Merge remote-tracking branch 'origin/topic/awelzel/get-file-handle-fallback-and-no-new-event-when-fuzzing'

* origin/topic/awelzel/get-file-handle-fallback-and-no-new-event-when-fuzzing:
  krb/smb2_krb_nokeytab: Register get_file_handle() to avoid warnings
  fuzzer-setup: Do not always generate new_event
  EventHandler: Support unsetting generate_always
  files/main: No empty file_ids
Tim Wojtulewicz 2023-02-06 11:13:08 -07:00
commit 3baf222376
7 changed files with 73 additions and 8 deletions

26
CHANGES

@ -1,3 +1,29 @@
6.0.0-dev.11 | 2023-02-06 11:13:08 -0700
* krb/smb2_krb_nokeytab: Register get_file_handle() to avoid warnings (Arne Welzel, Corelight)
Now that the common event handler logs a warning, ensure there's one
in place, even if it's just returning stub data.
* fuzzer-setup: Do not always generate new_event (Arne Welzel, Corelight)
new_event should never be used on production systems, so don't turn
it on for fuzzing either as it showed up as bottlenecks in flamegraphs.
* EventHandler: Support unsetting generate_always (Arne Welzel, Corelight)
* files/main: No empty file_ids (Arne Welzel, Corelight)
When an analyzer calls DataIn(), there's a costly callback construct
going through the event queue. If an analyzer does not have a
get_file_handle() handler installed, the produced file_id would
end up empty and ignored. Consequently, the get_file_handle() callback
was invoked for every new DataIn() invocations.
This is surprising and costly. Log a warning when this happens and
instead set a generically generated file handle value instead to
prevent the repeated get_file_handle() invocations.
6.0.0-dev.6 | 2023-02-06 10:33:24 -0700 6.0.0-dev.6 | 2023-02-06 10:33:24 -0700
* CI: Fix the ThreadSanitizer build (Tim Wojtulewicz, Corelight) * CI: Fix the ThreadSanitizer build (Tim Wojtulewicz, Corelight)

7
NEWS

@ -6,6 +6,13 @@ release. For an exhaustive list of changes, see the ``CHANGES`` file
Zeek 6.0.0 Zeek 6.0.0
========== ==========
Changed Functionality
---------------------
- When ``get_file_handle()`` is invoked for an analyzer that did not register
an appropriate callback function, log a warning and return a generic handle
value based on the analyzer and connection information.
Zeek 5.2.0 Zeek 5.2.0
========== ==========


@ -1 +1 @@
6.0.0-dev.6 6.0.0-dev.11


@ -513,7 +513,11 @@ function describe(f: fa_file): string
event get_file_handle(tag: Files::Tag, c: connection, is_orig: bool) &priority=5 event get_file_handle(tag: Files::Tag, c: connection, is_orig: bool) &priority=5
{ {
if ( tag !in registered_protocols ) if ( tag !in registered_protocols )
{
Reporter::warning(fmt("get_file_handle() invoked for %s", tag));
set_file_handle(fmt("%s-fallback-%s-%s-%s", tag, c$uid, is_orig, network_time()));
return; return;
}
local handler = registered_protocols[tag]; local handler = registered_protocols[tag];
set_file_handle(handler$get_file_handle(c, is_orig)); set_file_handle(handler$get_file_handle(c, is_orig));
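Review bot: The fallback branch calls `Reporter::warning` on every invocation that reaches it, and because the handle embeds `network_time()` every call yields a fresh handle, so a protocol analyzer with no registered handler on a busy sensor presumably produces one warning per file it hands to the framework and can fill reporter.log; consider warning once per tag (tracking seen tags in a set) or documenting that the volume is intended as a nudge to register a handler. The message also does not name the cause: `Reporter::warning(fmt("get_file_handle() invoked for %s without a registered handler; using fallback handle", tag));` would point operators at the missing Files::register_protocol() call. The event body's closing brace is outside the hunk.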


@ -49,7 +49,10 @@ public:
// Flags the event as interesting even if there is no body defined. In // Flags the event as interesting even if there is no body defined. In
// particular, this will then still pass the event on to plugins. // particular, this will then still pass the event on to plugins.
void SetGenerateAlways() { generate_always = true; } void SetGenerateAlways(bool arg_generate_always = true)
{
generate_always = arg_generate_always;
}
bool GenerateAlways() const { return generate_always; } bool GenerateAlways() const { return generate_always; }
uint64_t CallCount() const { return call_count; } uint64_t CallCount() const { return call_count; }
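Review bot: The comment above `SetGenerateAlways` still describes only the setting case, while the new `bool arg_generate_always = true` parameter also allows clearing the flag; extend it with `// Pass false to clear the flag again, e.g. for events that are normally always generated but not wanted in a given build.` so callers passing `false` are not surprised. The enclosing class begins outside the hunk.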


@ -47,6 +47,7 @@ extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv)
// even if they don't, because otherwise we lose a bit of coverage where if // even if they don't, because otherwise we lose a bit of coverage where if
// statements return false that would otherwise not. // statements return false that would otherwise not.
zeek::event_registry->ActivateAllHandlers(); zeek::event_registry->ActivateAllHandlers();
zeek::event_registry->Lookup("new_event")->SetGenerateAlways(false);
return 0; return 0;
} }
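Review bot: `Lookup("new_event")` on the new line is dereferenced without a null check; if that event name is not registered in the fuzzer's script set, Lookup presumably returns nullptr and initialization crashes before any input is processed. A guard keeps setup robust: `if ( auto* eh = zeek::event_registry->Lookup("new_event") ) eh->SetGenerateAlways(false);`. The comment above explains why all handlers are activated but not why new_event is excluded; `// new_event is never enabled in production and its per-event callback skews fuzzing throughput, so leave it off` would carry the commit message's reasoning into the code. The enclosing function's body begins outside the hunk.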


@ -8,13 +8,37 @@
# @TEST-EXEC: btest-diff .stdout # @TEST-EXEC: btest-diff .stdout
# @TEST-EXEC: btest-diff .stderr # @TEST-EXEC: btest-diff .stderr
module SMB;
export {
global get_file_handle: function(c: connection, is_orig: bool): string;
global describe_file: function(f: fa_file): string;
}
global monitor_ports: set[port] = { 445/tcp, 139/tcp } &redef; global monitor_ports: set[port] = { 445/tcp, 139/tcp } &redef;
event zeek_init() &priority=5{
# Stubs for testing so that we don't produce a warning due
# to missing get_file_handle() handlers for SMB.
function get_file_handle(c: connection, is_orig: bool): string
{
return cat(c$uid);
}
function describe_file(f: fa_file): string
{
return "";
}
event zeek_init() &priority=5
{
Analyzer::register_for_ports(Analyzer::ANALYZER_SMB, monitor_ports); Analyzer::register_for_ports(Analyzer::ANALYZER_SMB, monitor_ports);
} Files::register_protocol(Analyzer::ANALYZER_SMB,
[$get_file_handle = SMB::get_file_handle,
event krb_ap_request(c: connection, ticket: KRB::Ticket, opts: KRB::AP_Options){ $describe = SMB::describe_file]);
print ticket?$authenticationinfo; }
}
event krb_ap_request(c: connection, ticket: KRB::Ticket, opts: KRB::AP_Options)
{
print ticket?$authenticationinfo;
}
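Review bot: The stub `get_file_handle` returns `cat(c$uid)` and ignores `is_orig`, so data from both directions of a connection maps to the same file handle; for a warning-suppression stub that may be intended, but a comment saying so (or `return cat(c$uid, is_orig);`) would make the choice explicit. The test also declares `module SMB;` and exports `SMB::get_file_handle` and `SMB::describe_file`; if it is run with the base SMB scripts loaded rather than in bare mode, these names presumably collide with the real SMB module's definitions, so confirm the test's invocation or pick a test-specific module name.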