = arg_obj;
if ( obj )
Ref(obj);
next_event = 0;
}
Event::~Event()
{
// We don't Unref() the individual arguments by using delete_vals()
// here, because Func::Call already did that.
delete args;
} }
void Event::Describe(ODesc* d) const void Event::Describe(ODesc* d) const
@ -49,7 +48,7 @@ void Event::Describe(ODesc* d) const
if ( ! d->IsBinary() ) if ( ! d->IsBinary() )
d->Add("("); d->Add("(");
describe_vals(args, d); describe_vals(&args, d);
if ( ! d->IsBinary() ) if ( ! d->IsBinary() )
d->Add("("); d->Add("(");
} }
@ -62,7 +61,7 @@ void Event::Dispatch(bool no_remote)
if ( event_serializer ) if ( event_serializer )
{ {
SerialInfo info(event_serializer); SerialInfo info(event_serializer);
event_serializer->Serialize(&info, handler->Name(), args); event_serializer->Serialize(&info, handler->Name(), &args);
} }
if ( handler->ErrorHandler() ) if ( handler->ErrorHandler() )
@ -70,7 +69,7 @@ void Event::Dispatch(bool no_remote)
try try
{ {
handler->Call(args, no_remote); handler->Call(&args, no_remote);
} }
catch ( InterpreterException& e ) catch ( InterpreterException& e )
@ -129,7 +128,7 @@ void EventMgr::QueueEvent(Event* event)
void EventMgr::Drain() void EventMgr::Drain()
{ {
if ( event_queue_flush_point ) if ( event_queue_flush_point )
QueueEvent(event_queue_flush_point, new val_list()); QueueEventFast(event_queue_flush_point, val_list{});
SegmentProfiler(segment_logger, "draining-events"); SegmentProfiler(segment_logger, "draining-events");

53
src/Event.h
View file

@ -11,12 +11,17 @@
class EventMgr; class EventMgr;
// We don't Unref() the individual arguments by using delete_vals()
// in a dtor because Func::Call already does that.
class Event : public BroObj { class Event : public BroObj {
public: public:
Event(EventHandlerPtr handler, val_list args,
SourceID src = SOURCE_LOCAL, analyzer::ID aid = 0,
TimerMgr* mgr = 0, BroObj* obj = 0);
Event(EventHandlerPtr handler, val_list* args, Event(EventHandlerPtr handler, val_list* args,
SourceID src = SOURCE_LOCAL, analyzer::ID aid = 0, SourceID src = SOURCE_LOCAL, analyzer::ID aid = 0,
TimerMgr* mgr = 0, BroObj* obj = 0); TimerMgr* mgr = 0, BroObj* obj = 0);
~Event() override;
void SetNext(Event* n) { next_event = n; } void SetNext(Event* n) { next_event = n; }
Event* NextEvent() const { return next_event; } Event* NextEvent() const { return next_event; }
@ -25,7 +30,7 @@ public:
analyzer::ID Analyzer() const { return aid; } analyzer::ID Analyzer() const { return aid; }
TimerMgr* Mgr() const { return mgr; } TimerMgr* Mgr() const { return mgr; }
EventHandlerPtr Handler() const { return handler; } EventHandlerPtr Handler() const { return handler; }
val_list* Args() const { return args; } const val_list* Args() const { return &args; }
void Describe(ODesc* d) const override; void Describe(ODesc* d) const override;
@ -37,7 +42,7 @@ protected:
void Dispatch(bool no_remote = false); void Dispatch(bool no_remote = false);
EventHandlerPtr handler; EventHandlerPtr handler;
val_list* args; val_list args;
SourceID src; SourceID src;
analyzer::ID aid; analyzer::ID aid;
TimerMgr* mgr; TimerMgr* mgr;
@ -53,14 +58,50 @@ public:
EventMgr(); EventMgr();
~EventMgr() override; ~EventMgr() override;
void QueueEvent(const EventHandlerPtr &h, val_list* vl, // Queues an event without first checking if there's any available event
// handlers (or remote consumers). If it turns out there's actually
// nothing that will consume the event, then this may leak memory due to
// failing to decrement the reference count of each element in 'vl'. i.e.
// use this function instead of QueueEvent() if you've already guarded
// against the case where there's no handlers (one usually also does that
// because it would be a waste of effort to construct all the event
// arguments when there's no handlers to consume them).
void QueueEventFast(const EventHandlerPtr &h, val_list vl,
SourceID src = SOURCE_LOCAL, analyzer::ID aid = 0,
TimerMgr* mgr = 0, BroObj* obj = 0)
{
QueueEvent(new Event(h, std::move(vl), src, aid, mgr, obj));
}
// Queues an event if there's an event handler (or remote consumer). This
// function always takes ownership of decrementing the reference count of
// each element of 'vl', even if there's no event handler. If you've
// checked for event handler existence, you may wish to call
// QueueEventFast() instead of this function to prevent the redundant
// existence check.
void QueueEvent(const EventHandlerPtr &h, val_list vl,
SourceID src = SOURCE_LOCAL, analyzer::ID aid = 0, SourceID src = SOURCE_LOCAL, analyzer::ID aid = 0,
TimerMgr* mgr = 0, BroObj* obj = 0) TimerMgr* mgr = 0, BroObj* obj = 0)
{ {
if ( h ) if ( h )
QueueEvent(new Event(h, vl, src, aid, mgr, obj)); QueueEvent(new Event(h, std::move(vl), src, aid, mgr, obj));
else else
delete_vals(vl); {
loop_over_list(vl, i)
Unref(vl[i]);
}
}
// Same as QueueEvent, except taking the event's argument list via a
// pointer instead of by value. This function takes ownership of the
// memory pointed to by 'vl' as well as decrementing the reference count of
// each of its elements.
void QueueEvent(const EventHandlerPtr &h, val_list* vl,
SourceID src = SOURCE_LOCAL, analyzer::ID aid = 0,
TimerMgr* mgr = 0, BroObj* obj = 0)
{
QueueEvent(h, std::move(*vl), src, aid, mgr, obj);
delete vl;
} }
void Dispatch(Event* event, bool no_remote = false) void Dispatch(Event* event, bool no_remote = false)

9
src/EventHandler.cc
View file

@ -172,11 +172,10 @@ void EventHandler::NewEvent(val_list* vl)
vargs->Assign(i, rec); vargs->Assign(i, rec);
} }
val_list* mvl = new val_list(2); Event* ev = new Event(new_event, {
mvl->append(new StringVal(name)); new StringVal(name),
mvl->append(vargs); vargs,
});
Event* ev = new Event(new_event, mvl);
mgr.Dispatch(ev); mgr.Dispatch(ev);
} }

2
src/EventRegistry.cc
View file

@ -73,7 +73,7 @@ EventRegistry::string_list* EventRegistry::UsedHandlers()
EventRegistry::string_list* EventRegistry::AllHandlers() EventRegistry::string_list* EventRegistry::AllHandlers()
{ {
string_list* names = new string_list; string_list* names = new string_list(handlers.Length());
IterCookie* c = handlers.InitForIteration(); IterCookie* c = handlers.InitForIteration();

24
src/Expr.cc
View file

@ -2565,7 +2565,7 @@ bool AssignExpr::TypeCheck(attr_list* attrs)
if ( attrs ) if ( attrs )
{ {
attr_copy = new attr_list; attr_copy = new attr_list(attrs->length());
loop_over_list(*attrs, i) loop_over_list(*attrs, i)
attr_copy->append((*attrs)[i]); attr_copy->append((*attrs)[i]);
} }
@ -2634,7 +2634,7 @@ bool AssignExpr::TypeCheck(attr_list* attrs)
if ( sce->Attrs() ) if ( sce->Attrs() )
{ {
attr_list* a = sce->Attrs()->Attrs(); attr_list* a = sce->Attrs()->Attrs();
attrs = new attr_list; attrs = new attr_list(a->length());
loop_over_list(*a, i) loop_over_list(*a, i)
attrs->append((*a)[i]); attrs->append((*a)[i]);
} }
@ -3467,9 +3467,9 @@ RecordConstructorExpr::RecordConstructorExpr(ListExpr* constructor_list)
// Spin through the list, which should be comprised only of // Spin through the list, which should be comprised only of
// record-field-assign expressions, and build up a // record-field-assign expressions, and build up a
// record type to associate with this constructor. // record type to associate with this constructor.
type_decl_list* record_types = new type_decl_list;
const expr_list& exprs = constructor_list->Exprs(); const expr_list& exprs = constructor_list->Exprs();
type_decl_list* record_types = new type_decl_list(exprs.length());
loop_over_list(exprs, i) loop_over_list(exprs, i)
{ {
Expr* e = exprs[i]; Expr* e = exprs[i];
@ -4469,11 +4469,12 @@ bool FlattenExpr::DoUnserialize(UnserialInfo* info)
ScheduleTimer::ScheduleTimer(EventHandlerPtr arg_event, val_list* arg_args, ScheduleTimer::ScheduleTimer(EventHandlerPtr arg_event, val_list* arg_args,
double t, TimerMgr* arg_tmgr) double t, TimerMgr* arg_tmgr)
: Timer(t, TIMER_SCHEDULE) : Timer(t, TIMER_SCHEDULE),
event(arg_event),
args(std::move(*arg_args)),
tmgr(arg_tmgr)
{ {
event = arg_event; delete arg_args;
args = arg_args;
tmgr = arg_tmgr;
} }
ScheduleTimer::~ScheduleTimer() ScheduleTimer::~ScheduleTimer()
@ -4482,7 +4483,7 @@ ScheduleTimer::~ScheduleTimer()
void ScheduleTimer::Dispatch(double /* t */, int /* is_expire */) void ScheduleTimer::Dispatch(double /* t */, int /* is_expire */)
{ {
mgr.QueueEvent(event, args, SOURCE_LOCAL, 0, tmgr); mgr.QueueEvent(event, std::move(args), SOURCE_LOCAL, 0, tmgr);
} }
ScheduleExpr::ScheduleExpr(Expr* arg_when, EventExpr* arg_event) ScheduleExpr::ScheduleExpr(Expr* arg_when, EventExpr* arg_event)
@ -4998,7 +4999,8 @@ Val* EventExpr::Eval(Frame* f) const
return 0; return 0;
val_list* v = eval_list(f, args); val_list* v = eval_list(f, args);
mgr.QueueEvent(handler, v); mgr.QueueEvent(handler, std::move(*v));
delete v;
return 0; return 0;
} }
@ -5128,7 +5130,7 @@ BroType* ListExpr::InitType() const
if ( exprs[0]->IsRecordElement(0) ) if ( exprs[0]->IsRecordElement(0) )
{ {
type_decl_list* types = new type_decl_list; type_decl_list* types = new type_decl_list(exprs.length());
loop_over_list(exprs, i) loop_over_list(exprs, i)
{ {
TypeDecl* td = new TypeDecl(0, 0); TypeDecl* td = new TypeDecl(0, 0);

2
src/Expr.h
View file

@ -937,7 +937,7 @@ public:
protected: protected:
EventHandlerPtr event; EventHandlerPtr event;
val_list* args; val_list args;
TimerMgr* tmgr; TimerMgr* tmgr;
}; };

20
src/File.cc
View file

@ -65,10 +65,8 @@ void RotateTimer::Dispatch(double t, int is_expire)
{ {
if ( raise ) if ( raise )
{ {
val_list* vl = new val_list;
Ref(file); Ref(file);
vl->append(new Val(file)); mgr.QueueEvent(rotate_interval, {new Val(file)});
mgr.QueueEvent(rotate_interval, vl);
} }
file->InstallRotateTimer(); file->InstallRotateTimer();
@ -641,19 +639,15 @@ void BroFile::CloseCachedFiles()
// Send final rotate events (immediately). // Send final rotate events (immediately).
if ( f->rotate_interval ) if ( f->rotate_interval )
{ {
val_list* vl = new val_list;
Ref(f); Ref(f);
vl->append(new Val(f)); Event* event = new Event(::rotate_interval, {new Val(f)});
Event* event = new Event(::rotate_interval, vl);
mgr.Dispatch(event, true); mgr.Dispatch(event, true);
} }
if ( f->rotate_size ) if ( f->rotate_size )
{ {
val_list* vl = new val_list;
Ref(f); Ref(f);
vl->append(new Val(f)); Event* event = new ::Event(::rotate_size, {new Val(f)});
Event* event = new ::Event(::rotate_size, vl);
mgr.Dispatch(event, true); mgr.Dispatch(event, true);
} }
@ -801,9 +795,7 @@ int BroFile::Write(const char* data, int len)
if ( rotate_size && current_size < rotate_size && current_size + len >= rotate_size ) if ( rotate_size && current_size < rotate_size && current_size + len >= rotate_size )
{ {
val_list* vl = new val_list; mgr.QueueEvent(::rotate_size, {new Val(this)});
vl->append(new Val(this));
mgr.QueueEvent(::rotate_size, vl);
} }
// This does not work if we seek around. But none of the logs does that // This does not work if we seek around. But none of the logs does that
@ -818,10 +810,8 @@ void BroFile::RaiseOpenEvent()
if ( ! ::file_opened ) if ( ! ::file_opened )
return; return;
val_list* vl = new val_list;
Ref(this); Ref(this);
vl->append(new Val(this)); Event* event = new ::Event(::file_opened, {new Val(this)});
Event* event = new ::Event(::file_opened, vl);
mgr.Dispatch(event, true); mgr.Dispatch(event, true);
} }

6
src/ID.cc
View file

@ -258,8 +258,7 @@ void ID::MakeDeprecated()
if ( IsDeprecated() ) if ( IsDeprecated() )
return; return;
attr_list* attr = new attr_list; attr_list* attr = new attr_list{new Attr(ATTR_DEPRECATED)};
attr->append(new Attr(ATTR_DEPRECATED));
AddAttrs(new Attributes(attr, Type(), false)); AddAttrs(new Attributes(attr, Type(), false));
} }
@ -305,8 +304,7 @@ void ID::SetOption()
// option implied redefinable // option implied redefinable
if ( ! IsRedefinable() ) if ( ! IsRedefinable() )
{ {
attr_list* attr = new attr_list; attr_list* attr = new attr_list{new Attr(ATTR_REDEF)};
attr->append(new Attr(ATTR_REDEF));
AddAttrs(new Attributes(attr, Type(), false)); AddAttrs(new Attributes(attr, Type(), false));
} }
} }

57
src/List.cc
View file

@ -12,11 +12,13 @@
BaseList::BaseList(int size) BaseList::BaseList(int size)
{ {
num_entries = 0; num_entries = 0;
max_entries = 0;
entry = 0;
if ( size <= 0 ) if ( size <= 0 )
{
max_entries = 0;
entry = 0;
return; return;
}
max_entries = size; max_entries = size;
@ -24,7 +26,7 @@ BaseList::BaseList(int size)
} }
BaseList::BaseList(BaseList& b) BaseList::BaseList(const BaseList& b)
{ {
max_entries = b.max_entries; max_entries = b.max_entries;
num_entries = b.num_entries; num_entries = b.num_entries;
@ -38,18 +40,34 @@ BaseList::BaseList(BaseList& b)
entry[i] = b.entry[i]; entry[i] = b.entry[i];
} }
BaseList::BaseList(BaseList&& b)
{
entry = b.entry;
num_entries = b.num_entries;
max_entries = b.max_entries;
b.entry = 0;
b.num_entries = b.max_entries = 0;
}
BaseList::BaseList(const ent* arr, int n)
{
num_entries = max_entries = n;
entry = (ent*) safe_malloc(max_entries * sizeof(ent));
memcpy(entry, arr, n * sizeof(ent));
}
void BaseList::sort(list_cmp_func cmp_func) void BaseList::sort(list_cmp_func cmp_func)
{ {
qsort(entry, num_entries, sizeof(ent), cmp_func); qsort(entry, num_entries, sizeof(ent), cmp_func);
} }
void BaseList::operator=(BaseList& b) BaseList& BaseList::operator=(const BaseList& b)
{ {
if ( this == &b ) if ( this == &b )
return; // i.e., this already equals itself return *this;
if ( entry ) free(entry);
free(entry);
max_entries = b.max_entries; max_entries = b.max_entries;
num_entries = b.num_entries; num_entries = b.num_entries;
@ -61,6 +79,23 @@ void BaseList::operator=(BaseList& b)
for ( int i = 0; i < num_entries; ++i ) for ( int i = 0; i < num_entries; ++i )
entry[i] = b.entry[i]; entry[i] = b.entry[i];
return *this;
}
BaseList& BaseList::operator=(BaseList&& b)
{
if ( this == &b )
return *this;
free(entry);
entry = b.entry;
num_entries = b.num_entries;
max_entries = b.max_entries;
b.entry = 0;
b.num_entries = b.max_entries = 0;
return *this;
} }
void BaseList::insert(ent a) void BaseList::insert(ent a)
@ -145,12 +180,8 @@ ent BaseList::get()
void BaseList::clear() void BaseList::clear()
{ {
if ( entry ) free(entry);
{ entry = 0;
free(entry);
entry = 0;
}
num_entries = max_entries = 0; num_entries = max_entries = 0;
} }

55
src/List.h
View file

@ -20,6 +20,8 @@
// Entries must be either a pointer to the data or nonzero data with // Entries must be either a pointer to the data or nonzero data with
// sizeof(data) <= sizeof(void*). // sizeof(data) <= sizeof(void*).
#include <initializer_list>
#include <utility>
#include <stdarg.h> #include <stdarg.h>
#include "util.h" #include "util.h"
@ -28,8 +30,6 @@ typedef int (*list_cmp_func)(const void* v1, const void* v2);
class BaseList { class BaseList {
public: public:
~BaseList() { clear(); }
void clear(); // remove all entries void clear(); // remove all entries
int length() const { return num_entries; } int length() const { return num_entries; }
int max() const { return max_entries; } int max() const { return max_entries; }
@ -41,8 +41,14 @@ public:
{ return padded_sizeof(*this) + pad_size(max_entries * sizeof(ent)); } { return padded_sizeof(*this) + pad_size(max_entries * sizeof(ent)); }
protected: protected:
~BaseList() { free(entry); }
explicit BaseList(int = 0); explicit BaseList(int = 0);
BaseList(BaseList&); BaseList(const BaseList&);
BaseList(BaseList&&);
BaseList(const ent* arr, int n);
BaseList& operator=(const BaseList&);
BaseList& operator=(BaseList&&);
void insert(ent); // add at head of list void insert(ent); // add at head of list
@ -75,7 +81,29 @@ protected:
return entry[i]; return entry[i];
} }
void operator=(BaseList&); // This could essentially be an std::vector if we wanted. Some
// reasons to maybe not refactor to use std::vector ?
//
// - Harder to use a custom growth factor. Also, the growth
// factor would be implementation-specific, taking some control over
// performance out of our hands.
//
// - It won't ever take advantage of realloc's occasional ability to
// grow in-place.
//
// - Combine above point this with lack of control of growth
// factor means the common choice of 2x growth factor causes
// a growth pattern that crawls forward in memory with no possible
// re-use of previous chunks (the new capacity is always larger than
// all previously allocated chunks combined). This point and
// whether 2x is empirically an issue still seems debated (at least
// GCC seems to stand by 2x as empirically better).
//
// - Sketchy shrinking behavior: standard says that requests to
// shrink are non-binding (it's expected implementations heed, but
// still not great to have no guarantee). Also, it would not take
// advantage of realloc's ability to contract in-place, it would
// allocate-and-copy.
ent* entry; ent* entry;
int max_entries; int max_entries;
@ -103,10 +131,13 @@ struct List(type) : BaseList \
explicit List(type)(type ...); \ explicit List(type)(type ...); \
List(type)() : BaseList(0) {} \ List(type)() : BaseList(0) {} \
explicit List(type)(int sz) : BaseList(sz) {} \ explicit List(type)(int sz) : BaseList(sz) {} \
List(type)(List(type)& l) : BaseList((BaseList&)l) {} \ List(type)(const List(type)& l) : BaseList(l) {} \
List(type)(List(type)&& l) : BaseList(std::move(l)) {} \
\ \
void operator=(List(type)& l) \ List(type)& operator=(const List(type)& l) \
{ BaseList::operator=((BaseList&)l); } \ { return (List(type)&) BaseList::operator=(l); } \
List(type)& operator=(List(type)&& l) \
{ return (List(type)&) BaseList::operator=(std::move(l)); } \
void insert(type a) { BaseList::insert(ent(a)); } \ void insert(type a) { BaseList::insert(ent(a)); } \
void sortedinsert(type a, list_cmp_func cmp_func) \ void sortedinsert(type a, list_cmp_func cmp_func) \
{ BaseList::sortedinsert(ent(a), cmp_func); } \ { BaseList::sortedinsert(ent(a), cmp_func); } \
@ -144,10 +175,14 @@ struct PList(type) : BaseList \
explicit PList(type)(type* ...); \ explicit PList(type)(type* ...); \
PList(type)() : BaseList(0) {} \ PList(type)() : BaseList(0) {} \
explicit PList(type)(int sz) : BaseList(sz) {} \ explicit PList(type)(int sz) : BaseList(sz) {} \
PList(type)(PList(type)& l) : BaseList((BaseList&)l) {} \ PList(type)(const PList(type)& l) : BaseList(l) {} \
PList(type)(PList(type)&& l) : BaseList(std::move(l)) {} \
PList(type)(std::initializer_list<type*> il) : BaseList((const ent*)il.begin(), il.size()) {} \
\ \
void operator=(PList(type)& l) \ PList(type)& operator=(const PList(type)& l) \
{ BaseList::operator=((BaseList&)l); } \ { return (PList(type)&) BaseList::operator=(l); } \
PList(type)& operator=(PList(type)&& l) \
{ return (PList(type)&) BaseList::operator=(std::move(l)); } \
void insert(type* a) { BaseList::insert(ent(a)); } \ void insert(type* a) { BaseList::insert(ent(a)); } \
void sortedinsert(type* a, list_cmp_func cmp_func) \ void sortedinsert(type* a, list_cmp_func cmp_func) \
{ BaseList::sortedinsert(ent(a), cmp_func); } \ { BaseList::sortedinsert(ent(a), cmp_func); } \

3
src/PersistenceSerializer.cc
View file

@ -201,7 +201,8 @@ void PersistenceSerializer::RaiseFinishedSendState()
void PersistenceSerializer::GotEvent(const char* name, double time, void PersistenceSerializer::GotEvent(const char* name, double time,
EventHandlerPtr event, val_list* args) EventHandlerPtr event, val_list* args)
{ {
mgr.QueueEvent(event, args); mgr.QueueEvent(event, std::move(*args));
delete args;
} }
void PersistenceSerializer::GotFunctionCall(const char* name, double time, void PersistenceSerializer::GotFunctionCall(const char* name, double time,

3
src/RE.h
View file

@ -229,9 +229,6 @@ protected:
Specific_RE_Matcher* re_exact; Specific_RE_Matcher* re_exact;
}; };
declare(PList, RE_Matcher);
typedef PList(RE_Matcher) re_matcher_list;
extern RE_Matcher* RE_Matcher_conjunction(const RE_Matcher* re1, const RE_Matcher* re2); extern RE_Matcher* RE_Matcher_conjunction(const RE_Matcher* re1, const RE_Matcher* re2);
extern RE_Matcher* RE_Matcher_disjunction(const RE_Matcher* re1, const RE_Matcher* re2); extern RE_Matcher* RE_Matcher_disjunction(const RE_Matcher* re1, const RE_Matcher* re2);

52
src/RemoteSerializer.cc
View file

@ -1435,7 +1435,9 @@ void RemoteSerializer::Process()
break; break;
BufferedEvent* be = events[0]; BufferedEvent* be = events[0];
::Event* event = new ::Event(be->handler, be->args, be->src); ::Event* event = new ::Event(be->handler, std::move(*be->args), be->src);
delete be->args;
be->args = nullptr;
Peer* old_current_peer = current_peer; Peer* old_current_peer = current_peer;
// Prevent the source peer from getting the event back. // Prevent the source peer from getting the event back.
@ -2260,14 +2262,14 @@ bool RemoteSerializer::ProcessPongMsg()
ping_args* args = (ping_args*) current_args->data; ping_args* args = (ping_args*) current_args->data;
val_list* vl = new val_list; mgr.QueueEvent(remote_pong, {
vl->append(current_peer->val->Ref()); current_peer->val->Ref(),
vl->append(val_mgr->GetCount((unsigned int) ntohl(args->seq))); val_mgr->GetCount((unsigned int) ntohl(args->seq)),
vl->append(new Val(current_time(true) - ntohd(args->time1), new Val(current_time(true) - ntohd(args->time1),
TYPE_INTERVAL)); TYPE_INTERVAL),
vl->append(new Val(ntohd(args->time2), TYPE_INTERVAL)); new Val(ntohd(args->time2), TYPE_INTERVAL),
vl->append(new Val(ntohd(args->time3), TYPE_INTERVAL)); new Val(ntohd(args->time3), TYPE_INTERVAL)
mgr.QueueEvent(remote_pong, vl); });
return true; return true;
} }
@ -3006,20 +3008,20 @@ void RemoteSerializer::Log(LogLevel level, const char* msg, Peer* peer,
{ {
if ( peer ) if ( peer )
{ {
val_list* vl = new val_list(); mgr.QueueEvent(remote_log_peer, {
vl->append(peer->val->Ref()); peer->val->Ref(),
vl->append(val_mgr->GetCount(level)); val_mgr->GetCount(level),
vl->append(val_mgr->GetCount(src)); val_mgr->GetCount(src),
vl->append(new StringVal(msg)); new StringVal(msg)
mgr.QueueEvent(remote_log_peer, vl); });
} }
else else
{ {
val_list* vl = new val_list(); mgr.QueueEvent(remote_log, {
vl->append(val_mgr->GetCount(level)); val_mgr->GetCount(level),
vl->append(val_mgr->GetCount(src)); val_mgr->GetCount(src),
vl->append(new StringVal(msg)); new StringVal(msg)
mgr.QueueEvent(remote_log, vl); });
} }
#ifdef DEBUG #ifdef DEBUG
@ -3041,27 +3043,27 @@ void RemoteSerializer::Log(LogLevel level, const char* msg, Peer* peer,
void RemoteSerializer::RaiseEvent(EventHandlerPtr event, Peer* peer, void RemoteSerializer::RaiseEvent(EventHandlerPtr event, Peer* peer,
const char* arg) const char* arg)
{ {
val_list* vl = new val_list; val_list vl(1 + (bool)arg);
if ( peer ) if ( peer )
{ {
Ref(peer->val); Ref(peer->val);
vl->append(peer->val); vl.append(peer->val);
} }
else else
{ {
Val* v = mgr.GetLocalPeerVal(); Val* v = mgr.GetLocalPeerVal();
v->Ref(); v->Ref();
vl->append(v); vl.append(v);
} }
if ( arg ) if ( arg )
vl->append(new StringVal(arg)); vl.append(new StringVal(arg));
// If we only have remote sources, the network time // If we only have remote sources, the network time
// will not increase as long as no peers are connected. // will not increase as long as no peers are connected.
// Therefore, we send these events immediately. // Therefore, we send these events immediately.
mgr.Dispatch(new Event(event, vl, PEER_LOCAL)); mgr.Dispatch(new Event(event, std::move(vl), PEER_LOCAL));
} }
void RemoteSerializer::LogStats() void RemoteSerializer::LogStats()

39
src/Reporter.cc
View file

@ -216,36 +216,30 @@ void Reporter::Syslog(const char* fmt, ...)
void Reporter::WeirdHelper(EventHandlerPtr event, Val* conn_val, file_analysis::File* f, const char* addl, const char* fmt_name, ...) void Reporter::WeirdHelper(EventHandlerPtr event, Val* conn_val, file_analysis::File* f, const char* addl, const char* fmt_name, ...)
{ {
val_list* vl = new val_list(1); val_list vl(2);
if ( conn_val ) if ( conn_val )
vl->append(conn_val); vl.append(conn_val);
else if ( f ) else if ( f )
vl->append(f->GetVal()->Ref()); vl.append(f->GetVal()->Ref());
if ( addl ) if ( addl )
vl->append(new StringVal(addl)); vl.append(new StringVal(addl));
va_list ap; va_list ap;
va_start(ap, fmt_name); va_start(ap, fmt_name);
DoLog("weird", event, 0, 0, vl, false, false, 0, fmt_name, ap); DoLog("weird", event, 0, 0, &vl, false, false, 0, fmt_name, ap);
va_end(ap); va_end(ap);
delete vl;
} }
void Reporter::WeirdFlowHelper(const IPAddr& orig, const IPAddr& resp, const char* fmt_name, ...) void Reporter::WeirdFlowHelper(const IPAddr& orig, const IPAddr& resp, const char* fmt_name, ...)
{ {
val_list* vl = new val_list(2); val_list vl{new AddrVal(orig), new AddrVal(resp)};
vl->append(new AddrVal(orig));
vl->append(new AddrVal(resp));
va_list ap; va_list ap;
va_start(ap, fmt_name); va_start(ap, fmt_name);
DoLog("weird", flow_weird, 0, 0, vl, false, false, 0, fmt_name, ap); DoLog("weird", flow_weird, 0, 0, &vl, false, false, 0, fmt_name, ap);
va_end(ap); va_end(ap);
delete vl;
} }
void Reporter::UpdateWeirdStats(const char* name) void Reporter::UpdateWeirdStats(const char* name)
@ -489,29 +483,32 @@ void Reporter::DoLog(const char* prefix, EventHandlerPtr event, FILE* out,
if ( raise_event && event && via_events && ! in_error_handler ) if ( raise_event && event && via_events && ! in_error_handler )
{ {
val_list* vl = new val_list; auto vl_size = 1 + (bool)time + (bool)location + (bool)conn +
(addl ? addl->length() : 0);
val_list vl(vl_size);
if ( time ) if ( time )
vl->append(new Val((bro_start_network_time != 0.0) ? network_time : 0, TYPE_TIME)); vl.append(new Val((bro_start_network_time != 0.0) ? network_time : 0, TYPE_TIME));
vl->append(new StringVal(buffer)); vl.append(new StringVal(buffer));
if ( location ) if ( location )
vl->append(new StringVal(loc_str.c_str())); vl.append(new StringVal(loc_str.c_str()));
if ( conn ) if ( conn )
vl->append(conn->BuildConnVal()); vl.append(conn->BuildConnVal());
if ( addl ) if ( addl )
{ {
loop_over_list(*addl, i) loop_over_list(*addl, i)
vl->append((*addl)[i]); vl.append((*addl)[i]);
} }
if ( conn ) if ( conn )
conn->ConnectionEvent(event, 0, vl); conn->ConnectionEventFast(event, 0, std::move(vl));
else else
mgr.QueueEvent(event, vl); mgr.QueueEventFast(event, std::move(vl));
} }
else else
{ {

15
src/RuleAction.cc
View file

@ -17,16 +17,11 @@ void RuleActionEvent::DoAction(const Rule* parent, RuleEndpointState* state,
{ {
if ( signature_match ) if ( signature_match )
{ {
val_list* vl = new val_list; mgr.QueueEventFast(signature_match, {
vl->append(rule_matcher->BuildRuleStateValue(parent, state)); rule_matcher->BuildRuleStateValue(parent, state),
vl->append(new StringVal(msg)); new StringVal(msg),
data ? new StringVal(len, (const char*)data) : val_mgr->GetEmptyString(),
if ( data ) });
vl->append(new StringVal(len, (const char*)data));
else
vl->append(val_mgr->GetEmptyString());
mgr.QueueEvent(signature_match, vl);
} }
} }

2
src/RuleCondition.cc
View file

@ -162,7 +162,7 @@ bool RuleConditionEval::DoMatch(Rule* rule, RuleEndpointState* state,
return id->ID_Val()->AsBool(); return id->ID_Val()->AsBool();
// Call function with a signature_state value as argument. // Call function with a signature_state value as argument.
val_list args; val_list args(2);
args.append(rule_matcher->BuildRuleStateValue(rule, state)); args.append(rule_matcher->BuildRuleStateValue(rule, state));
if ( data ) if ( data )

3
src/Scope.cc
View file

@ -7,6 +7,9 @@
#include "Scope.h" #include "Scope.h"
#include "Reporter.h" #include "Reporter.h"
declare(PList,Scope);
typedef PList(Scope) scope_list;
static scope_list scopes; static scope_list scopes;
static Scope* top_scope; static Scope* top_scope;

7
src/Serializer.cc
View file

@ -365,7 +365,7 @@ bool Serializer::UnserializeCall(UnserialInfo* info)
d.SetIncludeStats(true); d.SetIncludeStats(true);
d.SetShort(); d.SetShort();
val_list* args = new val_list; val_list* args = new val_list(len);
for ( int i = 0; i < len; ++i ) for ( int i = 0; i < len; ++i )
{ {
Val* v = Val::Unserialize(info); Val* v = Val::Unserialize(info);
@ -996,7 +996,8 @@ void EventPlayer::GotEvent(const char* name, double time,
{ {
ne_time = time; ne_time = time;
ne_handler = event; ne_handler = event;
ne_args = args; ne_args = std::move(*args);
delete args;
} }
void EventPlayer::GotFunctionCall(const char* name, double time, void EventPlayer::GotFunctionCall(const char* name, double time,
@ -1054,7 +1055,7 @@ void EventPlayer::Process()
if ( ! (io && ne_time) ) if ( ! (io && ne_time) )
return; return;
Event* event = new Event(ne_handler, ne_args); Event* event = new Event(ne_handler, std::move(ne_args));
mgr.Dispatch(event); mgr.Dispatch(event);
ne_time = 0; ne_time = 0;

2
src/Serializer.h
View file

@ -353,7 +353,7 @@ protected:
// Next event waiting to be dispatched. // Next event waiting to be dispatched.
double ne_time; double ne_time;
EventHandlerPtr ne_handler; EventHandlerPtr ne_handler;
val_list* ne_args; val_list ne_args;
}; };

28
src/Sessions.cc
View file

@ -171,11 +171,7 @@ void NetSessions::NextPacket(double t, const Packet* pkt)
SegmentProfiler(segment_logger, "dispatching-packet"); SegmentProfiler(segment_logger, "dispatching-packet");
if ( raw_packet ) if ( raw_packet )
{ mgr.QueueEventFast(raw_packet, {pkt->BuildPktHdrVal()});
val_list* vl = new val_list();
vl->append(pkt->BuildPktHdrVal());
mgr.QueueEvent(raw_packet, vl);
}
if ( pkt_profiler ) if ( pkt_profiler )
pkt_profiler->ProfilePkt(t, pkt->cap_len); pkt_profiler->ProfilePkt(t, pkt->cap_len);
@ -415,11 +411,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
{ {
dump_this_packet = 1; dump_this_packet = 1;
if ( esp_packet ) if ( esp_packet )
{ mgr.QueueEventFast(esp_packet, {ip_hdr->BuildPktHdrVal()});
val_list* vl = new val_list();
vl->append(ip_hdr->BuildPktHdrVal());
mgr.QueueEvent(esp_packet, vl);
}
// Can't do more since upper-layer payloads are going to be encrypted. // Can't do more since upper-layer payloads are going to be encrypted.
return; return;
@ -439,11 +431,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
} }
if ( mobile_ipv6_message ) if ( mobile_ipv6_message )
{ mgr.QueueEvent(mobile_ipv6_message, {ip_hdr->BuildPktHdrVal()});
val_list* vl = new val_list();
vl->append(ip_hdr->BuildPktHdrVal());
mgr.QueueEvent(mobile_ipv6_message, vl);
}
if ( ip_hdr->NextProto() != IPPROTO_NONE ) if ( ip_hdr->NextProto() != IPPROTO_NONE )
Weird("mobility_piggyback", pkt, encapsulation); Weird("mobility_piggyback", pkt, encapsulation);
@ -1327,12 +1315,12 @@ Connection* NetSessions::NewConn(HashKey* k, double t, const ConnID* id,
{ {
conn->Event(new_connection, 0); conn->Event(new_connection, 0);
if ( external ) if ( external && connection_external )
{ {
val_list* vl = new val_list(2); conn->ConnectionEventFast(connection_external, 0, {
vl->append(conn->BuildConnVal()); conn->BuildConnVal(),
vl->append(new StringVal(conn->GetTimerMgr()->GetTag().c_str())); new StringVal(conn->GetTimerMgr()->GetTag().c_str()),
conn->ConnectionEvent(connection_external, 0, vl); });
} }
} }

47
src/StateAccess.cc
View file

@ -192,12 +192,12 @@ bool StateAccess::CheckOld(const char* op, ID* id, Val* index,
else else
arg3 = new StringVal("<none>"); arg3 = new StringVal("<none>");
val_list* args = new val_list; mgr.QueueEvent(remote_state_inconsistency, {
args->append(new StringVal(op)); new StringVal(op),
args->append(arg1); arg1,
args->append(arg2); arg2,
args->append(arg3); arg3,
mgr.QueueEvent(remote_state_inconsistency, args); });
return false; return false;
} }
@ -219,12 +219,12 @@ bool StateAccess::CheckOldSet(const char* op, ID* id, Val* index,
Val* arg2 = new StringVal(should ? "set" : "not set"); Val* arg2 = new StringVal(should ? "set" : "not set");
Val* arg3 = new StringVal(is ? "set" : "not set"); Val* arg3 = new StringVal(is ? "set" : "not set");
val_list* args = new val_list; mgr.QueueEvent(remote_state_inconsistency, {
args->append(new StringVal(op)); new StringVal(op),
args->append(arg1); arg1,
args->append(arg2); arg2,
args->append(arg3); arg3,
mgr.QueueEvent(remote_state_inconsistency, args); });
return false; return false;
} }
@ -514,12 +514,12 @@ void StateAccess::Replay()
d.SetShort(); d.SetShort();
op1.val->Describe(&d); op1.val->Describe(&d);
val_list* args = new val_list; mgr.QueueEvent(remote_state_inconsistency, {
args->append(new StringVal("read")); new StringVal("read"),
args->append(new StringVal(fmt("%s[%s]", target.id->Name(), d.Description()))); new StringVal(fmt("%s[%s]", target.id->Name(), d.Description())),
args->append(new StringVal("existent")); new StringVal("existent"),
args->append(new StringVal("not existent")); new StringVal("not existent"),
mgr.QueueEvent(remote_state_inconsistency, args); });
} }
} }
} }
@ -536,10 +536,10 @@ void StateAccess::Replay()
if ( remote_state_access_performed ) if ( remote_state_access_performed )
{ {
val_list* vl = new val_list; mgr.QueueEventFast(remote_state_access_performed, {
vl->append(new StringVal(target.id->Name())); new StringVal(target.id->Name()),
vl->append(target.id->ID_Val()->Ref()); target.id->ID_Val()->Ref(),
mgr.QueueEvent(remote_state_access_performed, vl); });
} }
} }
@ -943,8 +943,7 @@ void NotifierRegistry::Register(ID* id, NotifierRegistry::Notifier* notifier)
} }
else else
{ {
attr_list* a = new attr_list; attr_list* a = new attr_list{attr};
a->append(attr);
id->SetAttrs(new Attributes(a, id->Type(), false)); id->SetAttrs(new Attributes(a, id->Type(), false));
} }

20
src/Stats.cc
View file

@ -310,11 +310,11 @@ void ProfileLogger::Log()
// (and for consistency we dispatch it *now*) // (and for consistency we dispatch it *now*)
if ( profiling_update ) if ( profiling_update )
{ {
val_list* vl = new val_list;
Ref(file); Ref(file);
vl->append(new Val(file)); mgr.Dispatch(new Event(profiling_update, {
vl->append(val_mgr->GetBool(expensive)); new Val(file),
mgr.Dispatch(new Event(profiling_update, vl)); val_mgr->GetBool(expensive),
}));
} }
} }
@ -369,12 +369,12 @@ void SampleLogger::SegmentProfile(const char* /* name */,
const Location* /* loc */, const Location* /* loc */,
double dtime, int dmem) double dtime, int dmem)
{ {
val_list* vl = new val_list(2); if ( load_sample )
vl->append(load_samples->Ref()); mgr.QueueEventFast(load_sample, {
vl->append(new IntervalVal(dtime, Seconds)); load_samples->Ref(),
vl->append(val_mgr->GetInt(dmem)); new IntervalVal(dtime, Seconds),
val_mgr->GetInt(dmem)
mgr.QueueEvent(load_sample, vl); });
} }
void SegmentProfiler::Init() void SegmentProfiler::Init()

20
src/Stmt.cc
View file

@ -292,13 +292,14 @@ Val* PrintStmt::DoExec(val_list* vals, stmt_flow_type& /* flow */) const
if ( print_hook ) if ( print_hook )
{ {
val_list* vl = new val_list(2);
::Ref(f); ::Ref(f);
vl->append(new Val(f));
vl->append(new StringVal(d.Len(), d.Description()));
// Note, this doesn't do remote printing. // Note, this doesn't do remote printing.
mgr.Dispatch(new Event(print_hook, vl), true); mgr.Dispatch(
new Event(
print_hook,
{new Val(f), new StringVal(d.Len(), d.Description())}),
true);
} }
if ( remote_serializer ) if ( remote_serializer )
@ -704,7 +705,7 @@ bool Case::DoUnserialize(UnserialInfo* info)
if ( ! UNSERIALIZE(&len) ) if ( ! UNSERIALIZE(&len) )
return false; return false;
type_cases = new id_list; type_cases = new id_list(len);
while ( len-- ) while ( len-- )
{ {
@ -1198,7 +1199,10 @@ Val* EventStmt::Exec(Frame* f, stmt_flow_type& flow) const
val_list* args = eval_list(f, event_expr->Args()); val_list* args = eval_list(f, event_expr->Args());
if ( args ) if ( args )
mgr.QueueEvent(event_expr->Handler(), args); {
mgr.QueueEvent(event_expr->Handler(), std::move(*args));
delete args;
}
flow = FLOW_NEXT; flow = FLOW_NEXT;
@ -1633,7 +1637,7 @@ bool ForStmt::DoUnserialize(UnserialInfo* info)
if ( ! UNSERIALIZE(&len) ) if ( ! UNSERIALIZE(&len) )
return false; return false;
loop_vars = new id_list; loop_vars = new id_list(len);
while ( len-- ) while ( len-- )
{ {
@ -2149,7 +2153,7 @@ bool InitStmt::DoUnserialize(UnserialInfo* info)
if ( ! UNSERIALIZE(&len) ) if ( ! UNSERIALIZE(&len) )
return false; return false;
inits = new id_list; inits = new id_list(len);
while ( len-- ) while ( len-- )
{ {

3
src/Stmt.h
View file

@ -213,6 +213,9 @@ protected:
Stmt* s; Stmt* s;
}; };
declare(PList,Case);
typedef PList(Case) case_list;
class SwitchStmt : public ExprStmt { class SwitchStmt : public ExprStmt {
public: public:
SwitchStmt(Expr* index, case_list* cases); SwitchStmt(Expr* index, case_list* cases);

2
src/Type.cc
View file

@ -2266,7 +2266,7 @@ BroType* merge_types(const BroType* t1, const BroType* t2)
if ( rt1->NumFields() != rt2->NumFields() ) if ( rt1->NumFields() != rt2->NumFields() )
return 0; return 0;
type_decl_list* tdl3 = new type_decl_list; type_decl_list* tdl3 = new type_decl_list(rt1->NumFields());
for ( int i = 0; i < rt1->NumFields(); ++i ) for ( int i = 0; i < rt1->NumFields(); ++i )
{ {

3
src/Type.h
View file

@ -460,6 +460,9 @@ public:
const char* id; const char* id;
}; };
declare(PList,TypeDecl);
typedef PList(TypeDecl) type_decl_list;
class RecordType : public BroType { class RecordType : public BroType {
public: public:
explicit RecordType(type_decl_list* types); explicit RecordType(type_decl_list* types);

49
src/Val.cc
View file

@ -1861,29 +1861,30 @@ Val* TableVal::Default(Val* index)
return def_attr->AttrExpr()->IsConst() ? def_val->Ref() : def_val->Clone(); return def_attr->AttrExpr()->IsConst() ? def_val->Ref() : def_val->Clone();
const Func* f = def_val->AsFunc(); const Func* f = def_val->AsFunc();
val_list* vl = new val_list(); val_list vl;
if ( index->Type()->Tag() == TYPE_LIST ) if ( index->Type()->Tag() == TYPE_LIST )
{ {
const val_list* vl0 = index->AsListVal()->Vals(); const val_list* vl0 = index->AsListVal()->Vals();
vl = val_list(vl0->length());
loop_over_list(*vl0, i) loop_over_list(*vl0, i)
vl->append((*vl0)[i]->Ref()); vl.append((*vl0)[i]->Ref());
} }
else else
vl->append(index->Ref()); {
vl = val_list{index->Ref()};
}
Val* result = 0; Val* result = 0;
try try
{ {
result = f->Call(vl); result = f->Call(&vl);
} }
catch ( InterpreterException& e ) catch ( InterpreterException& e )
{ /* Already reported. */ } { /* Already reported. */ }
delete vl;
if ( ! result ) if ( ! result )
{ {
Error("no value returned from &default function"); Error("no value returned from &default function");
@ -2423,21 +2424,6 @@ double TableVal::CallExpireFunc(Val* idx)
return 0; return 0;
} }
val_list* vl = new val_list;
vl->append(Ref());
// Flatten lists of a single element.
if ( idx->Type()->Tag() == TYPE_LIST &&
idx->AsListVal()->Length() == 1 )
{
Val* old = idx;
idx = idx->AsListVal()->Index(0);
idx->Ref();
Unref(old);
}
vl->append(idx);
double secs = 0; double secs = 0;
try try
@ -2447,19 +2433,31 @@ double TableVal::CallExpireFunc(Val* idx)
if ( ! vf ) if ( ! vf )
{ {
// Will have been reported already. // Will have been reported already.
delete_vals(vl); Unref(idx);
return 0; return 0;
} }
if ( vf->Type()->Tag() != TYPE_FUNC ) if ( vf->Type()->Tag() != TYPE_FUNC )
{ {
Unref(vf);
delete_vals(vl);
vf->Error("not a function"); vf->Error("not a function");
Unref(vf);
Unref(idx);
return 0; return 0;
} }
Val* vs = vf->AsFunc()->Call(vl);
// Flatten lists of a single element.
if ( idx->Type()->Tag() == TYPE_LIST &&
idx->AsListVal()->Length() == 1 )
{
Val* old = idx;
idx = idx->AsListVal()->Index(0);
idx->Ref();
Unref(old);
}
val_list vl{Ref(), idx};
Val* vs = vf->AsFunc()->Call(&vl);
if ( vs ) if ( vs )
{ {
@ -2468,7 +2466,6 @@ double TableVal::CallExpireFunc(Val* idx)
} }
Unref(vf); Unref(vf);
delete vl;
} }
catch ( InterpreterException& e ) catch ( InterpreterException& e )

3
src/Var.cc
View file

@ -325,8 +325,7 @@ static void transfer_arg_defaults(RecordType* args, RecordType* recv)
if ( ! recv_i->attrs ) if ( ! recv_i->attrs )
{ {
attr_list* a = new attr_list(); attr_list* a = new attr_list{def};
a->append(def);
recv_i->attrs = new Attributes(a, recv_i->type, true); recv_i->attrs = new Attributes(a, recv_i->type, true);
} }

42
src/analyzer/Analyzer.cc
View file

@ -662,16 +662,19 @@ void Analyzer::ProtocolConfirmation(Tag arg_tag)
if ( protocol_confirmed ) if ( protocol_confirmed )
return; return;
protocol_confirmed = true;
if ( ! protocol_confirmation )
return;
EnumVal* tval = arg_tag ? arg_tag.AsEnumVal() : tag.AsEnumVal(); EnumVal* tval = arg_tag ? arg_tag.AsEnumVal() : tag.AsEnumVal();
Ref(tval); Ref(tval);
val_list* vl = new val_list; mgr.QueueEventFast(protocol_confirmation, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(tval); tval,
vl->append(val_mgr->GetCount(id)); val_mgr->GetCount(id),
mgr.QueueEvent(protocol_confirmation, vl); });
protocol_confirmed = true;
} }
void Analyzer::ProtocolViolation(const char* reason, const char* data, int len) void Analyzer::ProtocolViolation(const char* reason, const char* data, int len)
@ -689,15 +692,18 @@ void Analyzer::ProtocolViolation(const char* reason, const char* data, int len)
else else
r = new StringVal(reason); r = new StringVal(reason);
if ( ! protocol_violation )
return;
EnumVal* tval = tag.AsEnumVal(); EnumVal* tval = tag.AsEnumVal();
Ref(tval); Ref(tval);
val_list* vl = new val_list; mgr.QueueEventFast(protocol_violation, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(tval); tval,
vl->append(val_mgr->GetCount(id)); val_mgr->GetCount(id),
vl->append(r); r,
mgr.QueueEvent(protocol_violation, vl); });
} }
void Analyzer::AddTimer(analyzer_timer_func timer, double t, void Analyzer::AddTimer(analyzer_timer_func timer, double t,
@ -782,6 +788,16 @@ void Analyzer::ConnectionEvent(EventHandlerPtr f, val_list* vl)
conn->ConnectionEvent(f, this, vl); conn->ConnectionEvent(f, this, vl);
} }
void Analyzer::ConnectionEvent(EventHandlerPtr f, val_list vl)
{
conn->ConnectionEvent(f, this, std::move(vl));
}
void Analyzer::ConnectionEventFast(EventHandlerPtr f, val_list vl)
{
conn->ConnectionEventFast(f, this, std::move(vl));
}
void Analyzer::Weird(const char* name, const char* addl) void Analyzer::Weird(const char* name, const char* addl)
{ {
conn->Weird(name, addl); conn->Weird(name, addl);

12
src/analyzer/Analyzer.h
View file

@ -541,6 +541,18 @@ public:
*/ */
void ConnectionEvent(EventHandlerPtr f, val_list* vl); void ConnectionEvent(EventHandlerPtr f, val_list* vl);
/**
* Convenience function that forwards directly to
* Connection::ConnectionEvent().
*/
void ConnectionEvent(EventHandlerPtr f, val_list vl);
/**
* Convenience function that forwards directly to
* Connection::ConnectionEventFast().
*/
void ConnectionEventFast(EventHandlerPtr f, val_list vl);
/** /**
* Convenience function that forwards directly to the corresponding * Convenience function that forwards directly to the corresponding
* Connection::Weird(). * Connection::Weird().

34
src/analyzer/protocol/arp/ARP.cc
View file

@ -190,13 +190,13 @@ void ARP_Analyzer::BadARP(const struct arp_pkthdr* hdr, const char* msg)
if ( ! bad_arp ) if ( ! bad_arp )
return; return;
val_list* vl = new val_list; mgr.QueueEventFast(bad_arp, {
vl->append(ConstructAddrVal(ar_spa(hdr))); ConstructAddrVal(ar_spa(hdr)),
vl->append(EthAddrToStr((const u_char*) ar_sha(hdr))); EthAddrToStr((const u_char*) ar_sha(hdr)),
vl->append(ConstructAddrVal(ar_tpa(hdr))); ConstructAddrVal(ar_tpa(hdr)),
vl->append(EthAddrToStr((const u_char*) ar_tha(hdr))); EthAddrToStr((const u_char*) ar_tha(hdr)),
vl->append(new StringVal(msg)); new StringVal(msg),
mgr.QueueEvent(bad_arp, vl); });
} }
void ARP_Analyzer::Corrupted(const char* msg) void ARP_Analyzer::Corrupted(const char* msg)
@ -212,18 +212,14 @@ void ARP_Analyzer::RREvent(EventHandlerPtr e,
if ( ! e ) if ( ! e )
return; return;
// init the val_list mgr.QueueEventFast(e, {
val_list* vl = new val_list; EthAddrToStr(src),
EthAddrToStr(dst),
// prepare the event arguments ConstructAddrVal(spa),
vl->append(EthAddrToStr(src)); EthAddrToStr((const u_char*) sha),
vl->append(EthAddrToStr(dst)); ConstructAddrVal(tpa),
vl->append(ConstructAddrVal(spa)); EthAddrToStr((const u_char*) tha),
vl->append(EthAddrToStr((const u_char*) sha)); });
vl->append(ConstructAddrVal(tpa));
vl->append(EthAddrToStr((const u_char*) tha));
mgr.QueueEvent(e, vl);
} }
AddrVal* ARP_Analyzer::ConstructAddrVal(const void* addr) AddrVal* ARP_Analyzer::ConstructAddrVal(const void* addr)

54
src/analyzer/protocol/backdoor/BackDoor.cc
View file

@ -246,13 +246,15 @@ void BackDoorEndpoint::RloginSignatureFound(int len)
rlogin_checking_done = 1; rlogin_checking_done = 1;
val_list* vl = new val_list; if ( ! rlogin_signature_found )
vl->append(endp->TCP()->BuildConnVal()); return;
vl->append(val_mgr->GetBool(endp->IsOrig()));
vl->append(val_mgr->GetCount(rlogin_num_null));
vl->append(val_mgr->GetCount(len));
endp->TCP()->ConnectionEvent(rlogin_signature_found, vl); endp->TCP()->ConnectionEventFast(rlogin_signature_found, {
endp->TCP()->BuildConnVal(),
val_mgr->GetBool(endp->IsOrig()),
val_mgr->GetCount(rlogin_num_null),
val_mgr->GetCount(len),
});
} }
void BackDoorEndpoint::CheckForTelnet(uint64 /* seq */, int len, const u_char* data) void BackDoorEndpoint::CheckForTelnet(uint64 /* seq */, int len, const u_char* data)
@ -338,12 +340,14 @@ void BackDoorEndpoint::CheckForTelnet(uint64 /* seq */, int len, const u_char* d
void BackDoorEndpoint::TelnetSignatureFound(int len) void BackDoorEndpoint::TelnetSignatureFound(int len)
{ {
val_list* vl = new val_list; if ( ! telnet_signature_found )
vl->append(endp->TCP()->BuildConnVal()); return;
vl->append(val_mgr->GetBool(endp->IsOrig()));
vl->append(val_mgr->GetCount(len));
endp->TCP()->ConnectionEvent(telnet_signature_found, vl); endp->TCP()->ConnectionEventFast(telnet_signature_found, {
endp->TCP()->BuildConnVal(),
val_mgr->GetBool(endp->IsOrig()),
val_mgr->GetCount(len),
});
} }
void BackDoorEndpoint::CheckForSSH(uint64 seq, int len, const u_char* data) void BackDoorEndpoint::CheckForSSH(uint64 seq, int len, const u_char* data)
@ -643,13 +647,15 @@ void BackDoorEndpoint::CheckForHTTPProxy(uint64 /* seq */, int len,
void BackDoorEndpoint::SignatureFound(EventHandlerPtr e, int do_orig) void BackDoorEndpoint::SignatureFound(EventHandlerPtr e, int do_orig)
{ {
val_list* vl = new val_list; if ( ! e )
vl->append(endp->TCP()->BuildConnVal()); return;
if ( do_orig ) if ( do_orig )
vl->append(val_mgr->GetBool(endp->IsOrig())); endp->TCP()->ConnectionEventFast(e,
{endp->TCP()->BuildConnVal(), val_mgr->GetBool(endp->IsOrig())});
endp->TCP()->ConnectionEvent(e, vl); else
endp->TCP()->ConnectionEventFast(e, {endp->TCP()->BuildConnVal()});
} }
@ -776,20 +782,22 @@ void BackDoor_Analyzer::StatTimer(double t, int is_expire)
void BackDoor_Analyzer::StatEvent() void BackDoor_Analyzer::StatEvent()
{ {
val_list* vl = new val_list; if ( ! backdoor_stats )
vl->append(TCP()->BuildConnVal()); return;
vl->append(orig_endp->BuildStats());
vl->append(resp_endp->BuildStats());
TCP()->ConnectionEvent(backdoor_stats, vl); TCP()->ConnectionEventFast(backdoor_stats, {
TCP()->BuildConnVal(),
orig_endp->BuildStats(),
resp_endp->BuildStats(),
});
} }
void BackDoor_Analyzer::RemoveEvent() void BackDoor_Analyzer::RemoveEvent()
{ {
val_list* vl = new val_list; if ( ! backdoor_remove_conn )
vl->append(TCP()->BuildConnVal()); return;
TCP()->ConnectionEvent(backdoor_remove_conn, vl); TCP()->ConnectionEventFast(backdoor_remove_conn, {TCP()->BuildConnVal()});
} }
BackDoorTimer::BackDoorTimer(double t, BackDoor_Analyzer* a) BackDoorTimer::BackDoorTimer(double t, BackDoor_Analyzer* a)

10
src/analyzer/protocol/bittorrent/BitTorrent.cc
View file

@ -120,10 +120,10 @@ void BitTorrent_Analyzer::DeliverWeird(const char* msg, bool orig)
{ {
if ( bittorrent_peer_weird ) if ( bittorrent_peer_weird )
{ {
val_list* vl = new val_list; ConnectionEventFast(bittorrent_peer_weird, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(orig)); val_mgr->GetBool(orig),
vl->append(new StringVal(msg)); new StringVal(msg),
ConnectionEvent(bittorrent_peer_weird, vl); });
} }
} }

51
src/analyzer/protocol/bittorrent/BitTorrentTracker.cc
View file

@ -247,11 +247,11 @@ void BitTorrentTracker_Analyzer::DeliverWeird(const char* msg, bool orig)
{ {
if ( bt_tracker_weird ) if ( bt_tracker_weird )
{ {
val_list* vl = new val_list; ConnectionEventFast(bt_tracker_weird, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(orig)); val_mgr->GetBool(orig),
vl->append(new StringVal(msg)); new StringVal(msg),
ConnectionEvent(bt_tracker_weird, vl); });
} }
} }
@ -346,19 +346,17 @@ void BitTorrentTracker_Analyzer::RequestGet(char* uri)
void BitTorrentTracker_Analyzer::EmitRequest(void) void BitTorrentTracker_Analyzer::EmitRequest(void)
{ {
val_list* vl;
ProtocolConfirmation(); ProtocolConfirmation();
vl = new val_list; if ( bt_tracker_request )
vl->append(BuildConnVal()); ConnectionEventFast(bt_tracker_request, {
vl->append(req_val_uri); BuildConnVal(),
vl->append(req_val_headers); req_val_uri,
req_val_headers,
});
req_val_uri = 0; req_val_uri = 0;
req_val_headers = 0; req_val_headers = 0;
ConnectionEvent(bt_tracker_request, vl);
} }
bool BitTorrentTracker_Analyzer::ParseResponse(char* line) bool BitTorrentTracker_Analyzer::ParseResponse(char* line)
@ -404,11 +402,12 @@ bool BitTorrentTracker_Analyzer::ParseResponse(char* line)
{ {
if ( res_status != 200 ) if ( res_status != 200 )
{ {
val_list* vl = new val_list; if ( bt_tracker_response_not_ok )
vl->append(BuildConnVal()); ConnectionEventFast(bt_tracker_response_not_ok, {
vl->append(val_mgr->GetCount(res_status)); BuildConnVal(),
vl->append(res_val_headers); val_mgr->GetCount(res_status),
ConnectionEvent(bt_tracker_response_not_ok, vl); res_val_headers,
});
res_val_headers = 0; res_val_headers = 0;
res_buf_pos = res_buf + res_buf_len; res_buf_pos = res_buf + res_buf_len;
res_state = BTT_RES_DONE; res_state = BTT_RES_DONE;
@ -790,16 +789,16 @@ void BitTorrentTracker_Analyzer::EmitResponse(void)
{ {
ProtocolConfirmation(); ProtocolConfirmation();
val_list* vl = new val_list; if ( bt_tracker_response )
vl->append(BuildConnVal()); ConnectionEventFast(bt_tracker_response, {
vl->append(val_mgr->GetCount(res_status)); BuildConnVal(),
vl->append(res_val_headers); val_mgr->GetCount(res_status),
vl->append(res_val_peers); res_val_headers,
vl->append(res_val_benc); res_val_peers,
res_val_benc,
});
res_val_headers = 0; res_val_headers = 0;
res_val_peers = 0; res_val_peers = 0;
res_val_benc = 0; res_val_benc = 0;
ConnectionEvent(bt_tracker_response, vl);
} }

10
src/analyzer/protocol/conn-size/ConnSize.cc
View file

@ -47,11 +47,11 @@ void ConnSize_Analyzer::ThresholdEvent(EventHandlerPtr f, uint64 threshold, bool
if ( ! f ) if ( ! f )
return; return;
val_list* vl = new val_list; ConnectionEventFast(f, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetCount(threshold)); val_mgr->GetCount(threshold),
vl->append(val_mgr->GetBool(is_orig)); val_mgr->GetBool(is_orig),
ConnectionEvent(f, vl); });
} }
void ConnSize_Analyzer::CheckSizes(bool is_orig) void ConnSize_Analyzer::CheckSizes(bool is_orig)

387
src/analyzer/protocol/dns/DNS.cc
View file

@ -46,13 +46,12 @@ int DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query)
if ( dns_message ) if ( dns_message )
{ {
val_list* vl = new val_list(); analyzer->ConnectionEventFast(dns_message, {
vl->append(analyzer->BuildConnVal()); analyzer->BuildConnVal(),
vl->append(val_mgr->GetBool(is_query)); val_mgr->GetBool(is_query),
vl->append(msg.BuildHdrVal()); msg.BuildHdrVal(),
vl->append(val_mgr->GetCount(len)); val_mgr->GetCount(len),
});
analyzer->ConnectionEvent(dns_message, vl);
} }
// There is a great deal of non-DNS traffic that runs on port 53. // There is a great deal of non-DNS traffic that runs on port 53.
@ -133,11 +132,11 @@ int DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query)
int DNS_Interpreter::EndMessage(DNS_MsgInfo* msg) int DNS_Interpreter::EndMessage(DNS_MsgInfo* msg)
{ {
val_list* vl = new val_list; if ( dns_end )
analyzer->ConnectionEventFast(dns_end, {
vl->append(analyzer->BuildConnVal()); analyzer->BuildConnVal(),
vl->append(msg->BuildHdrVal()); msg->BuildHdrVal(),
analyzer->ConnectionEvent(dns_end, vl); });
return 1; return 1;
} }
@ -336,11 +335,11 @@ int DNS_Interpreter::ParseAnswer(DNS_MsgInfo* msg,
if ( dns_unknown_reply && ! msg->skip_event ) if ( dns_unknown_reply && ! msg->skip_event )
{ {
val_list* vl = new val_list; analyzer->ConnectionEventFast(dns_unknown_reply, {
vl->append(analyzer->BuildConnVal()); analyzer->BuildConnVal(),
vl->append(msg->BuildHdrVal()); msg->BuildHdrVal(),
vl->append(msg->BuildAnswerVal()); msg->BuildAnswerVal(),
analyzer->ConnectionEvent(dns_unknown_reply, vl); });
} }
analyzer->Weird("DNS_RR_unknown_type", fmt("%d", msg->atype)); analyzer->Weird("DNS_RR_unknown_type", fmt("%d", msg->atype));
@ -551,14 +550,12 @@ int DNS_Interpreter::ParseRR_Name(DNS_MsgInfo* msg,
if ( reply_event && ! msg->skip_event ) if ( reply_event && ! msg->skip_event )
{ {
val_list* vl = new val_list; analyzer->ConnectionEventFast(reply_event, {
analyzer->BuildConnVal(),
vl->append(analyzer->BuildConnVal()); msg->BuildHdrVal(),
vl->append(msg->BuildHdrVal()); msg->BuildAnswerVal(),
vl->append(msg->BuildAnswerVal()); new StringVal(new BroString(name, name_end - name, 1)),
vl->append(new StringVal(new BroString(name, name_end - name, 1))); });
analyzer->ConnectionEvent(reply_event, vl);
} }
return 1; return 1;
@ -598,14 +595,7 @@ int DNS_Interpreter::ParseRR_SOA(DNS_MsgInfo* msg,
if ( dns_SOA_reply && ! msg->skip_event ) if ( dns_SOA_reply && ! msg->skip_event )
{ {
val_list* vl = new val_list;
vl->append(analyzer->BuildConnVal());
vl->append(msg->BuildHdrVal());
vl->append(msg->BuildAnswerVal());
RecordVal* r = new RecordVal(dns_soa); RecordVal* r = new RecordVal(dns_soa);
r->Assign(0, new StringVal(new BroString(mname, mname_end - mname, 1))); r->Assign(0, new StringVal(new BroString(mname, mname_end - mname, 1)));
r->Assign(1, new StringVal(new BroString(rname, rname_end - rname, 1))); r->Assign(1, new StringVal(new BroString(rname, rname_end - rname, 1)));
r->Assign(2, val_mgr->GetCount(serial)); r->Assign(2, val_mgr->GetCount(serial));
@ -614,9 +604,12 @@ int DNS_Interpreter::ParseRR_SOA(DNS_MsgInfo* msg,
r->Assign(5, new IntervalVal(double(expire), Seconds)); r->Assign(5, new IntervalVal(double(expire), Seconds));
r->Assign(6, new IntervalVal(double(minimum), Seconds)); r->Assign(6, new IntervalVal(double(minimum), Seconds));
vl->append(r); analyzer->ConnectionEventFast(dns_SOA_reply, {
analyzer->BuildConnVal(),
analyzer->ConnectionEvent(dns_SOA_reply, vl); msg->BuildHdrVal(),
msg->BuildAnswerVal(),
r
});
} }
return 1; return 1;
@ -642,15 +635,13 @@ int DNS_Interpreter::ParseRR_MX(DNS_MsgInfo* msg,
if ( dns_MX_reply && ! msg->skip_event ) if ( dns_MX_reply && ! msg->skip_event )
{ {
val_list* vl = new val_list; analyzer->ConnectionEventFast(dns_MX_reply, {
analyzer->BuildConnVal(),
vl->append(analyzer->BuildConnVal()); msg->BuildHdrVal(),
vl->append(msg->BuildHdrVal()); msg->BuildAnswerVal(),
vl->append(msg->BuildAnswerVal()); new StringVal(new BroString(name, name_end - name, 1)),
vl->append(new StringVal(new BroString(name, name_end - name, 1))); val_mgr->GetCount(preference),
vl->append(val_mgr->GetCount(preference)); });
analyzer->ConnectionEvent(dns_MX_reply, vl);
} }
return 1; return 1;
@ -687,16 +678,15 @@ int DNS_Interpreter::ParseRR_SRV(DNS_MsgInfo* msg,
if ( dns_SRV_reply && ! msg->skip_event ) if ( dns_SRV_reply && ! msg->skip_event )
{ {
val_list* vl = new val_list; analyzer->ConnectionEventFast(dns_SRV_reply, {
vl->append(analyzer->BuildConnVal()); analyzer->BuildConnVal(),
vl->append(msg->BuildHdrVal()); msg->BuildHdrVal(),
vl->append(msg->BuildAnswerVal()); msg->BuildAnswerVal(),
vl->append(new StringVal(new BroString(name, name_end - name, 1))); new StringVal(new BroString(name, name_end - name, 1)),
vl->append(val_mgr->GetCount(priority)); val_mgr->GetCount(priority),
vl->append(val_mgr->GetCount(weight)); val_mgr->GetCount(weight),
vl->append(val_mgr->GetCount(port)); val_mgr->GetCount(port),
});
analyzer->ConnectionEvent(dns_SRV_reply, vl);
} }
return 1; return 1;
@ -711,12 +701,11 @@ int DNS_Interpreter::ParseRR_EDNS(DNS_MsgInfo* msg,
if ( dns_EDNS_addl && ! msg->skip_event ) if ( dns_EDNS_addl && ! msg->skip_event )
{ {
val_list* vl = new val_list; analyzer->ConnectionEventFast(dns_EDNS_addl, {
analyzer->BuildConnVal(),
vl->append(analyzer->BuildConnVal()); msg->BuildHdrVal(),
vl->append(msg->BuildHdrVal()); msg->BuildEDNS_Val(),
vl->append(msg->BuildEDNS_Val()); });
analyzer->ConnectionEvent(dns_EDNS_addl, vl);
} }
// Currently EDNS supports the movement of type:data pairs // Currently EDNS supports the movement of type:data pairs
@ -778,24 +767,24 @@ int DNS_Interpreter::ParseRR_TSIG(DNS_MsgInfo* msg,
unsigned int rr_error = ExtractShort(data, len); unsigned int rr_error = ExtractShort(data, len);
ExtractOctets(data, len, 0); // Other Data ExtractOctets(data, len, 0); // Other Data
msg->tsig = new TSIG_DATA; if ( dns_TSIG_addl )
{
TSIG_DATA tsig;
tsig.alg_name =
new BroString(alg_name, alg_name_end - alg_name, 1);
tsig.sig = request_MAC;
tsig.time_s = sign_time_sec;
tsig.time_ms = sign_time_msec;
tsig.fudge = fudge;
tsig.orig_id = orig_id;
tsig.rr_error = rr_error;
msg->tsig->alg_name = analyzer->ConnectionEventFast(dns_TSIG_addl, {
new BroString(alg_name, alg_name_end - alg_name, 1); analyzer->BuildConnVal(),
msg->tsig->sig = request_MAC; msg->BuildHdrVal(),
msg->tsig->time_s = sign_time_sec; msg->BuildTSIG_Val(&tsig),
msg->tsig->time_ms = sign_time_msec; });
msg->tsig->fudge = fudge; }
msg->tsig->orig_id = orig_id;
msg->tsig->rr_error = rr_error;
val_list* vl = new val_list;
vl->append(analyzer->BuildConnVal());
vl->append(msg->BuildHdrVal());
vl->append(msg->BuildTSIG_Val());
analyzer->ConnectionEvent(dns_TSIG_addl, vl);
return 1; return 1;
} }
@ -878,25 +867,26 @@ int DNS_Interpreter::ParseRR_RRSIG(DNS_MsgInfo* msg,
break; break;
} }
RRSIG_DATA rrsig; if ( dns_RRSIG )
rrsig.type_covered = type_covered; {
rrsig.algorithm = algo; RRSIG_DATA rrsig;
rrsig.labels = lab; rrsig.type_covered = type_covered;
rrsig.orig_ttl = orig_ttl; rrsig.algorithm = algo;
rrsig.sig_exp = sign_exp; rrsig.labels = lab;
rrsig.sig_incep = sign_incp; rrsig.orig_ttl = orig_ttl;
rrsig.key_tag = key_tag; rrsig.sig_exp = sign_exp;
rrsig.signer_name = new BroString(name, name_end - name, 1); rrsig.sig_incep = sign_incp;
rrsig.signature = sign; rrsig.key_tag = key_tag;
rrsig.signer_name = new BroString(name, name_end - name, 1);
rrsig.signature = sign;
val_list* vl = new val_list; analyzer->ConnectionEventFast(dns_RRSIG, {
analyzer->BuildConnVal(),
vl->append(analyzer->BuildConnVal()); msg->BuildHdrVal(),
vl->append(msg->BuildHdrVal()); msg->BuildAnswerVal(),
vl->append(msg->BuildAnswerVal()); msg->BuildRRSIG_Val(&rrsig),
vl->append(msg->BuildRRSIG_Val(&rrsig)); });
}
analyzer->ConnectionEvent(dns_RRSIG, vl);
return 1; return 1;
} }
@ -977,20 +967,21 @@ int DNS_Interpreter::ParseRR_DNSKEY(DNS_MsgInfo* msg,
break; break;
} }
DNSKEY_DATA dnskey; if ( dns_DNSKEY )
dnskey.dflags = dflags; {
dnskey.dalgorithm = dalgorithm; DNSKEY_DATA dnskey;
dnskey.dprotocol = dprotocol; dnskey.dflags = dflags;
dnskey.public_key = key; dnskey.dalgorithm = dalgorithm;
dnskey.dprotocol = dprotocol;
dnskey.public_key = key;
val_list* vl = new val_list; analyzer->ConnectionEventFast(dns_DNSKEY, {
analyzer->BuildConnVal(),
vl->append(analyzer->BuildConnVal()); msg->BuildHdrVal(),
vl->append(msg->BuildHdrVal()); msg->BuildAnswerVal(),
vl->append(msg->BuildAnswerVal()); msg->BuildDNSKEY_Val(&dnskey),
vl->append(msg->BuildDNSKEY_Val(&dnskey)); });
}
analyzer->ConnectionEvent(dns_DNSKEY, vl);
return 1; return 1;
} }
@ -1035,15 +1026,16 @@ int DNS_Interpreter::ParseRR_NSEC(DNS_MsgInfo* msg,
typebitmaps_len = typebitmaps_len - (2 + bmlen); typebitmaps_len = typebitmaps_len - (2 + bmlen);
} }
val_list* vl = new val_list; if ( dns_NSEC )
analyzer->ConnectionEventFast(dns_NSEC, {
vl->append(analyzer->BuildConnVal()); analyzer->BuildConnVal(),
vl->append(msg->BuildHdrVal()); msg->BuildHdrVal(),
vl->append(msg->BuildAnswerVal()); msg->BuildAnswerVal(),
vl->append(new StringVal(new BroString(name, name_end - name, 1))); new StringVal(new BroString(name, name_end - name, 1)),
vl->append(char_strings); char_strings,
});
analyzer->ConnectionEvent(dns_NSEC, vl); else
Unref(char_strings);
return 1; return 1;
} }
@ -1111,24 +1103,25 @@ int DNS_Interpreter::ParseRR_NSEC3(DNS_MsgInfo* msg,
typebitmaps_len = typebitmaps_len - (2 + bmlen); typebitmaps_len = typebitmaps_len - (2 + bmlen);
} }
NSEC3_DATA nsec3; if ( dns_NSEC3 )
nsec3.nsec_flags = nsec_flags; {
nsec3.nsec_hash_algo = hash_algo; NSEC3_DATA nsec3;
nsec3.nsec_iter = iter; nsec3.nsec_flags = nsec_flags;
nsec3.nsec_salt_len = salt_len; nsec3.nsec_hash_algo = hash_algo;
nsec3.nsec_salt = salt_val; nsec3.nsec_iter = iter;
nsec3.nsec_hlen = hash_len; nsec3.nsec_salt_len = salt_len;
nsec3.nsec_hash = hash_val; nsec3.nsec_salt = salt_val;
nsec3.bitmaps = char_strings; nsec3.nsec_hlen = hash_len;
nsec3.nsec_hash = hash_val;
nsec3.bitmaps = char_strings;
val_list* vl = new val_list; analyzer->ConnectionEventFast(dns_NSEC3, {
analyzer->BuildConnVal(),
vl->append(analyzer->BuildConnVal()); msg->BuildHdrVal(),
vl->append(msg->BuildHdrVal()); msg->BuildAnswerVal(),
vl->append(msg->BuildAnswerVal()); msg->BuildNSEC3_Val(&nsec3),
vl->append(msg->BuildNSEC3_Val(&nsec3)); });
}
analyzer->ConnectionEvent(dns_NSEC3, vl);
return 1; return 1;
} }
@ -1172,20 +1165,21 @@ int DNS_Interpreter::ParseRR_DS(DNS_MsgInfo* msg,
break; break;
} }
DS_DATA ds; if ( dns_DS )
ds.key_tag = ds_key_tag; {
ds.algorithm = ds_algo; DS_DATA ds;
ds.digest_type = ds_dtype; ds.key_tag = ds_key_tag;
ds.digest_val = ds_digest; ds.algorithm = ds_algo;
ds.digest_type = ds_dtype;
ds.digest_val = ds_digest;
val_list* vl = new val_list; analyzer->ConnectionEventFast(dns_DS, {
analyzer->BuildConnVal(),
vl->append(analyzer->BuildConnVal()); msg->BuildHdrVal(),
vl->append(msg->BuildHdrVal()); msg->BuildAnswerVal(),
vl->append(msg->BuildAnswerVal()); msg->BuildDS_Val(&ds),
vl->append(msg->BuildDS_Val(&ds)); });
}
analyzer->ConnectionEvent(dns_DS, vl);
return 1; return 1;
} }
@ -1203,14 +1197,12 @@ int DNS_Interpreter::ParseRR_A(DNS_MsgInfo* msg,
if ( dns_A_reply && ! msg->skip_event ) if ( dns_A_reply && ! msg->skip_event )
{ {
val_list* vl = new val_list; analyzer->ConnectionEventFast(dns_A_reply, {
analyzer->BuildConnVal(),
vl->append(analyzer->BuildConnVal()); msg->BuildHdrVal(),
vl->append(msg->BuildHdrVal()); msg->BuildAnswerVal(),
vl->append(msg->BuildAnswerVal()); new AddrVal(htonl(addr)),
vl->append(new AddrVal(htonl(addr))); });
analyzer->ConnectionEvent(dns_A_reply, vl);
} }
return 1; return 1;
@ -1242,13 +1234,12 @@ int DNS_Interpreter::ParseRR_AAAA(DNS_MsgInfo* msg,
event = dns_A6_reply; event = dns_A6_reply;
if ( event && ! msg->skip_event ) if ( event && ! msg->skip_event )
{ {
val_list* vl = new val_list; analyzer->ConnectionEventFast(event, {
analyzer->BuildConnVal(),
vl->append(analyzer->BuildConnVal()); msg->BuildHdrVal(),
vl->append(msg->BuildHdrVal()); msg->BuildAnswerVal(),
vl->append(msg->BuildAnswerVal()); new AddrVal(addr),
vl->append(new AddrVal(addr)); });
analyzer->ConnectionEvent(event, vl);
} }
return 1; return 1;
@ -1317,14 +1308,15 @@ int DNS_Interpreter::ParseRR_TXT(DNS_MsgInfo* msg,
while ( (char_string = extract_char_string(analyzer, data, len, rdlength)) ) while ( (char_string = extract_char_string(analyzer, data, len, rdlength)) )
char_strings->Assign(char_strings->Size(), char_string); char_strings->Assign(char_strings->Size(), char_string);
val_list* vl = new val_list; if ( dns_TXT_reply )
analyzer->ConnectionEventFast(dns_TXT_reply, {
vl->append(analyzer->BuildConnVal()); analyzer->BuildConnVal(),
vl->append(msg->BuildHdrVal()); msg->BuildHdrVal(),
vl->append(msg->BuildAnswerVal()); msg->BuildAnswerVal(),
vl->append(char_strings); char_strings,
});
analyzer->ConnectionEvent(dns_TXT_reply, vl); else
Unref(char_strings);
return rdlength == 0; return rdlength == 0;
} }
@ -1359,16 +1351,20 @@ int DNS_Interpreter::ParseRR_CAA(DNS_MsgInfo* msg,
data += value->Len(); data += value->Len();
rdlength -= value->Len(); rdlength -= value->Len();
val_list* vl = new val_list; if ( dns_CAA_reply )
analyzer->ConnectionEventFast(dns_CAA_reply, {
vl->append(analyzer->BuildConnVal()); analyzer->BuildConnVal(),
vl->append(msg->BuildHdrVal()); msg->BuildHdrVal(),
vl->append(msg->BuildAnswerVal()); msg->BuildAnswerVal(),
vl->append(val_mgr->GetCount(flags)); val_mgr->GetCount(flags),
vl->append(new StringVal(tag)); new StringVal(tag),
vl->append(new StringVal(value)); new StringVal(value),
});
analyzer->ConnectionEvent(dns_CAA_reply, vl); else
{
delete tag;
delete value;
}
return rdlength == 0; return rdlength == 0;
} }
@ -1382,14 +1378,14 @@ void DNS_Interpreter::SendReplyOrRejectEvent(DNS_MsgInfo* msg,
RR_Type qtype = RR_Type(ExtractShort(data, len)); RR_Type qtype = RR_Type(ExtractShort(data, len));
int qclass = ExtractShort(data, len); int qclass = ExtractShort(data, len);
val_list* vl = new val_list; if ( event )
vl->append(analyzer->BuildConnVal()); analyzer->ConnectionEventFast(event, {
vl->append(msg->BuildHdrVal()); analyzer->BuildConnVal(),
vl->append(new StringVal(question_name)); msg->BuildHdrVal(),
vl->append(val_mgr->GetCount(qtype)); new StringVal(question_name),
vl->append(val_mgr->GetCount(qclass)); val_mgr->GetCount(qtype),
val_mgr->GetCount(qclass),
analyzer->ConnectionEvent(event, vl); });
} }
@ -1423,7 +1419,6 @@ DNS_MsgInfo::DNS_MsgInfo(DNS_RawMsgHdr* hdr, int arg_is_query)
answer_type = DNS_QUESTION; answer_type = DNS_QUESTION;
skip_event = 0; skip_event = 0;
tsig = 0;
} }
DNS_MsgInfo::~DNS_MsgInfo() DNS_MsgInfo::~DNS_MsgInfo()
@ -1502,7 +1497,7 @@ Val* DNS_MsgInfo::BuildEDNS_Val()
return r; return r;
} }
Val* DNS_MsgInfo::BuildTSIG_Val() Val* DNS_MsgInfo::BuildTSIG_Val(struct TSIG_DATA* tsig)
{ {
RecordVal* r = new RecordVal(dns_tsig_additional); RecordVal* r = new RecordVal(dns_tsig_additional);
double rtime = tsig->time_s + tsig->time_ms / 1000.0; double rtime = tsig->time_s + tsig->time_ms / 1000.0;
@ -1519,9 +1514,6 @@ Val* DNS_MsgInfo::BuildTSIG_Val()
r->Assign(7, val_mgr->GetCount(tsig->rr_error)); r->Assign(7, val_mgr->GetCount(tsig->rr_error));
r->Assign(8, val_mgr->GetCount(is_query)); r->Assign(8, val_mgr->GetCount(is_query));
delete tsig;
tsig = 0;
return r; return r;
} }
@ -1737,10 +1729,11 @@ void DNS_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
{ {
if ( ! interp->ParseMessage(data, len, 1) && non_dns_request ) if ( ! interp->ParseMessage(data, len, 1) && non_dns_request )
{ {
val_list* vl = new val_list; if ( non_dns_request )
vl->append(BuildConnVal()); ConnectionEventFast(non_dns_request, {
vl->append(new StringVal(len, (const char*) data)); BuildConnVal(),
ConnectionEvent(non_dns_request, vl); new StringVal(len, (const char*) data),
});
} }
} }

6
src/analyzer/protocol/dns/DNS.h
View file

@ -182,7 +182,7 @@ public:
Val* BuildHdrVal(); Val* BuildHdrVal();
Val* BuildAnswerVal(); Val* BuildAnswerVal();
Val* BuildEDNS_Val(); Val* BuildEDNS_Val();
Val* BuildTSIG_Val(); Val* BuildTSIG_Val(struct TSIG_DATA*);
Val* BuildRRSIG_Val(struct RRSIG_DATA*); Val* BuildRRSIG_Val(struct RRSIG_DATA*);
Val* BuildDNSKEY_Val(struct DNSKEY_DATA*); Val* BuildDNSKEY_Val(struct DNSKEY_DATA*);
Val* BuildNSEC3_Val(struct NSEC3_DATA*); Val* BuildNSEC3_Val(struct NSEC3_DATA*);
@ -214,10 +214,6 @@ public:
///< identical answer, there may be problems ///< identical answer, there may be problems
// uint32* addr; ///< cache value to pass back results // uint32* addr; ///< cache value to pass back results
///< for forward lookups ///< for forward lookups
// More values for spesific DNS types.
//struct EDNS_ADDITIONAL* edns;
struct TSIG_DATA* tsig;
}; };

14
src/analyzer/protocol/file/File.cc
View file

@ -77,10 +77,12 @@ void File_Analyzer::Identify()
&matches); &matches);
string match = matches.empty() ? "<unknown>" string match = matches.empty() ? "<unknown>"
: *(matches.begin()->second.begin()); : *(matches.begin()->second.begin());
val_list* vl = new val_list;
vl->append(BuildConnVal()); if ( file_transferred )
vl->append(new StringVal(buffer_len, buffer)); ConnectionEventFast(file_transferred, {
vl->append(new StringVal("<unknown>")); BuildConnVal(),
vl->append(new StringVal(match)); new StringVal(buffer_len, buffer),
ConnectionEvent(file_transferred, vl); new StringVal("<unknown>"),
new StringVal(match),
});
} }

24
src/analyzer/protocol/finger/Finger.cc
View file

@ -66,14 +66,15 @@ void Finger_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig
else else
host = at + 1; host = at + 1;
val_list* vl = new val_list;
vl->append(BuildConnVal());
vl->append(val_mgr->GetBool(long_cnt));
vl->append(new StringVal(at - line, line));
vl->append(new StringVal(end_of_line - host, host));
if ( finger_request ) if ( finger_request )
ConnectionEvent(finger_request, vl); {
ConnectionEventFast(finger_request, {
BuildConnVal(),
val_mgr->GetBool(long_cnt),
new StringVal(at - line, line),
new StringVal(end_of_line - host, host),
});
}
Conn()->Match(Rule::FINGER, (const u_char *) line, Conn()->Match(Rule::FINGER, (const u_char *) line,
end_of_line - line, true, true, 1, true); end_of_line - line, true, true, 1, true);
@ -86,10 +87,9 @@ void Finger_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig
if ( ! finger_reply ) if ( ! finger_reply )
return; return;
val_list* vl = new val_list; ConnectionEventFast(finger_reply, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(new StringVal(end_of_line - line, line)); new StringVal(end_of_line - line, line),
});
ConnectionEvent(finger_reply, vl);
} }
} }

21
src/analyzer/protocol/ftp/FTP.cc
View file

@ -73,8 +73,7 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
// Could emit "ftp empty request/reply" weird, but maybe not worth it. // Could emit "ftp empty request/reply" weird, but maybe not worth it.
return; return;
val_list* vl = new val_list; val_list vl;
vl->append(BuildConnVal());
EventHandlerPtr f; EventHandlerPtr f;
if ( orig ) if ( orig )
@ -95,8 +94,11 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
else else
cmd_str = (new StringVal(cmd_len, cmd))->ToUpper(); cmd_str = (new StringVal(cmd_len, cmd))->ToUpper();
vl->append(cmd_str); vl = val_list{
vl->append(new StringVal(end_of_line - line, line)); BuildConnVal(),
cmd_str,
new StringVal(end_of_line - line, line),
};
f = ftp_request; f = ftp_request;
ProtocolConfirmation(); ProtocolConfirmation();
@ -171,14 +173,17 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
} }
} }
vl->append(val_mgr->GetCount(reply_code)); vl = val_list{
vl->append(new StringVal(end_of_line - line, line)); BuildConnVal(),
vl->append(val_mgr->GetBool(cont_resp)); val_mgr->GetCount(reply_code),
new StringVal(end_of_line - line, line),
val_mgr->GetBool(cont_resp),
};
f = ftp_reply; f = ftp_reply;
} }
ConnectionEvent(f, vl); ConnectionEvent(f, std::move(vl));
ForwardStream(length, data, orig); ForwardStream(length, data, orig);
} }

73
src/analyzer/protocol/gnutella/Gnutella.cc
View file

@ -58,16 +58,10 @@ void Gnutella_Analyzer::Done()
if ( ! sent_establish && (gnutella_establish || gnutella_not_establish) ) if ( ! sent_establish && (gnutella_establish || gnutella_not_establish) )
{ {
val_list* vl = new val_list;
vl->append(BuildConnVal());
if ( Established() && gnutella_establish ) if ( Established() && gnutella_establish )
ConnectionEvent(gnutella_establish, vl); ConnectionEventFast(gnutella_establish, {BuildConnVal()});
else if ( ! Established () && gnutella_not_establish ) else if ( ! Established () && gnutella_not_establish )
ConnectionEvent(gnutella_not_establish, vl); ConnectionEventFast(gnutella_not_establish, {BuildConnVal()});
else
delete_vals(vl);
} }
if ( gnutella_partial_binary_msg ) if ( gnutella_partial_binary_msg )
@ -78,14 +72,12 @@ void Gnutella_Analyzer::Done()
{ {
if ( ! p->msg_sent && p->msg_pos ) if ( ! p->msg_sent && p->msg_pos )
{ {
val_list* vl = new val_list; ConnectionEventFast(gnutella_partial_binary_msg, {
BuildConnVal(),
vl->append(BuildConnVal()); new StringVal(p->msg),
vl->append(new StringVal(p->msg)); val_mgr->GetBool((i == 0)),
vl->append(val_mgr->GetBool((i == 0))); val_mgr->GetCount(p->msg_pos),
vl->append(val_mgr->GetCount(p->msg_pos)); });
ConnectionEvent(gnutella_partial_binary_msg, vl);
} }
else if ( ! p->msg_sent && p->payload_left ) else if ( ! p->msg_sent && p->payload_left )
@ -129,10 +121,7 @@ int Gnutella_Analyzer::IsHTTP(string header)
if ( gnutella_http_notify ) if ( gnutella_http_notify )
{ {
val_list* vl = new val_list; ConnectionEventFast(gnutella_http_notify, {BuildConnVal()});
vl->append(BuildConnVal());
ConnectionEvent(gnutella_http_notify, vl);
} }
analyzer::Analyzer* a = analyzer_mgr->InstantiateAnalyzer("HTTP", Conn()); analyzer::Analyzer* a = analyzer_mgr->InstantiateAnalyzer("HTTP", Conn());
@ -192,13 +181,11 @@ void Gnutella_Analyzer::DeliverLines(int len, const u_char* data, bool orig)
{ {
if ( gnutella_text_msg ) if ( gnutella_text_msg )
{ {
val_list* vl = new val_list; ConnectionEventFast(gnutella_text_msg, {
BuildConnVal(),
vl->append(BuildConnVal()); val_mgr->GetBool(orig),
vl->append(val_mgr->GetBool(orig)); new StringVal(ms->headers.data()),
vl->append(new StringVal(ms->headers.data())); });
ConnectionEvent(gnutella_text_msg, vl);
} }
ms->headers = ""; ms->headers = "";
@ -206,12 +193,9 @@ void Gnutella_Analyzer::DeliverLines(int len, const u_char* data, bool orig)
if ( Established () && gnutella_establish ) if ( Established () && gnutella_establish )
{ {
val_list* vl = new val_list;
sent_establish = 1; sent_establish = 1;
vl->append(BuildConnVal());
ConnectionEvent(gnutella_establish, vl); ConnectionEventFast(gnutella_establish, {BuildConnVal()});
} }
} }
} }
@ -237,21 +221,18 @@ void Gnutella_Analyzer::SendEvents(GnutellaMsgState* p, bool is_orig)
if ( gnutella_binary_msg ) if ( gnutella_binary_msg )
{ {
val_list* vl = new val_list; ConnectionEventFast(gnutella_binary_msg, {
BuildConnVal(),
vl->append(BuildConnVal()); val_mgr->GetBool(is_orig),
vl->append(val_mgr->GetBool(is_orig)); val_mgr->GetCount(p->msg_type),
vl->append(val_mgr->GetCount(p->msg_type)); val_mgr->GetCount(p->msg_ttl),
vl->append(val_mgr->GetCount(p->msg_ttl)); val_mgr->GetCount(p->msg_hops),
vl->append(val_mgr->GetCount(p->msg_hops)); val_mgr->GetCount(p->msg_len),
vl->append(val_mgr->GetCount(p->msg_len)); new StringVal(p->payload),
vl->append(new StringVal(p->payload)); val_mgr->GetCount(p->payload_len),
vl->append(val_mgr->GetCount(p->payload_len)); val_mgr->GetBool((p->payload_len < min(p->msg_len, (unsigned int)GNUTELLA_MAX_PAYLOAD))),
vl->append(val_mgr->GetBool( val_mgr->GetBool((p->payload_left == 0)),
(p->payload_len < min(p->msg_len, (unsigned int)GNUTELLA_MAX_PAYLOAD)))); });
vl->append(val_mgr->GetBool((p->payload_left == 0)));
ConnectionEvent(gnutella_binary_msg, vl);
} }
} }

130
src/analyzer/protocol/http/HTTP.cc
View file

@ -646,11 +646,11 @@ void HTTP_Message::Done(const int interrupted, const char* detail)
if ( http_message_done ) if ( http_message_done )
{ {
val_list* vl = new val_list; GetAnalyzer()->ConnectionEventFast(http_message_done, {
vl->append(analyzer->BuildConnVal()); analyzer->BuildConnVal(),
vl->append(val_mgr->GetBool(is_orig)); val_mgr->GetBool(is_orig),
vl->append(BuildMessageStat(interrupted, detail)); BuildMessageStat(interrupted, detail),
GetAnalyzer()->ConnectionEvent(http_message_done, vl); });
} }
MyHTTP_Analyzer()->HTTP_MessageDone(is_orig, this); MyHTTP_Analyzer()->HTTP_MessageDone(is_orig, this);
@ -679,10 +679,10 @@ void HTTP_Message::BeginEntity(mime::MIME_Entity* entity)
if ( http_begin_entity ) if ( http_begin_entity )
{ {
val_list* vl = new val_list(); analyzer->ConnectionEventFast(http_begin_entity, {
vl->append(analyzer->BuildConnVal()); analyzer->BuildConnVal(),
vl->append(val_mgr->GetBool(is_orig)); val_mgr->GetBool(is_orig),
analyzer->ConnectionEvent(http_begin_entity, vl); });
} }
} }
@ -696,10 +696,10 @@ void HTTP_Message::EndEntity(mime::MIME_Entity* entity)
if ( http_end_entity ) if ( http_end_entity )
{ {
val_list* vl = new val_list(); analyzer->ConnectionEventFast(http_end_entity, {
vl->append(analyzer->BuildConnVal()); analyzer->BuildConnVal(),
vl->append(val_mgr->GetBool(is_orig)); val_mgr->GetBool(is_orig),
analyzer->ConnectionEvent(http_end_entity, vl); });
} }
current_entity = (HTTP_Entity*) entity->Parent(); current_entity = (HTTP_Entity*) entity->Parent();
@ -737,11 +737,11 @@ void HTTP_Message::SubmitAllHeaders(mime::MIME_HeaderList& hlist)
{ {
if ( http_all_headers ) if ( http_all_headers )
{ {
val_list* vl = new val_list(); analyzer->ConnectionEventFast(http_all_headers, {
vl->append(analyzer->BuildConnVal()); analyzer->BuildConnVal(),
vl->append(val_mgr->GetBool(is_orig)); val_mgr->GetBool(is_orig),
vl->append(BuildHeaderTable(hlist)); BuildHeaderTable(hlist),
analyzer->ConnectionEvent(http_all_headers, vl); });
} }
if ( http_content_type ) if ( http_content_type )
@ -751,12 +751,12 @@ void HTTP_Message::SubmitAllHeaders(mime::MIME_HeaderList& hlist)
ty->Ref(); ty->Ref();
subty->Ref(); subty->Ref();
val_list* vl = new val_list(); analyzer->ConnectionEventFast(http_content_type, {
vl->append(analyzer->BuildConnVal()); analyzer->BuildConnVal(),
vl->append(val_mgr->GetBool(is_orig)); val_mgr->GetBool(is_orig),
vl->append(ty); ty,
vl->append(subty); subty,
analyzer->ConnectionEvent(http_content_type, vl); });
} }
} }
@ -1182,12 +1182,8 @@ void HTTP_Analyzer::GenStats()
r->Assign(2, new Val(request_version, TYPE_DOUBLE)); r->Assign(2, new Val(request_version, TYPE_DOUBLE));
r->Assign(3, new Val(reply_version, TYPE_DOUBLE)); r->Assign(3, new Val(reply_version, TYPE_DOUBLE));
val_list* vl = new val_list;
vl->append(BuildConnVal());
vl->append(r);
// DEBUG_MSG("%.6f http_stats\n", network_time); // DEBUG_MSG("%.6f http_stats\n", network_time);
ConnectionEvent(http_stats, vl); ConnectionEventFast(http_stats, {BuildConnVal(), r});
} }
} }
@ -1384,13 +1380,12 @@ void HTTP_Analyzer::HTTP_Event(const char* category, StringVal* detail)
{ {
if ( http_event ) if ( http_event )
{ {
val_list* vl = new val_list();
vl->append(BuildConnVal());
vl->append(new StringVal(category));
vl->append(detail);
// DEBUG_MSG("%.6f http_event\n", network_time); // DEBUG_MSG("%.6f http_event\n", network_time);
ConnectionEvent(http_event, vl); ConnectionEventFast(http_event, {
BuildConnVal(),
new StringVal(category),
detail,
});
} }
else else
delete detail; delete detail;
@ -1426,17 +1421,16 @@ void HTTP_Analyzer::HTTP_Request()
if ( http_request ) if ( http_request )
{ {
val_list* vl = new val_list;
vl->append(BuildConnVal());
Ref(request_method); Ref(request_method);
vl->append(request_method);
vl->append(TruncateURI(request_URI->AsStringVal()));
vl->append(TruncateURI(unescaped_URI->AsStringVal()));
vl->append(new StringVal(fmt("%.1f", request_version)));
// DEBUG_MSG("%.6f http_request\n", network_time); // DEBUG_MSG("%.6f http_request\n", network_time);
ConnectionEvent(http_request, vl); ConnectionEventFast(http_request, {
BuildConnVal(),
request_method,
TruncateURI(request_URI->AsStringVal()),
TruncateURI(unescaped_URI->AsStringVal()),
new StringVal(fmt("%.1f", request_version)),
});
} }
} }
@ -1444,15 +1438,14 @@ void HTTP_Analyzer::HTTP_Reply()
{ {
if ( http_reply ) if ( http_reply )
{ {
val_list* vl = new val_list; ConnectionEventFast(http_reply, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(new StringVal(fmt("%.1f", reply_version))); new StringVal(fmt("%.1f", reply_version)),
vl->append(val_mgr->GetCount(reply_code)); val_mgr->GetCount(reply_code),
if ( reply_reason_phrase ) reply_reason_phrase ?
vl->append(reply_reason_phrase->Ref()); reply_reason_phrase->Ref() :
else new StringVal("<empty>"),
vl->append(new StringVal("<empty>")); });
ConnectionEvent(http_reply, vl);
} }
else else
{ {
@ -1524,10 +1517,10 @@ void HTTP_Analyzer::ReplyMade(const int interrupted, const char* msg)
if ( http_connection_upgrade ) if ( http_connection_upgrade )
{ {
val_list* vl = new val_list(); ConnectionEventFast(http_connection_upgrade, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(new StringVal(upgrade_protocol)); new StringVal(upgrade_protocol),
ConnectionEvent(http_connection_upgrade, vl); });
} }
} }
@ -1697,14 +1690,15 @@ void HTTP_Analyzer::HTTP_Header(int is_orig, mime::MIME_Header* h)
Conn()->Match(rule, (const u_char*) hd_value.data, hd_value.length, Conn()->Match(rule, (const u_char*) hd_value.data, hd_value.length,
is_orig, false, true, false); is_orig, false, true, false);
val_list* vl = new val_list();
vl->append(BuildConnVal());
vl->append(val_mgr->GetBool(is_orig));
vl->append(mime::new_string_val(h->get_name())->ToUpper());
vl->append(mime::new_string_val(h->get_value()));
if ( DEBUG_http ) if ( DEBUG_http )
DEBUG_MSG("%.6f http_header\n", network_time); DEBUG_MSG("%.6f http_header\n", network_time);
ConnectionEvent(http_header, vl);
ConnectionEventFast(http_header, {
BuildConnVal(),
val_mgr->GetBool(is_orig),
mime::new_string_val(h->get_name())->ToUpper(),
mime::new_string_val(h->get_value()),
});
} }
} }
@ -1833,12 +1827,12 @@ void HTTP_Analyzer::HTTP_EntityData(int is_orig, BroString* entity_data)
{ {
if ( http_entity_data ) if ( http_entity_data )
{ {
val_list* vl = new val_list(); ConnectionEventFast(http_entity_data, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(is_orig)); val_mgr->GetBool(is_orig),
vl->append(val_mgr->GetCount(entity_data->Len())); val_mgr->GetCount(entity_data->Len()),
vl->append(new StringVal(entity_data)); new StringVal(entity_data),
ConnectionEvent(http_entity_data, vl); });
} }
else else
delete entity_data; delete entity_data;

164
src/analyzer/protocol/icmp/ICMP.cc
View file

@ -199,20 +199,21 @@ void ICMP_Analyzer::ICMP_Sent(const struct icmp* icmpp, int len, int caplen,
{ {
if ( icmp_sent ) if ( icmp_sent )
{ {
val_list* vl = new val_list; ConnectionEventFast(icmp_sent, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(BuildICMPVal(icmpp, len, icmpv6, ip_hdr)); BuildICMPVal(icmpp, len, icmpv6, ip_hdr),
ConnectionEvent(icmp_sent, vl); });
} }
if ( icmp_sent_payload ) if ( icmp_sent_payload )
{ {
val_list* vl = new val_list;
vl->append(BuildConnVal());
vl->append(BuildICMPVal(icmpp, len, icmpv6, ip_hdr));
BroString* payload = new BroString(data, min(len, caplen), 0); BroString* payload = new BroString(data, min(len, caplen), 0);
vl->append(new StringVal(payload));
ConnectionEvent(icmp_sent_payload, vl); ConnectionEventFast(icmp_sent_payload, {
BuildConnVal(),
BuildICMPVal(icmpp, len, icmpv6, ip_hdr),
new StringVal(payload),
});
} }
} }
@ -511,14 +512,13 @@ void ICMP_Analyzer::Echo(double t, const struct icmp* icmpp, int len,
BroString* payload = new BroString(data, caplen, 0); BroString* payload = new BroString(data, caplen, 0);
val_list* vl = new val_list; ConnectionEventFast(f, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(BuildICMPVal(icmpp, len, ip_hdr->NextProto() != IPPROTO_ICMP, ip_hdr)); BuildICMPVal(icmpp, len, ip_hdr->NextProto() != IPPROTO_ICMP, ip_hdr),
vl->append(val_mgr->GetCount(iid)); val_mgr->GetCount(iid),
vl->append(val_mgr->GetCount(iseq)); val_mgr->GetCount(iseq),
vl->append(new StringVal(payload)); new StringVal(payload),
});
ConnectionEvent(f, vl);
} }
@ -526,6 +526,10 @@ void ICMP_Analyzer::RouterAdvert(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const IP_Hdr* ip_hdr) int caplen, const u_char*& data, const IP_Hdr* ip_hdr)
{ {
EventHandlerPtr f = icmp_router_advertisement; EventHandlerPtr f = icmp_router_advertisement;
if ( ! f )
return;
uint32 reachable = 0, retrans = 0; uint32 reachable = 0, retrans = 0;
if ( caplen >= (int)sizeof(reachable) ) if ( caplen >= (int)sizeof(reachable) )
@ -534,24 +538,23 @@ void ICMP_Analyzer::RouterAdvert(double t, const struct icmp* icmpp, int len,
if ( caplen >= (int)sizeof(reachable) + (int)sizeof(retrans) ) if ( caplen >= (int)sizeof(reachable) + (int)sizeof(retrans) )
memcpy(&retrans, data + sizeof(reachable), sizeof(retrans)); memcpy(&retrans, data + sizeof(reachable), sizeof(retrans));
val_list* vl = new val_list;
vl->append(BuildConnVal());
vl->append(BuildICMPVal(icmpp, len, 1, ip_hdr));
vl->append(val_mgr->GetCount(icmpp->icmp_num_addrs)); // Cur Hop Limit
vl->append(val_mgr->GetBool(icmpp->icmp_wpa & 0x80)); // Managed
vl->append(val_mgr->GetBool(icmpp->icmp_wpa & 0x40)); // Other
vl->append(val_mgr->GetBool(icmpp->icmp_wpa & 0x20)); // Home Agent
vl->append(val_mgr->GetCount((icmpp->icmp_wpa & 0x18)>>3)); // Pref
vl->append(val_mgr->GetBool(icmpp->icmp_wpa & 0x04)); // Proxy
vl->append(val_mgr->GetCount(icmpp->icmp_wpa & 0x02)); // Reserved
vl->append(new IntervalVal((double)ntohs(icmpp->icmp_lifetime), Seconds));
vl->append(new IntervalVal((double)ntohl(reachable), Milliseconds));
vl->append(new IntervalVal((double)ntohl(retrans), Milliseconds));
int opt_offset = sizeof(reachable) + sizeof(retrans); int opt_offset = sizeof(reachable) + sizeof(retrans);
vl->append(BuildNDOptionsVal(caplen - opt_offset, data + opt_offset));
ConnectionEvent(f, vl); ConnectionEventFast(f, {
BuildConnVal(),
BuildICMPVal(icmpp, len, 1, ip_hdr),
val_mgr->GetCount(icmpp->icmp_num_addrs), // Cur Hop Limit
val_mgr->GetBool(icmpp->icmp_wpa & 0x80), // Managed
val_mgr->GetBool(icmpp->icmp_wpa & 0x40), // Other
val_mgr->GetBool(icmpp->icmp_wpa & 0x20), // Home Agent
val_mgr->GetCount((icmpp->icmp_wpa & 0x18)>>3), // Pref
val_mgr->GetBool(icmpp->icmp_wpa & 0x04), // Proxy
val_mgr->GetCount(icmpp->icmp_wpa & 0x02), // Reserved
new IntervalVal((double)ntohs(icmpp->icmp_lifetime), Seconds),
new IntervalVal((double)ntohl(reachable), Milliseconds),
new IntervalVal((double)ntohl(retrans), Milliseconds),
BuildNDOptionsVal(caplen - opt_offset, data + opt_offset),
});
} }
@ -559,23 +562,26 @@ void ICMP_Analyzer::NeighborAdvert(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const IP_Hdr* ip_hdr) int caplen, const u_char*& data, const IP_Hdr* ip_hdr)
{ {
EventHandlerPtr f = icmp_neighbor_advertisement; EventHandlerPtr f = icmp_neighbor_advertisement;
if ( ! f )
return;
IPAddr tgtaddr; IPAddr tgtaddr;
if ( caplen >= (int)sizeof(in6_addr) ) if ( caplen >= (int)sizeof(in6_addr) )
tgtaddr = IPAddr(*((const in6_addr*)data)); tgtaddr = IPAddr(*((const in6_addr*)data));
val_list* vl = new val_list;
vl->append(BuildConnVal());
vl->append(BuildICMPVal(icmpp, len, 1, ip_hdr));
vl->append(val_mgr->GetBool(icmpp->icmp_num_addrs & 0x80)); // Router
vl->append(val_mgr->GetBool(icmpp->icmp_num_addrs & 0x40)); // Solicited
vl->append(val_mgr->GetBool(icmpp->icmp_num_addrs & 0x20)); // Override
vl->append(new AddrVal(tgtaddr));
int opt_offset = sizeof(in6_addr); int opt_offset = sizeof(in6_addr);
vl->append(BuildNDOptionsVal(caplen - opt_offset, data + opt_offset));
ConnectionEvent(f, vl); ConnectionEventFast(f, {
BuildConnVal(),
BuildICMPVal(icmpp, len, 1, ip_hdr),
val_mgr->GetBool(icmpp->icmp_num_addrs & 0x80), // Router
val_mgr->GetBool(icmpp->icmp_num_addrs & 0x40), // Solicited
val_mgr->GetBool(icmpp->icmp_num_addrs & 0x20), // Override
new AddrVal(tgtaddr),
BuildNDOptionsVal(caplen - opt_offset, data + opt_offset),
});
} }
@ -583,20 +589,23 @@ void ICMP_Analyzer::NeighborSolicit(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const IP_Hdr* ip_hdr) int caplen, const u_char*& data, const IP_Hdr* ip_hdr)
{ {
EventHandlerPtr f = icmp_neighbor_solicitation; EventHandlerPtr f = icmp_neighbor_solicitation;
if ( ! f )
return;
IPAddr tgtaddr; IPAddr tgtaddr;
if ( caplen >= (int)sizeof(in6_addr) ) if ( caplen >= (int)sizeof(in6_addr) )
tgtaddr = IPAddr(*((const in6_addr*)data)); tgtaddr = IPAddr(*((const in6_addr*)data));
val_list* vl = new val_list;
vl->append(BuildConnVal());
vl->append(BuildICMPVal(icmpp, len, 1, ip_hdr));
vl->append(new AddrVal(tgtaddr));
int opt_offset = sizeof(in6_addr); int opt_offset = sizeof(in6_addr);
vl->append(BuildNDOptionsVal(caplen - opt_offset, data + opt_offset));
ConnectionEvent(f, vl); ConnectionEventFast(f, {
BuildConnVal(),
BuildICMPVal(icmpp, len, 1, ip_hdr),
new AddrVal(tgtaddr),
BuildNDOptionsVal(caplen - opt_offset, data + opt_offset),
});
} }
@ -604,6 +613,10 @@ void ICMP_Analyzer::Redirect(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const IP_Hdr* ip_hdr) int caplen, const u_char*& data, const IP_Hdr* ip_hdr)
{ {
EventHandlerPtr f = icmp_redirect; EventHandlerPtr f = icmp_redirect;
if ( ! f )
return;
IPAddr tgtaddr, dstaddr; IPAddr tgtaddr, dstaddr;
if ( caplen >= (int)sizeof(in6_addr) ) if ( caplen >= (int)sizeof(in6_addr) )
@ -612,16 +625,15 @@ void ICMP_Analyzer::Redirect(double t, const struct icmp* icmpp, int len,
if ( caplen >= 2 * (int)sizeof(in6_addr) ) if ( caplen >= 2 * (int)sizeof(in6_addr) )
dstaddr = IPAddr(*((const in6_addr*)(data + sizeof(in6_addr)))); dstaddr = IPAddr(*((const in6_addr*)(data + sizeof(in6_addr))));
val_list* vl = new val_list;
vl->append(BuildConnVal());
vl->append(BuildICMPVal(icmpp, len, 1, ip_hdr));
vl->append(new AddrVal(tgtaddr));
vl->append(new AddrVal(dstaddr));
int opt_offset = 2 * sizeof(in6_addr); int opt_offset = 2 * sizeof(in6_addr);
vl->append(BuildNDOptionsVal(caplen - opt_offset, data + opt_offset));
ConnectionEvent(f, vl); ConnectionEventFast(f, {
BuildConnVal(),
BuildICMPVal(icmpp, len, 1, ip_hdr),
new AddrVal(tgtaddr),
new AddrVal(dstaddr),
BuildNDOptionsVal(caplen - opt_offset, data + opt_offset),
});
} }
@ -630,12 +642,14 @@ void ICMP_Analyzer::RouterSolicit(double t, const struct icmp* icmpp, int len,
{ {
EventHandlerPtr f = icmp_router_solicitation; EventHandlerPtr f = icmp_router_solicitation;
val_list* vl = new val_list; if ( ! f )
vl->append(BuildConnVal()); return;
vl->append(BuildICMPVal(icmpp, len, 1, ip_hdr));
vl->append(BuildNDOptionsVal(caplen, data));
ConnectionEvent(f, vl); ConnectionEventFast(f, {
BuildConnVal(),
BuildICMPVal(icmpp, len, 1, ip_hdr),
BuildNDOptionsVal(caplen, data),
});
} }
@ -657,12 +671,12 @@ void ICMP_Analyzer::Context4(double t, const struct icmp* icmpp,
if ( f ) if ( f )
{ {
val_list* vl = new val_list; ConnectionEventFast(f, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(BuildICMPVal(icmpp, len, 0, ip_hdr)); BuildICMPVal(icmpp, len, 0, ip_hdr),
vl->append(val_mgr->GetCount(icmpp->icmp_code)); val_mgr->GetCount(icmpp->icmp_code),
vl->append(ExtractICMP4Context(caplen, data)); ExtractICMP4Context(caplen, data),
ConnectionEvent(f, vl); });
} }
} }
@ -697,12 +711,12 @@ void ICMP_Analyzer::Context6(double t, const struct icmp* icmpp,
if ( f ) if ( f )
{ {
val_list* vl = new val_list; ConnectionEventFast(f, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(BuildICMPVal(icmpp, len, 1, ip_hdr)); BuildICMPVal(icmpp, len, 1, ip_hdr),
vl->append(val_mgr->GetCount(icmpp->icmp_code)); val_mgr->GetCount(icmpp->icmp_code),
vl->append(ExtractICMP6Context(caplen, data)); ExtractICMP6Context(caplen, data),
ConnectionEvent(f, vl); });
} }
} }

40
src/analyzer/protocol/ident/Ident.cc
View file

@ -83,12 +83,11 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
Weird("ident_request_addendum", s.CheckString()); Weird("ident_request_addendum", s.CheckString());
} }
val_list* vl = new val_list; ConnectionEventFast(ident_request, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetPort(local_port, TRANSPORT_TCP)); val_mgr->GetPort(local_port, TRANSPORT_TCP),
vl->append(val_mgr->GetPort(remote_port, TRANSPORT_TCP)); val_mgr->GetPort(remote_port, TRANSPORT_TCP),
});
ConnectionEvent(ident_request, vl);
did_deliver = 1; did_deliver = 1;
} }
@ -144,13 +143,13 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
if ( is_error ) if ( is_error )
{ {
val_list* vl = new val_list; if ( ident_error )
vl->append(BuildConnVal()); ConnectionEventFast(ident_error, {
vl->append(val_mgr->GetPort(local_port, TRANSPORT_TCP)); BuildConnVal(),
vl->append(val_mgr->GetPort(remote_port, TRANSPORT_TCP)); val_mgr->GetPort(local_port, TRANSPORT_TCP),
vl->append(new StringVal(end_of_line - line, line)); val_mgr->GetPort(remote_port, TRANSPORT_TCP),
new StringVal(end_of_line - line, line),
ConnectionEvent(ident_error, vl); });
} }
else else
@ -178,14 +177,13 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
line = skip_whitespace(colon + 1, end_of_line); line = skip_whitespace(colon + 1, end_of_line);
val_list* vl = new val_list; ConnectionEventFast(ident_reply, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetPort(local_port, TRANSPORT_TCP)); val_mgr->GetPort(local_port, TRANSPORT_TCP),
vl->append(val_mgr->GetPort(remote_port, TRANSPORT_TCP)); val_mgr->GetPort(remote_port, TRANSPORT_TCP),
vl->append(new StringVal(end_of_line - line, line)); new StringVal(end_of_line - line, line),
vl->append(new StringVal(sys_type_s)); new StringVal(sys_type_s),
});
ConnectionEvent(ident_reply, vl);
} }
} }
} }

7
src/analyzer/protocol/imap/imap-analyzer.pac
View file

@ -43,7 +43,9 @@ refine connection IMAP_Conn += {
if ( commands == "ok" ) if ( commands == "ok" )
{ {
bro_analyzer()->StartTLS(); bro_analyzer()->StartTLS();
BifEvent::generate_imap_starttls(bro_analyzer(), bro_analyzer()->Conn());
if ( imap_starttls )
BifEvent::generate_imap_starttls(bro_analyzer(), bro_analyzer()->Conn());
} }
else else
reporter->Weird(bro_analyzer()->Conn(), "IMAP: server refused StartTLS"); reporter->Weird(bro_analyzer()->Conn(), "IMAP: server refused StartTLS");
@ -54,6 +56,9 @@ refine connection IMAP_Conn += {
function proc_server_capability(capabilities: Capability[]): bool function proc_server_capability(capabilities: Capability[]): bool
%{ %{
if ( ! imap_capabilities )
return true;
VectorVal* capv = new VectorVal(internal_type("string_vec")->AsVectorType()); VectorVal* capv = new VectorVal(internal_type("string_vec")->AsVectorType());
for ( unsigned int i = 0; i< capabilities->size(); i++ ) for ( unsigned int i = 0; i< capabilities->size(); i++ )
{ {

18
src/analyzer/protocol/interconn/InterConn.cc
View file

@ -241,20 +241,18 @@ void InterConn_Analyzer::StatTimer(double t, int is_expire)
void InterConn_Analyzer::StatEvent() void InterConn_Analyzer::StatEvent()
{ {
val_list* vl = new val_list; if ( interconn_stats )
vl->append(Conn()->BuildConnVal()); Conn()->ConnectionEventFast(interconn_stats, this, {
vl->append(orig_endp->BuildStats()); Conn()->BuildConnVal(),
vl->append(resp_endp->BuildStats()); orig_endp->BuildStats(),
resp_endp->BuildStats(),
Conn()->ConnectionEvent(interconn_stats, this, vl); });
} }
void InterConn_Analyzer::RemoveEvent() void InterConn_Analyzer::RemoveEvent()
{ {
val_list* vl = new val_list; if ( interconn_remove_conn )
vl->append(Conn()->BuildConnVal()); Conn()->ConnectionEventFast(interconn_remove_conn, this, {Conn()->BuildConnVal()});
Conn()->ConnectionEvent(interconn_remove_conn, this, vl);
} }
InterConnTimer::InterConnTimer(double t, InterConn_Analyzer* a) InterConnTimer::InterConnTimer(double t, InterConn_Analyzer* a)

514
src/analyzer/protocol/irc/IRC.cc
View file

@ -233,14 +233,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
// else ### // else ###
} }
val_list* vl = new val_list; ConnectionEventFast(irc_network_info, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(orig)); val_mgr->GetBool(orig),
vl->append(val_mgr->GetInt(users)); val_mgr->GetInt(users),
vl->append(val_mgr->GetInt(services)); val_mgr->GetInt(services),
vl->append(val_mgr->GetInt(servers)); val_mgr->GetInt(servers),
});
ConnectionEvent(irc_network_info, vl);
} }
break; break;
@ -271,13 +270,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( parts.size() > 0 && parts[0][0] == ':' ) if ( parts.size() > 0 && parts[0][0] == ':' )
parts[0] = parts[0].substr(1); parts[0] = parts[0].substr(1);
val_list* vl = new val_list;
vl->append(BuildConnVal());
vl->append(val_mgr->GetBool(orig));
vl->append(new StringVal(type.c_str()));
vl->append(new StringVal(channel.c_str()));
TableVal* set = new TableVal(string_set); TableVal* set = new TableVal(string_set);
for ( unsigned int i = 0; i < parts.size(); ++i ) for ( unsigned int i = 0; i < parts.size(); ++i )
{ {
if ( parts[i][0] == '@' ) if ( parts[i][0] == '@' )
@ -286,9 +280,14 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
set->Assign(idx, 0); set->Assign(idx, 0);
Unref(idx); Unref(idx);
} }
vl->append(set);
ConnectionEvent(irc_names_info, vl); ConnectionEventFast(irc_names_info, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(type.c_str()),
new StringVal(channel.c_str()),
set,
});
} }
break; break;
@ -316,14 +315,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
// else ### // else ###
} }
val_list* vl = new val_list; ConnectionEventFast(irc_server_info, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(orig)); val_mgr->GetBool(orig),
vl->append(val_mgr->GetInt(users)); val_mgr->GetInt(users),
vl->append(val_mgr->GetInt(services)); val_mgr->GetInt(services),
vl->append(val_mgr->GetInt(servers)); val_mgr->GetInt(servers),
});
ConnectionEvent(irc_server_info, vl);
} }
break; break;
@ -339,12 +337,11 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( parts[i] == ":channels" ) if ( parts[i] == ":channels" )
channels = atoi(parts[i - 1].c_str()); channels = atoi(parts[i - 1].c_str());
val_list* vl = new val_list; ConnectionEventFast(irc_channel_info, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(orig)); val_mgr->GetBool(orig),
vl->append(val_mgr->GetInt(channels)); val_mgr->GetInt(channels),
});
ConnectionEvent(irc_channel_info, vl);
} }
break; break;
@ -372,12 +369,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
break; break;
} }
val_list* vl = new val_list; ConnectionEventFast(irc_global_users, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(orig)); val_mgr->GetBool(orig),
vl->append(new StringVal(eop - prefix, prefix)); new StringVal(eop - prefix, prefix),
vl->append(new StringVal(++msg)); new StringVal(++msg),
ConnectionEvent(irc_global_users, vl); });
break; break;
} }
@ -397,12 +394,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
return; return;
} }
val_list* vl = new val_list; val_list vl(6);
vl->append(BuildConnVal()); vl.append(BuildConnVal());
vl->append(val_mgr->GetBool(orig)); vl.append(val_mgr->GetBool(orig));
vl->append(new StringVal(parts[0].c_str())); vl.append(new StringVal(parts[0].c_str()));
vl->append(new StringVal(parts[1].c_str())); vl.append(new StringVal(parts[1].c_str()));
vl->append(new StringVal(parts[2].c_str())); vl.append(new StringVal(parts[2].c_str()));
parts.erase(parts.begin(), parts.begin() + 4); parts.erase(parts.begin(), parts.begin() + 4);
@ -413,9 +410,9 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( real_name[0] == ':' ) if ( real_name[0] == ':' )
real_name = real_name.substr(1); real_name = real_name.substr(1);
vl->append(new StringVal(real_name.c_str())); vl.append(new StringVal(real_name.c_str()));
ConnectionEvent(irc_whois_user_line, vl); ConnectionEventFast(irc_whois_user_line, std::move(vl));
} }
break; break;
@ -436,12 +433,11 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
return; return;
} }
val_list* vl = new val_list; ConnectionEventFast(irc_whois_operator_line, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(orig)); val_mgr->GetBool(orig),
vl->append(new StringVal(parts[0].c_str())); new StringVal(parts[0].c_str()),
});
ConnectionEvent(irc_whois_operator_line, vl);
} }
break; break;
@ -467,11 +463,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( parts.size() > 0 && parts[0][0] == ':' ) if ( parts.size() > 0 && parts[0][0] == ':' )
parts[0] = parts[0].substr(1); parts[0] = parts[0].substr(1);
val_list* vl = new val_list;
vl->append(BuildConnVal());
vl->append(val_mgr->GetBool(orig));
vl->append(new StringVal(nick.c_str()));
TableVal* set = new TableVal(string_set); TableVal* set = new TableVal(string_set);
for ( unsigned int i = 0; i < parts.size(); ++i ) for ( unsigned int i = 0; i < parts.size(); ++i )
{ {
Val* idx = new StringVal(parts[i].c_str()); Val* idx = new StringVal(parts[i].c_str());
@ -479,9 +472,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
Unref(idx); Unref(idx);
} }
vl->append(set); ConnectionEventFast(irc_whois_channel_line, {
BuildConnVal(),
ConnectionEvent(irc_whois_channel_line, vl); val_mgr->GetBool(orig),
new StringVal(nick.c_str()),
set,
});
} }
break; break;
@ -502,19 +498,17 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( pos < params.size() ) if ( pos < params.size() )
{ {
string topic = params.substr(pos + 1); string topic = params.substr(pos + 1);
val_list* vl = new val_list;
vl->append(BuildConnVal());
vl->append(val_mgr->GetBool(orig));
vl->append(new StringVal(parts[1].c_str()));
const char* t = topic.c_str(); const char* t = topic.c_str();
if ( *t == ':' ) if ( *t == ':' )
++t; ++t;
vl->append(new StringVal(t)); ConnectionEventFast(irc_channel_topic, {
BuildConnVal(),
ConnectionEvent(irc_channel_topic, vl); val_mgr->GetBool(orig),
new StringVal(parts[1].c_str()),
new StringVal(t),
});
} }
else else
{ {
@ -537,24 +531,25 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
return; return;
} }
val_list* vl = new val_list;
vl->append(BuildConnVal());
vl->append(val_mgr->GetBool(orig));
vl->append(new StringVal(parts[0].c_str()));
vl->append(new StringVal(parts[1].c_str()));
if ( parts[2][0] == '~' ) if ( parts[2][0] == '~' )
parts[2] = parts[2].substr(1); parts[2] = parts[2].substr(1);
vl->append(new StringVal(parts[2].c_str()));
vl->append(new StringVal(parts[3].c_str()));
vl->append(new StringVal(parts[4].c_str()));
vl->append(new StringVal(parts[5].c_str()));
vl->append(new StringVal(parts[6].c_str()));
if ( parts[7][0] == ':' ) if ( parts[7][0] == ':' )
parts[7] = parts[7].substr(1); parts[7] = parts[7].substr(1);
vl->append(val_mgr->GetInt(atoi(parts[7].c_str())));
vl->append(new StringVal(parts[8].c_str()));
ConnectionEvent(irc_who_line, vl); ConnectionEventFast(irc_who_line, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(parts[0].c_str()),
new StringVal(parts[1].c_str()),
new StringVal(parts[2].c_str()),
new StringVal(parts[3].c_str()),
new StringVal(parts[4].c_str()),
new StringVal(parts[5].c_str()),
new StringVal(parts[6].c_str()),
val_mgr->GetInt(atoi(parts[7].c_str())),
new StringVal(parts[8].c_str()),
});
} }
break; break;
@ -565,10 +560,10 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
case 436: case 436:
if ( irc_invalid_nick ) if ( irc_invalid_nick )
{ {
val_list* vl = new val_list; ConnectionEventFast(irc_invalid_nick, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(orig)); val_mgr->GetBool(orig),
ConnectionEvent(irc_invalid_nick, vl); });
} }
break; break;
@ -577,11 +572,11 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
case 491: // user is not operator case 491: // user is not operator
if ( irc_oper_response ) if ( irc_oper_response )
{ {
val_list* vl = new val_list; ConnectionEventFast(irc_oper_response, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(orig)); val_mgr->GetBool(orig),
vl->append(val_mgr->GetBool(code == 381)); val_mgr->GetBool(code == 381),
ConnectionEvent(irc_oper_response, vl); });
} }
break; break;
@ -592,14 +587,14 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
// All other server replies. // All other server replies.
default: default:
val_list* vl = new val_list; if ( irc_reply )
vl->append(BuildConnVal()); ConnectionEventFast(irc_reply, {
vl->append(val_mgr->GetBool(orig)); BuildConnVal(),
vl->append(new StringVal(prefix.c_str())); val_mgr->GetBool(orig),
vl->append(val_mgr->GetCount(code)); new StringVal(prefix.c_str()),
vl->append(new StringVal(params.c_str())); val_mgr->GetCount(code),
new StringVal(params.c_str()),
ConnectionEvent(irc_reply, vl); });
break; break;
} }
return; return;
@ -662,33 +657,33 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
raw_ip = (10 * raw_ip) + atoi(s.c_str()); raw_ip = (10 * raw_ip) + atoi(s.c_str());
} }
val_list* vl = new val_list;
vl->append(BuildConnVal());
vl->append(val_mgr->GetBool(orig));
vl->append(new StringVal(prefix.c_str()));
vl->append(new StringVal(target.c_str()));
vl->append(new StringVal(parts[1].c_str()));
vl->append(new StringVal(parts[2].c_str()));
vl->append(new AddrVal(htonl(raw_ip)));
vl->append(val_mgr->GetCount(atoi(parts[4].c_str())));
if ( parts.size() >= 6 )
vl->append(val_mgr->GetCount(atoi(parts[5].c_str())));
else
vl->append(val_mgr->GetCount(0));
ConnectionEvent(irc_dcc_message, vl); if ( irc_dcc_message )
ConnectionEventFast(irc_dcc_message, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(prefix.c_str()),
new StringVal(target.c_str()),
new StringVal(parts[1].c_str()),
new StringVal(parts[2].c_str()),
new AddrVal(htonl(raw_ip)),
val_mgr->GetCount(atoi(parts[4].c_str())),
parts.size() >= 6 ?
val_mgr->GetCount(atoi(parts[5].c_str())) :
val_mgr->GetCount(0),
});
} }
else else
{ {
val_list* vl = new val_list; if ( irc_privmsg_message )
vl->append(BuildConnVal()); ConnectionEventFast(irc_privmsg_message, {
vl->append(val_mgr->GetBool(orig)); BuildConnVal(),
vl->append(new StringVal(prefix.c_str())); val_mgr->GetBool(orig),
vl->append(new StringVal(target.c_str())); new StringVal(prefix.c_str()),
vl->append(new StringVal(message.c_str())); new StringVal(target.c_str()),
new StringVal(message.c_str()),
ConnectionEvent(irc_privmsg_message, vl); });
} }
} }
@ -707,14 +702,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( message[0] == ':' ) if ( message[0] == ':' )
message = message.substr(1); message = message.substr(1);
val_list* vl = new val_list; ConnectionEventFast(irc_notice_message, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(orig)); val_mgr->GetBool(orig),
vl->append(new StringVal(prefix.c_str())); new StringVal(prefix.c_str()),
vl->append(new StringVal(target.c_str())); new StringVal(target.c_str()),
vl->append(new StringVal(message.c_str())); new StringVal(message.c_str()),
});
ConnectionEvent(irc_notice_message, vl);
} }
else if ( irc_squery_message && command == "SQUERY" ) else if ( irc_squery_message && command == "SQUERY" )
@ -732,35 +726,34 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( message[0] == ':' ) if ( message[0] == ':' )
message = message.substr(1); message = message.substr(1);
val_list* vl = new val_list; ConnectionEventFast(irc_squery_message, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(orig)); val_mgr->GetBool(orig),
vl->append(new StringVal(prefix.c_str())); new StringVal(prefix.c_str()),
vl->append(new StringVal(target.c_str())); new StringVal(target.c_str()),
vl->append(new StringVal(message.c_str())); new StringVal(message.c_str()),
});
ConnectionEvent(irc_squery_message, vl);
} }
else if ( irc_user_message && command == "USER" ) else if ( irc_user_message && command == "USER" )
{ {
// extract username and real name // extract username and real name
vector<string> parts = SplitWords(params, ' '); vector<string> parts = SplitWords(params, ' ');
val_list* vl = new val_list; val_list vl(6);
vl->append(BuildConnVal()); vl.append(BuildConnVal());
vl->append(val_mgr->GetBool(orig)); vl.append(val_mgr->GetBool(orig));
if ( parts.size() > 0 ) if ( parts.size() > 0 )
vl->append(new StringVal(parts[0].c_str())); vl.append(new StringVal(parts[0].c_str()));
else vl->append(val_mgr->GetEmptyString()); else vl.append(val_mgr->GetEmptyString());
if ( parts.size() > 1 ) if ( parts.size() > 1 )
vl->append(new StringVal(parts[1].c_str())); vl.append(new StringVal(parts[1].c_str()));
else vl->append(val_mgr->GetEmptyString()); else vl.append(val_mgr->GetEmptyString());
if ( parts.size() > 2 ) if ( parts.size() > 2 )
vl->append(new StringVal(parts[2].c_str())); vl.append(new StringVal(parts[2].c_str()));
else vl->append(val_mgr->GetEmptyString()); else vl.append(val_mgr->GetEmptyString());
string realname; string realname;
for ( unsigned int i = 3; i < parts.size(); i++ ) for ( unsigned int i = 3; i < parts.size(); i++ )
@ -771,9 +764,9 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
} }
const char* name = realname.c_str(); const char* name = realname.c_str();
vl->append(new StringVal(*name == ':' ? name + 1 : name)); vl.append(new StringVal(*name == ':' ? name + 1 : name));
ConnectionEvent(irc_user_message, vl); ConnectionEventFast(irc_user_message, std::move(vl));
} }
else if ( irc_oper_message && command == "OPER" ) else if ( irc_oper_message && command == "OPER" )
@ -782,13 +775,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
vector<string> parts = SplitWords(params, ' '); vector<string> parts = SplitWords(params, ' ');
if ( parts.size() == 2 ) if ( parts.size() == 2 )
{ {
val_list* vl = new val_list; ConnectionEventFast(irc_oper_message, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(orig)); val_mgr->GetBool(orig),
vl->append(new StringVal(parts[0].c_str())); new StringVal(parts[0].c_str()),
vl->append(new StringVal(parts[1].c_str())); new StringVal(parts[1].c_str()),
});
ConnectionEvent(irc_oper_message, vl);
} }
else else
@ -805,12 +797,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
return; return;
} }
val_list* vl = new val_list; val_list vl(6);
vl->append(BuildConnVal()); vl.append(BuildConnVal());
vl->append(val_mgr->GetBool(orig)); vl.append(val_mgr->GetBool(orig));
vl->append(new StringVal(prefix.c_str())); vl.append(new StringVal(prefix.c_str()));
vl->append(new StringVal(parts[0].c_str())); vl.append(new StringVal(parts[0].c_str()));
vl->append(new StringVal(parts[1].c_str())); vl.append(new StringVal(parts[1].c_str()));
if ( parts.size() > 2 ) if ( parts.size() > 2 )
{ {
string comment = parts[2]; string comment = parts[2];
@ -820,12 +812,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( comment[0] == ':' ) if ( comment[0] == ':' )
comment = comment.substr(1); comment = comment.substr(1);
vl->append(new StringVal(comment.c_str())); vl.append(new StringVal(comment.c_str()));
} }
else else
vl->append(val_mgr->GetEmptyString()); vl.append(val_mgr->GetEmptyString());
ConnectionEvent(irc_kick_message, vl); ConnectionEventFast(irc_kick_message, std::move(vl));
} }
else if ( irc_join_message && command == "JOIN" ) else if ( irc_join_message && command == "JOIN" )
@ -849,11 +841,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
nickname = prefix.substr(0, pos); nickname = prefix.substr(0, pos);
} }
val_list* vl = new val_list;
vl->append(BuildConnVal());
vl->append(val_mgr->GetBool(orig));
TableVal* list = new TableVal(irc_join_list); TableVal* list = new TableVal(irc_join_list);
vector<string> channels = SplitWords(parts[0], ','); vector<string> channels = SplitWords(parts[0], ',');
vector<string> passwords; vector<string> passwords;
@ -876,9 +865,11 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
Unref(info); Unref(info);
} }
vl->append(list); ConnectionEventFast(irc_join_message, {
BuildConnVal(),
ConnectionEvent(irc_join_message, vl); val_mgr->GetBool(orig),
list,
});
} }
else if ( irc_join_message && command == "NJOIN" ) else if ( irc_join_message && command == "NJOIN" )
@ -895,12 +886,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
parts[1] = parts[1].substr(1); parts[1] = parts[1].substr(1);
vector<string> users = SplitWords(parts[1], ','); vector<string> users = SplitWords(parts[1], ',');
val_list* vl = new val_list;
vl->append(BuildConnVal());
vl->append(val_mgr->GetBool(orig));
TableVal* list = new TableVal(irc_join_list); TableVal* list = new TableVal(irc_join_list);
string empty_string = ""; string empty_string = "";
for ( unsigned int i = 0; i < users.size(); ++i ) for ( unsigned int i = 0; i < users.size(); ++i )
@ -939,9 +926,11 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
Unref(info); Unref(info);
} }
vl->append(list); ConnectionEventFast(irc_join_message, {
BuildConnVal(),
ConnectionEvent(irc_join_message, vl); val_mgr->GetBool(orig),
list,
});
} }
else if ( irc_part_message && command == "PART" ) else if ( irc_part_message && command == "PART" )
@ -977,14 +966,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
Unref(idx); Unref(idx);
} }
val_list* vl = new val_list; ConnectionEventFast(irc_part_message, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(orig)); val_mgr->GetBool(orig),
vl->append(new StringVal(nick.c_str())); new StringVal(nick.c_str()),
vl->append(set); set,
vl->append(new StringVal(message.c_str())); new StringVal(message.c_str()),
});
ConnectionEvent(irc_part_message, vl);
} }
else if ( irc_quit_message && command == "QUIT" ) else if ( irc_quit_message && command == "QUIT" )
@ -1001,13 +989,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
nickname = prefix.substr(0, pos); nickname = prefix.substr(0, pos);
} }
val_list* vl = new val_list; ConnectionEventFast(irc_quit_message, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(orig)); val_mgr->GetBool(orig),
vl->append(new StringVal(nickname.c_str())); new StringVal(nickname.c_str()),
vl->append(new StringVal(message.c_str())); new StringVal(message.c_str()),
});
ConnectionEvent(irc_quit_message, vl);
} }
else if ( irc_nick_message && command == "NICK" ) else if ( irc_nick_message && command == "NICK" )
@ -1016,13 +1003,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( nick[0] == ':' ) if ( nick[0] == ':' )
nick = nick.substr(1); nick = nick.substr(1);
val_list* vl = new val_list; ConnectionEventFast(irc_nick_message, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(orig)); val_mgr->GetBool(orig),
vl->append(new StringVal(prefix.c_str())); new StringVal(prefix.c_str()),
vl->append(new StringVal(nick.c_str())); new StringVal(nick.c_str())
});
ConnectionEvent(irc_nick_message, vl);
} }
else if ( irc_who_message && command == "WHO" ) else if ( irc_who_message && command == "WHO" )
@ -1042,16 +1028,14 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( parts.size() > 0 && parts[0].size() > 0 && parts[0][0] == ':' ) if ( parts.size() > 0 && parts[0].size() > 0 && parts[0][0] == ':' )
parts[0] = parts[0].substr(1); parts[0] = parts[0].substr(1);
val_list* vl = new val_list; ConnectionEventFast(irc_who_message, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(orig)); val_mgr->GetBool(orig),
if ( parts.size() > 0 ) parts.size() > 0 ?
vl->append(new StringVal(parts[0].c_str())); new StringVal(parts[0].c_str()) :
else val_mgr->GetEmptyString(),
vl->append(val_mgr->GetEmptyString()); val_mgr->GetBool(oper),
vl->append(val_mgr->GetBool(oper)); });
ConnectionEvent(irc_who_message, vl);
} }
else if ( irc_whois_message && command == "WHOIS" ) else if ( irc_whois_message && command == "WHOIS" )
@ -1074,26 +1058,25 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
else else
users = parts[0]; users = parts[0];
val_list* vl = new val_list; ConnectionEventFast(irc_whois_message, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(orig)); val_mgr->GetBool(orig),
vl->append(new StringVal(server.c_str())); new StringVal(server.c_str()),
vl->append(new StringVal(users.c_str())); new StringVal(users.c_str()),
});
ConnectionEvent(irc_whois_message, vl);
} }
else if ( irc_error_message && command == "ERROR" ) else if ( irc_error_message && command == "ERROR" )
{ {
val_list* vl = new val_list;
vl->append(BuildConnVal());
vl->append(val_mgr->GetBool(orig));
vl->append(new StringVal(prefix.c_str()));
if ( params[0] == ':' ) if ( params[0] == ':' )
params = params.substr(1); params = params.substr(1);
vl->append(new StringVal(params.c_str()));
ConnectionEvent(irc_error_message, vl); ConnectionEventFast(irc_error_message, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(prefix.c_str()),
new StringVal(params.c_str()),
});
} }
else if ( irc_invite_message && command == "INVITE" ) else if ( irc_invite_message && command == "INVITE" )
@ -1104,14 +1087,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( parts[1].size() > 0 && parts[1][0] == ':' ) if ( parts[1].size() > 0 && parts[1][0] == ':' )
parts[1] = parts[1].substr(1); parts[1] = parts[1].substr(1);
val_list* vl = new val_list; ConnectionEventFast(irc_invite_message, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(orig)); val_mgr->GetBool(orig),
vl->append(new StringVal(prefix.c_str())); new StringVal(prefix.c_str()),
vl->append(new StringVal(parts[0].c_str())); new StringVal(parts[0].c_str()),
vl->append(new StringVal(parts[1].c_str())); new StringVal(parts[1].c_str()),
});
ConnectionEvent(irc_invite_message, vl);
} }
else else
Weird("irc_invalid_invite_message_format"); Weird("irc_invalid_invite_message_format");
@ -1121,13 +1103,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
{ {
if ( params.size() > 0 ) if ( params.size() > 0 )
{ {
val_list* vl = new val_list; ConnectionEventFast(irc_mode_message, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(orig)); val_mgr->GetBool(orig),
vl->append(new StringVal(prefix.c_str())); new StringVal(prefix.c_str()),
vl->append(new StringVal(params.c_str())); new StringVal(params.c_str()),
});
ConnectionEvent(irc_mode_message, vl);
} }
else else
@ -1136,11 +1117,11 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
else if ( irc_password_message && command == "PASS" ) else if ( irc_password_message && command == "PASS" )
{ {
val_list* vl = new val_list; ConnectionEventFast(irc_password_message, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(orig)); val_mgr->GetBool(orig),
vl->append(new StringVal(params.c_str())); new StringVal(params.c_str()),
ConnectionEvent(irc_password_message, vl); });
} }
else if ( irc_squit_message && command == "SQUIT" ) else if ( irc_squit_message && command == "SQUIT" )
@ -1158,14 +1139,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
message = message.substr(1); message = message.substr(1);
} }
val_list* vl = new val_list; ConnectionEventFast(irc_squit_message, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(orig)); val_mgr->GetBool(orig),
vl->append(new StringVal(prefix.c_str())); new StringVal(prefix.c_str()),
vl->append(new StringVal(server.c_str())); new StringVal(server.c_str()),
vl->append(new StringVal(message.c_str())); new StringVal(message.c_str()),
});
ConnectionEvent(irc_squit_message, vl);
} }
@ -1173,14 +1153,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
{ {
if ( irc_request ) if ( irc_request )
{ {
val_list* vl = new val_list; ConnectionEventFast(irc_request, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(orig)); val_mgr->GetBool(orig),
vl->append(new StringVal(prefix.c_str())); new StringVal(prefix.c_str()),
vl->append(new StringVal(command.c_str())); new StringVal(command.c_str()),
vl->append(new StringVal(params.c_str())); new StringVal(params.c_str()),
});
ConnectionEvent(irc_request, vl);
} }
} }
@ -1188,14 +1167,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
{ {
if ( irc_message ) if ( irc_message )
{ {
val_list* vl = new val_list; ConnectionEventFast(irc_message, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(orig)); val_mgr->GetBool(orig),
vl->append(new StringVal(prefix.c_str())); new StringVal(prefix.c_str()),
vl->append(new StringVal(command.c_str())); new StringVal(command.c_str()),
vl->append(new StringVal(params.c_str())); new StringVal(params.c_str()),
});
ConnectionEvent(irc_message, vl);
} }
} }
@ -1224,10 +1202,8 @@ void IRC_Analyzer::StartTLS()
if ( ssl ) if ( ssl )
AddChildAnalyzer(ssl); AddChildAnalyzer(ssl);
val_list* vl = new val_list; if ( irc_starttls )
vl->append(BuildConnVal()); ConnectionEventFast(irc_starttls, {BuildConnVal()});
ConnectionEvent(irc_starttls, vl);
} }
vector<string> IRC_Analyzer::SplitWords(const string input, const char split) vector<string> IRC_Analyzer::SplitWords(const string input, const char split)

80
src/analyzer/protocol/login/Login.cc
View file

@ -289,9 +289,7 @@ void Login_Analyzer::AuthenticationDialog(bool orig, char* line)
{ {
if ( authentication_skipped ) if ( authentication_skipped )
{ {
val_list* vl = new val_list; ConnectionEventFast(authentication_skipped, {BuildConnVal()});
vl->append(BuildConnVal());
ConnectionEvent(authentication_skipped, vl);
} }
state = LOGIN_STATE_SKIP; state = LOGIN_STATE_SKIP;
@ -334,32 +332,26 @@ void Login_Analyzer::SetEnv(bool orig, char* name, char* val)
else if ( login_terminal && streq(name, "TERM") ) else if ( login_terminal && streq(name, "TERM") )
{ {
val_list* vl = new val_list; ConnectionEventFast(login_terminal, {
BuildConnVal(),
vl->append(BuildConnVal()); new StringVal(val),
vl->append(new StringVal(val)); });
ConnectionEvent(login_terminal, vl);
} }
else if ( login_display && streq(name, "DISPLAY") ) else if ( login_display && streq(name, "DISPLAY") )
{ {
val_list* vl = new val_list; ConnectionEventFast(login_display, {
BuildConnVal(),
vl->append(BuildConnVal()); new StringVal(val),
vl->append(new StringVal(val)); });
ConnectionEvent(login_display, vl);
} }
else if ( login_prompt && streq(name, "TTYPROMPT") ) else if ( login_prompt && streq(name, "TTYPROMPT") )
{ {
val_list* vl = new val_list; ConnectionEventFast(login_prompt, {
BuildConnVal(),
vl->append(BuildConnVal()); new StringVal(val),
vl->append(new StringVal(val)); });
ConnectionEvent(login_prompt, vl);
} }
} }
@ -433,15 +425,13 @@ void Login_Analyzer::LoginEvent(EventHandlerPtr f, const char* line,
Val* password = HaveTypeahead() ? Val* password = HaveTypeahead() ?
PopUserTextVal() : new StringVal("<none>"); PopUserTextVal() : new StringVal("<none>");
val_list* vl = new val_list; ConnectionEventFast(f, {
BuildConnVal(),
vl->append(BuildConnVal()); username->Ref(),
vl->append(username->Ref()); client_name ? client_name->Ref() : val_mgr->GetEmptyString(),
vl->append(client_name ? client_name->Ref() : val_mgr->GetEmptyString()); password,
vl->append(password); new StringVal(line),
vl->append(new StringVal(line)); });
ConnectionEvent(f, vl);
} }
const char* Login_Analyzer::GetUsername(const char* line) const const char* Login_Analyzer::GetUsername(const char* line) const
@ -454,12 +444,13 @@ const char* Login_Analyzer::GetUsername(const char* line) const
void Login_Analyzer::LineEvent(EventHandlerPtr f, const char* line) void Login_Analyzer::LineEvent(EventHandlerPtr f, const char* line)
{ {
val_list* vl = new val_list; if ( ! f )
return;
vl->append(BuildConnVal()); ConnectionEventFast(f, {
vl->append(new StringVal(line)); BuildConnVal(),
new StringVal(line),
ConnectionEvent(f, vl); });
} }
@ -469,12 +460,11 @@ void Login_Analyzer::Confused(const char* msg, const char* line)
if ( login_confused ) if ( login_confused )
{ {
val_list* vl = new val_list; ConnectionEventFast(login_confused, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(new StringVal(msg)); new StringVal(msg),
vl->append(new StringVal(line)); new StringVal(line),
});
ConnectionEvent(login_confused, vl);
} }
if ( login_confused_text ) if ( login_confused_text )
@ -496,10 +486,10 @@ void Login_Analyzer::ConfusionText(const char* line)
{ {
if ( login_confused_text ) if ( login_confused_text )
{ {
val_list* vl = new val_list; ConnectionEventFast(login_confused_text, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(new StringVal(line)); new StringVal(line),
ConnectionEvent(login_confused_text, vl); });
} }
} }

9
src/analyzer/protocol/login/NVT.cc
View file

@ -461,11 +461,10 @@ void NVT_Analyzer::SetTerminal(const u_char* terminal, int len)
{ {
if ( login_terminal ) if ( login_terminal )
{ {
val_list* vl = new val_list; ConnectionEventFast(login_terminal, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(new StringVal(new BroString(terminal, len, 0))); new StringVal(new BroString(terminal, len, 0)),
});
ConnectionEvent(login_terminal, vl);
} }
} }

35
src/analyzer/protocol/login/RSH.cc
View file

@ -156,31 +156,38 @@ void Rsh_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{ {
Login_Analyzer::DeliverStream(len, data, orig); Login_Analyzer::DeliverStream(len, data, orig);
if ( orig )
{
if ( ! rsh_request )
return;
}
else
{
if ( ! rsh_reply )
return;
}
val_list vl(4 + orig);
const char* line = (const char*) data; const char* line = (const char*) data;
val_list* vl = new val_list;
line = skip_whitespace(line); line = skip_whitespace(line);
vl->append(BuildConnVal()); vl.append(BuildConnVal());
vl->append(client_name ? client_name->Ref() : new StringVal("<none>")); vl.append(client_name ? client_name->Ref() : new StringVal("<none>"));
vl->append(username ? username->Ref() : new StringVal("<none>")); vl.append(username ? username->Ref() : new StringVal("<none>"));
vl->append(new StringVal(line)); vl.append(new StringVal(line));
if ( orig && rsh_request ) if ( orig )
{ {
if ( contents_orig->RshSaveState() == RSH_SERVER_USER_NAME ) if ( contents_orig->RshSaveState() == RSH_SERVER_USER_NAME )
// First input // First input
vl->append(val_mgr->GetTrue()); vl.append(val_mgr->GetTrue());
else else
vl->append(val_mgr->GetFalse()); vl.append(val_mgr->GetFalse());
ConnectionEvent(rsh_request, vl); ConnectionEventFast(rsh_request, std::move(vl));
} }
else if ( rsh_reply )
ConnectionEvent(rsh_reply, vl);
else else
delete_vals(vl); ConnectionEventFast(rsh_reply, std::move(vl));
} }
void Rsh_Analyzer::ClientUserName(const char* s) void Rsh_Analyzer::ClientUserName(const char* s)

10
src/analyzer/protocol/login/Rlogin.cc
View file

@ -244,11 +244,9 @@ void Rlogin_Analyzer::TerminalType(const char* s)
{ {
if ( login_terminal ) if ( login_terminal )
{ {
val_list* vl = new val_list; ConnectionEventFast(login_terminal, {
BuildConnVal(),
vl->append(BuildConnVal()); new StringVal(s),
vl->append(new StringVal(s)); });
ConnectionEvent(login_terminal, vl);
} }
} }

80
src/analyzer/protocol/mime/MIME.cc
View file

@ -1358,11 +1358,11 @@ void MIME_Mail::Done()
hash_final(md5_hash, digest); hash_final(md5_hash, digest);
md5_hash = nullptr; md5_hash = nullptr;
val_list* vl = new val_list; analyzer->ConnectionEventFast(mime_content_hash, {
vl->append(analyzer->BuildConnVal()); analyzer->BuildConnVal(),
vl->append(val_mgr->GetCount(content_hash_length)); val_mgr->GetCount(content_hash_length),
vl->append(new StringVal(new BroString(1, digest, 16))); new StringVal(new BroString(1, digest, 16)),
analyzer->ConnectionEvent(mime_content_hash, vl); });
} }
MIME_Message::Done(); MIME_Message::Done();
@ -1386,11 +1386,7 @@ void MIME_Mail::BeginEntity(MIME_Entity* /* entity */)
cur_entity_id.clear(); cur_entity_id.clear();
if ( mime_begin_entity ) if ( mime_begin_entity )
{ analyzer->ConnectionEventFast(mime_begin_entity, {analyzer->BuildConnVal()});
val_list* vl = new val_list;
vl->append(analyzer->BuildConnVal());
analyzer->ConnectionEvent(mime_begin_entity, vl);
}
buffer_start = data_start = 0; buffer_start = data_start = 0;
ASSERT(entity_content.size() == 0); ASSERT(entity_content.size() == 0);
@ -1402,12 +1398,11 @@ void MIME_Mail::EndEntity(MIME_Entity* /* entity */)
{ {
BroString* s = concatenate(entity_content); BroString* s = concatenate(entity_content);
val_list* vl = new val_list(); analyzer->ConnectionEventFast(mime_entity_data, {
vl->append(analyzer->BuildConnVal()); analyzer->BuildConnVal(),
vl->append(val_mgr->GetCount(s->Len())); val_mgr->GetCount(s->Len()),
vl->append(new StringVal(s)); new StringVal(s),
});
analyzer->ConnectionEvent(mime_entity_data, vl);
if ( ! mime_all_data ) if ( ! mime_all_data )
delete_strings(entity_content); delete_strings(entity_content);
@ -1416,11 +1411,7 @@ void MIME_Mail::EndEntity(MIME_Entity* /* entity */)
} }
if ( mime_end_entity ) if ( mime_end_entity )
{ analyzer->ConnectionEventFast(mime_end_entity, {analyzer->BuildConnVal()});
val_list* vl = new val_list;
vl->append(analyzer->BuildConnVal());
analyzer->ConnectionEvent(mime_end_entity, vl);
}
file_mgr->EndOfFile(analyzer->GetAnalyzerTag(), analyzer->Conn()); file_mgr->EndOfFile(analyzer->GetAnalyzerTag(), analyzer->Conn());
cur_entity_id.clear(); cur_entity_id.clear();
@ -1430,10 +1421,10 @@ void MIME_Mail::SubmitHeader(MIME_Header* h)
{ {
if ( mime_one_header ) if ( mime_one_header )
{ {
val_list* vl = new val_list(); analyzer->ConnectionEventFast(mime_one_header, {
vl->append(analyzer->BuildConnVal()); analyzer->BuildConnVal(),
vl->append(BuildHeaderVal(h)); BuildHeaderVal(h),
analyzer->ConnectionEvent(mime_one_header, vl); });
} }
} }
@ -1441,10 +1432,10 @@ void MIME_Mail::SubmitAllHeaders(MIME_HeaderList& hlist)
{ {
if ( mime_all_headers ) if ( mime_all_headers )
{ {
val_list* vl = new val_list(); analyzer->ConnectionEventFast(mime_all_headers, {
vl->append(analyzer->BuildConnVal()); analyzer->BuildConnVal(),
vl->append(BuildHeaderTable(hlist)); BuildHeaderTable(hlist),
analyzer->ConnectionEvent(mime_all_headers, vl); });
} }
} }
@ -1478,11 +1469,11 @@ void MIME_Mail::SubmitData(int len, const char* buf)
const char* data = (char*) data_buffer->Bytes() + data_start; const char* data = (char*) data_buffer->Bytes() + data_start;
int data_len = (buf + len) - data; int data_len = (buf + len) - data;
val_list* vl = new val_list(); analyzer->ConnectionEventFast(mime_segment_data, {
vl->append(analyzer->BuildConnVal()); analyzer->BuildConnVal(),
vl->append(val_mgr->GetCount(data_len)); val_mgr->GetCount(data_len),
vl->append(new StringVal(data_len, data)); new StringVal(data_len, data),
analyzer->ConnectionEvent(mime_segment_data, vl); });
} }
cur_entity_id = file_mgr->DataIn(reinterpret_cast<const u_char*>(buf), len, cur_entity_id = file_mgr->DataIn(reinterpret_cast<const u_char*>(buf), len,
@ -1525,12 +1516,11 @@ void MIME_Mail::SubmitAllData()
BroString* s = concatenate(all_content); BroString* s = concatenate(all_content);
delete_strings(all_content); delete_strings(all_content);
val_list* vl = new val_list(); analyzer->ConnectionEventFast(mime_all_data, {
vl->append(analyzer->BuildConnVal()); analyzer->BuildConnVal(),
vl->append(val_mgr->GetCount(s->Len())); val_mgr->GetCount(s->Len()),
vl->append(new StringVal(s)); new StringVal(s),
});
analyzer->ConnectionEvent(mime_all_data, vl);
} }
} }
@ -1555,10 +1545,10 @@ void MIME_Mail::SubmitEvent(int event_type, const char* detail)
if ( mime_event ) if ( mime_event )
{ {
val_list* vl = new val_list(); analyzer->ConnectionEventFast(mime_event, {
vl->append(analyzer->BuildConnVal()); analyzer->BuildConnVal(),
vl->append(new StringVal(category)); new StringVal(category),
vl->append(new StringVal(detail)); new StringVal(detail),
analyzer->ConnectionEvent(mime_event, vl); });
} }
} }

26
src/analyzer/protocol/ncp/NCP.cc
View file

@ -61,21 +61,27 @@ void NCP_Session::DeliverFrame(const binpac::NCP::ncp_frame* frame)
EventHandlerPtr f = frame->is_orig() ? ncp_request : ncp_reply; EventHandlerPtr f = frame->is_orig() ? ncp_request : ncp_reply;
if ( f ) if ( f )
{ {
val_list* vl = new val_list;
vl->append(analyzer->BuildConnVal());
vl->append(val_mgr->GetCount(frame->frame_type()));
vl->append(val_mgr->GetCount(frame->body_length()));
if ( frame->is_orig() ) if ( frame->is_orig() )
vl->append(val_mgr->GetCount(req_func)); {
analyzer->ConnectionEventFast(f, {
analyzer->BuildConnVal(),
val_mgr->GetCount(frame->frame_type()),
val_mgr->GetCount(frame->body_length()),
val_mgr->GetCount(req_func),
});
}
else else
{ {
vl->append(val_mgr->GetCount(req_frame_type)); analyzer->ConnectionEventFast(f, {
vl->append(val_mgr->GetCount(req_func)); analyzer->BuildConnVal(),
vl->append(val_mgr->GetCount(frame->reply()->completion_code())); val_mgr->GetCount(frame->frame_type()),
val_mgr->GetCount(frame->body_length()),
val_mgr->GetCount(req_frame_type),
val_mgr->GetCount(req_func),
val_mgr->GetCount(frame->reply()->completion_code()),
});
} }
analyzer->ConnectionEvent(f, vl);
} }
} }

30
src/analyzer/protocol/netbios/NetbiosSSN.cc
View file

@ -58,12 +58,12 @@ int NetbiosSSN_Interpreter::ParseMessage(unsigned int type, unsigned int flags,
{ {
if ( netbios_session_message ) if ( netbios_session_message )
{ {
val_list* vl = new val_list; analyzer->ConnectionEventFast(netbios_session_message, {
vl->append(analyzer->BuildConnVal()); analyzer->BuildConnVal(),
vl->append(val_mgr->GetBool(is_query)); val_mgr->GetBool(is_query),
vl->append(val_mgr->GetCount(type)); val_mgr->GetCount(type),
vl->append(val_mgr->GetCount(len)); val_mgr->GetCount(len),
analyzer->ConnectionEvent(netbios_session_message, vl); });
} }
switch ( type ) { switch ( type ) {
@ -328,13 +328,19 @@ void NetbiosSSN_Interpreter::Event(EventHandlerPtr event, const u_char* data,
if ( ! event ) if ( ! event )
return; return;
val_list* vl = new val_list;
vl->append(analyzer->BuildConnVal());
if ( is_orig >= 0 ) if ( is_orig >= 0 )
vl->append(val_mgr->GetBool(is_orig)); {
vl->append(new StringVal(new BroString(data, len, 0))); analyzer->ConnectionEventFast(event, {
analyzer->BuildConnVal(),
analyzer->ConnectionEvent(event, vl); val_mgr->GetBool(is_orig),
new StringVal(new BroString(data, len, 0)),
});
}
else
analyzer->ConnectionEventFast(event, {
analyzer->BuildConnVal(),
new StringVal(new BroString(data, len, 0)),
});
} }

9
src/analyzer/protocol/ntlm/ntlm-analyzer.pac
View file

@ -94,6 +94,9 @@ refine connection NTLM_Conn += {
function proc_ntlm_negotiate(val: NTLM_Negotiate): bool function proc_ntlm_negotiate(val: NTLM_Negotiate): bool
%{ %{
if ( ! ntlm_negotiate )
return true;
RecordVal* result = new RecordVal(BifType::Record::NTLM::Negotiate); RecordVal* result = new RecordVal(BifType::Record::NTLM::Negotiate);
result->Assign(0, build_negotiate_flag_record(${val.flags})); result->Assign(0, build_negotiate_flag_record(${val.flags}));
@ -115,6 +118,9 @@ refine connection NTLM_Conn += {
function proc_ntlm_challenge(val: NTLM_Challenge): bool function proc_ntlm_challenge(val: NTLM_Challenge): bool
%{ %{
if ( ! ntlm_challenge )
return true;
RecordVal* result = new RecordVal(BifType::Record::NTLM::Challenge); RecordVal* result = new RecordVal(BifType::Record::NTLM::Challenge);
result->Assign(0, build_negotiate_flag_record(${val.flags})); result->Assign(0, build_negotiate_flag_record(${val.flags}));
@ -136,6 +142,9 @@ refine connection NTLM_Conn += {
function proc_ntlm_authenticate(val: NTLM_Authenticate): bool function proc_ntlm_authenticate(val: NTLM_Authenticate): bool
%{ %{
if ( ! ntlm_authenticate )
return true;
RecordVal* result = new RecordVal(BifType::Record::NTLM::Authenticate); RecordVal* result = new RecordVal(BifType::Record::NTLM::Authenticate);
result->Assign(0, build_negotiate_flag_record(${val.flags})); result->Assign(0, build_negotiate_flag_record(${val.flags}));

14
src/analyzer/protocol/ntp/NTP.cc
View file

@ -62,6 +62,9 @@ void NTP_Analyzer::Message(const u_char* data, int len)
len -= sizeof *ntp_data; len -= sizeof *ntp_data;
data += sizeof *ntp_data; data += sizeof *ntp_data;
if ( ! ntp_message )
return;
RecordVal* msg = new RecordVal(ntp_msg); RecordVal* msg = new RecordVal(ntp_msg);
unsigned int code = ntp_data->status & 0x7; unsigned int code = ntp_data->status & 0x7;
@ -78,12 +81,11 @@ void NTP_Analyzer::Message(const u_char* data, int len)
msg->Assign(9, new Val(LongFloat(ntp_data->rec), TYPE_TIME)); msg->Assign(9, new Val(LongFloat(ntp_data->rec), TYPE_TIME));
msg->Assign(10, new Val(LongFloat(ntp_data->xmt), TYPE_TIME)); msg->Assign(10, new Val(LongFloat(ntp_data->xmt), TYPE_TIME));
val_list* vl = new val_list; ConnectionEventFast(ntp_message, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(msg); msg,
vl->append(new StringVal(new BroString(data, len, 0))); new StringVal(new BroString(data, len, 0)),
});
ConnectionEvent(ntp_message, vl);
} }
double NTP_Analyzer::ShortFloat(struct s_fixedpt fp) double NTP_Analyzer::ShortFloat(struct s_fixedpt fp)

18
src/analyzer/protocol/pop3/POP3.cc
View file

@ -833,10 +833,8 @@ void POP3_Analyzer::StartTLS()
if ( ssl ) if ( ssl )
AddChildAnalyzer(ssl); AddChildAnalyzer(ssl);
val_list* vl = new val_list; if ( pop3_starttls )
vl->append(BuildConnVal()); ConnectionEventFast(pop3_starttls, {BuildConnVal()});
ConnectionEvent(pop3_starttls, vl);
} }
void POP3_Analyzer::AuthSuccessfull() void POP3_Analyzer::AuthSuccessfull()
@ -926,14 +924,14 @@ void POP3_Analyzer::POP3Event(EventHandlerPtr event, bool is_orig,
if ( ! event ) if ( ! event )
return; return;
val_list* vl = new val_list; val_list vl(2 + (bool)arg1 + (bool)arg2);
vl->append(BuildConnVal()); vl.append(BuildConnVal());
vl->append(val_mgr->GetBool(is_orig)); vl.append(val_mgr->GetBool(is_orig));
if ( arg1 ) if ( arg1 )
vl->append(new StringVal(arg1)); vl.append(new StringVal(arg1));
if ( arg2 ) if ( arg2 )
vl->append(new StringVal(arg2)); vl.append(new StringVal(arg2));
ConnectionEvent(event, vl); ConnectionEventFast(event, std::move(vl));
} }

24
src/analyzer/protocol/rfb/rfb-analyzer.pac
View file

@ -1,7 +1,8 @@
refine flow RFB_Flow += { refine flow RFB_Flow += {
function proc_rfb_message(msg: RFB_PDU): bool function proc_rfb_message(msg: RFB_PDU): bool
%{ %{
BifEvent::generate_rfb_event(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn()); if ( rfb_event )
BifEvent::generate_rfb_event(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn());
return true; return true;
%} %}
@ -9,44 +10,51 @@ refine flow RFB_Flow += {
%{ %{
if (client) if (client)
{ {
BifEvent::generate_rfb_client_version(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), bytestring_to_val(major), bytestring_to_val(minor)); if ( rfb_client_version )
BifEvent::generate_rfb_client_version(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), bytestring_to_val(major), bytestring_to_val(minor));
connection()->bro_analyzer()->ProtocolConfirmation(); connection()->bro_analyzer()->ProtocolConfirmation();
} }
else else
{ {
BifEvent::generate_rfb_server_version(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), bytestring_to_val(major), bytestring_to_val(minor)); if ( rfb_server_version )
BifEvent::generate_rfb_server_version(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), bytestring_to_val(major), bytestring_to_val(minor));
} }
return true; return true;
%} %}
function proc_rfb_share_flag(shared: bool) : bool function proc_rfb_share_flag(shared: bool) : bool
%{ %{
BifEvent::generate_rfb_share_flag(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), shared); if ( rfb_share_flag )
BifEvent::generate_rfb_share_flag(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), shared);
return true; return true;
%} %}
function proc_security_types(msg: RFBSecurityTypes) : bool function proc_security_types(msg: RFBSecurityTypes) : bool
%{ %{
BifEvent::generate_rfb_authentication_type(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), ${msg.sectype}); if ( rfb_authentication_type )
BifEvent::generate_rfb_authentication_type(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), ${msg.sectype});
return true; return true;
%} %}
function proc_security_types37(msg: RFBAuthTypeSelected) : bool function proc_security_types37(msg: RFBAuthTypeSelected) : bool
%{ %{
BifEvent::generate_rfb_authentication_type(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), ${msg.type}); if ( rfb_authentication_type )
BifEvent::generate_rfb_authentication_type(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), ${msg.type});
return true; return true;
%} %}
function proc_handle_server_params(msg:RFBServerInit) : bool function proc_handle_server_params(msg:RFBServerInit) : bool
%{ %{
BifEvent::generate_rfb_server_parameters(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), bytestring_to_val(${msg.name}), ${msg.width}, ${msg.height}); if ( rfb_server_parameters )
BifEvent::generate_rfb_server_parameters(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), bytestring_to_val(${msg.name}), ${msg.width}, ${msg.height});
return true; return true;
%} %}
function proc_handle_security_result(result : uint32) : bool function proc_handle_security_result(result : uint32) : bool
%{ %{
BifEvent::generate_rfb_auth_result(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), result); if ( rfb_auth_result )
BifEvent::generate_rfb_auth_result(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), result);
return true; return true;
%} %}
}; };

28
src/analyzer/protocol/rpc/MOUNT.cc
View file

@ -93,9 +93,9 @@ int MOUNT_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status
if ( mount_reply_status ) if ( mount_reply_status )
{ {
val_list* vl = event_common_vl(c, rpc_status, mount_status, auto vl = event_common_vl(c, rpc_status, mount_status,
start_time, last_time, reply_len); start_time, last_time, reply_len, 0);
analyzer->ConnectionEvent(mount_reply_status, vl); analyzer->ConnectionEventFast(mount_reply_status, std::move(vl));
} }
if ( ! rpc_success ) if ( ! rpc_success )
@ -162,34 +162,34 @@ int MOUNT_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status
// optional and all are set to 0 ... // optional and all are set to 0 ...
if ( event ) if ( event )
{ {
val_list* vl = event_common_vl(c, rpc_status, mount_status,
start_time, last_time, reply_len);
Val *request = c->TakeRequestVal(); Val *request = c->TakeRequestVal();
auto vl = event_common_vl(c, rpc_status, mount_status,
start_time, last_time, reply_len, (bool)request + (bool)reply);
if ( request ) if ( request )
vl->append(request); vl.append(request);
if ( reply ) if ( reply )
vl->append(reply); vl.append(reply);
analyzer->ConnectionEvent(event, vl); analyzer->ConnectionEventFast(event, std::move(vl));
} }
else else
Unref(reply); Unref(reply);
return 1; return 1;
} }
val_list* MOUNT_Interp::event_common_vl(RPC_CallInfo *c, val_list MOUNT_Interp::event_common_vl(RPC_CallInfo *c,
BifEnum::rpc_status rpc_status, BifEnum::rpc_status rpc_status,
BifEnum::MOUNT3::status_t mount_status, BifEnum::MOUNT3::status_t mount_status,
double rep_start_time, double rep_start_time,
double rep_last_time, int reply_len) double rep_last_time, int reply_len, int extra_elements)
{ {
// Returns a new val_list that already has a conn_val, and mount3_info. // Returns a new val_list that already has a conn_val, and mount3_info.
// These are the first parameters for each mount_* event ... // These are the first parameters for each mount_* event ...
val_list *vl = new val_list; val_list vl(2 + extra_elements);
vl->append(analyzer->BuildConnVal()); vl.append(analyzer->BuildConnVal());
VectorVal* auxgids = new VectorVal(internal_type("index_vec")->AsVectorType()); VectorVal* auxgids = new VectorVal(internal_type("index_vec")->AsVectorType());
for (size_t i = 0; i < c->AuxGIDs().size(); ++i) for (size_t i = 0; i < c->AuxGIDs().size(); ++i)
@ -212,7 +212,7 @@ val_list* MOUNT_Interp::event_common_vl(RPC_CallInfo *c,
info->Assign(11, new StringVal(c->MachineName())); info->Assign(11, new StringVal(c->MachineName()));
info->Assign(12, auxgids); info->Assign(12, auxgids);
vl->append(info); vl.append(info);
return vl; return vl;
} }

4
src/analyzer/protocol/rpc/MOUNT.h
View file

@ -22,10 +22,10 @@ protected:
// Returns a new val_list that already has a conn_val, rpc_status and // Returns a new val_list that already has a conn_val, rpc_status and
// mount_status. These are the first parameters for each mount_* event // mount_status. These are the first parameters for each mount_* event
// ... // ...
val_list* event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status, val_list event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status,
BifEnum::MOUNT3::status_t mount_status, BifEnum::MOUNT3::status_t mount_status,
double rep_start_time, double rep_last_time, double rep_start_time, double rep_last_time,
int reply_len); int reply_len, int extra_elements);
// These methods parse the appropriate MOUNTv3 "type" out of buf. If // These methods parse the appropriate MOUNTv3 "type" out of buf. If
// there are any errors (i.e., buffer to short, etc), buf will be set // there are any errors (i.e., buffer to short, etc), buf will be set

28
src/analyzer/protocol/rpc/NFS.cc
View file

@ -147,9 +147,9 @@ int NFS_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status,
if ( nfs_reply_status ) if ( nfs_reply_status )
{ {
val_list* vl = event_common_vl(c, rpc_status, nfs_status, auto vl = event_common_vl(c, rpc_status, nfs_status,
start_time, last_time, reply_len); start_time, last_time, reply_len, 0);
analyzer->ConnectionEvent(nfs_reply_status, vl); analyzer->ConnectionEventFast(nfs_reply_status, std::move(vl));
} }
if ( ! rpc_success ) if ( ! rpc_success )
@ -274,18 +274,18 @@ int NFS_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status,
// optional and all are set to 0 ... // optional and all are set to 0 ...
if ( event ) if ( event )
{ {
val_list* vl = event_common_vl(c, rpc_status, nfs_status,
start_time, last_time, reply_len);
Val *request = c->TakeRequestVal(); Val *request = c->TakeRequestVal();
auto vl = event_common_vl(c, rpc_status, nfs_status,
start_time, last_time, reply_len, (bool)request + (bool)reply);
if ( request ) if ( request )
vl->append(request); vl.append(request);
if ( reply ) if ( reply )
vl->append(reply); vl.append(reply);
analyzer->ConnectionEvent(event, vl); analyzer->ConnectionEventFast(event, std::move(vl));
} }
else else
Unref(reply); Unref(reply);
@ -317,15 +317,15 @@ StringVal* NFS_Interp::nfs3_file_data(const u_char*& buf, int& n, uint64_t offse
return 0; return 0;
} }
val_list* NFS_Interp::event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status, val_list NFS_Interp::event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status,
BifEnum::NFS3::status_t nfs_status, BifEnum::NFS3::status_t nfs_status,
double rep_start_time, double rep_start_time,
double rep_last_time, int reply_len) double rep_last_time, int reply_len, int extra_elements)
{ {
// Returns a new val_list that already has a conn_val, and nfs3_info. // Returns a new val_list that already has a conn_val, and nfs3_info.
// These are the first parameters for each nfs_* event ... // These are the first parameters for each nfs_* event ...
val_list *vl = new val_list; val_list vl(2 + extra_elements);
vl->append(analyzer->BuildConnVal()); vl.append(analyzer->BuildConnVal());
VectorVal* auxgids = new VectorVal(internal_type("index_vec")->AsVectorType()); VectorVal* auxgids = new VectorVal(internal_type("index_vec")->AsVectorType());
for ( size_t i = 0; i < c->AuxGIDs().size(); ++i ) for ( size_t i = 0; i < c->AuxGIDs().size(); ++i )
@ -346,7 +346,7 @@ val_list* NFS_Interp::event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_s
info->Assign(11, new StringVal(c->MachineName())); info->Assign(11, new StringVal(c->MachineName()));
info->Assign(12, auxgids); info->Assign(12, auxgids);
vl->append(info); vl.append(info);
return vl; return vl;
} }

4
src/analyzer/protocol/rpc/NFS.h
View file

@ -22,10 +22,10 @@ protected:
// Returns a new val_list that already has a conn_val, rpc_status and // Returns a new val_list that already has a conn_val, rpc_status and
// nfs_status. These are the first parameters for each nfs_* event // nfs_status. These are the first parameters for each nfs_* event
// ... // ...
val_list* event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status, val_list event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status,
BifEnum::NFS3::status_t nfs_status, BifEnum::NFS3::status_t nfs_status,
double rep_start_time, double rep_last_time, double rep_start_time, double rep_last_time,
int reply_len); int reply_len, int extra_elements);
// These methods parse the appropriate NFSv3 "type" out of buf. If // These methods parse the appropriate NFSv3 "type" out of buf. If
// there are any errors (i.e., buffer to short, etc), buf will be set // there are any errors (i.e., buffer to short, etc), buf will be set

22
src/analyzer/protocol/rpc/Portmap.cc
View file

@ -261,10 +261,10 @@ uint32 PortmapperInterp::CheckPort(uint32 port)
{ {
if ( pm_bad_port ) if ( pm_bad_port )
{ {
val_list* vl = new val_list; analyzer->ConnectionEventFast(pm_bad_port, {
vl->append(analyzer->BuildConnVal()); analyzer->BuildConnVal(),
vl->append(val_mgr->GetCount(port)); val_mgr->GetCount(port),
analyzer->ConnectionEvent(pm_bad_port, vl); });
} }
port = 0; port = 0;
@ -282,25 +282,25 @@ void PortmapperInterp::Event(EventHandlerPtr f, Val* request, BifEnum::rpc_statu
return; return;
} }
val_list* vl = new val_list; val_list vl;
vl->append(analyzer->BuildConnVal()); vl.append(analyzer->BuildConnVal());
if ( status == BifEnum::RPC_SUCCESS ) if ( status == BifEnum::RPC_SUCCESS )
{ {
if ( request ) if ( request )
vl->append(request); vl.append(request);
if ( reply ) if ( reply )
vl->append(reply); vl.append(reply);
} }
else else
{ {
vl->append(BifType::Enum::rpc_status->GetVal(status)); vl.append(BifType::Enum::rpc_status->GetVal(status));
if ( request ) if ( request )
vl->append(request); vl.append(request);
} }
analyzer->ConnectionEvent(f, vl); analyzer->ConnectionEventFast(f, std::move(vl));
} }
Portmapper_Analyzer::Portmapper_Analyzer(Connection* conn) Portmapper_Analyzer::Portmapper_Analyzer(Connection* conn)

48
src/analyzer/protocol/rpc/RPC.cc
View file

@ -330,16 +330,16 @@ void RPC_Interpreter::Event_RPC_Dialogue(RPC_CallInfo* c, BifEnum::rpc_status st
{ {
if ( rpc_dialogue ) if ( rpc_dialogue )
{ {
val_list* vl = new val_list; analyzer->ConnectionEventFast(rpc_dialogue, {
vl->append(analyzer->BuildConnVal()); analyzer->BuildConnVal(),
vl->append(val_mgr->GetCount(c->Program())); val_mgr->GetCount(c->Program()),
vl->append(val_mgr->GetCount(c->Version())); val_mgr->GetCount(c->Version()),
vl->append(val_mgr->GetCount(c->Proc())); val_mgr->GetCount(c->Proc()),
vl->append(BifType::Enum::rpc_status->GetVal(status)); BifType::Enum::rpc_status->GetVal(status),
vl->append(new Val(c->StartTime(), TYPE_TIME)); new Val(c->StartTime(), TYPE_TIME),
vl->append(val_mgr->GetCount(c->CallLen())); val_mgr->GetCount(c->CallLen()),
vl->append(val_mgr->GetCount(reply_len)); val_mgr->GetCount(reply_len),
analyzer->ConnectionEvent(rpc_dialogue, vl); });
} }
} }
@ -347,14 +347,14 @@ void RPC_Interpreter::Event_RPC_Call(RPC_CallInfo* c)
{ {
if ( rpc_call ) if ( rpc_call )
{ {
val_list* vl = new val_list; analyzer->ConnectionEventFast(rpc_call, {
vl->append(analyzer->BuildConnVal()); analyzer->BuildConnVal(),
vl->append(val_mgr->GetCount(c->XID())); val_mgr->GetCount(c->XID()),
vl->append(val_mgr->GetCount(c->Program())); val_mgr->GetCount(c->Program()),
vl->append(val_mgr->GetCount(c->Version())); val_mgr->GetCount(c->Version()),
vl->append(val_mgr->GetCount(c->Proc())); val_mgr->GetCount(c->Proc()),
vl->append(val_mgr->GetCount(c->CallLen())); val_mgr->GetCount(c->CallLen()),
analyzer->ConnectionEvent(rpc_call, vl); });
} }
} }
@ -362,12 +362,12 @@ void RPC_Interpreter::Event_RPC_Reply(uint32_t xid, BifEnum::rpc_status status,
{ {
if ( rpc_reply ) if ( rpc_reply )
{ {
val_list* vl = new val_list; analyzer->ConnectionEventFast(rpc_reply, {
vl->append(analyzer->BuildConnVal()); analyzer->BuildConnVal(),
vl->append(val_mgr->GetCount(xid)); val_mgr->GetCount(xid),
vl->append(BifType::Enum::rpc_status->GetVal(status)); BifType::Enum::rpc_status->GetVal(status),
vl->append(val_mgr->GetCount(reply_len)); val_mgr->GetCount(reply_len),
analyzer->ConnectionEvent(rpc_reply, vl); });
} }
} }

6
src/analyzer/protocol/smb/smb1-com-nt-create-andx.pac
View file

@ -6,8 +6,10 @@ refine connection SMB_Conn += {
BifConst::SMB::pipe_filenames->AsTable()->Lookup(filename->CheckString()) ) BifConst::SMB::pipe_filenames->AsTable()->Lookup(filename->CheckString()) )
{ {
set_tree_is_pipe(${header.tid}); set_tree_is_pipe(${header.tid});
BifEvent::generate_smb_pipe_connect_heuristic(bro_analyzer(),
bro_analyzer()->Conn()); if ( smb_pipe_connect_heuristic )
BifEvent::generate_smb_pipe_connect_heuristic(bro_analyzer(),
bro_analyzer()->Conn());
} }
if ( smb1_nt_create_andx_request ) if ( smb1_nt_create_andx_request )

7
src/analyzer/protocol/smb/smb1-protocol.pac
View file

@ -66,9 +66,10 @@ refine connection SMB_Conn += {
} }
else else
{ {
BifEvent::generate_smb1_error(bro_analyzer(), if ( smb1_error )
bro_analyzer()->Conn(), BifEvent::generate_smb1_error(bro_analyzer(),
BuildHeaderVal(h), is_orig); bro_analyzer()->Conn(),
BuildHeaderVal(h), is_orig);
} }
return true; return true;
%} %}

6
src/analyzer/protocol/smb/smb2-com-create.pac
View file

@ -7,8 +7,10 @@ refine connection SMB_Conn += {
BifConst::SMB::pipe_filenames->AsTable()->Lookup(filename->CheckString()) ) BifConst::SMB::pipe_filenames->AsTable()->Lookup(filename->CheckString()) )
{ {
set_tree_is_pipe(${h.tree_id}); set_tree_is_pipe(${h.tree_id});
BifEvent::generate_smb_pipe_connect_heuristic(bro_analyzer(),
bro_analyzer()->Conn()); if ( smb_pipe_connect_heuristic )
BifEvent::generate_smb_pipe_connect_heuristic(bro_analyzer(),
bro_analyzer()->Conn());
} }
if ( smb2_create_request ) if ( smb2_create_request )

60
src/analyzer/protocol/smtp/SMTP.cc
View file

@ -220,11 +220,11 @@ void SMTP_Analyzer::ProcessLine(int length, const char* line, bool orig)
if ( smtp_data && ! skip_data ) if ( smtp_data && ! skip_data )
{ {
val_list* vl = new val_list; ConnectionEventFast(smtp_data, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(orig)); val_mgr->GetBool(orig),
vl->append(new StringVal(data_len, line)); new StringVal(data_len, line),
ConnectionEvent(smtp_data, vl); });
} }
} }
@ -350,15 +350,14 @@ void SMTP_Analyzer::ProcessLine(int length, const char* line, bool orig)
break; break;
} }
val_list* vl = new val_list; ConnectionEventFast(smtp_reply, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(orig)); val_mgr->GetBool(orig),
vl->append(val_mgr->GetCount(reply_code)); val_mgr->GetCount(reply_code),
vl->append(new StringVal(cmd)); new StringVal(cmd),
vl->append(new StringVal(end_of_line - line, line)); new StringVal(end_of_line - line, line),
vl->append(val_mgr->GetBool((pending_reply > 0))); val_mgr->GetBool((pending_reply > 0)),
});
ConnectionEvent(smtp_reply, vl);
} }
} }
@ -411,10 +410,8 @@ void SMTP_Analyzer::StartTLS()
if ( ssl ) if ( ssl )
AddChildAnalyzer(ssl); AddChildAnalyzer(ssl);
val_list* vl = new val_list; if ( smtp_starttls )
vl->append(BuildConnVal()); ConnectionEventFast(smtp_starttls, {BuildConnVal()});
ConnectionEvent(smtp_starttls, vl);
} }
@ -856,14 +853,14 @@ void SMTP_Analyzer::RequestEvent(int cmd_len, const char* cmd,
int arg_len, const char* arg) int arg_len, const char* arg)
{ {
ProtocolConfirmation(); ProtocolConfirmation();
val_list* vl = new val_list;
vl->append(BuildConnVal()); if ( smtp_request )
vl->append(val_mgr->GetBool(orig_is_sender)); ConnectionEventFast(smtp_request, {
vl->append((new StringVal(cmd_len, cmd))->ToUpper()); BuildConnVal(),
vl->append(new StringVal(arg_len, arg)); val_mgr->GetBool(orig_is_sender),
(new StringVal(cmd_len, cmd))->ToUpper(),
ConnectionEvent(smtp_request, vl); new StringVal(arg_len, arg),
});
} }
void SMTP_Analyzer::Unexpected(const int is_sender, const char* msg, void SMTP_Analyzer::Unexpected(const int is_sender, const char* msg,
@ -874,17 +871,16 @@ void SMTP_Analyzer::Unexpected(const int is_sender, const char* msg,
if ( smtp_unexpected ) if ( smtp_unexpected )
{ {
val_list* vl = new val_list;
int is_orig = is_sender; int is_orig = is_sender;
if ( ! orig_is_sender ) if ( ! orig_is_sender )
is_orig = ! is_orig; is_orig = ! is_orig;
vl->append(BuildConnVal()); ConnectionEventFast(smtp_unexpected, {
vl->append(val_mgr->GetBool(is_orig)); BuildConnVal(),
vl->append(new StringVal(msg)); val_mgr->GetBool(is_orig),
vl->append(new StringVal(detail_len, detail)); new StringVal(msg),
new StringVal(detail_len, detail),
ConnectionEvent(smtp_unexpected, vl); });
} }
} }

87
src/analyzer/protocol/socks/socks-analyzer.pac
View file

@ -22,18 +22,22 @@ refine connection SOCKS_Conn += {
function socks4_request(request: SOCKS4_Request): bool function socks4_request(request: SOCKS4_Request): bool
%{ %{
RecordVal* sa = new RecordVal(socks_address); if ( socks_request )
sa->Assign(0, new AddrVal(htonl(${request.addr}))); {
if ( ${request.v4a} ) RecordVal* sa = new RecordVal(socks_address);
sa->Assign(1, array_to_string(${request.name})); sa->Assign(0, new AddrVal(htonl(${request.addr})));
BifEvent::generate_socks_request(bro_analyzer(), if ( ${request.v4a} )
bro_analyzer()->Conn(), sa->Assign(1, array_to_string(${request.name}));
4,
${request.command}, BifEvent::generate_socks_request(bro_analyzer(),
sa, bro_analyzer()->Conn(),
val_mgr->GetPort(${request.port}, TRANSPORT_TCP), 4,
array_to_string(${request.user})); ${request.command},
sa,
val_mgr->GetPort(${request.port}, TRANSPORT_TCP),
array_to_string(${request.user}));
}
static_cast<analyzer::socks::SOCKS_Analyzer*>(bro_analyzer())->EndpointDone(true); static_cast<analyzer::socks::SOCKS_Analyzer*>(bro_analyzer())->EndpointDone(true);
@ -42,15 +46,18 @@ refine connection SOCKS_Conn += {
function socks4_reply(reply: SOCKS4_Reply): bool function socks4_reply(reply: SOCKS4_Reply): bool
%{ %{
RecordVal* sa = new RecordVal(socks_address); if ( socks_reply )
sa->Assign(0, new AddrVal(htonl(${reply.addr}))); {
RecordVal* sa = new RecordVal(socks_address);
sa->Assign(0, new AddrVal(htonl(${reply.addr})));
BifEvent::generate_socks_reply(bro_analyzer(), BifEvent::generate_socks_reply(bro_analyzer(),
bro_analyzer()->Conn(), bro_analyzer()->Conn(),
4, 4,
${reply.status}, ${reply.status},
sa, sa,
val_mgr->GetPort(${reply.port}, TRANSPORT_TCP)); val_mgr->GetPort(${reply.port}, TRANSPORT_TCP));
}
bro_analyzer()->ProtocolConfirmation(); bro_analyzer()->ProtocolConfirmation();
static_cast<analyzer::socks::SOCKS_Analyzer*>(bro_analyzer())->EndpointDone(false); static_cast<analyzer::socks::SOCKS_Analyzer*>(bro_analyzer())->EndpointDone(false);
@ -97,13 +104,16 @@ refine connection SOCKS_Conn += {
return false; return false;
} }
BifEvent::generate_socks_request(bro_analyzer(), if ( socks_request )
bro_analyzer()->Conn(), BifEvent::generate_socks_request(bro_analyzer(),
5, bro_analyzer()->Conn(),
${request.command}, 5,
sa, ${request.command},
val_mgr->GetPort(${request.port}, TRANSPORT_TCP), sa,
val_mgr->GetEmptyString()); val_mgr->GetPort(${request.port}, TRANSPORT_TCP),
val_mgr->GetEmptyString());
else
Unref(sa);
static_cast<analyzer::socks::SOCKS_Analyzer*>(bro_analyzer())->EndpointDone(true); static_cast<analyzer::socks::SOCKS_Analyzer*>(bro_analyzer())->EndpointDone(true);
@ -136,12 +146,15 @@ refine connection SOCKS_Conn += {
return false; return false;
} }
BifEvent::generate_socks_reply(bro_analyzer(), if ( socks_reply )
bro_analyzer()->Conn(), BifEvent::generate_socks_reply(bro_analyzer(),
5, bro_analyzer()->Conn(),
${reply.reply}, 5,
sa, ${reply.reply},
val_mgr->GetPort(${reply.port}, TRANSPORT_TCP)); sa,
val_mgr->GetPort(${reply.port}, TRANSPORT_TCP));
else
Unref(sa);
bro_analyzer()->ProtocolConfirmation(); bro_analyzer()->ProtocolConfirmation();
static_cast<analyzer::socks::SOCKS_Analyzer*>(bro_analyzer())->EndpointDone(false); static_cast<analyzer::socks::SOCKS_Analyzer*>(bro_analyzer())->EndpointDone(false);
@ -150,6 +163,9 @@ refine connection SOCKS_Conn += {
function socks5_auth_request_userpass(request: SOCKS5_Auth_Request_UserPass_v1): bool function socks5_auth_request_userpass(request: SOCKS5_Auth_Request_UserPass_v1): bool
%{ %{
if ( ! socks_login_userpass_request )
return true;
StringVal* user = new StringVal(${request.username}.length(), (const char*) ${request.username}.begin()); StringVal* user = new StringVal(${request.username}.length(), (const char*) ${request.username}.begin());
StringVal* pass = new StringVal(${request.password}.length(), (const char*) ${request.password}.begin()); StringVal* pass = new StringVal(${request.password}.length(), (const char*) ${request.password}.begin());
@ -173,9 +189,10 @@ refine connection SOCKS_Conn += {
function socks5_auth_reply_userpass(reply: SOCKS5_Auth_Reply_UserPass_v1): bool function socks5_auth_reply_userpass(reply: SOCKS5_Auth_Reply_UserPass_v1): bool
%{ %{
BifEvent::generate_socks_login_userpass_reply(bro_analyzer(), if ( socks_login_userpass_reply )
bro_analyzer()->Conn(), BifEvent::generate_socks_login_userpass_reply(bro_analyzer(),
${reply.code}); bro_analyzer()->Conn(),
${reply.code});
return true; return true;
%} %}

4
src/analyzer/protocol/ssl/ssl-analyzer.pac
View file

@ -17,8 +17,8 @@ refine connection SSL_Conn += {
function proc_v2_client_master_key(rec: SSLRecord, cipher_kind: int) : bool function proc_v2_client_master_key(rec: SSLRecord, cipher_kind: int) : bool
%{ %{
BifEvent::generate_ssl_established(bro_analyzer(), if ( ssl_established )
bro_analyzer()->Conn()); BifEvent::generate_ssl_established(bro_analyzer(), bro_analyzer()->Conn());
return true; return true;
%} %}

21
src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac
View file

@ -31,8 +31,9 @@ refine connection SSL_Conn += {
function proc_alert(rec: SSLRecord, level : int, desc : int) : bool function proc_alert(rec: SSLRecord, level : int, desc : int) : bool
%{ %{
BifEvent::generate_ssl_alert(bro_analyzer(), bro_analyzer()->Conn(), if ( ssl_alert )
${rec.is_orig}, level, desc); BifEvent::generate_ssl_alert(bro_analyzer(), bro_analyzer()->Conn(),
${rec.is_orig}, level, desc);
return true; return true;
%} %}
function proc_unknown_record(rec: SSLRecord) : bool function proc_unknown_record(rec: SSLRecord) : bool
@ -50,8 +51,8 @@ refine connection SSL_Conn += {
established_ == false ) established_ == false )
{ {
established_ = true; established_ = true;
BifEvent::generate_ssl_established(bro_analyzer(), if ( ssl_established )
bro_analyzer()->Conn()); BifEvent::generate_ssl_established(bro_analyzer(), bro_analyzer()->Conn());
} }
if ( ssl_encrypted_data ) if ( ssl_encrypted_data )
@ -72,9 +73,10 @@ refine connection SSL_Conn += {
function proc_heartbeat(rec : SSLRecord, type: uint8, payload_length: uint16, data: bytestring) : bool function proc_heartbeat(rec : SSLRecord, type: uint8, payload_length: uint16, data: bytestring) : bool
%{ %{
BifEvent::generate_ssl_heartbeat(bro_analyzer(), if ( ssl_heartbeat )
bro_analyzer()->Conn(), ${rec.is_orig}, ${rec.length}, type, payload_length, BifEvent::generate_ssl_heartbeat(bro_analyzer(),
new StringVal(data.length(), (const char*) data.data())); bro_analyzer()->Conn(), ${rec.is_orig}, ${rec.length}, type, payload_length,
new StringVal(data.length(), (const char*) data.data()));
return true; return true;
%} %}
@ -93,8 +95,9 @@ refine connection SSL_Conn += {
function proc_ccs(rec: SSLRecord) : bool function proc_ccs(rec: SSLRecord) : bool
%{ %{
BifEvent::generate_ssl_change_cipher_spec(bro_analyzer(), if ( ssl_change_cipher_spec )
bro_analyzer()->Conn(), ${rec.is_orig}); BifEvent::generate_ssl_change_cipher_spec(bro_analyzer(),
bro_analyzer()->Conn(), ${rec.is_orig});
return true; return true;
%} %}

172
src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
View file

@ -72,6 +72,9 @@ refine connection Handshake_Conn += {
function proc_ec_point_formats(rec: HandshakeRecord, point_format_list: uint8[]) : bool function proc_ec_point_formats(rec: HandshakeRecord, point_format_list: uint8[]) : bool
%{ %{
if ( ! ssl_extension_ec_point_formats )
return true;
VectorVal* points = new VectorVal(internal_type("index_vec")->AsVectorType()); VectorVal* points = new VectorVal(internal_type("index_vec")->AsVectorType());
if ( point_format_list ) if ( point_format_list )
@ -88,6 +91,9 @@ refine connection Handshake_Conn += {
function proc_elliptic_curves(rec: HandshakeRecord, list: uint16[]) : bool function proc_elliptic_curves(rec: HandshakeRecord, list: uint16[]) : bool
%{ %{
if ( ! ssl_extension_elliptic_curves )
return true;
VectorVal* curves = new VectorVal(internal_type("index_vec")->AsVectorType()); VectorVal* curves = new VectorVal(internal_type("index_vec")->AsVectorType());
if ( list ) if ( list )
@ -104,6 +110,9 @@ refine connection Handshake_Conn += {
function proc_client_key_share(rec: HandshakeRecord, keyshare: KeyShareEntry[]) : bool function proc_client_key_share(rec: HandshakeRecord, keyshare: KeyShareEntry[]) : bool
%{ %{
if ( ! ssl_extension_key_share )
return true;
VectorVal* nglist = new VectorVal(internal_type("index_vec")->AsVectorType()); VectorVal* nglist = new VectorVal(internal_type("index_vec")->AsVectorType());
if ( keyshare ) if ( keyshare )
@ -113,11 +122,15 @@ refine connection Handshake_Conn += {
} }
BifEvent::generate_ssl_extension_key_share(bro_analyzer(), bro_analyzer()->Conn(), ${rec.is_orig}, nglist); BifEvent::generate_ssl_extension_key_share(bro_analyzer(), bro_analyzer()->Conn(), ${rec.is_orig}, nglist);
return true; return true;
%} %}
function proc_server_key_share(rec: HandshakeRecord, keyshare: KeyShareEntry) : bool function proc_server_key_share(rec: HandshakeRecord, keyshare: KeyShareEntry) : bool
%{ %{
if ( ! ssl_extension_key_share )
return true;
VectorVal* nglist = new VectorVal(internal_type("index_vec")->AsVectorType()); VectorVal* nglist = new VectorVal(internal_type("index_vec")->AsVectorType());
nglist->Assign(0u, val_mgr->GetCount(keyshare->namedgroup())); nglist->Assign(0u, val_mgr->GetCount(keyshare->namedgroup()));
@ -127,6 +140,9 @@ refine connection Handshake_Conn += {
function proc_signature_algorithm(rec: HandshakeRecord, supported_signature_algorithms: SignatureAndHashAlgorithm[]) : bool function proc_signature_algorithm(rec: HandshakeRecord, supported_signature_algorithms: SignatureAndHashAlgorithm[]) : bool
%{ %{
if ( ! ssl_extension_signature_algorithm )
return true;
VectorVal* slist = new VectorVal(internal_type("signature_and_hashalgorithm_vec")->AsVectorType()); VectorVal* slist = new VectorVal(internal_type("signature_and_hashalgorithm_vec")->AsVectorType());
if ( supported_signature_algorithms ) if ( supported_signature_algorithms )
@ -147,6 +163,9 @@ refine connection Handshake_Conn += {
function proc_apnl(rec: HandshakeRecord, protocols: ProtocolName[]) : bool function proc_apnl(rec: HandshakeRecord, protocols: ProtocolName[]) : bool
%{ %{
if ( ! ssl_extension_application_layer_protocol_negotiation )
return true;
VectorVal* plist = new VectorVal(internal_type("string_vec")->AsVectorType()); VectorVal* plist = new VectorVal(internal_type("string_vec")->AsVectorType());
if ( protocols ) if ( protocols )
@ -183,14 +202,20 @@ refine connection Handshake_Conn += {
} }
} }
BifEvent::generate_ssl_extension_server_name(bro_analyzer(), bro_analyzer()->Conn(), if ( ssl_extension_server_name )
${rec.is_orig}, servers); BifEvent::generate_ssl_extension_server_name(bro_analyzer(), bro_analyzer()->Conn(),
${rec.is_orig}, servers);
else
Unref(servers);
return true; return true;
%} %}
function proc_supported_versions(rec: HandshakeRecord, versions_list: uint16[]) : bool function proc_supported_versions(rec: HandshakeRecord, versions_list: uint16[]) : bool
%{ %{
if ( ! ssl_extension_supported_versions )
return true;
VectorVal* versions = new VectorVal(internal_type("index_vec")->AsVectorType()); VectorVal* versions = new VectorVal(internal_type("index_vec")->AsVectorType());
if ( versions_list ) if ( versions_list )
@ -207,6 +232,9 @@ refine connection Handshake_Conn += {
function proc_one_supported_version(rec: HandshakeRecord, version: uint16) : bool function proc_one_supported_version(rec: HandshakeRecord, version: uint16) : bool
%{ %{
if ( ! ssl_extension_supported_versions )
return true;
VectorVal* versions = new VectorVal(internal_type("index_vec")->AsVectorType()); VectorVal* versions = new VectorVal(internal_type("index_vec")->AsVectorType());
versions->Assign(0u, val_mgr->GetCount(version)); versions->Assign(0u, val_mgr->GetCount(version));
@ -218,6 +246,9 @@ refine connection Handshake_Conn += {
function proc_psk_key_exchange_modes(rec: HandshakeRecord, mode_list: uint8[]) : bool function proc_psk_key_exchange_modes(rec: HandshakeRecord, mode_list: uint8[]) : bool
%{ %{
if ( ! ssl_extension_psk_key_exchange_modes )
return true;
VectorVal* modes = new VectorVal(internal_type("index_vec")->AsVectorType()); VectorVal* modes = new VectorVal(internal_type("index_vec")->AsVectorType());
if ( mode_list ) if ( mode_list )
@ -272,10 +303,11 @@ refine connection Handshake_Conn += {
response.length(), bro_analyzer()->GetAnalyzerTag(), response.length(), bro_analyzer()->GetAnalyzerTag(),
bro_analyzer()->Conn(), false, file_id, "application/ocsp-response"); bro_analyzer()->Conn(), false, file_id, "application/ocsp-response");
BifEvent::generate_ssl_stapled_ocsp(bro_analyzer(), if ( ssl_stapled_ocsp )
bro_analyzer()->Conn(), ${rec.is_orig}, BifEvent::generate_ssl_stapled_ocsp(bro_analyzer(),
new StringVal(response.length(), bro_analyzer()->Conn(),
(const char*) response.data())); ${rec.is_orig},
new StringVal(response.length(), (const char*) response.data()));
file_mgr->EndOfFile(file_id); file_mgr->EndOfFile(file_id);
} }
@ -288,26 +320,32 @@ refine connection Handshake_Conn += {
if ( ${kex.curve_type} != NAMED_CURVE ) if ( ${kex.curve_type} != NAMED_CURVE )
return true; return true;
BifEvent::generate_ssl_server_curve(bro_analyzer(), if ( ssl_server_curve )
bro_analyzer()->Conn(), ${kex.params.curve}); BifEvent::generate_ssl_server_curve(bro_analyzer(),
BifEvent::generate_ssl_ecdh_server_params(bro_analyzer(), bro_analyzer()->Conn(), ${kex.params.curve});
bro_analyzer()->Conn(), ${kex.params.curve}, new StringVal(${kex.params.point}.length(), (const char*)${kex.params.point}.data()));
RecordVal* ha = new RecordVal(BifType::Record::SSL::SignatureAndHashAlgorithm); if ( ssl_ecdh_server_params )
if ( ${kex.signed_params.uses_signature_and_hashalgorithm} ) BifEvent::generate_ssl_ecdh_server_params(bro_analyzer(),
bro_analyzer()->Conn(), ${kex.params.curve}, new StringVal(${kex.params.point}.length(), (const char*)${kex.params.point}.data()));
if ( ssl_server_signature )
{ {
ha->Assign(0, val_mgr->GetCount(${kex.signed_params.algorithm.HashAlgorithm})); RecordVal* ha = new RecordVal(BifType::Record::SSL::SignatureAndHashAlgorithm);
ha->Assign(1, val_mgr->GetCount(${kex.signed_params.algorithm.SignatureAlgorithm})); if ( ${kex.signed_params.uses_signature_and_hashalgorithm} )
} {
ha->Assign(0, val_mgr->GetCount(${kex.signed_params.algorithm.HashAlgorithm}));
ha->Assign(1, val_mgr->GetCount(${kex.signed_params.algorithm.SignatureAlgorithm}));
}
else else
{ {
// set to impossible value // set to impossible value
ha->Assign(0, val_mgr->GetCount(256)); ha->Assign(0, val_mgr->GetCount(256));
ha->Assign(1, val_mgr->GetCount(256)); ha->Assign(1, val_mgr->GetCount(256));
} }
BifEvent::generate_ssl_server_signature(bro_analyzer(), BifEvent::generate_ssl_server_signature(bro_analyzer(),
bro_analyzer()->Conn(), ha, new StringVal(${kex.signed_params.signature}.length(), (const char*)(${kex.signed_params.signature}).data())); bro_analyzer()->Conn(), ha, new StringVal(${kex.signed_params.signature}.length(), (const char*)(${kex.signed_params.signature}).data()));
}
return true; return true;
%} %}
@ -317,34 +355,46 @@ refine connection Handshake_Conn += {
if ( ${kex.curve_type} != NAMED_CURVE ) if ( ${kex.curve_type} != NAMED_CURVE )
return true; return true;
BifEvent::generate_ssl_server_curve(bro_analyzer(), if ( ssl_server_curve )
bro_analyzer()->Conn(), ${kex.params.curve}); BifEvent::generate_ssl_server_curve(bro_analyzer(),
BifEvent::generate_ssl_ecdh_server_params(bro_analyzer(), bro_analyzer()->Conn(), ${kex.params.curve});
bro_analyzer()->Conn(), ${kex.params.curve}, new StringVal(${kex.params.point}.length(), (const char*)${kex.params.point}.data()));
if ( ssl_ecdh_server_params )
BifEvent::generate_ssl_ecdh_server_params(bro_analyzer(),
bro_analyzer()->Conn(), ${kex.params.curve}, new StringVal(${kex.params.point}.length(), (const char*)${kex.params.point}.data()));
return true; return true;
%} %}
function proc_rsa_client_key_exchange(rec: HandshakeRecord, rsa_pms: bytestring) : bool function proc_rsa_client_key_exchange(rec: HandshakeRecord, rsa_pms: bytestring) : bool
%{ %{
BifEvent::generate_ssl_rsa_client_pms(bro_analyzer(), bro_analyzer()->Conn(), new StringVal(rsa_pms.length(), (const char*)rsa_pms.data())); if ( ssl_rsa_client_pms )
BifEvent::generate_ssl_rsa_client_pms(bro_analyzer(), bro_analyzer()->Conn(), new StringVal(rsa_pms.length(), (const char*)rsa_pms.data()));
return true; return true;
%} %}
function proc_dh_client_key_exchange(rec: HandshakeRecord, Yc: bytestring) : bool function proc_dh_client_key_exchange(rec: HandshakeRecord, Yc: bytestring) : bool
%{ %{
BifEvent::generate_ssl_dh_client_params(bro_analyzer(), bro_analyzer()->Conn(), new StringVal(Yc.length(), (const char*)Yc.data())); if ( ssl_dh_client_params )
BifEvent::generate_ssl_dh_client_params(bro_analyzer(), bro_analyzer()->Conn(), new StringVal(Yc.length(), (const char*)Yc.data()));
return true; return true;
%} %}
function proc_ecdh_client_key_exchange(rec: HandshakeRecord, point: bytestring) : bool function proc_ecdh_client_key_exchange(rec: HandshakeRecord, point: bytestring) : bool
%{ %{
BifEvent::generate_ssl_ecdh_client_params(bro_analyzer(), bro_analyzer()->Conn(), new StringVal(point.length(), (const char*)point.data())); if ( ssl_ecdh_client_params )
BifEvent::generate_ssl_ecdh_client_params(bro_analyzer(), bro_analyzer()->Conn(), new StringVal(point.length(), (const char*)point.data()));
return true; return true;
%} %}
function proc_signedcertificatetimestamp(rec: HandshakeRecord, version: uint8, logid: const_bytestring, timestamp: uint64, digitally_signed_algorithms: SignatureAndHashAlgorithm, digitally_signed_signature: const_bytestring) : bool function proc_signedcertificatetimestamp(rec: HandshakeRecord, version: uint8, logid: const_bytestring, timestamp: uint64, digitally_signed_algorithms: SignatureAndHashAlgorithm, digitally_signed_signature: const_bytestring) : bool
%{ %{
if ( ! ssl_extension_signed_certificate_timestamp )
return true;
RecordVal* ha = new RecordVal(BifType::Record::SSL::SignatureAndHashAlgorithm); RecordVal* ha = new RecordVal(BifType::Record::SSL::SignatureAndHashAlgorithm);
ha->Assign(0, val_mgr->GetCount(digitally_signed_algorithms->HashAlgorithm())); ha->Assign(0, val_mgr->GetCount(digitally_signed_algorithms->HashAlgorithm()));
ha->Assign(1, val_mgr->GetCount(digitally_signed_algorithms->SignatureAlgorithm())); ha->Assign(1, val_mgr->GetCount(digitally_signed_algorithms->SignatureAlgorithm()));
@ -363,50 +413,56 @@ refine connection Handshake_Conn += {
function proc_dhe_server_key_exchange(rec: HandshakeRecord, p: bytestring, g: bytestring, Ys: bytestring, signed_params: ServerKeyExchangeSignature) : bool function proc_dhe_server_key_exchange(rec: HandshakeRecord, p: bytestring, g: bytestring, Ys: bytestring, signed_params: ServerKeyExchangeSignature) : bool
%{ %{
BifEvent::generate_ssl_dh_server_params(bro_analyzer(), if ( ssl_ecdh_server_params )
bro_analyzer()->Conn(), BifEvent::generate_ssl_dh_server_params(bro_analyzer(),
new StringVal(p.length(), (const char*) p.data()), bro_analyzer()->Conn(),
new StringVal(g.length(), (const char*) g.data()), new StringVal(p.length(), (const char*) p.data()),
new StringVal(Ys.length(), (const char*) Ys.data()) new StringVal(g.length(), (const char*) g.data()),
); new StringVal(Ys.length(), (const char*) Ys.data())
);
RecordVal* ha = new RecordVal(BifType::Record::SSL::SignatureAndHashAlgorithm); if ( ssl_server_signature )
if ( ${signed_params.uses_signature_and_hashalgorithm} )
{ {
ha->Assign(0, val_mgr->GetCount(${signed_params.algorithm.HashAlgorithm})); RecordVal* ha = new RecordVal(BifType::Record::SSL::SignatureAndHashAlgorithm);
ha->Assign(1, val_mgr->GetCount(${signed_params.algorithm.SignatureAlgorithm})); if ( ${signed_params.uses_signature_and_hashalgorithm} )
} {
else ha->Assign(0, val_mgr->GetCount(${signed_params.algorithm.HashAlgorithm}));
{ ha->Assign(1, val_mgr->GetCount(${signed_params.algorithm.SignatureAlgorithm}));
// set to impossible value }
ha->Assign(0, val_mgr->GetCount(256)); else
ha->Assign(1, val_mgr->GetCount(256)); {
} // set to impossible value
ha->Assign(0, val_mgr->GetCount(256));
ha->Assign(1, val_mgr->GetCount(256));
}
BifEvent::generate_ssl_server_signature(bro_analyzer(), BifEvent::generate_ssl_server_signature(bro_analyzer(),
bro_analyzer()->Conn(), ha, bro_analyzer()->Conn(), ha,
new StringVal(${signed_params.signature}.length(), (const char*)(${signed_params.signature}).data()) new StringVal(${signed_params.signature}.length(), (const char*)(${signed_params.signature}).data())
); );
}
return true; return true;
%} %}
function proc_dh_anon_server_key_exchange(rec: HandshakeRecord, p: bytestring, g: bytestring, Ys: bytestring) : bool function proc_dh_anon_server_key_exchange(rec: HandshakeRecord, p: bytestring, g: bytestring, Ys: bytestring) : bool
%{ %{
BifEvent::generate_ssl_dh_server_params(bro_analyzer(), if ( ssl_dh_server_params )
bro_analyzer()->Conn(), BifEvent::generate_ssl_dh_server_params(bro_analyzer(),
new StringVal(p.length(), (const char*) p.data()), bro_analyzer()->Conn(),
new StringVal(g.length(), (const char*) g.data()), new StringVal(p.length(), (const char*) p.data()),
new StringVal(Ys.length(), (const char*) Ys.data()) new StringVal(g.length(), (const char*) g.data()),
); new StringVal(Ys.length(), (const char*) Ys.data())
);
return true; return true;
%} %}
function proc_handshake(is_orig: bool, msg_type: uint8, length: uint24) : bool function proc_handshake(is_orig: bool, msg_type: uint8, length: uint24) : bool
%{ %{
BifEvent::generate_ssl_handshake_message(bro_analyzer(), if ( ssl_handshake_message )
bro_analyzer()->Conn(), is_orig, msg_type, to_int()(length)); BifEvent::generate_ssl_handshake_message(bro_analyzer(),
bro_analyzer()->Conn(), is_orig, msg_type, to_int()(length));
return true; return true;
%} %}

22
src/analyzer/protocol/stepping-stone/SteppingStone.cc
View file

@ -139,25 +139,23 @@ void SteppingStoneEndpoint::Event(EventHandlerPtr f, int id1, int id2)
if ( ! f ) if ( ! f )
return; return;
val_list* vl = new val_list;
vl->append(val_mgr->GetInt(id1));
if ( id2 >= 0 ) if ( id2 >= 0 )
vl->append(val_mgr->GetInt(id2)); endp->TCP()->ConnectionEventFast(f, {val_mgr->GetInt(id1), val_mgr->GetInt(id2)});
else
endp->TCP()->ConnectionEventFast(f, {val_mgr->GetInt(id1)});
endp->TCP()->ConnectionEvent(f, vl);
} }
void SteppingStoneEndpoint::CreateEndpEvent(int is_orig) void SteppingStoneEndpoint::CreateEndpEvent(int is_orig)
{ {
val_list* vl = new val_list; if ( ! stp_create_endp )
return;
vl->append(endp->TCP()->BuildConnVal()); endp->TCP()->ConnectionEventFast(stp_create_endp, {
vl->append(val_mgr->GetInt(stp_id)); endp->TCP()->BuildConnVal(),
vl->append(val_mgr->GetBool(is_orig)); val_mgr->GetInt(stp_id),
val_mgr->GetBool(is_orig),
endp->TCP()->ConnectionEvent(stp_create_endp, vl); });
} }
SteppingStone_Analyzer::SteppingStone_Analyzer(Connection* c) SteppingStone_Analyzer::SteppingStone_Analyzer(Connection* c)

3
src/analyzer/protocol/syslog/syslog-analyzer.pac
View file

@ -11,6 +11,9 @@ flow Syslog_Flow
function process_syslog_message(m: Syslog_Message): bool function process_syslog_message(m: Syslog_Message): bool
%{ %{
if ( ! syslog_message )
return true;
if ( ${m.has_pri} ) if ( ${m.has_pri} )
BifEvent::generate_syslog_message( BifEvent::generate_syslog_message(
connection()->bro_analyzer(), connection()->bro_analyzer(),

93
src/analyzer/protocol/tcp/TCP.cc
View file

@ -299,11 +299,11 @@ static void passive_fingerprint(TCP_Analyzer* tcp, bool is_orig,
if ( OS_val ) if ( OS_val )
{ // found new OS version { // found new OS version
val_list* vl = new val_list; tcp->ConnectionEventFast(OS_version_found, {
vl->append(tcp->BuildConnVal()); tcp->BuildConnVal(),
vl->append(src_addr_val->Ref()); src_addr_val->Ref(),
vl->append(OS_val); OS_val,
tcp->ConnectionEvent(OS_version_found, vl); });
} }
} }
@ -965,20 +965,17 @@ void TCP_Analyzer::GeneratePacketEvent(
const u_char* data, int len, int caplen, const u_char* data, int len, int caplen,
int is_orig, TCP_Flags flags) int is_orig, TCP_Flags flags)
{ {
val_list* vl = new val_list(); ConnectionEventFast(tcp_packet, {
BuildConnVal(),
vl->append(BuildConnVal()); val_mgr->GetBool(is_orig),
vl->append(val_mgr->GetBool(is_orig)); new StringVal(flags.AsString()),
vl->append(new StringVal(flags.AsString())); val_mgr->GetCount(rel_seq),
vl->append(val_mgr->GetCount(rel_seq)); val_mgr->GetCount(flags.ACK() ? rel_ack : 0),
vl->append(val_mgr->GetCount(flags.ACK() ? rel_ack : 0)); val_mgr->GetCount(len),
vl->append(val_mgr->GetCount(len)); // We need the min() here because Ethernet padding can lead to
// caplen > len.
// We need the min() here because Ethernet padding can lead to new StringVal(min(caplen, len), (const char*) data),
// caplen > len. });
vl->append(new StringVal(min(caplen, len), (const char*) data));
ConnectionEvent(tcp_packet, vl);
} }
int TCP_Analyzer::DeliverData(double t, const u_char* data, int len, int caplen, int TCP_Analyzer::DeliverData(double t, const u_char* data, int len, int caplen,
@ -1283,10 +1280,10 @@ void TCP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
if ( connection_SYN_packet ) if ( connection_SYN_packet )
{ {
val_list* vl = new val_list; ConnectionEventFast(connection_SYN_packet, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(SYN_vals->Ref()); SYN_vals->Ref(),
ConnectionEvent(connection_SYN_packet, vl); });
} }
passive_fingerprint(this, is_orig, ip, tp, tcp_hdr_len); passive_fingerprint(this, is_orig, ip, tp, tcp_hdr_len);
@ -1510,14 +1507,12 @@ int TCP_Analyzer::TCPOptionEvent(unsigned int opt,
{ {
if ( tcp_option ) if ( tcp_option )
{ {
val_list* vl = new val_list(); analyzer->ConnectionEventFast(tcp_option, {
analyzer->BuildConnVal(),
vl->append(analyzer->BuildConnVal()); val_mgr->GetBool(is_orig),
vl->append(val_mgr->GetBool(is_orig)); val_mgr->GetCount(opt),
vl->append(val_mgr->GetCount(opt)); val_mgr->GetCount(optlen),
vl->append(val_mgr->GetCount(optlen)); });
analyzer->ConnectionEvent(tcp_option, vl);
} }
return 0; return 0;
@ -1833,10 +1828,10 @@ void TCP_Analyzer::EndpointEOF(TCP_Reassembler* endp)
{ {
if ( connection_EOF ) if ( connection_EOF )
{ {
val_list* vl = new val_list(); ConnectionEventFast(connection_EOF, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(endp->IsOrig())); val_mgr->GetBool(endp->IsOrig()),
ConnectionEvent(connection_EOF, vl); });
} }
const analyzer_list& children(GetChildren()); const analyzer_list& children(GetChildren());
@ -2115,15 +2110,14 @@ int TCPStats_Endpoint::DataSent(double /* t */, uint64 seq, int len, int caplen,
if ( tcp_rexmit ) if ( tcp_rexmit )
{ {
val_list* vl = new val_list(); endp->TCP()->ConnectionEventFast(tcp_rexmit, {
vl->append(endp->TCP()->BuildConnVal()); endp->TCP()->BuildConnVal(),
vl->append(val_mgr->GetBool(endp->IsOrig())); val_mgr->GetBool(endp->IsOrig()),
vl->append(val_mgr->GetCount(seq)); val_mgr->GetCount(seq),
vl->append(val_mgr->GetCount(len)); val_mgr->GetCount(len),
vl->append(val_mgr->GetCount(data_in_flight)); val_mgr->GetCount(data_in_flight),
vl->append(val_mgr->GetCount(endp->peer->window)); val_mgr->GetCount(endp->peer->window),
});
endp->TCP()->ConnectionEvent(tcp_rexmit, vl);
} }
} }
else else
@ -2171,11 +2165,12 @@ void TCPStats_Analyzer::Done()
{ {
TCP_ApplicationAnalyzer::Done(); TCP_ApplicationAnalyzer::Done();
val_list* vl = new val_list; if ( conn_stats )
vl->append(BuildConnVal()); ConnectionEventFast(conn_stats, {
vl->append(orig_stats->BuildStats()); BuildConnVal(),
vl->append(resp_stats->BuildStats()); orig_stats->BuildStats(),
ConnectionEvent(conn_stats, vl); resp_stats->BuildStats(),
});
} }
void TCPStats_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, uint64 seq, const IP_Hdr* ip, int caplen) void TCPStats_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, uint64 seq, const IP_Hdr* ip, int caplen)

10
src/analyzer/protocol/tcp/TCP_Endpoint.cc
View file

@ -237,11 +237,11 @@ int TCP_Endpoint::DataSent(double t, uint64 seq, int len, int caplen,
if ( contents_file_write_failure ) if ( contents_file_write_failure )
{ {
val_list* vl = new val_list(); tcp_analyzer->ConnectionEventFast(contents_file_write_failure, {
vl->append(Conn()->BuildConnVal()); Conn()->BuildConnVal(),
vl->append(val_mgr->GetBool(IsOrig())); val_mgr->GetBool(IsOrig()),
vl->append(new StringVal(buf)); new StringVal(buf),
tcp_analyzer->ConnectionEvent(contents_file_write_failure, vl); });
} }
} }
} }

57
src/analyzer/protocol/tcp/TCP_Reassembler.cc
View file

@ -145,12 +145,12 @@ void TCP_Reassembler::Gap(uint64 seq, uint64 len)
if ( report_gap(endp, endp->peer) ) if ( report_gap(endp, endp->peer) )
{ {
val_list* vl = new val_list; dst_analyzer->ConnectionEventFast(content_gap, {
vl->append(dst_analyzer->BuildConnVal()); dst_analyzer->BuildConnVal(),
vl->append(val_mgr->GetBool(IsOrig())); val_mgr->GetBool(IsOrig()),
vl->append(val_mgr->GetCount(seq)); val_mgr->GetCount(seq),
vl->append(val_mgr->GetCount(len)); val_mgr->GetCount(len),
dst_analyzer->ConnectionEvent(content_gap, vl); });
} }
if ( type == Direct ) if ( type == Direct )
@ -344,11 +344,11 @@ void TCP_Reassembler::RecordBlock(DataBlock* b, BroFile* f)
if ( contents_file_write_failure ) if ( contents_file_write_failure )
{ {
val_list* vl = new val_list(); tcp_analyzer->ConnectionEventFast(contents_file_write_failure, {
vl->append(Endpoint()->Conn()->BuildConnVal()); Endpoint()->Conn()->BuildConnVal(),
vl->append(val_mgr->GetBool(IsOrig())); val_mgr->GetBool(IsOrig()),
vl->append(new StringVal("TCP reassembler content write failure")); new StringVal("TCP reassembler content write failure"),
tcp_analyzer->ConnectionEvent(contents_file_write_failure, vl); });
} }
} }
@ -361,11 +361,11 @@ void TCP_Reassembler::RecordGap(uint64 start_seq, uint64 upper_seq, BroFile* f)
if ( contents_file_write_failure ) if ( contents_file_write_failure )
{ {
val_list* vl = new val_list(); tcp_analyzer->ConnectionEventFast(contents_file_write_failure, {
vl->append(Endpoint()->Conn()->BuildConnVal()); Endpoint()->Conn()->BuildConnVal(),
vl->append(val_mgr->GetBool(IsOrig())); val_mgr->GetBool(IsOrig()),
vl->append(new StringVal("TCP reassembler gap write failure")); new StringVal("TCP reassembler gap write failure"),
tcp_analyzer->ConnectionEvent(contents_file_write_failure, vl); });
} }
} }
@ -434,12 +434,12 @@ void TCP_Reassembler::Overlap(const u_char* b1, const u_char* b2, uint64 n)
BroString* b1_s = new BroString((const u_char*) b1, n, 0); BroString* b1_s = new BroString((const u_char*) b1, n, 0);
BroString* b2_s = new BroString((const u_char*) b2, n, 0); BroString* b2_s = new BroString((const u_char*) b2, n, 0);
val_list* vl = new val_list(3); tcp_analyzer->ConnectionEventFast(rexmit_inconsistency, {
vl->append(tcp_analyzer->BuildConnVal()); tcp_analyzer->BuildConnVal(),
vl->append(new StringVal(b1_s)); new StringVal(b1_s),
vl->append(new StringVal(b2_s)); new StringVal(b2_s),
vl->append(new StringVal(flags.AsString())); new StringVal(flags.AsString()),
tcp_analyzer->ConnectionEvent(rexmit_inconsistency, vl); });
} }
} }
@ -605,13 +605,12 @@ void TCP_Reassembler::DeliverBlock(uint64 seq, int len, const u_char* data)
if ( deliver_tcp_contents ) if ( deliver_tcp_contents )
{ {
val_list* vl = new val_list(); tcp_analyzer->ConnectionEventFast(tcp_contents, {
vl->append(tcp_analyzer->BuildConnVal()); tcp_analyzer->BuildConnVal(),
vl->append(val_mgr->GetBool(IsOrig())); val_mgr->GetBool(IsOrig()),
vl->append(val_mgr->GetCount(seq)); val_mgr->GetCount(seq),
vl->append(new StringVal(len, (const char*) data)); new StringVal(len, (const char*) data),
});
tcp_analyzer->ConnectionEvent(tcp_contents, vl);
} }
// Q. Can we say this because it is already checked in DataSent()? // Q. Can we say this because it is already checked in DataSent()?

10
src/analyzer/protocol/udp/UDP.cc
View file

@ -157,11 +157,11 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
if ( do_udp_contents ) if ( do_udp_contents )
{ {
val_list* vl = new val_list; ConnectionEventFast(udp_contents, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(is_orig)); val_mgr->GetBool(is_orig),
vl->append(new StringVal(len, (const char*) data)); new StringVal(len, (const char*) data),
ConnectionEvent(udp_contents, vl); });
} }
Unref(port_val); Unref(port_val);

3
src/analyzer/protocol/xmpp/xmpp-analyzer.pac
View file

@ -32,7 +32,8 @@ refine connection XMPP_Conn += {
if ( !is_orig && ( token == "proceed" || token_no_ns == "proceed" ) && client_starttls ) if ( !is_orig && ( token == "proceed" || token_no_ns == "proceed" ) && client_starttls )
{ {
bro_analyzer()->StartTLS(); bro_analyzer()->StartTLS();
BifEvent::generate_xmpp_starttls(bro_analyzer(), bro_analyzer()->Conn()); if ( xmpp_starttls )
BifEvent::generate_xmpp_starttls(bro_analyzer(), bro_analyzer()->Conn());
} }
else if ( !is_orig && token == "proceed" ) else if ( !is_orig && token == "proceed" )
reporter->Weird(bro_analyzer()->Conn(), "XMPP: proceed without starttls"); reporter->Weird(bro_analyzer()->Conn(), "XMPP: proceed without starttls");

38
src/broker/Manager.cc
View file

@ -540,9 +540,11 @@ bool Manager::PublishLogWrite(EnumVal* stream, EnumVal* writer, string path, int
std::string serial_data(data, len); std::string serial_data(data, len);
free(data); free(data);
val_list vl(2); val_list vl{
vl.append(stream->Ref()); stream->Ref(),
vl.append(new StringVal(path)); new StringVal(path),
};
Val* v = log_topic_func->Call(&vl); Val* v = log_topic_func->Call(&vl);
if ( ! v ) if ( ! v )
@ -993,7 +995,7 @@ void Manager::ProcessEvent(const broker::topic& topic, broker::bro::Event ev)
return; return;
} }
auto vl = new val_list; val_list vl(args.size());
for ( auto i = 0u; i < args.size(); ++i ) for ( auto i = 0u; i < args.size(); ++i )
{ {
@ -1002,7 +1004,7 @@ void Manager::ProcessEvent(const broker::topic& topic, broker::bro::Event ev)
auto val = data_to_val(std::move(args[i]), expected_type); auto val = data_to_val(std::move(args[i]), expected_type);
if ( val ) if ( val )
vl->append(val); vl.append(val);
else else
{ {
reporter->Warning("failed to convert remote event '%s' arg #%d," reporter->Warning("failed to convert remote event '%s' arg #%d,"
@ -1013,10 +1015,13 @@ void Manager::ProcessEvent(const broker::topic& topic, broker::bro::Event ev)
} }
} }
if ( static_cast<size_t>(vl->length()) == args.size() ) if ( static_cast<size_t>(vl.length()) == args.size() )
mgr.QueueEvent(handler, vl, SOURCE_BROKER); mgr.QueueEventFast(handler, std::move(vl), SOURCE_BROKER);
else else
delete_vals(vl); {
loop_over_list(vl, i)
Unref(vl[i]);
}
} }
bool bro_broker::Manager::ProcessLogCreate(broker::bro::LogCreate lc) bool bro_broker::Manager::ProcessLogCreate(broker::bro::LogCreate lc)
@ -1242,6 +1247,9 @@ void Manager::ProcessStatus(broker::status stat)
break; break;
} }
if ( ! event )
return;
auto ei = internal_type("Broker::EndpointInfo")->AsRecordType(); auto ei = internal_type("Broker::EndpointInfo")->AsRecordType();
auto endpoint_info = new RecordVal(ei); auto endpoint_info = new RecordVal(ei);
@ -1270,11 +1278,7 @@ void Manager::ProcessStatus(broker::status stat)
auto str = stat.message(); auto str = stat.message();
auto msg = new StringVal(str ? *str : ""); auto msg = new StringVal(str ? *str : "");
auto vl = new val_list; mgr.QueueEventFast(event, {endpoint_info, msg});
vl->append(endpoint_info);
vl->append(msg);
mgr.QueueEvent(event, vl);
} }
void Manager::ProcessError(broker::error err) void Manager::ProcessError(broker::error err)
@ -1351,10 +1355,10 @@ void Manager::ProcessError(broker::error err)
msg = fmt("[%s] %s", caf::to_string(err.category()).c_str(), caf::to_string(err.context()).c_str()); msg = fmt("[%s] %s", caf::to_string(err.category()).c_str(), caf::to_string(err.context()).c_str());
} }
auto vl = new val_list; mgr.QueueEventFast(Broker::error, {
vl->append(BifType::Enum::Broker::ErrorCode->GetVal(ec)); BifType::Enum::Broker::ErrorCode->GetVal(ec),
vl->append(new StringVal(msg)); new StringVal(msg),
mgr.QueueEvent(Broker::error, vl); });
} }
void Manager::ProcessStoreResponse(StoreHandleVal* s, broker::store::response response) void Manager::ProcessStoreResponse(StoreHandleVal* s, broker::store::response response)

8
src/broker/messaging.bif
View file

@ -183,9 +183,7 @@ function Cluster::publish_rr%(pool: Pool, key: string, ...%): bool
if ( ! topic_func ) if ( ! topic_func )
topic_func = global_scope()->Lookup("Cluster::rr_topic")->ID_Val()->AsFunc(); topic_func = global_scope()->Lookup("Cluster::rr_topic")->ID_Val()->AsFunc();
val_list vl(2); val_list vl{pool->Ref(), key->Ref()};
vl.append(pool->Ref());
vl.append(key->Ref());
auto topic = topic_func->Call(&vl); auto topic = topic_func->Call(&vl);
if ( ! topic->AsString()->Len() ) if ( ! topic->AsString()->Len() )
@ -226,9 +224,7 @@ function Cluster::publish_hrw%(pool: Pool, key: any, ...%): bool
if ( ! topic_func ) if ( ! topic_func )
topic_func = global_scope()->Lookup("Cluster::hrw_topic")->ID_Val()->AsFunc(); topic_func = global_scope()->Lookup("Cluster::hrw_topic")->ID_Val()->AsFunc();
val_list vl(2); val_list vl{pool->Ref(), key->Ref()};
vl.append(pool->Ref());
vl.append(key->Ref());
auto topic = topic_func->Call(&vl); auto topic = topic_func->Call(&vl);
if ( ! topic->AsString()->Len() ) if ( ! topic->AsString()->Len() )

53
src/file_analysis/File.cc
View file

@ -154,11 +154,11 @@ void File::RaiseFileOverNewConnection(Connection* conn, bool is_orig)
{ {
if ( conn && FileEventAvailable(file_over_new_connection) ) if ( conn && FileEventAvailable(file_over_new_connection) )
{ {
val_list* vl = new val_list(); FileEvent(file_over_new_connection, {
vl->append(val->Ref()); val->Ref(),
vl->append(conn->BuildConnVal()); conn->BuildConnVal(),
vl->append(val_mgr->GetBool(is_orig)); val_mgr->GetBool(is_orig),
FileEvent(file_over_new_connection, vl); });
} }
} }
@ -303,13 +303,11 @@ bool File::SetMime(const string& mime_type)
if ( ! FileEventAvailable(file_sniff) ) if ( ! FileEventAvailable(file_sniff) )
return false; return false;
val_list* vl = new val_list();
vl->append(val->Ref());
RecordVal* meta = new RecordVal(fa_metadata_type); RecordVal* meta = new RecordVal(fa_metadata_type);
vl->append(meta);
meta->Assign(meta_mime_type_idx, new StringVal(mime_type)); meta->Assign(meta_mime_type_idx, new StringVal(mime_type));
meta->Assign(meta_inferred_idx, val_mgr->GetBool(0)); meta->Assign(meta_inferred_idx, val_mgr->GetBool(0));
FileEvent(file_sniff, vl);
FileEvent(file_sniff, {val->Ref(), meta});
return true; return true;
} }
@ -338,10 +336,7 @@ void File::InferMetadata()
len = min(len, LookupFieldDefaultCount(bof_buffer_size_idx)); len = min(len, LookupFieldDefaultCount(bof_buffer_size_idx));
file_mgr->DetectMIME(data, len, &matches); file_mgr->DetectMIME(data, len, &matches);
val_list* vl = new val_list();
vl->append(val->Ref());
RecordVal* meta = new RecordVal(fa_metadata_type); RecordVal* meta = new RecordVal(fa_metadata_type);
vl->append(meta);
if ( ! matches.empty() ) if ( ! matches.empty() )
{ {
@ -351,7 +346,7 @@ void File::InferMetadata()
file_analysis::GenMIMEMatchesVal(matches)); file_analysis::GenMIMEMatchesVal(matches));
} }
FileEvent(file_sniff, vl); FileEvent(file_sniff, {val->Ref(), meta});
return; return;
} }
@ -463,11 +458,11 @@ void File::DeliverChunk(const u_char* data, uint64 len, uint64 offset)
if ( FileEventAvailable(file_reassembly_overflow) ) if ( FileEventAvailable(file_reassembly_overflow) )
{ {
val_list* vl = new val_list(); FileEvent(file_reassembly_overflow, {
vl->append(val->Ref()); val->Ref(),
vl->append(val_mgr->GetCount(current_offset)); val_mgr->GetCount(current_offset),
vl->append(val_mgr->GetCount(gap_bytes)); val_mgr->GetCount(gap_bytes),
FileEvent(file_reassembly_overflow, vl); });
} }
} }
@ -608,11 +603,11 @@ void File::Gap(uint64 offset, uint64 len)
if ( FileEventAvailable(file_gap) ) if ( FileEventAvailable(file_gap) )
{ {
val_list* vl = new val_list(); FileEvent(file_gap, {
vl->append(val->Ref()); val->Ref(),
vl->append(val_mgr->GetCount(offset)); val_mgr->GetCount(offset),
vl->append(val_mgr->GetCount(len)); val_mgr->GetCount(len),
FileEvent(file_gap, vl); });
} }
analyzers.DrainModifications(); analyzers.DrainModifications();
@ -631,14 +626,18 @@ void File::FileEvent(EventHandlerPtr h)
if ( ! FileEventAvailable(h) ) if ( ! FileEventAvailable(h) )
return; return;
val_list* vl = new val_list(); FileEvent(h, {val->Ref()});
vl->append(val->Ref());
FileEvent(h, vl);
} }
void File::FileEvent(EventHandlerPtr h, val_list* vl) void File::FileEvent(EventHandlerPtr h, val_list* vl)
{ {
mgr.QueueEvent(h, vl); FileEvent(h, std::move(*vl));
delete vl;
}
void File::FileEvent(EventHandlerPtr h, val_list vl)
{
mgr.QueueEventFast(h, std::move(vl));
if ( h == file_new || h == file_over_new_connection || if ( h == file_new || h == file_over_new_connection ||
h == file_sniff || h == file_sniff ||

6
src/file_analysis/File.h
View file

@ -172,6 +172,12 @@ public:
*/ */
void FileEvent(EventHandlerPtr h, val_list* vl); void FileEvent(EventHandlerPtr h, val_list* vl);
/**
* Raises an event related to the file's life-cycle.
* @param h pointer to an event handler.
* @param vl list of argument values to pass to event call.
*/
void FileEvent(EventHandlerPtr h, val_list vl);
/** /**
* Sets the MIME type for a file to a specific value. * Sets the MIME type for a file to a specific value.

11
src/file_analysis/Manager.cc
View file

@ -443,12 +443,11 @@ string Manager::GetFileID(analyzer::Tag tag, Connection* c, bool is_orig)
EnumVal* tagval = tag.AsEnumVal(); EnumVal* tagval = tag.AsEnumVal();
Ref(tagval); Ref(tagval);
val_list* vl = new val_list(); mgr.QueueEventFast(get_file_handle, {
vl->append(tagval); tagval,
vl->append(c->BuildConnVal()); c->BuildConnVal(),
vl->append(val_mgr->GetBool(is_orig)); val_mgr->GetBool(is_orig),
});
mgr.QueueEvent(get_file_handle, vl);
mgr.Drain(); // need file handle immediately so we don't have to buffer data mgr.Drain(); // need file handle immediately so we don't have to buffer data
return current_file_id; return current_file_id;
} }

20
src/file_analysis/analyzer/data_event/DataEvent.cc
View file

@ -41,12 +41,11 @@ bool DataEvent::DeliverChunk(const u_char* data, uint64 len, uint64 offset)
{ {
if ( ! chunk_event ) return true; if ( ! chunk_event ) return true;
val_list* args = new val_list; mgr.QueueEventFast(chunk_event, {
args->append(GetFile()->GetVal()->Ref()); GetFile()->GetVal()->Ref(),
args->append(new StringVal(new BroString(data, len, 0))); new StringVal(new BroString(data, len, 0)),
args->append(val_mgr->GetCount(offset)); val_mgr->GetCount(offset),
});
mgr.QueueEvent(chunk_event, args);
return true; return true;
} }
@ -55,11 +54,10 @@ bool DataEvent::DeliverStream(const u_char* data, uint64 len)
{ {
if ( ! stream_event ) return true; if ( ! stream_event ) return true;
val_list* args = new val_list; mgr.QueueEventFast(stream_event, {
args->append(GetFile()->GetVal()->Ref()); GetFile()->GetVal()->Ref(),
args->append(new StringVal(new BroString(data, len, 0))); new StringVal(new BroString(data, len, 0)),
});
mgr.QueueEvent(stream_event, args);
return true; return true;
} }

10
src/file_analysis/analyzer/entropy/Entropy.cc
View file

@ -53,8 +53,8 @@ void Entropy::Finalize()
if ( ! fed ) if ( ! fed )
return; return;
val_list* vl = new val_list(); if ( ! file_entropy )
vl->append(GetFile()->GetVal()->Ref()); return;
double montepi, scc, ent, mean, chisq; double montepi, scc, ent, mean, chisq;
montepi = scc = ent = mean = chisq = 0.0; montepi = scc = ent = mean = chisq = 0.0;
@ -67,6 +67,8 @@ void Entropy::Finalize()
ent_result->Assign(3, new Val(montepi, TYPE_DOUBLE)); ent_result->Assign(3, new Val(montepi, TYPE_DOUBLE));
ent_result->Assign(4, new Val(scc, TYPE_DOUBLE)); ent_result->Assign(4, new Val(scc, TYPE_DOUBLE));
vl->append(ent_result); mgr.QueueEventFast(file_entropy, {
mgr.QueueEvent(file_entropy, vl); GetFile()->GetVal()->Ref(),
ent_result,
});
} }

12
src/file_analysis/analyzer/extract/Extract.cc
View file

@ -90,12 +90,12 @@ bool Extract::DeliverStream(const u_char* data, uint64 len)
if ( limit_exceeded && file_extraction_limit ) if ( limit_exceeded && file_extraction_limit )
{ {
File* f = GetFile(); File* f = GetFile();
val_list* vl = new val_list(); f->FileEvent(file_extraction_limit, {
vl->append(f->GetVal()->Ref()); f->GetVal()->Ref(),
vl->append(Args()->Ref()); Args()->Ref(),
vl->append(val_mgr->GetCount(limit)); val_mgr->GetCount(limit),
vl->append(val_mgr->GetCount(len)); val_mgr->GetCount(len),
f->FileEvent(file_extraction_limit, vl); });
// Limit may have been modified by a BIF, re-check it. // Limit may have been modified by a BIF, re-check it.
limit_exceeded = check_limit_exceeded(limit, depth, len, &towrite); limit_exceeded = check_limit_exceeded(limit, depth, len, &towrite);

12
src/file_analysis/analyzer/hash/Hash.cc
View file

@ -48,10 +48,12 @@ void Hash::Finalize()
if ( ! hash->IsValid() || ! fed ) if ( ! hash->IsValid() || ! fed )
return; return;
val_list* vl = new val_list(); if ( ! file_hash )
vl->append(GetFile()->GetVal()->Ref()); return;
vl->append(new StringVal(kind));
vl->append(hash->Get());
mgr.QueueEvent(file_hash, vl); mgr.QueueEventFast(file_hash, {
GetFile()->GetVal()->Ref(),
new StringVal(kind),
hash->Get(),
});
} }

Some files were not shown because too many files have changed in this diff Show more