diff --git a/src/spicy/runtime-support.cc b/src/spicy/runtime-support.cc
index 2aae3c5ae9..d5246ad5ba 100644
--- a/src/spicy/runtime-support.cc
+++ b/src/spicy/runtime-support.cc
@@ -683,9 +683,10 @@ void rt::protocol_handle_close(const ProtocolHandle& handle) {
 rt::cookie::FileState* rt::cookie::FileStateStack::push(std::optional fid_provided) {
 auto _ = hilti::rt::profiler::start("zeek/rt/file-stack-push");
+ if ( fid_provided && find(*fid_provided) )
+ throw InvalidValue(hilti::rt::fmt("Duplicate file id %s provided", *fid_provided));
+
 auto fid = fid_provided.value_or(file_mgr->HashHandle(hilti::rt::fmt("%s.%d", _analyzer_id, ++_id_counter)));
- if ( find(fid) )
- throw InvalidValue(hilti::rt::fmt("Duplicate file id %s provided", fid));
 _stack.emplace_back(fid);
 return &_stack.back();
 }
diff --git a/testing/btest/Baseline/spicy.file-analysis-data-in-with-fuid/output b/testing/btest/Baseline/spicy.file-analysis-data-in-with-fuid/output
deleted file mode 100644
index a1b10d3fd2..0000000000
--- a/testing/btest/Baseline/spicy.file-analysis-data-in-with-fuid/output
+++ /dev/null
@@ -1,3 +0,0 @@
-### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-FaAaAaAaAaAaAaAaAa
-FaAaAaAaAaAaAaAaAa
diff --git a/testing/btest/Baseline/spicy.file-analysis-data-in-with-fuid/files.log b/testing/btest/Baseline/spicy.file-analysis-data-in/files-2.log
similarity index 100%
rename from testing/btest/Baseline/spicy.file-analysis-data-in-with-fuid/files.log
rename to testing/btest/Baseline/spicy.file-analysis-data-in/files-2.log
diff --git a/testing/btest/Baseline/spicy.file-analysis-data-in/output b/testing/btest/Baseline/spicy.file-analysis-data-in/output
index 8a97453dba..083ef44731 100644
--- a/testing/btest/Baseline/spicy.file-analysis-data-in/output
+++ b/testing/btest/Baseline/spicy.file-analysis-data-in/output
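Review bot: With the duplicate check moved ahead of the `value_or` call in `FileStateStack::push`, an ID produced by `file_mgr->HashHandle(...)` is pushed without ever being compared against the stack, so a generated ID that happened to equal an earlier caller-supplied one would leave two entries with the same fid. That is presumably acceptable because generated IDs are hashes over `_analyzer_id` and `_id_counter`, but the assumption is not stated anywhere in the hunk; I would add a comment above the new check such as `// Only caller-supplied IDs are checked; generated IDs are assumed unique per analyzer via _id_counter.` Note also that `value_or` evaluates its argument eagerly, so `++_id_counter` and the hash computation still run when `fid_provided` is set. If that is not intended, `auto fid = fid_provided ? *fid_provided : file_mgr->HashHandle(...);` avoids it, at the cost of shifting the sequence of generated IDs.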
@@ -1,3 +1,5 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 FM47gX3vI5ofQPm1li
 FZjUS57tUkGFTibv3
+FaAaAaAaAaAaAaAaAa
+FaAaAaAaAaAaAaAaAa
diff --git a/testing/btest/spicy/file-analysis-data-in-with-fuid.zeek b/testing/btest/spicy/file-analysis-data-in-with-fuid.zeek
deleted file mode 100644
index 12200dee5b..0000000000
--- a/testing/btest/spicy/file-analysis-data-in-with-fuid.zeek
+++ /dev/null
@@ -1,63 +0,0 @@
-# @TEST-REQUIRES: have-spicy
-#
-# @TEST-EXEC: spicyz -d -o test.hlto ssh.spicy ./ssh-cond.evt
-# This is equivalent to file-analysis-data-in, besides the fact that we provide our own file ID.
-#
-# @TEST-EXEC: zeek -r ${TRACES}/ssh/single-conn.trace test.hlto %INPUT Spicy::enable_print=T | sort >output
-#
-# @TEST-EXEC: cat files.log | zeek-cut fuid filename >files.log.tmp && mv files.log.tmp files.log
-# @TEST-EXEC: btest-diff files.log
-#
-# @TEST-EXEC: TEST_DIFF_CANONIFIER=diff-canonifier-spicy btest-diff output
-
-# @TEST-START-FILE ssh.spicy
-module SSH;
-
-import spicy;
-import zeek;
-
-global file_counter = 0;
-
-public type Banner = unit {
- magic : /SSH-/ {
- # This is a bit of cheating.
- local d: spicy::Base64Stream;
- local dec : bytes = spicy::base64_decode(d, b"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");
- dec += spicy::base64_finish(d);
-
- print self.file_id;
- zeek::file_data_in(dec);
- }
- version : /[^-]*/;
- dash : /-/;
- software: /[^\r\n]*/;
-
- var file_id: string = zeek::file_begin("application/x-x509-ca-cert", "FaAaAaAaAaAaAaAaAa");
- var file_name: string = "foo-%d.txt" % ++file_counter;
-};
-
-on Banner::%done { zeek::file_end(self.file_id); }
-
-# @TEST-END-FILE
-
-# @TEST-START-FILE ssh-cond.evt
-
-import zeek;
-
-protocol analyzer spicy::SSH over TCP:
- parse with SSH::Banner,
- port 22/tcp,
- replaces SSH;
-
-on SSH::Banner::software -> event have_filename($file, self.file_name);
-
-# @TEST-END-FILE
-
-# Trigger creation of `files.log`.
-@load base/protocols/ssl
-redef X509::log_x509_in_files_log = T;
-
-event have_filename(f: fa_file, filename: string)
- {
- f$info$filename = filename;
- }
diff --git a/testing/btest/spicy/file-analysis-data-in.zeek b/testing/btest/spicy/file-analysis-data-in.zeek
index d7289455d5..4ca12d48c9 100644
--- a/testing/btest/spicy/file-analysis-data-in.zeek
+++ b/testing/btest/spicy/file-analysis-data-in.zeek
@@ -1,6 +1,7 @@
 # @TEST-REQUIRES: have-spicy
 #
-# @TEST-EXEC: spicyz -d -o test.hlto ssh.spicy ./ssh-cond.evt
+# @TEST-EXEC: cat ssh.spicy ssh-1.spicy > ssh-test.spicy
+# @TEST-EXEC: spicyz -d -o test.hlto ssh-test.spicy ./ssh-cond.evt
 # @TEST-EXEC: zeek -r ${TRACES}/ssh/single-conn.trace test.hlto %INPUT Spicy::enable_print=T | sort >output
 #
 # @TEST-EXEC: cat x509.log | grep -v ^# | cut -f 4-5 >x509.log.tmp && mv x509.log.tmp x509.log
@@ -9,6 +10,13 @@
 # @TEST-EXEC: cat files.log | zeek-cut sha1 filename >files.log.tmp && mv files.log.tmp files.log
 # @TEST-EXEC: btest-diff files.log
 #
+# @TEST-EXEC: cat ssh.spicy ssh-2.spicy > ssh-test.spicy
+# @TEST-EXEC: spicyz -d -o test.hlto ssh-test.spicy ./ssh-cond.evt
+# @TEST-EXEC: zeek -r ${TRACES}/ssh/single-conn.trace test.hlto %INPUT Spicy::enable_print=T | sort >>output
+#
+# @TEST-EXEC: cat files.log | zeek-cut fuid filename >files.log.tmp && mv files.log.tmp files-2.log
+# @TEST-EXEC: btest-diff files-2.log
+#
 # @TEST-EXEC: TEST_DIFF_CANONIFIER=diff-canonifier-spicy btest-diff output
 # @TEST-START-FILE ssh.spicy
@@ -33,7 +41,7 @@ public type Banner = unit {
 dash : /-/;
 software: /[^\r\n]*/;
- var file_id: string = zeek::file_begin("application/x-x509-ca-cert");
+ var file_id: string;
 var file_name: string = "foo-%d.txt" % ++file_counter;
 };
@@ -41,6 +49,20 @@ on Banner::%done { zeek::file_end(self.file_id); }
 # @TEST-END-FILE
+# First test case - just let Zeek generate the File ID
+# @TEST-START-FILE ssh-1.spicy
+
+on Banner::%init { self.file_id = zeek::file_begin("application/x-x509-ca-cert"); }
+
+# @TEST-END-FILE ssh-1.spicy
+
+# Second test case - provide a file ID
+# @TEST-START-FILE ssh-2.spicy
+
+on Banner::%init { self.file_id = zeek::file_begin("application/x-x509-ca-cert", "FaAaAaAaAaAaAaAaAa"); }
+
+# @TEST-END-FILE ssh-2.spicy
+
 # @TEST-START-FILE ssh-cond.evt
 import zeek;
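Review bot: Neither test variant exercises the rejection path that the runtime change in `FileStateStack::push` rearranges. `ssh-2.spicy` only checks that a supplied ID is accepted, and nothing visible on this page calls `zeek::file_begin` twice with the same ID to confirm that the `Duplicate file id` error still fires. A third variant that begins two files with `"FaAaAaAaAaAaAaAaAa"` and baselines the resulting error would pin that behaviour. Separately, the second `zeek` run rewrites `files.log` in place, so a comment before the `ssh-2.spicy` steps such as `# Second run overwrites files.log; its fuid/filename columns are diffed as files-2.log` would make the sequence easier to follow.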