diff --git a/scripts/base/frameworks/analyzer/main.zeek b/scripts/base/frameworks/analyzer/main.zeek index e56833fa75..20c4bcad10 100644 --- a/scripts/base/frameworks/analyzer/main.zeek +++ b/scripts/base/frameworks/analyzer/main.zeek @@ -133,12 +133,16 @@ export { global disabled_analyzers: set[Analyzer::Tag] = { ANALYZER_TCPSTATS, } &redef; + + ## A table of ports mapped to analyzers that handle those ports. This is + ## used by BPF filtering and DPD. Session analyzers can add to this using + ## Analyzer::register_for_port(s) and packet analyzers can add to this + ## using PacketAnalyzer::register_for_port(s). + global ports: table[AllAnalyzers::Tag] of set[port]; } @load base/bif/analyzer.bif -global ports: table[AllAnalyzers::Tag] of set[port]; - event zeek_init() &priority=5 { if ( disable_all ) @@ -158,7 +162,7 @@ function disable_analyzer(tag: Analyzer::Tag) : bool return __disable_analyzer(tag); } -function register_for_ports(tag: AllAnalyzers::Tag, ports: set[port]) : bool +function register_for_ports(tag: Analyzer::Tag, ports: set[port]) : bool { local rc = T; @@ -171,7 +175,7 @@ function register_for_ports(tag: AllAnalyzers::Tag, ports: set[port]) : bool return rc; } -function register_for_port(tag: AllAnalyzers::Tag, p: port) : bool +function register_for_port(tag: Analyzer::Tag, p: port) : bool { if ( ! __register_for_port(tag, p) ) return F; diff --git a/scripts/base/packet-protocols/__load__.zeek b/scripts/base/packet-protocols/__load__.zeek index 3a4d9209cb..15cdb63131 100644 --- a/scripts/base/packet-protocols/__load__.zeek +++ b/scripts/base/packet-protocols/__load__.zeek @@ -1,3 +1,5 @@ +@load ./main.zeek + @load base/packet-protocols/root @load base/packet-protocols/ip @load base/packet-protocols/skip diff --git a/scripts/base/packet-protocols/main.zeek b/scripts/base/packet-protocols/main.zeek new file mode 100644 index 0000000000..e696da2556 --- /dev/null +++ b/scripts/base/packet-protocols/main.zeek 
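Review bot: Moving `ports` into the `export` block in the first hunk of scripts/base/frameworks/analyzer/main.zeek makes `Analyzer::ports` writable from any script, and the new doc comment does not say whether direct writes are supported. Because the comment states that the table feeds BPF filtering and DPD, an entry added or deleted outside the register functions could leave the capture filter out of step with what is actually registered. I would add a line to the comment such as `## Treat this table as read-only; modify it only through the register_for_port(s) functions.` The table is indexed by `AllAnalyzers::Tag`, while the second and third hunks narrow `register_for_port(s)` to `Analyzer::Tag`; their bodies continue outside the hunks, so the indexing there should be checked against the new parameter type.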
@@ -0,0 +1,61 @@
+module PacketAnalyzer;
+
+@load base/frameworks/analyzer/main.zeek
+
+export {
+ ## Registers a set of well-known ports for an analyzer. If a future
+ ## connection on one of these ports is seen, the analyzer will be
+ ## automatically assigned to parsing it. The function *adds* to all ports
+ ## already registered, it doesn't replace them.
+ ##
+ ## tag: The tag of the analyzer.
+ ##
+ ## ports: The set of well-known ports to associate with the analyzer.
+ ##
+ ## Returns: True if the ports were successfully registered.
+ global register_for_ports: function(parent: PacketAnalyzer::Tag,
+ child: PacketAnalyzer::Tag,
+ ports: set[port]) : bool;
+
+ ## Registers an individual well-known port for an analyzer. If a future
+ ## connection on this port is seen, the analyzer will be automatically
+ ## assigned to parsing it. The function *adds* to all ports already
+ ## registered, it doesn't replace them.
+ ##
+ ## tag: The tag of the analyzer.
+ ##
+ ## p: The well-known port to associate with the analyzer.
+ ##
+ ## Returns: True if the port was successfully registered.
+ global register_for_port: function(parent: PacketAnalyzer::Tag,
+ child: PacketAnalyzer::Tag,
+ p: port) : bool;
+}
+
+function register_for_ports(parent: PacketAnalyzer::Tag,
+ child: PacketAnalyzer::Tag,
+ ports: set[port]) : bool
+ {
+ local rc = T;
+
+ for ( p in ports )
+ {
+ if ( ! register_for_port(parent, child, p) )
+ rc = F;
+ }
+
+ return rc;
+ }
+
+function register_for_port(parent: PacketAnalyzer::Tag,
+ child: PacketAnalyzer::Tag,
+ p: port) : bool
+ {
+ register_packet_analyzer(parent, port_to_count(p), child);
+
+ if ( child !in Analyzer::ports )
+ Analyzer::ports[child] = set();
+
+ add Analyzer::ports[child][p];
+ return T;
+ }
diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
index 59555f5f80..8e3c6968ad 100644
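Review bot: `register_for_port` discards the result of `register_packet_analyzer` and always returns `T`, so the documented "Returns: True if the port was successfully registered" can never report a failure and the `rc = F` branch in `register_for_ports` is unreachable. The port is also added to `Analyzer::ports` unconditionally, so a registration the core rejected would still appear in the table that the analyzer framework documents as feeding BPF filtering and DPD. If `register_packet_analyzer` returns a bool (its declaration is not visible in this diff), I would guard on it before touching the table: `if ( ! register_packet_analyzer(parent, port_to_count(p), child) ) return F;`. Both doc comments still describe a single `tag:` parameter copied from the session-analyzer API; they should document `parent:` and `child:` instead. They should also mention that `port_to_count(p)` drops the transport protocol for the dispatcher lookup while the table entry keeps it.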
--- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log @@ -23,6 +23,10 @@ scripts/base/init-bare.zeek build/scripts/base/bif/plugins/Zeek_KRB.types.bif.zeek build/scripts/base/bif/event.bif.zeek scripts/base/packet-protocols/__load__.zeek + scripts/base/packet-protocols/main.zeek + scripts/base/frameworks/analyzer/main.zeek + scripts/base/frameworks/packet-filter/utils.zeek + build/scripts/base/bif/analyzer.bif.zeek scripts/base/packet-protocols/root/__load__.zeek scripts/base/packet-protocols/root/main.zeek scripts/base/packet-protocols/ip/__load__.zeek @@ -94,9 +98,6 @@ scripts/base/init-frameworks-and-bifs.zeek scripts/base/frameworks/input/readers/config.zeek scripts/base/frameworks/input/readers/sqlite.zeek scripts/base/frameworks/analyzer/__load__.zeek - scripts/base/frameworks/analyzer/main.zeek - scripts/base/frameworks/packet-filter/utils.zeek - build/scripts/base/bif/analyzer.bif.zeek scripts/base/frameworks/files/__load__.zeek scripts/base/frameworks/files/main.zeek build/scripts/base/bif/file_analysis.bif.zeek diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index 5ffcea63e8..8608d393c8 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log 
@@ -23,6 +23,10 @@ scripts/base/init-bare.zeek build/scripts/base/bif/plugins/Zeek_KRB.types.bif.zeek build/scripts/base/bif/event.bif.zeek scripts/base/packet-protocols/__load__.zeek + scripts/base/packet-protocols/main.zeek + scripts/base/frameworks/analyzer/main.zeek + scripts/base/frameworks/packet-filter/utils.zeek + build/scripts/base/bif/analyzer.bif.zeek scripts/base/packet-protocols/root/__load__.zeek scripts/base/packet-protocols/root/main.zeek scripts/base/packet-protocols/ip/__load__.zeek @@ -94,9 +98,6 @@ scripts/base/init-frameworks-and-bifs.zeek scripts/base/frameworks/input/readers/config.zeek scripts/base/frameworks/input/readers/sqlite.zeek scripts/base/frameworks/analyzer/__load__.zeek - scripts/base/frameworks/analyzer/main.zeek - scripts/base/frameworks/packet-filter/utils.zeek - build/scripts/base/bif/analyzer.bif.zeek scripts/base/frameworks/files/__load__.zeek scripts/base/frameworks/files/main.zeek build/scripts/base/bif/file_analysis.bif.zeek diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index 1fa1a829a4..6c0d0635d1 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output @@ -845,6 +845,7 @@ 0.000000 MetaHookPost LoadFile(0, ./logging.bif.zeek, <...>/logging.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./magic, <...>/magic) -> -1 0.000000 MetaHookPost LoadFile(0, ./main, <...>/main.zeek) -> -1 +0.000000 MetaHookPost LoadFile(0, ./main.zeek, <...>/main.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./max, <...>/max.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./messaging.bif.zeek, <...>/messaging.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./min, <...>/min.zeek) -> -1 
@@ -967,6 +968,7 @@ 0.000000 MetaHookPost LoadFile(0, base<...>/logging, <...>/logging) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/logging.bif, <...>/logging.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/main, <...>/main.zeek) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/main.zeek, <...>/main.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/messaging.bif, <...>/messaging.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/modbus, <...>/modbus) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/mpls, <...>/mpls) -> -1 @@ -2265,6 +2267,7 @@ 0.000000 MetaHookPre LoadFile(0, ./logging.bif.zeek, <...>/logging.bif.zeek) 0.000000 MetaHookPre LoadFile(0, ./magic, <...>/magic) 0.000000 MetaHookPre LoadFile(0, ./main, <...>/main.zeek) +0.000000 MetaHookPre LoadFile(0, ./main.zeek, <...>/main.zeek) 0.000000 MetaHookPre LoadFile(0, ./max, <...>/max.zeek) 0.000000 MetaHookPre LoadFile(0, ./messaging.bif.zeek, <...>/messaging.bif.zeek) 0.000000 MetaHookPre LoadFile(0, ./min, <...>/min.zeek) @@ -2387,6 +2390,7 @@ 0.000000 MetaHookPre LoadFile(0, base<...>/logging, <...>/logging) 0.000000 MetaHookPre LoadFile(0, base<...>/logging.bif, <...>/logging.bif.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/main, <...>/main.zeek) +0.000000 MetaHookPre LoadFile(0, base<...>/main.zeek, <...>/main.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/messaging.bif, <...>/messaging.bif.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/modbus, <...>/modbus) 0.000000 MetaHookPre LoadFile(0, base<...>/mpls, <...>/mpls) @@ -3693,6 +3697,7 @@ 0.000000 | HookLoadFile ./logging.bif.zeek <...>/logging.bif.zeek 0.000000 | HookLoadFile ./magic <...>/magic 0.000000 | HookLoadFile ./main <...>/main.zeek +0.000000 | HookLoadFile ./main.zeek <...>/main.zeek 0.000000 | HookLoadFile ./max <...>/max.zeek 0.000000 | HookLoadFile ./messaging.bif.zeek <...>/messaging.bif.zeek 0.000000 | HookLoadFile ./min <...>/min.zeek 
@@ -3818,6 +3823,7 @@ 0.000000 | HookLoadFile base<...>/logging <...>/logging 0.000000 | HookLoadFile base<...>/logging.bif <...>/logging.bif.zeek 0.000000 | HookLoadFile base<...>/main <...>/main.zeek +0.000000 | HookLoadFile base<...>/main.zeek <...>/main.zeek 0.000000 | HookLoadFile base<...>/messaging.bif <...>/messaging.bif.zeek 0.000000 | HookLoadFile base<...>/modbus <...>/modbus 0.000000 | HookLoadFile base<...>/mpls <...>/mpls