Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Move all of the rule matching code to zeek::detail

Browse source
This commit is contained in:
Tim Wojtulewicz 2020-07-17 11:18:43 -07:00
parent 25c0fc7ab2
commit 382812298d
29 changed files with 269 additions and 196 deletions
Download patch file Download diff file Expand all files Collapse all files

3
src/Conn.cc
View file

@ -449,7 +449,8 @@ static inline bool is_version_sep(const char* s, const char* end)
isspace(s[0]);
}
void Connection::Match(Rule::PatternType type, const u_char* data, int len, bool is_orig, bool bol, bool eol, bool clear_state)
void Connection::Match(zeek::detail::Rule::PatternType type, const u_char* data, int len,
bool is_orig, bool bol, bool eol, bool clear_state)
{
if ( primary_PIA )
primary_PIA->Match(type, data, len, is_orig, bol, eol, clear_state);

6
src/Conn.h
View file

@ -25,11 +25,11 @@ class Connection;
class ConnectionTimer;
class NetSessions;
class LoginConn;
class RuleHdrTest;
class Specific_RE_Matcher;
class RuleEndpointState;
class EncapsulationStack;
ZEEK_FORWARD_DECLARE_NAMESPACED(RuleEndpointState, zeek::detail);
ZEEK_FORWARD_DECLARE_NAMESPACED(RuleHdrTest, zeek::detail);
ZEEK_FORWARD_DECLARE_NAMESPACED(Val, zeek);
ZEEK_FORWARD_DECLARE_NAMESPACED(RecordVal, zeek);
ZEEK_FORWARD_DECLARE_NAMESPACED(TransportLayerAnalyzer, zeek, analyzer);
@ -179,7 +179,7 @@ public:
LoginConn* AsLoginConn() { return login_conn; }
void Match(Rule::PatternType type, const u_char* data, int len,
void Match(zeek::detail::Rule::PatternType type, const u_char* data, int len,
bool is_orig, bool bol, bool eol, bool clear_state);
/**

4
src/Rule.cc
View file

@ -5,6 +5,8 @@
#include "RuleCondition.h"
#include "RuleMatcher.h"
namespace zeek::detail {
// Start at one as we want search for this within a list,
// and List's is_member returns zero for non-membership ...
unsigned int Rule::rule_counter = 1;
@ -99,3 +101,5 @@ void Rule::SortHdrTests()
// FIXME: Do nothing for now - we may want to come up with
// something clever here.
}
} // namespace zeek::detail

17
src/Rule.h
View file

@ -9,10 +9,13 @@
#include <limits.h>
#include <stdint.h>
class RuleCondition;
class RuleAction;
class RuleHdrTest;
class Rule;
ZEEK_FORWARD_DECLARE_NAMESPACED(RuleCondition, zeek::detail);
ZEEK_FORWARD_DECLARE_NAMESPACED(RuleAction, zeek::detail);
ZEEK_FORWARD_DECLARE_NAMESPACED(RuleHdrTest, zeek::detail);
ZEEK_FORWARD_DECLARE_NAMESPACED(RuleMatcher, zeek::detail);
ZEEK_FORWARD_DECLARE_NAMESPACED(Rule, zeek::detail);
namespace zeek::detail {
using rule_list = zeek::PList<Rule>;
using rule_dict = std::map<std::string, Rule*>;
@ -107,3 +110,9 @@ private:
// Array of rules indexed by payloadid.
static rule_list rule_table;
};
} // namespace zeek::detail
using Rule [[deprecated("Remove in v4.1. Use zeek::detail::Rule.")]] = zeek::detail::Rule;
using rule_list [[deprecated("Remove in v4.1. Use zeek::detail::rule_list.")]] = zeek::detail::rule_list;
using rule_dict [[deprecated("Remove in v4.1. Use zeek::detail::rule_dict.")]] = zeek::detail::rule_dict;

4
src/RuleAction.cc
View file

@ -12,6 +12,8 @@ using std::string;
#include "analyzer/Manager.h"
namespace zeek::detail {
RuleActionEvent::RuleActionEvent(const char* arg_msg)
{
msg = copy_string(arg_msg);
@ -124,3 +126,5 @@ void RuleActionDisable::PrintDebug()
fprintf(stderr, " RuleActionDisable: ");
RuleActionAnalyzer::PrintDebug();
}
} // namespace zeek::detail

15
src/RuleAction.h
View file

@ -6,8 +6,10 @@
#include <sys/types.h> // for u_char
class Rule;
class RuleEndpointState;
ZEEK_FORWARD_DECLARE_NAMESPACED(Rule, zeek::detail);
ZEEK_FORWARD_DECLARE_NAMESPACED(RuleEndpointState, zeek::detail);
namespace zeek::detail {
// Base class of all rule actions.
class RuleAction {
@ -96,3 +98,12 @@ public:
void PrintDebug() override;
};
} // namespace zeek::detail
using RuleAction [[deprecated("Remove in v4.1. Use zeek::detail::RuleAction.")]] = zeek::detail::RuleAction;
using RuleActionEvent [[deprecated("Remove in v4.1. Use zeek::detail::RuleActionEvent.")]] = zeek::detail::RuleActionEvent;
using RuleActionMIME [[deprecated("Remove in v4.1. Use zeek::detail::RuleActionMIME.")]] = zeek::detail::RuleActionMIME;
using RuleActionAnalyzer [[deprecated("Remove in v4.1. Use zeek::detail::RuleActionAnalyzer.")]] = zeek::detail::RuleActionAnalyzer;
using RuleActionEnable [[deprecated("Remove in v4.1. Use zeek::detail::RuleActionEnable.")]] = zeek::detail::RuleActionEnable;
using RuleActionDisable [[deprecated("Remove in v4.1. Use zeek::detail::RuleActionDisable.")]] = zeek::detail::RuleActionDisable;

6
src/RuleCondition.cc
View file

@ -20,6 +20,8 @@ static inline bool is_established(const analyzer::tcp::TCP_Endpoint* e)
e->state != analyzer::tcp::TCP_ENDPOINT_SYN_ACK_SENT;
}
namespace zeek::detail {
bool RuleConditionTCPState::DoMatch(Rule* rule, RuleEndpointState* state,
const u_char* data, int len)
{
@ -28,7 +30,7 @@ bool RuleConditionTCPState::DoMatch(Rule* rule, RuleEndpointState* state,
if ( ! root || ! root->IsAnalyzer("TCP") )
return false;
analyzer::tcp::TCP_Analyzer* ta = static_cast<analyzer::tcp::TCP_Analyzer*>(root);
::analyzer::tcp::TCP_Analyzer* ta = static_cast<::analyzer::tcp::TCP_Analyzer*>(root);
if ( tcpstates & STATE_STATELESS )
return true;
@ -196,3 +198,5 @@ void RuleConditionEval::PrintDebug()
{
fprintf(stderr, " RuleConditionEval: %s\n", id->Name());
}
} // namespace zeek::detail

16
src/RuleCondition.h
View file

@ -4,11 +4,12 @@
#include <sys/types.h> // for u_char
#include "util.h"
class Rule;
class RuleEndpointState;
ZEEK_FORWARD_DECLARE_NAMESPACED(RuleEndpointState, zeek::detail);
ZEEK_FORWARD_DECLARE_NAMESPACED(Rule, zeek::detail);
ZEEK_FORWARD_DECLARE_NAMESPACED(ID, zeek::detail);
namespace zeek::detail {
// Base class for all rule conditions except patterns and "header".
class RuleCondition {
public:
@ -115,3 +116,12 @@ public:
private:
zeek::detail::ID* id;
};
} // namespace zeek::detail
using RuleCondition [[deprecated("Remove in v4.1. Use zeek::detail::RuleCondition.")]] = zeek::detail::RuleCondition;
using RuleConditionTCPState [[deprecated("Remove in v4.1. Use zeek::detail::RuleConditionTCPState.")]] = zeek::detail::RuleConditionTCPState;
using RuleConditionIPOptions [[deprecated("Remove in v4.1. Use zeek::detail::RuleConditionIPOptions.")]] = zeek::detail::RuleConditionIPOptions;
using RuleConditionSameIP [[deprecated("Remove in v4.1. Use zeek::detail::RuleConditionSameIP.")]] = zeek::detail::RuleConditionSameIP;
using RuleConditionPayloadSize [[deprecated("Remove in v4.1. Use zeek::detail::RuleConditionPayloadSize.")]] = zeek::detail::RuleConditionPayloadSize;
using RuleConditionEval [[deprecated("Remove in v4.1. Use zeek::detail::RuleConditionEval.")]] = zeek::detail::RuleConditionEval;

10
src/RuleMatcher.cc
View file

@ -25,6 +25,8 @@
using namespace std;
namespace zeek::detail {
// FIXME: Things that are not fully implemented/working yet:
//
// - "ip-options" always evaluates to false
@ -183,7 +185,7 @@ void RuleHdrTest::PrintDebug()
RuleEndpointState::RuleEndpointState(zeek::analyzer::Analyzer* arg_analyzer, bool arg_is_orig,
RuleEndpointState* arg_opposite,
analyzer::pia::PIA* arg_PIA)
::analyzer::pia::PIA* arg_PIA)
{
payload_size = -1;
analyzer = arg_analyzer;
@ -739,7 +741,7 @@ RuleMatcher::MIME_Matches* RuleMatcher::Match(RuleFileMagicState* state,
RuleEndpointState* RuleMatcher::InitEndpoint(zeek::analyzer::Analyzer* analyzer,
const zeek::IP_Hdr* ip, int caplen,
RuleEndpointState* opposite,
bool from_orig, analyzer::pia::PIA* pia)
bool from_orig, ::analyzer::pia::PIA* pia)
{
RuleEndpointState* state =
new RuleEndpointState(analyzer, from_orig, opposite, pia);
@ -1418,7 +1420,7 @@ uint32_t id_to_uint(const char* id)
}
void RuleMatcherState::InitEndpointMatcher(zeek::analyzer::Analyzer* analyzer, const zeek::IP_Hdr* ip,
int caplen, bool from_orig, analyzer::pia::PIA* pia)
int caplen, bool from_orig, ::analyzer::pia::PIA* pia)
{
if ( ! rule_matcher )
return;
@ -1492,3 +1494,5 @@ void RuleMatcherState::ClearMatchState(bool orig)
else if ( resp_match_state )
rule_matcher->ClearEndpointState(resp_match_state);
}
} // namespace zeek::detail

37
src/RuleMatcher.h
View file

@ -19,7 +19,7 @@
extern void rules_error(const char* msg);
extern void rules_error(const char* msg, const char* addl);
extern void rules_error(Rule* id, const char* msg);
extern void rules_error(zeek::detail::Rule* id, const char* msg);
extern int rules_lex(void);
extern int rules_parse(void);
extern "C" int rules_wrap(void);
@ -31,9 +31,8 @@ class BroFile;
class IntSet;
class RE_Match_State;
class Specific_RE_Matcher;
class RuleMatcher;
extern RuleMatcher* rule_matcher;
ZEEK_FORWARD_DECLARE_NAMESPACED(RuleMatcher, zeek::detail);
ZEEK_FORWARD_DECLARE_NAMESPACED(IP_Hdr, zeek);
ZEEK_FORWARD_DECLARE_NAMESPACED(IPPrefix, zeek);
ZEEK_FORWARD_DECLARE_NAMESPACED(Val, zeek);
@ -43,6 +42,10 @@ namespace analyzer {
namespace pia { class PIA; }
}
namespace zeek::detail {
extern RuleMatcher* rule_matcher;
// RuleHdrTest and associated things:
// Given a header expression like "ip[offset:len] & mask = val", we parse
@ -151,7 +154,7 @@ public:
// Returns -1 if no chunk has been fed yet at all.
int PayloadSize() { return payload_size; }
analyzer::pia::PIA* PIA() const { return pia; }
::analyzer::pia::PIA* PIA() const { return pia; }
private:
friend class RuleMatcher;
@ -159,7 +162,7 @@ private:
// Constructor is private; use RuleMatcher::InitEndpoint()
// for creating an instance.
RuleEndpointState(zeek::analyzer::Analyzer* arg_analyzer, bool arg_is_orig,
RuleEndpointState* arg_opposite, analyzer::pia::PIA* arg_PIA);
RuleEndpointState* arg_opposite, ::analyzer::pia::PIA* arg_PIA);
struct Matcher {
RE_Match_State* state;
@ -170,7 +173,7 @@ private:
zeek::analyzer::Analyzer* analyzer;
RuleEndpointState* opposite;
analyzer::pia::PIA* pia;
::analyzer::pia::PIA* pia;
matcher_list matchers;
rule_hdr_test_list hdr_tests;
@ -252,7 +255,6 @@ public:
MIME_Matches* Match(RuleFileMagicState* state, const u_char* data,
uint64_t len, MIME_Matches* matches = nullptr) const;
/**
* Resets a state object used with matching file magic signatures.
* @param state The state object to reset to an initial condition.
@ -265,7 +267,7 @@ public:
// it needs to be given.
RuleEndpointState* InitEndpoint(zeek::analyzer::Analyzer* analyzer, const zeek::IP_Hdr* ip,
int caplen, RuleEndpointState* opposite, bool is_orig,
analyzer::pia::PIA* pia);
::analyzer::pia::PIA* pia);
// Finish matching for this stream.
void FinishEndpoint(RuleEndpointState* state);
@ -374,7 +376,7 @@ public:
// ip may be nil.
void InitEndpointMatcher(zeek::analyzer::Analyzer* analyzer, const zeek::IP_Hdr* ip,
int caplen, bool from_orig, analyzer::pia::PIA* pia = nullptr);
int caplen, bool from_orig, ::analyzer::pia::PIA* pia = nullptr);
// bol/eol should be set to false for type Rule::PAYLOAD; they're
// deduced automatically.
@ -391,3 +393,20 @@ private:
RuleEndpointState* orig_match_state;
RuleEndpointState* resp_match_state;
};
} // namespace zeek::detail
using Range [[deprecated("Remove in v4.1. Use zeek::detail::Range.")]] = zeek::detail::Range;
using MaskedValue [[deprecated("Remove in v4.1. Use zeek::detail::MaskedValue.")]] = zeek::detail::MaskedValue;
using RuleHdrTest [[deprecated("Remove in v4.1. Use zeek::detail::RuleHdrTest.")]] = zeek::detail::RuleHdrTest;
using RuleEndpointState [[deprecated("Remove in v4.1. Use zeek::detail::RuleEndpointState.")]] = zeek::detail::RuleEndpointState;
using RuleFileMagicState [[deprecated("Remove in v4.1. Use zeek::detail::RuleFileMagicState.")]] = zeek::detail::RuleFileMagicState;
using RuleMatcher [[deprecated("Remove in v4.1. Use zeek::detail::RuleMatcher.")]] = zeek::detail::RuleMatcher;
using RuleMatcherState [[deprecated("Remove in v4.1. Use zeek::detail::RuleMatcherState.")]] = zeek::detail::RuleMatcherState;
using maskedvalue_list [[deprecated("Remove in v4.1. Use zeek::detail::maskedvalue_list.")]] = zeek::detail::maskedvalue_list;
using string_list [[deprecated("Remove in v4.1. Use zeek::detail::string_list.")]] = zeek::detail::string_list;
using bstr_list [[deprecated("Remove in v4.1. Use zeek::detail::bstr_list.")]] = zeek::detail::bstr_list;
using rule_hdr_test_list [[deprecated("Remove in v4.1. Use zeek::detail::rule_hdr_test_list.")]] = zeek::detail::rule_hdr_test_list;
extern zeek::detail::RuleMatcher*& rule_matcher [[deprecated("Remove in v4.1. Use zeek::detail::rule_matcher.")]];

6
src/Stats.cc
View file

@ -168,10 +168,10 @@ void ProfileLogger::Log()
Reassembler::TotalMemoryAllocation() / 1024));
// Signature engine.
if ( expensive && rule_matcher )
if ( expensive && zeek::detail::rule_matcher )
{
RuleMatcher::Stats stats;
rule_matcher->GetStats(&stats);
zeek::detail::RuleMatcher::Stats stats;
zeek::detail::rule_matcher->GetStats(&stats);
file->Write(fmt("%06f RuleMatcher: matchers=%d nfa_states=%d dfa_states=%d "
"ncomputed=%d mem=%dK\n", network_time, stats.matchers,

8
src/analyzer/Analyzer.h
View file

@ -19,8 +19,8 @@
class BroFile;
using BroFilePtr = zeek::IntrusivePtr<BroFile>;
class Rule;
class Connection;
ZEEK_FORWARD_DECLARE_NAMESPACED(Rule, zeek::detail);
ZEEK_FORWARD_DECLARE_NAMESPACED(IP_Hdr, zeek);
namespace zeek {
@ -304,14 +304,14 @@ public:
* If this analyzer was activated by a signature match, this returns
* the signature that did so. Returns null otherwise.
*/
const Rule* Signature() const { return signature; }
const zeek::detail::Rule* Signature() const { return signature; }
/**
* Sets the signature that activated this analyzer, if any.
*
* @param sig The signature.
*/
void SetSignature(const Rule* sig) { signature = sig; }
void SetSignature(const zeek::detail::Rule* sig) { signature = sig; }
/**
* Signals the analyzer to skip all further input processsing. The \a
@ -732,7 +732,7 @@ private:
Connection* conn;
Analyzer* parent;
const Rule* signature;
const zeek::detail::Rule* signature;
OutputHandler* output_handler;
analyzer_list children;

2
src/analyzer/protocol/file/File.cc
View file

@ -72,7 +72,7 @@ void File_Analyzer::Done()
void File_Analyzer::Identify()
{
RuleMatcher::MIME_Matches matches;
zeek::detail::RuleMatcher::MIME_Matches matches;
file_mgr->DetectMIME(reinterpret_cast<const u_char*>(buffer), buffer_len,
&matches);
std::string match = matches.empty() ? "<unknown>"

2
src/analyzer/protocol/finger/Finger.cc
View file

@ -74,7 +74,7 @@ void Finger_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig
zeek::make_intrusive<zeek::StringVal>(end_of_line - host, host)
);
Conn()->Match(Rule::FINGER, (const u_char *) line,
Conn()->Match(zeek::detail::Rule::FINGER, (const u_char *) line,
end_of_line - line, true, true, true, true);
did_deliver = 1;

4
src/analyzer/protocol/ftp/FTP.cc
View file

@ -109,8 +109,8 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
"AUTH", cmd_len) == 0 )
auth_requested = std::string(line, end_of_line - line);
if ( rule_matcher )
Conn()->Match(Rule::FTP, (const u_char *) cmd,
if ( zeek::detail::rule_matcher )
Conn()->Match(zeek::detail::Rule::FTP, (const u_char *) cmd,
end_of_line - cmd, true, true, true, true);
}
else

12
src/analyzer/protocol/http/HTTP.cc
View file

@ -218,9 +218,9 @@ void HTTP_Entity::DeliverBodyClear(int len, const char* data, bool trailing_CRLF
if ( deliver_body )
MIME_Entity::Deliver(len, data, trailing_CRLF);
Rule::PatternType rule =
zeek::detail::Rule::PatternType rule =
http_message->IsOrig() ?
Rule::HTTP_REQUEST_BODY : Rule::HTTP_REPLY_BODY;
zeek::detail::Rule::HTTP_REQUEST_BODY : zeek::detail::Rule::HTTP_REPLY_BODY;
http_message->MyHTTP_Analyzer()->Conn()->
Match(rule, (const u_char*) data, len,
@ -1244,7 +1244,7 @@ int HTTP_Analyzer::HTTP_RequestLine(const char* line, const char* end_of_line)
request_method = zeek::make_intrusive<zeek::StringVal>(end_of_method - line, line);
Conn()->Match(Rule::HTTP_REQUEST,
Conn()->Match(zeek::detail::Rule::HTTP_REQUEST,
(const u_char*) unescaped_URI->AsString()->Bytes(),
unescaped_URI->AsString()->Len(), true, true, true, true);
@ -1618,9 +1618,9 @@ void HTTP_Analyzer::HTTP_Header(bool is_orig, mime::MIME_Header* h)
if ( http_header )
{
Rule::PatternType rule =
is_orig ? Rule::HTTP_REQUEST_HEADER :
Rule::HTTP_REPLY_HEADER;
zeek::detail::Rule::PatternType rule =
is_orig ? zeek::detail::Rule::HTTP_REQUEST_HEADER :
zeek::detail::Rule::HTTP_REPLY_HEADER;
zeek::data_chunk_t hd_name = h->get_name();
zeek::data_chunk_t hd_value = h->get_value();

6
src/analyzer/protocol/icmp/ICMP.cc
View file

@ -78,7 +78,7 @@ void ICMP_Analyzer::DeliverPacket(int len, const u_char* data,
Conn()->SetLastTime(current_timestamp);
if ( rule_matcher )
if ( zeek::detail::rule_matcher )
{
if ( ! matcher_state.MatcherInitialized(is_orig) )
matcher_state.InitEndpointMatcher(this, ip, len, is_orig, nullptr);
@ -113,8 +113,8 @@ void ICMP_Analyzer::DeliverPacket(int len, const u_char* data,
if ( caplen >= len )
ForwardPacket(len, data, is_orig, seq, ip, caplen);
if ( rule_matcher )
matcher_state.Match(Rule::PAYLOAD, data, len, is_orig,
if ( zeek::detail::rule_matcher )
matcher_state.Match(zeek::detail::Rule::PAYLOAD, data, len, is_orig,
false, false, true);
}

2
src/analyzer/protocol/icmp/ICMP.h
View file

@ -87,7 +87,7 @@ protected:
int code;
int request_len, reply_len;
RuleMatcherState matcher_state;
zeek::detail::RuleMatcherState matcher_state;
private:
void UpdateEndpointVal(const zeek::ValPtr& endp, bool is_orig);

16
src/analyzer/protocol/pia/PIA.cc
View file

@ -113,39 +113,39 @@ void PIA::PIA_DeliverPacket(int len, const u_char* data, bool is_orig, uint64_t
DoMatch(data, len, is_orig, true, false, false, ip);
if ( clear_state )
RuleMatcherState::ClearMatchState(is_orig);
zeek::detail::RuleMatcherState::ClearMatchState(is_orig);
pkt_buffer.state = new_state;
current_packet.data = nullptr;
}
void PIA::Match(Rule::PatternType type, const u_char* data, int len,
void PIA::Match(zeek::detail::Rule::PatternType type, const u_char* data, int len,
bool is_orig, bool bol, bool eol, bool clear_state)
{
if ( ! MatcherInitialized(is_orig) )
InitEndpointMatcher(AsAnalyzer(), nullptr, 0, is_orig, this);
RuleMatcherState::Match(type, data, len, is_orig, bol, eol, clear_state);
zeek::detail::RuleMatcherState::Match(type, data, len, is_orig, bol, eol, clear_state);
}
void PIA::DoMatch(const u_char* data, int len, bool is_orig, bool bol, bool eol,
bool clear_state, const zeek::IP_Hdr* ip)
{
if ( ! rule_matcher )
if ( ! zeek::detail::rule_matcher )
return;
if ( ! rule_matcher->HasNonFileMagicRule() )
if ( ! zeek::detail::rule_matcher->HasNonFileMagicRule() )
return;
if ( ! MatcherInitialized(is_orig) )
InitEndpointMatcher(AsAnalyzer(), ip, len, is_orig, this);
RuleMatcherState::Match(Rule::PAYLOAD, data, len, is_orig,
zeek::detail::RuleMatcherState::Match(zeek::detail::Rule::PAYLOAD, data, len, is_orig,
bol, eol, clear_state);
}
void PIA_UDP::ActivateAnalyzer(zeek::analyzer::Tag tag, const Rule* rule)
void PIA_UDP::ActivateAnalyzer(zeek::analyzer::Tag tag, const zeek::detail::Rule* rule)
{
if ( pkt_buffer.state == MATCHING_ONLY )
{
@ -292,7 +292,7 @@ void PIA_TCP::Undelivered(uint64_t seq, int len, bool is_orig)
// No check for buffer overrun here. I think that's ok.
}
void PIA_TCP::ActivateAnalyzer(zeek::analyzer::Tag tag, const Rule* rule)
void PIA_TCP::ActivateAnalyzer(zeek::analyzer::Tag tag, const zeek::detail::Rule* rule)
{
if ( stream_buffer.state == MATCHING_ONLY )
{

12
src/analyzer/protocol/pia/PIA.h
View file

@ -6,7 +6,7 @@
#include "analyzer/protocol/tcp/TCP.h"
#include "RuleMatcher.h"
class RuleEndpointState;
ZEEK_FORWARD_DECLARE_NAMESPACED(RuleEndpointState, zeek::detail);
namespace analyzer { namespace pia {
@ -17,7 +17,7 @@ namespace analyzer { namespace pia {
// also keeps the matching state. This is because (i) it needs to match
// itself, and (ii) in case of tunnel-decapsulation we may have multiple
// PIAs and then each needs its own matching-state.
class PIA : public RuleMatcherState {
class PIA : public zeek::detail::RuleMatcherState {
public:
explicit PIA(zeek::analyzer::Analyzer* as_analyzer);
virtual ~PIA();
@ -25,12 +25,12 @@ public:
// Called when PIA wants to put an Analyzer in charge. rule is the
// signature that triggered the activitation, if any.
virtual void ActivateAnalyzer(zeek::analyzer::Tag tag,
const Rule* rule = nullptr) = 0;
const zeek::detail::Rule* rule = nullptr) = 0;
// Called when PIA wants to remove an Analyzer.
virtual void DeactivateAnalyzer(zeek::analyzer::Tag tag) = 0;
void Match(Rule::PatternType type, const u_char* data, int len,
void Match(zeek::detail::Rule::PatternType type, const u_char* data, int len,
bool is_orig, bool bol, bool eol, bool clear_state);
void ReplayPacketBuffer(zeek::analyzer::Analyzer* analyzer);
@ -112,7 +112,7 @@ protected:
PIA_DeliverPacket(len, data, is_orig, seq, ip, caplen, true);
}
void ActivateAnalyzer(zeek::analyzer::Tag tag, const Rule* rule) override;
void ActivateAnalyzer(zeek::analyzer::Tag tag, const zeek::detail::Rule* rule) override;
void DeactivateAnalyzer(zeek::analyzer::Tag tag) override;
};
@ -161,7 +161,7 @@ protected:
void Undelivered(uint64_t seq, int len, bool is_orig) override;
void ActivateAnalyzer(zeek::analyzer::Tag tag,
const Rule* rule = nullptr) override;
const zeek::detail::Rule* rule = nullptr) override;
void DeactivateAnalyzer(zeek::analyzer::Tag tag) override;
private:

4
src/analyzer/protocol/tcp/TCP_Reassembler.cc
View file

@ -282,7 +282,7 @@ void TCP_Reassembler::Undelivered(uint64_t up_to_seq)
void TCP_Reassembler::MatchUndelivered(uint64_t up_to_seq, bool use_last_upper)
{
if ( block_list.Empty() || ! rule_matcher )
if ( block_list.Empty() || ! zeek::detail::rule_matcher )
return;
const auto& last_block = block_list.LastBlock();
@ -312,7 +312,7 @@ void TCP_Reassembler::MatchUndelivered(uint64_t up_to_seq, bool use_last_upper)
if ( b.upper > last_reassem_seq )
break;
tcp_analyzer->Conn()->Match(Rule::PAYLOAD, b.block, b.Size(),
tcp_analyzer->Conn()->Match(zeek::detail::Rule::PAYLOAD, b.block, b.Size(),
false, false, IsOrig(), false);
}
}

2
src/file_analysis/File.cc
View file

@ -333,7 +333,7 @@ void File::InferMetadata()
if ( ! FileEventAvailable(file_sniff) )
return;
RuleMatcher::MIME_Matches matches;
zeek::detail::RuleMatcher::MIME_Matches matches;
const u_char* data = bof_buffer_val->AsString()->Bytes();
uint64_t len = bof_buffer_val->AsString()->Len();
len = std::min(len, LookupFieldDefaultCount(bof_buffer_size_idx));

17
src/file_analysis/Manager.cc
View file

@ -47,7 +47,7 @@ void Manager::InitPostScript()
void Manager::InitMagic()
{
delete magic_state;
magic_state = rule_matcher->InitFileMagic();
magic_state = zeek::detail::rule_matcher->InitFileMagic();
}
void Manager::Terminate()
@ -495,20 +495,21 @@ Analyzer* Manager::InstantiateAnalyzer(const Tag& tag,
return a;
}
RuleMatcher::MIME_Matches* Manager::DetectMIME(const u_char* data, uint64_t len,
RuleMatcher::MIME_Matches* rval) const
zeek::detail::RuleMatcher::MIME_Matches* Manager::DetectMIME(
const u_char* data, uint64_t len,
zeek::detail::RuleMatcher::MIME_Matches* rval) const
{
if ( ! magic_state )
reporter->InternalError("file magic signature state not initialized");
rval = rule_matcher->Match(magic_state, data, len, rval);
rule_matcher->ClearFileMagicState(magic_state);
rval = zeek::detail::rule_matcher->Match(magic_state, data, len, rval);
zeek::detail::rule_matcher->ClearFileMagicState(magic_state);
return rval;
}
string Manager::DetectMIME(const u_char* data, uint64_t len) const
{
RuleMatcher::MIME_Matches matches;
zeek::detail::RuleMatcher::MIME_Matches matches;
DetectMIME(data, len, &matches);
if ( matches.empty() )
@ -517,13 +518,13 @@ string Manager::DetectMIME(const u_char* data, uint64_t len) const
return *(matches.begin()->second.begin());
}
zeek::VectorValPtr file_analysis::GenMIMEMatchesVal(const RuleMatcher::MIME_Matches& m)
zeek::VectorValPtr file_analysis::GenMIMEMatchesVal(const zeek::detail::RuleMatcher::MIME_Matches& m)
{
static auto mime_matches = zeek::id::find_type<zeek::VectorType>("mime_matches");
static auto mime_match = zeek::id::find_type<zeek::RecordType>("mime_match");
auto rval = zeek::make_intrusive<zeek::VectorVal>(mime_matches);
for ( RuleMatcher::MIME_Matches::const_iterator it = m.begin();
for ( zeek::detail::RuleMatcher::MIME_Matches::const_iterator it = m.begin();
it != m.end(); ++it )
{
auto element = zeek::make_intrusive<zeek::RecordVal>(mime_match);

9
src/file_analysis/Manager.h
View file

@ -326,8 +326,9 @@ public:
* @return Set of all matching file magic signatures, which may be
* an object allocated by the method if \a rval is a null pointer.
*/
RuleMatcher::MIME_Matches* DetectMIME(const u_char* data, uint64_t len,
RuleMatcher::MIME_Matches* rval) const;
zeek::detail::RuleMatcher::MIME_Matches* DetectMIME(
const u_char* data, uint64_t len,
zeek::detail::RuleMatcher::MIME_Matches* rval) const;
/**
* Returns the strongest MIME magic signature match for a given data chunk.
@ -421,7 +422,7 @@ private:
std::map<std::string, File*> id_map; /**< Map file ID to file_analysis::File records. */
std::set<std::string> ignored; /**< Ignored files. Will be finally removed on EOF. */
std::string current_file_id; /**< Hash of what get_file_handle event sets. */
RuleFileMagicState* magic_state; /**< File magic signature match state. */
zeek::detail::RuleFileMagicState* magic_state; /**< File magic signature match state. */
MIMEMap mime_types;/**< Mapping of MIME types to analyzers. */
inline static zeek::TableVal* disabled = nullptr; /**< Table of disabled analyzers. */
@ -435,7 +436,7 @@ private:
* Returns a script-layer value corresponding to the \c mime_matches type.
* @param m The MIME match information with which to populate the value.
*/
zeek::VectorValPtr GenMIMEMatchesVal(const RuleMatcher::MIME_Matches& m);
zeek::VectorValPtr GenMIMEMatchesVal(const zeek::detail::RuleMatcher::MIME_Matches& m);
} // namespace file_analysis

128
src/rule-parse.y
View file

@ -10,11 +10,13 @@
#include "IPAddr.h"
#include "net_util.h"
using namespace zeek::detail;
extern void begin_PS();
extern void end_PS();
Rule* current_rule = 0;
const char* current_rule_file = 0;
zeek::detail::Rule* current_rule = nullptr;
const char* current_rule_file = nullptr;
static uint8_t ip4_mask_to_len(uint32_t mask)
{
@ -78,26 +80,26 @@ static uint8_t ip4_mask_to_len(uint32_t mask)
%type <ptype> TOK_PATTERN_TYPE
%union {
Rule* rule;
RuleHdrTest* hdr_test;
maskedvalue_list* vallist;
zeek::detail::Rule* rule;
zeek::detail::RuleHdrTest* hdr_test;
zeek::detail::maskedvalue_list* vallist;
std::vector<zeek::IPPrefix>* prefix_val_list;
zeek::IPPrefix* prefixval;
bool bl;
int val;
char* str;
MaskedValue mval;
RuleHdrTest::Prot prot;
Range range;
Rule::PatternType ptype;
zeek::detail::MaskedValue mval;
zeek::detail::RuleHdrTest::Prot prot;
zeek::detail::Range range;
zeek::detail::Rule::PatternType ptype;
}
%%
rule_list:
rule_list rule
{ rule_matcher->AddRule($2); }
{ zeek::detail::rule_matcher->AddRule($2); }
|
;
@ -105,7 +107,7 @@ rule:
TOK_SIGNATURE TOK_IDENT
{
zeek::detail::Location l(current_rule_file, rules_line_number+1, 0, 0, 0);
current_rule = new Rule(yylval.str, l);
current_rule = new zeek::detail::Rule(yylval.str, l);
}
'{' rule_attr_list '}'
{ $$ = current_rule; }
@ -119,21 +121,21 @@ rule_attr_list:
rule_attr:
TOK_DST_IP TOK_COMP prefix_value_list
{
current_rule->AddHdrTest(new RuleHdrTest(
RuleHdrTest::IPDst,
(RuleHdrTest::Comp) $2, *($3)));
current_rule->AddHdrTest(new zeek::detail::RuleHdrTest(
zeek::detail::RuleHdrTest::IPDst,
(zeek::detail::RuleHdrTest::Comp) $2, *($3)));
}
| TOK_DST_PORT TOK_COMP value_list
{ // Works for both TCP and UDP
current_rule->AddHdrTest(new RuleHdrTest(
RuleHdrTest::TCP, 2, 2,
(RuleHdrTest::Comp) $2, $3));
current_rule->AddHdrTest(new zeek::detail::RuleHdrTest(
zeek::detail::RuleHdrTest::TCP, 2, 2,
(zeek::detail::RuleHdrTest::Comp) $2, $3));
}
| TOK_EVAL { begin_PS(); } TOK_POLICY_SYMBOL { end_PS(); }
{
current_rule->AddCondition(new RuleConditionEval($3));
current_rule->AddCondition(new zeek::detail::RuleConditionEval($3));
}
| TOK_HEADER hdr_expr
@ -142,29 +144,29 @@ rule_attr:
| TOK_IP_OPTIONS ipoption_list
{
current_rule->AddCondition(
new RuleConditionIPOptions($2));
new zeek::detail::RuleConditionIPOptions($2));
}
| TOK_IP_PROTO TOK_COMP TOK_PROT
{
int proto = 0;
switch ( $3 ) {
case RuleHdrTest::ICMP: proto = IPPROTO_ICMP; break;
case RuleHdrTest::ICMPv6: proto = IPPROTO_ICMPV6; break;
case zeek::detail::RuleHdrTest::ICMP: proto = IPPROTO_ICMP; break;
case zeek::detail::RuleHdrTest::ICMPv6: proto = IPPROTO_ICMPV6; break;
// signature matching against outer packet headers of IP-in-IP
// tunneling not supported, so do a no-op there
case RuleHdrTest::IP: proto = 0; break;
case RuleHdrTest::IPv6: proto = 0; break;
case RuleHdrTest::TCP: proto = IPPROTO_TCP; break;
case RuleHdrTest::UDP: proto = IPPROTO_UDP; break;
case zeek::detail::RuleHdrTest::IP: proto = 0; break;
case zeek::detail::RuleHdrTest::IPv6: proto = 0; break;
case zeek::detail::RuleHdrTest::TCP: proto = IPPROTO_TCP; break;
case zeek::detail::RuleHdrTest::UDP: proto = IPPROTO_UDP; break;
default:
rules_error("internal_error: unknown protocol");
}
if ( proto )
{
maskedvalue_list* vallist = new maskedvalue_list;
MaskedValue* val = new MaskedValue();
auto* vallist = new zeek::detail::maskedvalue_list;
auto* val = new zeek::detail::MaskedValue();
val->val = proto;
val->mask = 0xffffffff;
@ -172,9 +174,9 @@ rule_attr:
// offset & size params are dummies, actual next proto value in
// header is retrieved dynamically via IP_Hdr::NextProto()
current_rule->AddHdrTest(new RuleHdrTest(
RuleHdrTest::NEXT, 0, 0,
(RuleHdrTest::Comp) $2, vallist));
current_rule->AddHdrTest(new zeek::detail::RuleHdrTest(
zeek::detail::RuleHdrTest::NEXT, 0, 0,
(zeek::detail::RuleHdrTest::Comp) $2, vallist));
}
}
@ -182,22 +184,22 @@ rule_attr:
{
// offset & size params are dummies, actual next proto value in
// header is retrieved dynamically via IP_Hdr::NextProto()
current_rule->AddHdrTest(new RuleHdrTest(
RuleHdrTest::NEXT, 0, 0,
(RuleHdrTest::Comp) $2, $3));
current_rule->AddHdrTest(new zeek::detail::RuleHdrTest(
zeek::detail::RuleHdrTest::NEXT, 0, 0,
(zeek::detail::RuleHdrTest::Comp) $2, $3));
}
| TOK_EVENT string
{ current_rule->AddAction(new RuleActionEvent($2)); }
{ current_rule->AddAction(new zeek::detail::RuleActionEvent($2)); }
| TOK_MIME string opt_strength
{ current_rule->AddAction(new RuleActionMIME($2, $3)); }
{ current_rule->AddAction(new zeek::detail::RuleActionMIME($2, $3)); }
| TOK_ENABLE TOK_STRING
{ current_rule->AddAction(new RuleActionEnable($2)); }
{ current_rule->AddAction(new zeek::detail::RuleActionEnable($2)); }
| TOK_DISABLE TOK_STRING
{ current_rule->AddAction(new RuleActionDisable($2)); }
{ current_rule->AddAction(new zeek::detail::RuleActionDisable($2)); }
| TOK_PATTERN_TYPE pattern
{ current_rule->AddPattern($2, $1); }
@ -212,7 +214,7 @@ rule_attr:
| TOK_PAYLOAD_SIZE TOK_COMP integer
{
current_rule->AddCondition(
new RuleConditionPayloadSize($3, (RuleConditionPayloadSize::Comp) ($2)));
new zeek::detail::RuleConditionPayloadSize($3, (zeek::detail::RuleConditionPayloadSize::Comp) ($2)));
}
| TOK_REQUIRES_SIGNATURE TOK_IDENT
@ -228,25 +230,25 @@ rule_attr:
{ current_rule->AddRequires($3, 1, 1); }
| TOK_SAME_IP
{ current_rule->AddCondition(new RuleConditionSameIP()); }
{ current_rule->AddCondition(new zeek::detail::RuleConditionSameIP()); }
| TOK_SRC_IP TOK_COMP prefix_value_list
{
current_rule->AddHdrTest(new RuleHdrTest(
RuleHdrTest::IPSrc,
(RuleHdrTest::Comp) $2, *($3)));
current_rule->AddHdrTest(new zeek::detail::RuleHdrTest(
zeek::detail::RuleHdrTest::IPSrc,
(zeek::detail::RuleHdrTest::Comp) $2, *($3)));
}
| TOK_SRC_PORT TOK_COMP value_list
{ // Works for both TCP and UDP
current_rule->AddHdrTest(new RuleHdrTest(
RuleHdrTest::TCP, 0, 2,
(RuleHdrTest::Comp) $2, $3));
current_rule->AddHdrTest(new zeek::detail::RuleHdrTest(
zeek::detail::RuleHdrTest::TCP, 0, 2,
(zeek::detail::RuleHdrTest::Comp) $2, $3));
}
| TOK_TCP_STATE tcpstate_list
{
current_rule->AddCondition(new RuleConditionTCPState($2));
current_rule->AddCondition(new zeek::detail::RuleConditionTCPState($2));
}
| TOK_ACTIVE TOK_BOOL
@ -256,33 +258,33 @@ rule_attr:
hdr_expr:
TOK_PROT '[' range ']' '&' integer TOK_COMP value
{
maskedvalue_list* vallist = new maskedvalue_list;
MaskedValue* val = new MaskedValue();
auto* vallist = new zeek::detail::maskedvalue_list;
auto* val = new zeek::detail::MaskedValue();
val->val = $8.val;
val->mask = $6;
vallist->push_back(val);
$$ = new RuleHdrTest($1, $3.offset, $3.len,
(RuleHdrTest::Comp) $7, vallist);
$$ = new zeek::detail::RuleHdrTest($1, $3.offset, $3.len,
(zeek::detail::RuleHdrTest::Comp) $7, vallist);
}
| TOK_PROT '[' range ']' TOK_COMP value_list
{
$$ = new RuleHdrTest($1, $3.offset, $3.len,
(RuleHdrTest::Comp) $5, $6);
$$ = new zeek::detail::RuleHdrTest($1, $3.offset, $3.len,
(zeek::detail::RuleHdrTest::Comp) $5, $6);
}
;
value_list:
value_list ',' value
{ $1->push_back(new MaskedValue($3)); $$ = $1; }
{ $1->push_back(new zeek::detail::MaskedValue($3)); $$ = $1; }
| value_list ',' ranged_value
{
int numVals = $3->length();
for ( int idx = 0; idx < numVals; idx++ )
{
MaskedValue* val = (*$3)[idx];
zeek::detail::MaskedValue* val = (*$3)[idx];
$1->push_back(val);
}
$$ = $1;
@ -291,8 +293,8 @@ value_list:
{ id_to_maskedvallist($3, $1); $$ = $1; }
| value
{
$$ = new maskedvalue_list();
$$->push_back(new MaskedValue($1));
$$ = new zeek::detail::maskedvalue_list();
$$->push_back(new zeek::detail::MaskedValue($1));
}
| ranged_value
{
@ -300,7 +302,7 @@ value_list:
}
| TOK_IDENT
{
$$ = new maskedvalue_list();
$$ = new zeek::detail::maskedvalue_list();
id_to_maskedvallist($1, $$);
}
;
@ -340,10 +342,10 @@ prefix_value:
ranged_value:
TOK_INT '-' TOK_INT
{
$$ = new maskedvalue_list();
$$ = new zeek::detail::maskedvalue_list();
for ( int val = $1; val <= $3; val++ )
{
MaskedValue* masked = new MaskedValue();
auto* masked = new zeek::detail::MaskedValue();
masked->val = val;
masked->mask = 0xffffffff;
$$->push_back(masked);
@ -428,22 +430,22 @@ void rules_error(const char* msg)
{
reporter->Error("Error in signature (%s:%d): %s\n",
current_rule_file, rules_line_number+1, msg);
rule_matcher->SetParseError();
zeek::detail::rule_matcher->SetParseError();
}
void rules_error(const char* msg, const char* addl)
{
reporter->Error("Error in signature (%s:%d): %s (%s)\n",
current_rule_file, rules_line_number+1, msg, addl);
rule_matcher->SetParseError();
zeek::detail::rule_matcher->SetParseError();
}
void rules_error(Rule* r, const char* msg)
void rules_error(zeek::detail::Rule* r, const char* msg)
{
const zeek::detail::Location& l = r->GetLocation();
reporter->Error("Error in signature %s (%s:%d): %s\n",
r->ID(), l.filename, l.first_line, msg);
rule_matcher->SetParseError();
zeek::detail::rule_matcher->SetParseError();
}
int rules_wrap(void)

65
src/rule-scan.l
View file

@ -12,6 +12,7 @@
#include "rule-parse.h"
int rules_line_number = 0;
%}
%x PS
@ -55,61 +56,61 @@ PID {PIDCOMPONENT}(::{PIDCOMPONENT})*
[!\]\[{}&:,-] return rules_text[0];
"<=" { rules_lval.val = RuleHdrTest::LE; return TOK_COMP; }
">=" { rules_lval.val = RuleHdrTest::GE; return TOK_COMP; }
"<" { rules_lval.val = RuleHdrTest::LT; return TOK_COMP; }
">" { rules_lval.val = RuleHdrTest::GT; return TOK_COMP; }
"=" { rules_lval.val = RuleHdrTest::EQ; return TOK_COMP; }
"==" { rules_lval.val = RuleHdrTest::EQ; return TOK_COMP; }
"!=" { rules_lval.val = RuleHdrTest::NE; return TOK_COMP; }
"<=" { rules_lval.val = zeek::detail::RuleHdrTest::LE; return TOK_COMP; }
">=" { rules_lval.val = zeek::detail::RuleHdrTest::GE; return TOK_COMP; }
"<" { rules_lval.val = zeek::detail::RuleHdrTest::LT; return TOK_COMP; }
">" { rules_lval.val = zeek::detail::RuleHdrTest::GT; return TOK_COMP; }
"=" { rules_lval.val = zeek::detail::RuleHdrTest::EQ; return TOK_COMP; }
"==" { rules_lval.val = zeek::detail::RuleHdrTest::EQ; return TOK_COMP; }
"!=" { rules_lval.val = zeek::detail::RuleHdrTest::NE; return TOK_COMP; }
ip { rules_lval.val = RuleHdrTest::IP; return TOK_PROT; }
ip6 { rules_lval.val = RuleHdrTest::IPv6; return TOK_PROT; }
icmp { rules_lval.val = RuleHdrTest::ICMP; return TOK_PROT; }
icmp6 { rules_lval.val = RuleHdrTest::ICMPv6; return TOK_PROT; }
tcp { rules_lval.val = RuleHdrTest::TCP; return TOK_PROT; }
udp { rules_lval.val = RuleHdrTest::UDP; return TOK_PROT; }
ip { rules_lval.val = zeek::detail::RuleHdrTest::IP; return TOK_PROT; }
ip6 { rules_lval.val = zeek::detail::RuleHdrTest::IPv6; return TOK_PROT; }
icmp { rules_lval.val = zeek::detail::RuleHdrTest::ICMP; return TOK_PROT; }
icmp6 { rules_lval.val = zeek::detail::RuleHdrTest::ICMPv6; return TOK_PROT; }
tcp { rules_lval.val = zeek::detail::RuleHdrTest::TCP; return TOK_PROT; }
udp { rules_lval.val = zeek::detail::RuleHdrTest::UDP; return TOK_PROT; }
true { rules_lval.val = true; return TOK_BOOL; }
false { rules_lval.val = false; return TOK_BOOL; }
established {
rules_lval.val = RuleConditionTCPState::STATE_ESTABLISHED;
rules_lval.val = zeek::detail::RuleConditionTCPState::STATE_ESTABLISHED;
return TOK_TCP_STATE_SYM;
}
originator {
rules_lval.val = RuleConditionTCPState::STATE_ORIG;
rules_lval.val = zeek::detail::RuleConditionTCPState::STATE_ORIG;
return TOK_TCP_STATE_SYM;
}
responder {
rules_lval.val = RuleConditionTCPState::STATE_RESP;
rules_lval.val = zeek::detail::RuleConditionTCPState::STATE_RESP;
return TOK_TCP_STATE_SYM;
}
stateless {
rules_lval.val = RuleConditionTCPState::STATE_STATELESS;
rules_lval.val = zeek::detail::RuleConditionTCPState::STATE_STATELESS;
return TOK_TCP_STATE_SYM;
}
lsrr {
rules_lval.val = RuleConditionIPOptions::OPT_LSRR;
rules_lval.val = zeek::detail::RuleConditionIPOptions::OPT_LSRR;
return TOK_IP_OPTION_SYM;
}
lsrre {
rules_lval.val = RuleConditionIPOptions::OPT_LSRRE;
rules_lval.val = zeek::detail::RuleConditionIPOptions::OPT_LSRRE;
return TOK_IP_OPTION_SYM;
}
rr {
rules_lval.val = RuleConditionIPOptions::OPT_RR;
rules_lval.val = zeek::detail::RuleConditionIPOptions::OPT_RR;
return TOK_IP_OPTION_SYM;
}
ssrr {
rules_lval.val = RuleConditionIPOptions::OPT_SSRR;
rules_lval.val = zeek::detail::RuleConditionIPOptions::OPT_SSRR;
return TOK_IP_OPTION_SYM;
}
@ -133,18 +134,18 @@ src-port return TOK_SRC_PORT;
tcp-state return TOK_TCP_STATE;
active return TOK_ACTIVE;
file-magic { rules_lval.val = Rule::FILE_MAGIC; return TOK_PATTERN_TYPE; }
payload { rules_lval.val = Rule::PAYLOAD; return TOK_PATTERN_TYPE; }
http-request { rules_lval.val = Rule::HTTP_REQUEST; return TOK_PATTERN_TYPE; }
http-request-body { rules_lval.val = Rule::HTTP_REQUEST_BODY; return TOK_PATTERN_TYPE; }
http-reply-body { rules_lval.val = Rule::HTTP_REPLY_BODY; return TOK_PATTERN_TYPE; }
http-body { rules_lval.val = Rule::HTTP_REPLY_BODY; return TOK_PATTERN_TYPE; }
http-request-header { rules_lval.val = Rule::HTTP_REQUEST_HEADER; return TOK_PATTERN_TYPE; }
http-reply-header { rules_lval.val = Rule::HTTP_REPLY_HEADER; return TOK_PATTERN_TYPE; }
http { rules_lval.val = Rule::HTTP_REQUEST; return TOK_PATTERN_TYPE; }
file-magic { rules_lval.val = zeek::detail::Rule::FILE_MAGIC; return TOK_PATTERN_TYPE; }
payload { rules_lval.val = zeek::detail::Rule::PAYLOAD; return TOK_PATTERN_TYPE; }
http-request { rules_lval.val = zeek::detail::Rule::HTTP_REQUEST; return TOK_PATTERN_TYPE; }
http-request-body { rules_lval.val = zeek::detail::Rule::HTTP_REQUEST_BODY; return TOK_PATTERN_TYPE; }
http-reply-body { rules_lval.val = zeek::detail::Rule::HTTP_REPLY_BODY; return TOK_PATTERN_TYPE; }
http-body { rules_lval.val = zeek::detail::Rule::HTTP_REPLY_BODY; return TOK_PATTERN_TYPE; }
http-request-header { rules_lval.val = zeek::detail::Rule::HTTP_REQUEST_HEADER; return TOK_PATTERN_TYPE; }
http-reply-header { rules_lval.val = zeek::detail::Rule::HTTP_REPLY_HEADER; return TOK_PATTERN_TYPE; }
http { rules_lval.val = zeek::detail::Rule::HTTP_REQUEST; return TOK_PATTERN_TYPE; }
ftp { rules_lval.val = Rule::FTP; return TOK_PATTERN_TYPE; }
finger { rules_lval.val = Rule::FINGER; return TOK_PATTERN_TYPE; }
ftp { rules_lval.val = zeek::detail::Rule::FTP; return TOK_PATTERN_TYPE; }
finger { rules_lval.val = zeek::detail::Rule::FINGER; return TOK_PATTERN_TYPE; }
{D}("."{D}){3}{OWS}"/"{OWS}{D} {
char* s = strchr(yytext, '/');

6
src/stats.bif
View file

@ -397,10 +397,10 @@ function get_matcher_stats%(%): MatcherStats
auto r = zeek::make_intrusive<zeek::RecordVal>(MatcherStats);
int n = 0;
RuleMatcher::Stats s;
zeek::detail::RuleMatcher::Stats s;
memset(&s, 0, sizeof(s));
if ( rule_matcher )
rule_matcher->GetStats(&s);
if ( zeek::detail::rule_matcher )
zeek::detail::rule_matcher->GetStats(&s);
r->Assign(n++, zeek::val_mgr->Count(s.matchers));
r->Assign(n++, zeek::val_mgr->Count(s.nfa_states));

6
src/zeek-setup.cc
View file

@ -93,6 +93,9 @@ zeek::analyzer::Manager*& analyzer_mgr = zeek::analyzer_mgr;
zeek::plugin::Manager* zeek::plugin_mgr = nullptr;
zeek::plugin::Manager*& plugin_mgr = zeek::plugin_mgr;
zeek::detail::RuleMatcher* zeek::detail::rule_matcher = nullptr;
zeek::detail::RuleMatcher*& rule_matcher = zeek::detail::rule_matcher;
DNS_Mgr* dns_mgr;
TimerMgr* timer_mgr;
@ -108,7 +111,6 @@ zeek::detail::trigger::Manager* trigger_mgr = nullptr;
std::vector<std::string> zeek_script_prefixes;
zeek::detail::Stmt* stmts;
RuleMatcher* rule_matcher = nullptr;
EventRegistry* event_registry = nullptr;
ProfileLogger* profiling_logger = nullptr;
ProfileLogger* segment_logger = nullptr;
@ -336,7 +338,7 @@ void zeek_terminate_loop(const char* reason)
// might write to connection content files.
BroFile::CloseOpenFiles();
delete rule_matcher;
delete zeek::detail::rule_matcher;
exit(0);
}

10
src/zeek.bif
View file

@ -998,7 +998,7 @@ function identify_data%(data: string, return_mime: bool &default=T%): string
## .. zeek:see:: identify_data
function file_magic%(data: string%): mime_matches
%{
RuleMatcher::MIME_Matches matches;
zeek::detail::RuleMatcher::MIME_Matches matches;
file_mgr->DetectMIME(data->Bytes(), data->Len(), &matches);
return file_analysis::GenMIMEMatchesVal(matches);
%}
@ -2092,8 +2092,8 @@ function is_local_interface%(ip: addr%) : bool
## .. zeek:see:: get_matcher_stats
function dump_rule_stats%(f: file%): bool
%{
if ( rule_matcher )
rule_matcher->DumpStats(f);
if ( zeek::detail::rule_matcher )
zeek::detail::rule_matcher->DumpStats(f);
return zeek::val_mgr->True();
%}
@ -5032,10 +5032,10 @@ function match_signatures%(c: connection, pattern_type: int, s: string,
bol: bool, eol: bool,
from_orig: bool, clear: bool%) : bool
%{
if ( ! rule_matcher )
if ( ! zeek::detail::rule_matcher )
return zeek::val_mgr->False();
c->Match((Rule::PatternType) pattern_type, s->Bytes(), s->Len(),
c->Match((zeek::detail::Rule::PatternType) pattern_type, s->Bytes(), s->Len(),
from_orig, bol, eol, clear);
return zeek::val_mgr->True();