Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Deprecate Analyzer::ConnectionEvent()

Browse source 
And update usages to Analyzer::EnqueueConnEvent()
This commit is contained in:
Jon Siwek 2020-03-25 18:36:58 -07:00
parent e394ea38bc
commit 5e496e43b7
34 changed files with 954 additions and 1043 deletions
Download patch file Download diff file Expand all files Collapse all files

4
NEWS
View file

@ -63,6 +63,10 @@ Deprecated Functionality
arguments are now deprecated, use the overload that takes a ``zeek::Args`` arguments are now deprecated, use the overload that takes a ``zeek::Args``
instead. instead.
- The ``analyzer::Analyzer::ConnectionEvent()`` and
``analyzer::Analyzer::ConectionEventFast()`` methods are deprecated, use
``analyzer::Analyzer::EnqueueConnEvent()`` instead.
Zeek 3.1.0 Zeek 3.1.0
========== ==========

18
src/analyzer/Analyzer.h
View file

@ -10,6 +10,8 @@
#include <list> #include <list>
#include <vector> #include <vector>
#include <tuple>
#include <type_traits>
#include <sys/types.h> // for u_char #include <sys/types.h> // for u_char
@ -567,21 +569,21 @@ public:
* Convenience function that forwards directly to * Convenience function that forwards directly to
* Connection::ConnectionEvent(). * Connection::ConnectionEvent().
*/ */
// TODO: deprecate [[deprecated("Remove in v4.1. Use EnqueueConnEvent() instead.")]]
void ConnectionEvent(EventHandlerPtr f, val_list* vl); void ConnectionEvent(EventHandlerPtr f, val_list* vl);
/** /**
* Convenience function that forwards directly to * Convenience function that forwards directly to
* Connection::ConnectionEvent(). * Connection::ConnectionEvent().
*/ */
// TODO: deprecate [[deprecated("Remove in v4.1. Use EnqueueConnEvent() instead.")]]
void ConnectionEvent(EventHandlerPtr f, val_list vl); void ConnectionEvent(EventHandlerPtr f, val_list vl);
/** /**
* Convenience function that forwards directly to * Convenience function that forwards directly to
* Connection::ConnectionEventFast(). * Connection::ConnectionEventFast().
*/ */
// TODO: deprecate [[deprecated("Remove in v4.1. Use EnqueueConnEvent() instead.")]]
void ConnectionEventFast(EventHandlerPtr f, val_list vl); void ConnectionEventFast(EventHandlerPtr f, val_list vl);
/** /**
@ -590,6 +592,16 @@ public:
*/ */
void EnqueueConnEvent(EventHandlerPtr f, zeek::Args args); void EnqueueConnEvent(EventHandlerPtr f, zeek::Args args);
/**
* A version of EnqueueConnEvent() taking a variable number of arguments.
*/
template <class... Args>
std::enable_if_t<
std::is_convertible_v<
std::tuple_element_t<0, std::tuple<Args...>>, IntrusivePtr<Val>>>
EnqueueConnEvent(EventHandlerPtr h, Args&&... args)
{ return EnqueueConnEvent(h, zeek::Args{std::forward<Args>(args)...}); }
/** /**
* Convenience function that forwards directly to the corresponding * Convenience function that forwards directly to the corresponding
* Connection::Weird(). * Connection::Weird().

12
src/analyzer/protocol/bittorrent/BitTorrent.cc
View file

@ -119,11 +119,9 @@ void BitTorrent_Analyzer::EndpointEOF(bool is_orig)
void BitTorrent_Analyzer::DeliverWeird(const char* msg, bool orig) void BitTorrent_Analyzer::DeliverWeird(const char* msg, bool orig)
{ {
if ( bittorrent_peer_weird ) if ( bittorrent_peer_weird )
{ EnqueueConnEvent(bittorrent_peer_weird,
ConnectionEventFast(bittorrent_peer_weird, { IntrusivePtr{AdoptRef{}, BuildConnVal()},
BuildConnVal(), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
val_mgr->GetBool(orig), make_intrusive<StringVal>(msg)
new StringVal(msg), );
});
}
} }

46
src/analyzer/protocol/bittorrent/BitTorrentTracker.cc
View file

@ -246,13 +246,11 @@ void BitTorrentTracker_Analyzer::InitBencParser(void)
void BitTorrentTracker_Analyzer::DeliverWeird(const char* msg, bool orig) void BitTorrentTracker_Analyzer::DeliverWeird(const char* msg, bool orig)
{ {
if ( bt_tracker_weird ) if ( bt_tracker_weird )
{ EnqueueConnEvent(bt_tracker_weird,
ConnectionEventFast(bt_tracker_weird, { IntrusivePtr{AdoptRef{}, BuildConnVal()},
BuildConnVal(), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
val_mgr->GetBool(orig), make_intrusive<StringVal>(msg)
new StringVal(msg), );
});
}
} }
bool BitTorrentTracker_Analyzer::ParseRequest(char* line) bool BitTorrentTracker_Analyzer::ParseRequest(char* line)
@ -349,11 +347,11 @@ void BitTorrentTracker_Analyzer::EmitRequest(void)
ProtocolConfirmation(); ProtocolConfirmation();
if ( bt_tracker_request ) if ( bt_tracker_request )
ConnectionEventFast(bt_tracker_request, { EnqueueConnEvent(bt_tracker_request,
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildConnVal()},
req_val_uri, IntrusivePtr{AdoptRef{}, req_val_uri},
req_val_headers, IntrusivePtr{AdoptRef{}, req_val_headers}
}); );
req_val_uri = 0; req_val_uri = 0;
req_val_headers = 0; req_val_headers = 0;
@ -403,11 +401,11 @@ bool BitTorrentTracker_Analyzer::ParseResponse(char* line)
if ( res_status != 200 ) if ( res_status != 200 )
{ {
if ( bt_tracker_response_not_ok ) if ( bt_tracker_response_not_ok )
ConnectionEventFast(bt_tracker_response_not_ok, { EnqueueConnEvent(bt_tracker_response_not_ok,
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildConnVal()},
val_mgr->GetCount(res_status), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(res_status)},
res_val_headers, IntrusivePtr{AdoptRef{}, res_val_headers}
}); );
res_val_headers = 0; res_val_headers = 0;
res_buf_pos = res_buf + res_buf_len; res_buf_pos = res_buf + res_buf_len;
res_state = BTT_RES_DONE; res_state = BTT_RES_DONE;
@ -790,13 +788,13 @@ void BitTorrentTracker_Analyzer::EmitResponse(void)
ProtocolConfirmation(); ProtocolConfirmation();
if ( bt_tracker_response ) if ( bt_tracker_response )
ConnectionEventFast(bt_tracker_response, { EnqueueConnEvent(bt_tracker_response,
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildConnVal()},
val_mgr->GetCount(res_status), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(res_status)},
res_val_headers, IntrusivePtr{AdoptRef{}, res_val_headers},
res_val_peers, IntrusivePtr{AdoptRef{}, res_val_peers},
res_val_benc, IntrusivePtr{AdoptRef{}, res_val_benc}
}); );
res_val_headers = 0; res_val_headers = 0;
res_val_peers = 0; res_val_peers = 0;

20
src/analyzer/protocol/conn-size/ConnSize.cc
View file

@ -50,11 +50,11 @@ void ConnSize_Analyzer::ThresholdEvent(EventHandlerPtr f, uint64_t threshold, bo
if ( ! f ) if ( ! f )
return; return;
ConnectionEventFast(f, { EnqueueConnEvent(f,
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildConnVal()},
val_mgr->GetCount(threshold), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(threshold)},
val_mgr->GetBool(is_orig), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)}
}); );
} }
void ConnSize_Analyzer::CheckThresholds(bool is_orig) void ConnSize_Analyzer::CheckThresholds(bool is_orig)
@ -92,11 +92,11 @@ void ConnSize_Analyzer::CheckThresholds(bool is_orig)
{ {
if ( duration_thresh > ( network_time - start_time ) && conn_duration_threshold_crossed ) if ( duration_thresh > ( network_time - start_time ) && conn_duration_threshold_crossed )
{ {
ConnectionEventFast(conn_duration_threshold_crossed, { EnqueueConnEvent(conn_duration_threshold_crossed,
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildConnVal()},
new Val(duration_thresh, TYPE_INTERVAL), make_intrusive<Val>(duration_thresh, TYPE_INTERVAL),
val_mgr->GetBool(is_orig), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)}
}); );
duration_thresh = 0; duration_thresh = 0;
} }
} }

277
src/analyzer/protocol/dns/DNS.cc
View file

@ -48,14 +48,12 @@ int DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query)
first_message = false; first_message = false;
if ( dns_message ) if ( dns_message )
{ analyzer->EnqueueConnEvent(dns_message,
analyzer->ConnectionEventFast(dns_message, { IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->BuildConnVal(), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_query)},
val_mgr->GetBool(is_query), IntrusivePtr{AdoptRef{}, msg.BuildHdrVal()},
msg.BuildHdrVal(), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(len)}
val_mgr->GetCount(len), );
});
}
// There is a great deal of non-DNS traffic that runs on port 53. // There is a great deal of non-DNS traffic that runs on port 53.
// This should weed out most of it. // This should weed out most of it.
@ -136,10 +134,10 @@ int DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query)
int DNS_Interpreter::EndMessage(DNS_MsgInfo* msg) int DNS_Interpreter::EndMessage(DNS_MsgInfo* msg)
{ {
if ( dns_end ) if ( dns_end )
analyzer->ConnectionEventFast(dns_end, { analyzer->EnqueueConnEvent(dns_end,
analyzer->BuildConnVal(), IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
msg->BuildHdrVal(), IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()}
}); );
return 1; return 1;
} }
@ -341,13 +339,11 @@ int DNS_Interpreter::ParseAnswer(DNS_MsgInfo* msg,
default: default:
if ( dns_unknown_reply && ! msg->skip_event ) if ( dns_unknown_reply && ! msg->skip_event )
{ analyzer->EnqueueConnEvent(dns_unknown_reply,
analyzer->ConnectionEventFast(dns_unknown_reply, { IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->BuildConnVal(), IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
msg->BuildHdrVal(), IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()}
msg->BuildAnswerVal(), );
});
}
analyzer->Weird("DNS_RR_unknown_type", fmt("%d", msg->atype)); analyzer->Weird("DNS_RR_unknown_type", fmt("%d", msg->atype));
data += rdlength; data += rdlength;
@ -556,14 +552,12 @@ int DNS_Interpreter::ParseRR_Name(DNS_MsgInfo* msg,
} }
if ( reply_event && ! msg->skip_event ) if ( reply_event && ! msg->skip_event )
{ analyzer->EnqueueConnEvent(reply_event,
analyzer->ConnectionEventFast(reply_event, { IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->BuildConnVal(), IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
msg->BuildHdrVal(), IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
msg->BuildAnswerVal(), make_intrusive<StringVal>(new BroString(name, name_end - name, 1))
new StringVal(new BroString(name, name_end - name, 1)), );
});
}
return 1; return 1;
} }
@ -602,7 +596,7 @@ int DNS_Interpreter::ParseRR_SOA(DNS_MsgInfo* msg,
if ( dns_SOA_reply && ! msg->skip_event ) if ( dns_SOA_reply && ! msg->skip_event )
{ {
RecordVal* r = new RecordVal(dns_soa); auto r = make_intrusive<RecordVal>(dns_soa);
r->Assign(0, make_intrusive<StringVal>(new BroString(mname, mname_end - mname, 1))); r->Assign(0, make_intrusive<StringVal>(new BroString(mname, mname_end - mname, 1)));
r->Assign(1, make_intrusive<StringVal>(new BroString(rname, rname_end - rname, 1))); r->Assign(1, make_intrusive<StringVal>(new BroString(rname, rname_end - rname, 1)));
r->Assign(2, val_mgr->GetCount(serial)); r->Assign(2, val_mgr->GetCount(serial));
@ -611,12 +605,12 @@ int DNS_Interpreter::ParseRR_SOA(DNS_MsgInfo* msg,
r->Assign(5, make_intrusive<IntervalVal>(double(expire), Seconds)); r->Assign(5, make_intrusive<IntervalVal>(double(expire), Seconds));
r->Assign(6, make_intrusive<IntervalVal>(double(minimum), Seconds)); r->Assign(6, make_intrusive<IntervalVal>(double(minimum), Seconds));
analyzer->ConnectionEventFast(dns_SOA_reply, { analyzer->EnqueueConnEvent(dns_SOA_reply,
analyzer->BuildConnVal(), IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
msg->BuildHdrVal(), IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
msg->BuildAnswerVal(), IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
r std::move(r)
}); );
} }
return 1; return 1;
@ -641,15 +635,13 @@ int DNS_Interpreter::ParseRR_MX(DNS_MsgInfo* msg,
analyzer->Weird("DNS_RR_length_mismatch"); analyzer->Weird("DNS_RR_length_mismatch");
if ( dns_MX_reply && ! msg->skip_event ) if ( dns_MX_reply && ! msg->skip_event )
{ analyzer->EnqueueConnEvent(dns_MX_reply,
analyzer->ConnectionEventFast(dns_MX_reply, { IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->BuildConnVal(), IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
msg->BuildHdrVal(), IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
msg->BuildAnswerVal(), make_intrusive<StringVal>(new BroString(name, name_end - name, 1)),
new StringVal(new BroString(name, name_end - name, 1)), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(preference)}
val_mgr->GetCount(preference), );
});
}
return 1; return 1;
} }
@ -684,17 +676,15 @@ int DNS_Interpreter::ParseRR_SRV(DNS_MsgInfo* msg,
analyzer->Weird("DNS_RR_length_mismatch"); analyzer->Weird("DNS_RR_length_mismatch");
if ( dns_SRV_reply && ! msg->skip_event ) if ( dns_SRV_reply && ! msg->skip_event )
{ analyzer->EnqueueConnEvent(dns_SRV_reply,
analyzer->ConnectionEventFast(dns_SRV_reply, { IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->BuildConnVal(), IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
msg->BuildHdrVal(), IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
msg->BuildAnswerVal(), make_intrusive<StringVal>(new BroString(name, name_end - name, 1)),
new StringVal(new BroString(name, name_end - name, 1)), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(priority)},
val_mgr->GetCount(priority), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(weight)},
val_mgr->GetCount(weight), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(port)}
val_mgr->GetCount(port), );
});
}
return 1; return 1;
} }
@ -707,13 +697,11 @@ int DNS_Interpreter::ParseRR_EDNS(DNS_MsgInfo* msg,
// out to the policy side of the house if rdlength > 0. // out to the policy side of the house if rdlength > 0.
if ( dns_EDNS_addl && ! msg->skip_event ) if ( dns_EDNS_addl && ! msg->skip_event )
{ analyzer->EnqueueConnEvent(dns_EDNS_addl,
analyzer->ConnectionEventFast(dns_EDNS_addl, { IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->BuildConnVal(), IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
msg->BuildHdrVal(), IntrusivePtr{AdoptRef{}, msg->BuildEDNS_Val()}
msg->BuildEDNS_Val(), );
});
}
// Currently EDNS supports the movement of type:data pairs // Currently EDNS supports the movement of type:data pairs
// in the RR_DATA section. Here's where we should put together // in the RR_DATA section. Here's where we should put together
@ -786,11 +774,11 @@ int DNS_Interpreter::ParseRR_TSIG(DNS_MsgInfo* msg,
tsig.orig_id = orig_id; tsig.orig_id = orig_id;
tsig.rr_error = rr_error; tsig.rr_error = rr_error;
analyzer->ConnectionEventFast(dns_TSIG_addl, { analyzer->EnqueueConnEvent(dns_TSIG_addl,
analyzer->BuildConnVal(), IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
msg->BuildHdrVal(), IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
msg->BuildTSIG_Val(&tsig), IntrusivePtr{AdoptRef{}, msg->BuildTSIG_Val(&tsig)}
}); );
} }
return 1; return 1;
@ -887,12 +875,12 @@ int DNS_Interpreter::ParseRR_RRSIG(DNS_MsgInfo* msg,
rrsig.signer_name = new BroString(name, name_end - name, 1); rrsig.signer_name = new BroString(name, name_end - name, 1);
rrsig.signature = sign; rrsig.signature = sign;
analyzer->ConnectionEventFast(dns_RRSIG, { analyzer->EnqueueConnEvent(dns_RRSIG,
analyzer->BuildConnVal(), IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
msg->BuildHdrVal(), IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
msg->BuildAnswerVal(), IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
msg->BuildRRSIG_Val(&rrsig), IntrusivePtr{AdoptRef{}, msg->BuildRRSIG_Val(&rrsig)}
}); );
} }
return 1; return 1;
@ -982,12 +970,12 @@ int DNS_Interpreter::ParseRR_DNSKEY(DNS_MsgInfo* msg,
dnskey.dprotocol = dprotocol; dnskey.dprotocol = dprotocol;
dnskey.public_key = key; dnskey.public_key = key;
analyzer->ConnectionEventFast(dns_DNSKEY, { analyzer->EnqueueConnEvent(dns_DNSKEY,
analyzer->BuildConnVal(), IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
msg->BuildHdrVal(), IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
msg->BuildAnswerVal(), IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
msg->BuildDNSKEY_Val(&dnskey), IntrusivePtr{AdoptRef{}, msg->BuildDNSKEY_Val(&dnskey)}
}); );
} }
return 1; return 1;
@ -1014,7 +1002,7 @@ int DNS_Interpreter::ParseRR_NSEC(DNS_MsgInfo* msg,
int typebitmaps_len = rdlength - (data - data_start); int typebitmaps_len = rdlength - (data - data_start);
VectorVal* char_strings = new VectorVal(string_vec); auto char_strings = make_intrusive<VectorVal>(string_vec);
while ( typebitmaps_len > 0 && len > 0 ) while ( typebitmaps_len > 0 && len > 0 )
{ {
@ -1034,15 +1022,13 @@ int DNS_Interpreter::ParseRR_NSEC(DNS_MsgInfo* msg,
} }
if ( dns_NSEC ) if ( dns_NSEC )
analyzer->ConnectionEventFast(dns_NSEC, { analyzer->EnqueueConnEvent(dns_NSEC,
analyzer->BuildConnVal(), IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
msg->BuildHdrVal(), IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
msg->BuildAnswerVal(), IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
new StringVal(new BroString(name, name_end - name, 1)), make_intrusive<StringVal>(new BroString(name, name_end - name, 1)),
char_strings, std::move(char_strings)
}); );
else
Unref(char_strings);
return 1; return 1;
} }
@ -1122,12 +1108,12 @@ int DNS_Interpreter::ParseRR_NSEC3(DNS_MsgInfo* msg,
nsec3.nsec_hash = hash_val; nsec3.nsec_hash = hash_val;
nsec3.bitmaps = char_strings; nsec3.bitmaps = char_strings;
analyzer->ConnectionEventFast(dns_NSEC3, { analyzer->EnqueueConnEvent(dns_NSEC3,
analyzer->BuildConnVal(), IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
msg->BuildHdrVal(), IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
msg->BuildAnswerVal(), IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
msg->BuildNSEC3_Val(&nsec3), IntrusivePtr{AdoptRef{}, msg->BuildNSEC3_Val(&nsec3)}
}); );
} }
else else
Unref(char_strings); Unref(char_strings);
@ -1182,12 +1168,12 @@ int DNS_Interpreter::ParseRR_DS(DNS_MsgInfo* msg,
ds.digest_type = ds_dtype; ds.digest_type = ds_dtype;
ds.digest_val = ds_digest; ds.digest_val = ds_digest;
analyzer->ConnectionEventFast(dns_DS, { analyzer->EnqueueConnEvent(dns_DS,
analyzer->BuildConnVal(), IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
msg->BuildHdrVal(), IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
msg->BuildAnswerVal(), IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
msg->BuildDS_Val(&ds), IntrusivePtr{AdoptRef{}, msg->BuildDS_Val(&ds)}
}); );
} }
return 1; return 1;
@ -1205,14 +1191,12 @@ int DNS_Interpreter::ParseRR_A(DNS_MsgInfo* msg,
uint32_t addr = ExtractLong(data, len); uint32_t addr = ExtractLong(data, len);
if ( dns_A_reply && ! msg->skip_event ) if ( dns_A_reply && ! msg->skip_event )
{ analyzer->EnqueueConnEvent(dns_A_reply,
analyzer->ConnectionEventFast(dns_A_reply, { IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->BuildConnVal(), IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
msg->BuildHdrVal(), IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
msg->BuildAnswerVal(), make_intrusive<AddrVal>(htonl(addr))
new AddrVal(htonl(addr)), );
});
}
return 1; return 1;
} }
@ -1241,15 +1225,14 @@ int DNS_Interpreter::ParseRR_AAAA(DNS_MsgInfo* msg,
event = dns_AAAA_reply; event = dns_AAAA_reply;
else else
event = dns_A6_reply; event = dns_A6_reply;
if ( event && ! msg->skip_event ) if ( event && ! msg->skip_event )
{ analyzer->EnqueueConnEvent(event,
analyzer->ConnectionEventFast(event, { IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->BuildConnVal(), IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
msg->BuildHdrVal(), IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
msg->BuildAnswerVal(), make_intrusive<AddrVal>(addr)
new AddrVal(addr), );
});
}
return 1; return 1;
} }
@ -1311,21 +1294,19 @@ int DNS_Interpreter::ParseRR_TXT(DNS_MsgInfo* msg,
return 1; return 1;
} }
VectorVal* char_strings = new VectorVal(string_vec); auto char_strings = make_intrusive<VectorVal>(string_vec);
StringVal* char_string; StringVal* char_string;
while ( (char_string = extract_char_string(analyzer, data, len, rdlength)) ) while ( (char_string = extract_char_string(analyzer, data, len, rdlength)) )
char_strings->Assign(char_strings->Size(), char_string); char_strings->Assign(char_strings->Size(), char_string);
if ( dns_TXT_reply ) if ( dns_TXT_reply )
analyzer->ConnectionEventFast(dns_TXT_reply, { analyzer->EnqueueConnEvent(dns_TXT_reply,
analyzer->BuildConnVal(), IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
msg->BuildHdrVal(), IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
msg->BuildAnswerVal(), IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
char_strings, std::move(char_strings)
}); );
else
Unref(char_strings);
return rdlength == 0; return rdlength == 0;
} }
@ -1341,21 +1322,19 @@ int DNS_Interpreter::ParseRR_SPF(DNS_MsgInfo* msg,
return 1; return 1;
} }
VectorVal* char_strings = new VectorVal(string_vec); auto char_strings = make_intrusive<VectorVal>(string_vec);
StringVal* char_string; StringVal* char_string;
while ( (char_string = extract_char_string(analyzer, data, len, rdlength)) ) while ( (char_string = extract_char_string(analyzer, data, len, rdlength)) )
char_strings->Assign(char_strings->Size(), char_string); char_strings->Assign(char_strings->Size(), char_string);
if ( dns_SPF_reply ) if ( dns_SPF_reply )
analyzer->ConnectionEventFast(dns_SPF_reply, { analyzer->EnqueueConnEvent(dns_SPF_reply,
analyzer->BuildConnVal(), IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
msg->BuildHdrVal(), IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
msg->BuildAnswerVal(), IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
char_strings, std::move(char_strings)
}); );
else
Unref(char_strings);
return rdlength == 0; return rdlength == 0;
} }
@ -1391,14 +1370,14 @@ int DNS_Interpreter::ParseRR_CAA(DNS_MsgInfo* msg,
rdlength -= value->Len(); rdlength -= value->Len();
if ( dns_CAA_reply ) if ( dns_CAA_reply )
analyzer->ConnectionEventFast(dns_CAA_reply, { analyzer->EnqueueConnEvent(dns_CAA_reply,
analyzer->BuildConnVal(), IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
msg->BuildHdrVal(), IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
msg->BuildAnswerVal(), IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
val_mgr->GetCount(flags), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(flags)},
new StringVal(tag), make_intrusive<StringVal>(tag),
new StringVal(value), make_intrusive<StringVal>(value)
}); );
else else
{ {
delete tag; delete tag;
@ -1419,13 +1398,13 @@ void DNS_Interpreter::SendReplyOrRejectEvent(DNS_MsgInfo* msg,
assert(event); assert(event);
analyzer->ConnectionEventFast(event, { analyzer->EnqueueConnEvent(event,
analyzer->BuildConnVal(), IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
msg->BuildHdrVal(), IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
new StringVal(question_name), make_intrusive<StringVal>(question_name),
val_mgr->GetCount(qtype), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(qtype)},
val_mgr->GetCount(qclass), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(qclass)}
}); );
} }

12
src/analyzer/protocol/file/File.cc
View file

@ -79,10 +79,10 @@ void File_Analyzer::Identify()
: *(matches.begin()->second.begin()); : *(matches.begin()->second.begin());
if ( file_transferred ) if ( file_transferred )
ConnectionEventFast(file_transferred, { EnqueueConnEvent(file_transferred,
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildConnVal()},
new StringVal(buffer_len, buffer), make_intrusive<StringVal>(buffer_len, buffer),
new StringVal("<unknown>"), make_intrusive<StringVal>("<unknown>"),
new StringVal(match), make_intrusive<StringVal>(match)
}); );
} }

22
src/analyzer/protocol/finger/Finger.cc
View file

@ -67,14 +67,12 @@ void Finger_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig
host = at + 1; host = at + 1;
if ( finger_request ) if ( finger_request )
{ EnqueueConnEvent(finger_request,
ConnectionEventFast(finger_request, { IntrusivePtr{AdoptRef{}, BuildConnVal()},
BuildConnVal(), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(long_cnt)},
val_mgr->GetBool(long_cnt), make_intrusive<StringVal>(at - line, line),
new StringVal(at - line, line), make_intrusive<StringVal>(end_of_line - host, host)
new StringVal(end_of_line - host, host), );
});
}
Conn()->Match(Rule::FINGER, (const u_char *) line, Conn()->Match(Rule::FINGER, (const u_char *) line,
end_of_line - line, true, true, 1, true); end_of_line - line, true, true, 1, true);
@ -87,9 +85,9 @@ void Finger_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig
if ( ! finger_reply ) if ( ! finger_reply )
return; return;
ConnectionEventFast(finger_reply, { EnqueueConnEvent(finger_reply,
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildConnVal()},
new StringVal(end_of_line - line, line), make_intrusive<StringVal>(end_of_line - line, line)
}); );
} }
} }

22
src/analyzer/protocol/ftp/FTP.cc
View file

@ -75,7 +75,7 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
// Could emit "ftp empty request/reply" weird, but maybe not worth it. // Could emit "ftp empty request/reply" weird, but maybe not worth it.
return; return;
val_list vl; zeek::Args vl;
EventHandlerPtr f; EventHandlerPtr f;
if ( orig ) if ( orig )
@ -96,10 +96,10 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
else else
cmd_str = (new StringVal(cmd_len, cmd))->ToUpper(); cmd_str = (new StringVal(cmd_len, cmd))->ToUpper();
vl = val_list{ vl = {
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildConnVal()},
cmd_str, IntrusivePtr{AdoptRef{}, cmd_str},
new StringVal(end_of_line - line, line), make_intrusive<StringVal>(end_of_line - line, line),
}; };
f = ftp_request; f = ftp_request;
@ -175,17 +175,17 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
} }
} }
vl = val_list{ vl = {
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildConnVal()},
val_mgr->GetCount(reply_code), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(reply_code)},
new StringVal(end_of_line - line, line), make_intrusive<StringVal>(end_of_line - line, line),
val_mgr->GetBool(cont_resp), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(cont_resp)}
}; };
f = ftp_reply; f = ftp_reply;
} }
ConnectionEvent(f, std::move(vl)); EnqueueConnEvent(f, std::move(vl));
ForwardStream(length, data, orig); ForwardStream(length, data, orig);
} }

62
src/analyzer/protocol/gnutella/Gnutella.cc
View file

@ -59,9 +59,9 @@ void Gnutella_Analyzer::Done()
if ( ! sent_establish && (gnutella_establish || gnutella_not_establish) ) if ( ! sent_establish && (gnutella_establish || gnutella_not_establish) )
{ {
if ( Established() && gnutella_establish ) if ( Established() && gnutella_establish )
ConnectionEventFast(gnutella_establish, {BuildConnVal()}); EnqueueConnEvent(gnutella_establish, IntrusivePtr{AdoptRef{}, BuildConnVal()});
else if ( ! Established () && gnutella_not_establish ) else if ( ! Established () && gnutella_not_establish )
ConnectionEventFast(gnutella_not_establish, {BuildConnVal()}); EnqueueConnEvent(gnutella_not_establish, IntrusivePtr{AdoptRef{}, BuildConnVal()});
} }
if ( gnutella_partial_binary_msg ) if ( gnutella_partial_binary_msg )
@ -71,14 +71,12 @@ void Gnutella_Analyzer::Done()
for ( int i = 0; i < 2; ++i, p = resp_msg_state ) for ( int i = 0; i < 2; ++i, p = resp_msg_state )
{ {
if ( ! p->msg_sent && p->msg_pos ) if ( ! p->msg_sent && p->msg_pos )
{ EnqueueConnEvent(gnutella_partial_binary_msg,
ConnectionEventFast(gnutella_partial_binary_msg, { IntrusivePtr{AdoptRef{}, BuildConnVal()},
BuildConnVal(), make_intrusive<StringVal>(p->msg),
new StringVal(p->msg), IntrusivePtr{AdoptRef{}, val_mgr->GetBool((i == 0))},
val_mgr->GetBool((i == 0)), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(p->msg_pos)}
val_mgr->GetCount(p->msg_pos), );
});
}
else if ( ! p->msg_sent && p->payload_left ) else if ( ! p->msg_sent && p->payload_left )
SendEvents(p, (i == 0)); SendEvents(p, (i == 0));
@ -120,9 +118,7 @@ int Gnutella_Analyzer::IsHTTP(string header)
return 0; return 0;
if ( gnutella_http_notify ) if ( gnutella_http_notify )
{ EnqueueConnEvent(gnutella_http_notify, IntrusivePtr{AdoptRef{}, BuildConnVal()});
ConnectionEventFast(gnutella_http_notify, {BuildConnVal()});
}
analyzer::Analyzer* a = analyzer_mgr->InstantiateAnalyzer("HTTP", Conn()); analyzer::Analyzer* a = analyzer_mgr->InstantiateAnalyzer("HTTP", Conn());
@ -180,13 +176,11 @@ void Gnutella_Analyzer::DeliverLines(int len, const u_char* data, bool orig)
else else
{ {
if ( gnutella_text_msg ) if ( gnutella_text_msg )
{ EnqueueConnEvent(gnutella_text_msg,
ConnectionEventFast(gnutella_text_msg, { IntrusivePtr{AdoptRef{}, BuildConnVal()},
BuildConnVal(), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
val_mgr->GetBool(orig), make_intrusive<StringVal>(ms->headers.data())
new StringVal(ms->headers.data()), );
});
}
ms->headers = ""; ms->headers = "";
state |= new_state; state |= new_state;
@ -195,7 +189,7 @@ void Gnutella_Analyzer::DeliverLines(int len, const u_char* data, bool orig)
{ {
sent_establish = 1; sent_establish = 1;
ConnectionEventFast(gnutella_establish, {BuildConnVal()}); EnqueueConnEvent(gnutella_establish, IntrusivePtr{AdoptRef{}, BuildConnVal()});
} }
} }
} }
@ -220,20 +214,18 @@ void Gnutella_Analyzer::SendEvents(GnutellaMsgState* p, bool is_orig)
return; return;
if ( gnutella_binary_msg ) if ( gnutella_binary_msg )
{ EnqueueConnEvent(gnutella_binary_msg,
ConnectionEventFast(gnutella_binary_msg, { IntrusivePtr{AdoptRef{}, BuildConnVal()},
BuildConnVal(), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
val_mgr->GetBool(is_orig), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(p->msg_type)},
val_mgr->GetCount(p->msg_type), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(p->msg_ttl)},
val_mgr->GetCount(p->msg_ttl), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(p->msg_hops)},
val_mgr->GetCount(p->msg_hops), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(p->msg_len)},
val_mgr->GetCount(p->msg_len), make_intrusive<StringVal>(p->payload),
new StringVal(p->payload), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(p->payload_len)},
val_mgr->GetCount(p->payload_len), IntrusivePtr{AdoptRef{}, val_mgr->GetBool((p->payload_len < min(p->msg_len, (unsigned int)GNUTELLA_MAX_PAYLOAD)))},
val_mgr->GetBool((p->payload_len < min(p->msg_len, (unsigned int)GNUTELLA_MAX_PAYLOAD))), IntrusivePtr{AdoptRef{}, val_mgr->GetBool((p->payload_left == 0))}
val_mgr->GetBool((p->payload_left == 0)), );
});
}
} }

146
src/analyzer/protocol/http/HTTP.cc
View file

@ -649,13 +649,11 @@ void HTTP_Message::Done(const int interrupted, const char* detail)
} }
if ( http_message_done ) if ( http_message_done )
{ GetAnalyzer()->EnqueueConnEvent(http_message_done,
GetAnalyzer()->ConnectionEventFast(http_message_done, { IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->BuildConnVal(), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
val_mgr->GetBool(is_orig), IntrusivePtr{AdoptRef{}, BuildMessageStat(interrupted, detail)}
BuildMessageStat(interrupted, detail), );
});
}
MyHTTP_Analyzer()->HTTP_MessageDone(is_orig, this); MyHTTP_Analyzer()->HTTP_MessageDone(is_orig, this);
} }
@ -682,12 +680,10 @@ void HTTP_Message::BeginEntity(mime::MIME_Entity* entity)
current_entity = (HTTP_Entity*) entity; current_entity = (HTTP_Entity*) entity;
if ( http_begin_entity ) if ( http_begin_entity )
{ analyzer->EnqueueConnEvent(http_begin_entity,
analyzer->ConnectionEventFast(http_begin_entity, { IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->BuildConnVal(), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)}
val_mgr->GetBool(is_orig), );
});
}
} }
void HTTP_Message::EndEntity(mime::MIME_Entity* entity) void HTTP_Message::EndEntity(mime::MIME_Entity* entity)
@ -699,12 +695,10 @@ void HTTP_Message::EndEntity(mime::MIME_Entity* entity)
header_length += ((HTTP_Entity*) entity)->HeaderLength(); header_length += ((HTTP_Entity*) entity)->HeaderLength();
if ( http_end_entity ) if ( http_end_entity )
{ analyzer->EnqueueConnEvent(http_end_entity,
analyzer->ConnectionEventFast(http_end_entity, { IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->BuildConnVal(), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)}
val_mgr->GetBool(is_orig), );
});
}
current_entity = (HTTP_Entity*) entity->Parent(); current_entity = (HTTP_Entity*) entity->Parent();
@ -740,27 +734,23 @@ void HTTP_Message::SubmitHeader(mime::MIME_Header* h)
void HTTP_Message::SubmitAllHeaders(mime::MIME_HeaderList& hlist) void HTTP_Message::SubmitAllHeaders(mime::MIME_HeaderList& hlist)
{ {
if ( http_all_headers ) if ( http_all_headers )
{ analyzer->EnqueueConnEvent(http_all_headers,
analyzer->ConnectionEventFast(http_all_headers, { IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->BuildConnVal(), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
val_mgr->GetBool(is_orig), IntrusivePtr{AdoptRef{}, BuildHeaderTable(hlist)}
BuildHeaderTable(hlist), );
});
}
if ( http_content_type ) if ( http_content_type )
{ {
StringVal* ty = current_entity->ContentType(); StringVal* ty = current_entity->ContentType();
StringVal* subty = current_entity->ContentSubType(); StringVal* subty = current_entity->ContentSubType();
ty->Ref();
subty->Ref();
analyzer->ConnectionEventFast(http_content_type, { analyzer->EnqueueConnEvent(http_content_type,
analyzer->BuildConnVal(), IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
val_mgr->GetBool(is_orig), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
ty, IntrusivePtr{NewRef{}, ty},
subty, IntrusivePtr{NewRef{}, subty}
}); );
} }
} }
@ -1182,14 +1172,14 @@ void HTTP_Analyzer::GenStats()
{ {
if ( http_stats ) if ( http_stats )
{ {
RecordVal* r = new RecordVal(http_stats_rec); auto r = make_intrusive<RecordVal>(http_stats_rec);
r->Assign(0, val_mgr->GetCount(num_requests)); r->Assign(0, val_mgr->GetCount(num_requests));
r->Assign(1, val_mgr->GetCount(num_replies)); r->Assign(1, val_mgr->GetCount(num_replies));
r->Assign(2, make_intrusive<Val>(request_version.ToDouble(), TYPE_DOUBLE)); r->Assign(2, make_intrusive<Val>(request_version.ToDouble(), TYPE_DOUBLE));
r->Assign(3, make_intrusive<Val>(reply_version.ToDouble(), TYPE_DOUBLE)); r->Assign(3, make_intrusive<Val>(reply_version.ToDouble(), TYPE_DOUBLE));
// DEBUG_MSG("%.6f http_stats\n", network_time); // DEBUG_MSG("%.6f http_stats\n", network_time);
ConnectionEventFast(http_stats, {BuildConnVal(), r}); EnqueueConnEvent(http_stats, IntrusivePtr{AdoptRef{}, BuildConnVal()}, std::move(r));
} }
} }
@ -1387,16 +1377,14 @@ void HTTP_Analyzer::HTTP_Event(const char* category, const char* detail)
void HTTP_Analyzer::HTTP_Event(const char* category, StringVal* detail) void HTTP_Analyzer::HTTP_Event(const char* category, StringVal* detail)
{ {
if ( http_event ) if ( http_event )
{
// DEBUG_MSG("%.6f http_event\n", network_time); // DEBUG_MSG("%.6f http_event\n", network_time);
ConnectionEventFast(http_event, { EnqueueConnEvent(http_event,
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildConnVal()},
new StringVal(category), make_intrusive<StringVal>(category),
detail, IntrusivePtr{AdoptRef{}, detail}
}); );
}
else else
delete detail; Unref(detail);
} }
StringVal* HTTP_Analyzer::TruncateURI(StringVal* uri) StringVal* HTTP_Analyzer::TruncateURI(StringVal* uri)
@ -1428,33 +1416,27 @@ void HTTP_Analyzer::HTTP_Request()
connect_request = true; connect_request = true;
if ( http_request ) if ( http_request )
{
Ref(request_method);
// DEBUG_MSG("%.6f http_request\n", network_time); // DEBUG_MSG("%.6f http_request\n", network_time);
ConnectionEventFast(http_request, { EnqueueConnEvent(http_request,
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildConnVal()},
request_method, IntrusivePtr{NewRef{}, request_method},
TruncateURI(request_URI->AsStringVal()), IntrusivePtr{AdoptRef{}, TruncateURI(request_URI->AsStringVal())},
TruncateURI(unescaped_URI->AsStringVal()), IntrusivePtr{AdoptRef{}, TruncateURI(unescaped_URI->AsStringVal())},
new StringVal(fmt("%.1f", request_version.ToDouble())), make_intrusive<StringVal>(fmt("%.1f", request_version.ToDouble()))
}); );
}
} }
void HTTP_Analyzer::HTTP_Reply() void HTTP_Analyzer::HTTP_Reply()
{ {
if ( http_reply ) if ( http_reply )
{ EnqueueConnEvent(http_reply,
ConnectionEventFast(http_reply, { IntrusivePtr{AdoptRef{}, BuildConnVal()},
BuildConnVal(), make_intrusive<StringVal>(fmt("%.1f", reply_version.ToDouble())),
new StringVal(fmt("%.1f", reply_version.ToDouble())), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(reply_code)},
val_mgr->GetCount(reply_code),
reply_reason_phrase ? reply_reason_phrase ?
reply_reason_phrase->Ref() : IntrusivePtr{NewRef{}, reply_reason_phrase} :
new StringVal("<empty>"), make_intrusive<StringVal>("<empty>")
}); );
}
else else
{ {
Unref(reply_reason_phrase); Unref(reply_reason_phrase);
@ -1524,12 +1506,10 @@ void HTTP_Analyzer::ReplyMade(const int interrupted, const char* msg)
RemoveSupportAnalyzer(content_line_resp); RemoveSupportAnalyzer(content_line_resp);
if ( http_connection_upgrade ) if ( http_connection_upgrade )
{ EnqueueConnEvent(http_connection_upgrade,
ConnectionEventFast(http_connection_upgrade, { IntrusivePtr{AdoptRef{}, BuildConnVal()},
BuildConnVal(), make_intrusive<StringVal>(upgrade_protocol)
new StringVal(upgrade_protocol), );
});
}
} }
reply_code = 0; reply_code = 0;
@ -1690,26 +1670,24 @@ void HTTP_Analyzer::HTTP_Header(int is_orig, mime::MIME_Header* h)
if ( DEBUG_http ) if ( DEBUG_http )
DEBUG_MSG("%.6f http_header\n", network_time); DEBUG_MSG("%.6f http_header\n", network_time);
ConnectionEventFast(http_header, { EnqueueConnEvent(http_header,
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildConnVal()},
val_mgr->GetBool(is_orig), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
mime::new_string_val(h->get_name())->ToUpper(), IntrusivePtr{AdoptRef{}, mime::new_string_val(h->get_name())->ToUpper()},
mime::new_string_val(h->get_value()), IntrusivePtr{AdoptRef{}, mime::new_string_val(h->get_value())}
}); );
} }
} }
void HTTP_Analyzer::HTTP_EntityData(int is_orig, BroString* entity_data) void HTTP_Analyzer::HTTP_EntityData(int is_orig, BroString* entity_data)
{ {
if ( http_entity_data ) if ( http_entity_data )
{ EnqueueConnEvent(http_entity_data,
ConnectionEventFast(http_entity_data, { IntrusivePtr{AdoptRef{}, BuildConnVal()},
BuildConnVal(), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
val_mgr->GetBool(is_orig), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(entity_data->Len())},
val_mgr->GetCount(entity_data->Len()), make_intrusive<StringVal>(entity_data)
new StringVal(entity_data), );
});
}
else else
delete entity_data; delete entity_data;
} }

146
src/analyzer/protocol/icmp/ICMP.cc
View file

@ -202,22 +202,20 @@ void ICMP_Analyzer::ICMP_Sent(const struct icmp* icmpp, int len, int caplen,
const IP_Hdr* ip_hdr) const IP_Hdr* ip_hdr)
{ {
if ( icmp_sent ) if ( icmp_sent )
{ EnqueueConnEvent(icmp_sent,
ConnectionEventFast(icmp_sent, { IntrusivePtr{AdoptRef{}, BuildConnVal()},
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, icmpv6, ip_hdr)}
BuildICMPVal(icmpp, len, icmpv6, ip_hdr), );
});
}
if ( icmp_sent_payload ) if ( icmp_sent_payload )
{ {
BroString* payload = new BroString(data, min(len, caplen), 0); BroString* payload = new BroString(data, min(len, caplen), 0);
ConnectionEventFast(icmp_sent_payload, { EnqueueConnEvent(icmp_sent_payload,
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildConnVal()},
BuildICMPVal(icmpp, len, icmpv6, ip_hdr), IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, icmpv6, ip_hdr)},
new StringVal(payload), make_intrusive<StringVal>(payload)
}); );
} }
} }
@ -516,13 +514,13 @@ void ICMP_Analyzer::Echo(double t, const struct icmp* icmpp, int len,
BroString* payload = new BroString(data, caplen, 0); BroString* payload = new BroString(data, caplen, 0);
ConnectionEventFast(f, { EnqueueConnEvent(f,
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildConnVal()},
BuildICMPVal(icmpp, len, ip_hdr->NextProto() != IPPROTO_ICMP, ip_hdr), IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, ip_hdr->NextProto() != IPPROTO_ICMP, ip_hdr)},
val_mgr->GetCount(iid), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(iid)},
val_mgr->GetCount(iseq), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(iseq)},
new StringVal(payload), make_intrusive<StringVal>(payload)
}); );
} }
@ -544,21 +542,21 @@ void ICMP_Analyzer::RouterAdvert(double t, const struct icmp* icmpp, int len,
int opt_offset = sizeof(reachable) + sizeof(retrans); int opt_offset = sizeof(reachable) + sizeof(retrans);
ConnectionEventFast(f, { EnqueueConnEvent(f,
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildConnVal()},
BuildICMPVal(icmpp, len, 1, ip_hdr), IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 1, ip_hdr)},
val_mgr->GetCount(icmpp->icmp_num_addrs), // Cur Hop Limit IntrusivePtr{AdoptRef{}, val_mgr->GetCount(icmpp->icmp_num_addrs)}, // Cur Hop Limit
val_mgr->GetBool(icmpp->icmp_wpa & 0x80), // Managed IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_wpa & 0x80)}, // Managed
val_mgr->GetBool(icmpp->icmp_wpa & 0x40), // Other IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_wpa & 0x40)}, // Other
val_mgr->GetBool(icmpp->icmp_wpa & 0x20), // Home Agent IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_wpa & 0x20)}, // Home Agent
val_mgr->GetCount((icmpp->icmp_wpa & 0x18)>>3), // Pref IntrusivePtr{AdoptRef{}, val_mgr->GetCount((icmpp->icmp_wpa & 0x18)>>3)}, // Pref
val_mgr->GetBool(icmpp->icmp_wpa & 0x04), // Proxy IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_wpa & 0x04)}, // Proxy
val_mgr->GetCount(icmpp->icmp_wpa & 0x02), // Reserved IntrusivePtr{AdoptRef{}, val_mgr->GetCount(icmpp->icmp_wpa & 0x02)}, // Reserved
new IntervalVal((double)ntohs(icmpp->icmp_lifetime), Seconds), make_intrusive<IntervalVal>((double)ntohs(icmpp->icmp_lifetime), Seconds),
new IntervalVal((double)ntohl(reachable), Milliseconds), make_intrusive<IntervalVal>((double)ntohl(reachable), Milliseconds),
new IntervalVal((double)ntohl(retrans), Milliseconds), make_intrusive<IntervalVal>((double)ntohl(retrans), Milliseconds),
BuildNDOptionsVal(caplen - opt_offset, data + opt_offset), IntrusivePtr{AdoptRef{}, BuildNDOptionsVal(caplen - opt_offset, data + opt_offset)}
}); );
} }
@ -577,15 +575,15 @@ void ICMP_Analyzer::NeighborAdvert(double t, const struct icmp* icmpp, int len,
int opt_offset = sizeof(in6_addr); int opt_offset = sizeof(in6_addr);
ConnectionEventFast(f, { EnqueueConnEvent(f,
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildConnVal()},
BuildICMPVal(icmpp, len, 1, ip_hdr), IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 1, ip_hdr)},
val_mgr->GetBool(icmpp->icmp_num_addrs & 0x80), // Router IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_num_addrs & 0x80)}, // Router
val_mgr->GetBool(icmpp->icmp_num_addrs & 0x40), // Solicited IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_num_addrs & 0x40)}, // Solicited
val_mgr->GetBool(icmpp->icmp_num_addrs & 0x20), // Override IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_num_addrs & 0x20)}, // Override
new AddrVal(tgtaddr), make_intrusive<AddrVal>(tgtaddr),
BuildNDOptionsVal(caplen - opt_offset, data + opt_offset), IntrusivePtr{AdoptRef{}, BuildNDOptionsVal(caplen - opt_offset, data + opt_offset)}
}); );
} }
@ -604,12 +602,12 @@ void ICMP_Analyzer::NeighborSolicit(double t, const struct icmp* icmpp, int len,
int opt_offset = sizeof(in6_addr); int opt_offset = sizeof(in6_addr);
ConnectionEventFast(f, { EnqueueConnEvent(f,
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildConnVal()},
BuildICMPVal(icmpp, len, 1, ip_hdr), IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 1, ip_hdr)},
new AddrVal(tgtaddr), make_intrusive<AddrVal>(tgtaddr),
BuildNDOptionsVal(caplen - opt_offset, data + opt_offset), IntrusivePtr{AdoptRef{}, BuildNDOptionsVal(caplen - opt_offset, data + opt_offset)}
}); );
} }
@ -631,13 +629,13 @@ void ICMP_Analyzer::Redirect(double t, const struct icmp* icmpp, int len,
int opt_offset = 2 * sizeof(in6_addr); int opt_offset = 2 * sizeof(in6_addr);
ConnectionEventFast(f, { EnqueueConnEvent(f,
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildConnVal()},
BuildICMPVal(icmpp, len, 1, ip_hdr), IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 1, ip_hdr)},
new AddrVal(tgtaddr), make_intrusive<AddrVal>(tgtaddr),
new AddrVal(dstaddr), make_intrusive<AddrVal>(dstaddr),
BuildNDOptionsVal(caplen - opt_offset, data + opt_offset), IntrusivePtr{AdoptRef{}, BuildNDOptionsVal(caplen - opt_offset, data + opt_offset)}
}); );
} }
@ -649,11 +647,11 @@ void ICMP_Analyzer::RouterSolicit(double t, const struct icmp* icmpp, int len,
if ( ! f ) if ( ! f )
return; return;
ConnectionEventFast(f, { EnqueueConnEvent(f,
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildConnVal()},
BuildICMPVal(icmpp, len, 1, ip_hdr), IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 1, ip_hdr)},
BuildNDOptionsVal(caplen, data), IntrusivePtr{AdoptRef{}, BuildNDOptionsVal(caplen, data)}
}); );
} }
@ -674,14 +672,12 @@ void ICMP_Analyzer::Context4(double t, const struct icmp* icmpp,
} }
if ( f ) if ( f )
{ EnqueueConnEvent(f,
ConnectionEventFast(f, { IntrusivePtr{AdoptRef{}, BuildConnVal()},
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 0, ip_hdr)},
BuildICMPVal(icmpp, len, 0, ip_hdr), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(icmpp->icmp_code)},
val_mgr->GetCount(icmpp->icmp_code), IntrusivePtr{AdoptRef{}, ExtractICMP4Context(caplen, data)}
ExtractICMP4Context(caplen, data), );
});
}
} }
@ -714,14 +710,12 @@ void ICMP_Analyzer::Context6(double t, const struct icmp* icmpp,
} }
if ( f ) if ( f )
{ EnqueueConnEvent(f,
ConnectionEventFast(f, { IntrusivePtr{AdoptRef{}, BuildConnVal()},
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 1, ip_hdr)},
BuildICMPVal(icmpp, len, 1, ip_hdr), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(icmpp->icmp_code)},
val_mgr->GetCount(icmpp->icmp_code), IntrusivePtr{AdoptRef{}, ExtractICMP6Context(caplen, data)}
ExtractICMP6Context(caplen, data), );
});
}
} }
VectorVal* ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* data) VectorVal* ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* data)

36
src/analyzer/protocol/ident/Ident.cc
View file

@ -84,11 +84,11 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
Weird("ident_request_addendum", s.CheckString()); Weird("ident_request_addendum", s.CheckString());
} }
ConnectionEventFast(ident_request, { EnqueueConnEvent(ident_request,
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildConnVal()},
val_mgr->GetPort(local_port, TRANSPORT_TCP), IntrusivePtr{AdoptRef{}, val_mgr->GetPort(local_port, TRANSPORT_TCP)},
val_mgr->GetPort(remote_port, TRANSPORT_TCP), IntrusivePtr{AdoptRef{}, val_mgr->GetPort(remote_port, TRANSPORT_TCP)}
}); );
did_deliver = true; did_deliver = true;
} }
@ -145,12 +145,12 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
if ( is_error ) if ( is_error )
{ {
if ( ident_error ) if ( ident_error )
ConnectionEventFast(ident_error, { EnqueueConnEvent(ident_error,
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildConnVal()},
val_mgr->GetPort(local_port, TRANSPORT_TCP), IntrusivePtr{AdoptRef{}, val_mgr->GetPort(local_port, TRANSPORT_TCP)},
val_mgr->GetPort(remote_port, TRANSPORT_TCP), IntrusivePtr{AdoptRef{}, val_mgr->GetPort(remote_port, TRANSPORT_TCP)},
new StringVal(end_of_line - line, line), make_intrusive<StringVal>(end_of_line - line, line)
}); );
} }
else else
@ -178,13 +178,13 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
line = skip_whitespace(colon + 1, end_of_line); line = skip_whitespace(colon + 1, end_of_line);
ConnectionEventFast(ident_reply, { EnqueueConnEvent(ident_reply,
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildConnVal()},
val_mgr->GetPort(local_port, TRANSPORT_TCP), IntrusivePtr{AdoptRef{}, val_mgr->GetPort(local_port, TRANSPORT_TCP)},
val_mgr->GetPort(remote_port, TRANSPORT_TCP), IntrusivePtr{AdoptRef{}, val_mgr->GetPort(remote_port, TRANSPORT_TCP)},
new StringVal(end_of_line - line, line), make_intrusive<StringVal>(end_of_line - line, line),
new StringVal(sys_type_s), make_intrusive<StringVal>(sys_type_s)
}); );
} }
} }
} }

508
src/analyzer/protocol/irc/IRC.cc
View file

@ -233,13 +233,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
// else ### // else ###
} }
ConnectionEventFast(irc_network_info, { EnqueueConnEvent(irc_network_info,
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildConnVal()},
val_mgr->GetBool(orig), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
val_mgr->GetInt(users), IntrusivePtr{AdoptRef{}, val_mgr->GetInt(users)},
val_mgr->GetInt(services), IntrusivePtr{AdoptRef{}, val_mgr->GetInt(services)},
val_mgr->GetInt(servers), IntrusivePtr{AdoptRef{}, val_mgr->GetInt(servers)}
}); );
} }
break; break;
@ -270,24 +270,23 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( parts.size() > 0 && parts[0][0] == ':' ) if ( parts.size() > 0 && parts[0][0] == ':' )
parts[0] = parts[0].substr(1); parts[0] = parts[0].substr(1);
TableVal* set = new TableVal({NewRef{}, string_set}); auto set = make_intrusive<TableVal>(IntrusivePtr{NewRef{}, string_set});
for ( unsigned int i = 0; i < parts.size(); ++i ) for ( unsigned int i = 0; i < parts.size(); ++i )
{ {
if ( parts[i][0] == '@' ) if ( parts[i][0] == '@' )
parts[i] = parts[i].substr(1); parts[i] = parts[i].substr(1);
Val* idx = new StringVal(parts[i].c_str()); auto idx = make_intrusive<StringVal>(parts[i].c_str());
set->Assign(idx, 0); set->Assign(idx.get(), 0);
Unref(idx);
} }
ConnectionEventFast(irc_names_info, { EnqueueConnEvent(irc_names_info,
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildConnVal()},
val_mgr->GetBool(orig), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
new StringVal(type.c_str()), make_intrusive<StringVal>(type.c_str()),
new StringVal(channel.c_str()), make_intrusive<StringVal>(channel.c_str()),
set, std::move(set)
}); );
} }
break; break;
@ -315,13 +314,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
// else ### // else ###
} }
ConnectionEventFast(irc_server_info, { EnqueueConnEvent(irc_server_info,
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildConnVal()},
val_mgr->GetBool(orig), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
val_mgr->GetInt(users), IntrusivePtr{AdoptRef{}, val_mgr->GetInt(users)},
val_mgr->GetInt(services), IntrusivePtr{AdoptRef{}, val_mgr->GetInt(services)},
val_mgr->GetInt(servers), IntrusivePtr{AdoptRef{}, val_mgr->GetInt(servers)}
}); );
} }
break; break;
@ -337,11 +336,11 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( parts[i] == ":channels" ) if ( parts[i] == ":channels" )
channels = atoi(parts[i - 1].c_str()); channels = atoi(parts[i - 1].c_str());
ConnectionEventFast(irc_channel_info, { EnqueueConnEvent(irc_channel_info,
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildConnVal()},
val_mgr->GetBool(orig), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
val_mgr->GetInt(channels), IntrusivePtr{AdoptRef{}, val_mgr->GetInt(channels)}
}); );
} }
break; break;
@ -369,12 +368,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
break; break;
} }
ConnectionEventFast(irc_global_users, { EnqueueConnEvent(irc_global_users,
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildConnVal()},
val_mgr->GetBool(orig), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
new StringVal(eop - prefix, prefix), make_intrusive<StringVal>(eop - prefix, prefix),
new StringVal(++msg), make_intrusive<StringVal>(++msg)
}); );
break; break;
} }
@ -394,12 +393,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
return; return;
} }
val_list vl(6); zeek::Args vl;
vl.push_back(BuildConnVal()); vl.reserve(6);
vl.push_back(val_mgr->GetBool(orig)); vl.emplace_back(AdoptRef{}, BuildConnVal());
vl.push_back(new StringVal(parts[0].c_str())); vl.emplace_back(AdoptRef{}, val_mgr->GetBool(orig));
vl.push_back(new StringVal(parts[1].c_str())); vl.emplace_back(make_intrusive<StringVal>(parts[0].c_str()));
vl.push_back(new StringVal(parts[2].c_str())); vl.emplace_back(make_intrusive<StringVal>(parts[1].c_str()));
vl.emplace_back(make_intrusive<StringVal>(parts[2].c_str()));
parts.erase(parts.begin(), parts.begin() + 4); parts.erase(parts.begin(), parts.begin() + 4);
@ -410,9 +410,9 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( real_name[0] == ':' ) if ( real_name[0] == ':' )
real_name = real_name.substr(1); real_name = real_name.substr(1);
vl.push_back(new StringVal(real_name.c_str())); vl.emplace_back(make_intrusive<StringVal>(real_name.c_str()));
ConnectionEventFast(irc_whois_user_line, std::move(vl)); EnqueueConnEvent(irc_whois_user_line, std::move(vl));
} }
break; break;
@ -433,11 +433,11 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
return; return;
} }
ConnectionEventFast(irc_whois_operator_line, { EnqueueConnEvent(irc_whois_operator_line,
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildConnVal()},
val_mgr->GetBool(orig), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
new StringVal(parts[0].c_str()), make_intrusive<StringVal>(parts[0].c_str())
}); );
} }
break; break;
@ -463,21 +463,20 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( parts.size() > 0 && parts[0][0] == ':' ) if ( parts.size() > 0 && parts[0][0] == ':' )
parts[0] = parts[0].substr(1); parts[0] = parts[0].substr(1);
TableVal* set = new TableVal({NewRef{}, string_set}); auto set = make_intrusive<TableVal>(IntrusivePtr{NewRef{}, string_set});
for ( unsigned int i = 0; i < parts.size(); ++i ) for ( unsigned int i = 0; i < parts.size(); ++i )
{ {
Val* idx = new StringVal(parts[i].c_str()); auto idx = make_intrusive<StringVal>(parts[i].c_str());
set->Assign(idx, 0); set->Assign(idx.get(), 0);
Unref(idx);
} }
ConnectionEventFast(irc_whois_channel_line, { EnqueueConnEvent(irc_whois_channel_line,
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildConnVal()},
val_mgr->GetBool(orig), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
new StringVal(nick.c_str()), make_intrusive<StringVal>(nick.c_str()),
set, std::move(set)
}); );
} }
break; break;
@ -503,12 +502,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( *t == ':' ) if ( *t == ':' )
++t; ++t;
ConnectionEventFast(irc_channel_topic, { EnqueueConnEvent(irc_channel_topic,
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildConnVal()},
val_mgr->GetBool(orig), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
new StringVal(parts[1].c_str()), make_intrusive<StringVal>(parts[1].c_str()),
new StringVal(t), make_intrusive<StringVal>(t)
}); );
} }
else else
{ {
@ -537,19 +536,19 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( parts[7][0] == ':' ) if ( parts[7][0] == ':' )
parts[7] = parts[7].substr(1); parts[7] = parts[7].substr(1);
ConnectionEventFast(irc_who_line, { EnqueueConnEvent(irc_who_line,
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildConnVal()},
val_mgr->GetBool(orig), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
new StringVal(parts[0].c_str()), make_intrusive<StringVal>(parts[0].c_str()),
new StringVal(parts[1].c_str()), make_intrusive<StringVal>(parts[1].c_str()),
new StringVal(parts[2].c_str()), make_intrusive<StringVal>(parts[2].c_str()),
new StringVal(parts[3].c_str()), make_intrusive<StringVal>(parts[3].c_str()),
new StringVal(parts[4].c_str()), make_intrusive<StringVal>(parts[4].c_str()),
new StringVal(parts[5].c_str()), make_intrusive<StringVal>(parts[5].c_str()),
new StringVal(parts[6].c_str()), make_intrusive<StringVal>(parts[6].c_str()),
val_mgr->GetInt(atoi(parts[7].c_str())), IntrusivePtr{AdoptRef{}, val_mgr->GetInt(atoi(parts[7].c_str()))},
new StringVal(parts[8].c_str()), make_intrusive<StringVal>(parts[8].c_str())
}); );
} }
break; break;
@ -559,25 +558,21 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
case 433: case 433:
case 436: case 436:
if ( irc_invalid_nick ) if ( irc_invalid_nick )
{ EnqueueConnEvent(irc_invalid_nick,
ConnectionEventFast(irc_invalid_nick, { IntrusivePtr{AdoptRef{}, BuildConnVal()},
BuildConnVal(), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)}
val_mgr->GetBool(orig), );
});
}
break; break;
// Operator responses. // Operator responses.
case 381: // User is operator case 381: // User is operator
case 491: // user is not operator case 491: // user is not operator
if ( irc_oper_response ) if ( irc_oper_response )
{ EnqueueConnEvent(irc_oper_response,
ConnectionEventFast(irc_oper_response, { IntrusivePtr{AdoptRef{}, BuildConnVal()},
BuildConnVal(), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
val_mgr->GetBool(orig), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(code == 381)}
val_mgr->GetBool(code == 381), );
});
}
break; break;
case 670: case 670:
@ -588,13 +583,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
// All other server replies. // All other server replies.
default: default:
if ( irc_reply ) if ( irc_reply )
ConnectionEventFast(irc_reply, { EnqueueConnEvent(irc_reply,
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildConnVal()},
val_mgr->GetBool(orig), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
new StringVal(prefix.c_str()), make_intrusive<StringVal>(prefix.c_str()),
val_mgr->GetCount(code), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(code)},
new StringVal(params.c_str()), make_intrusive<StringVal>(params.c_str())
}); );
break; break;
} }
return; return;
@ -659,31 +654,31 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( irc_dcc_message ) if ( irc_dcc_message )
ConnectionEventFast(irc_dcc_message, { EnqueueConnEvent(irc_dcc_message,
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildConnVal()},
val_mgr->GetBool(orig), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
new StringVal(prefix.c_str()), make_intrusive<StringVal>(prefix.c_str()),
new StringVal(target.c_str()), make_intrusive<StringVal>(target.c_str()),
new StringVal(parts[1].c_str()), make_intrusive<StringVal>(parts[1].c_str()),
new StringVal(parts[2].c_str()), make_intrusive<StringVal>(parts[2].c_str()),
new AddrVal(htonl(raw_ip)), make_intrusive<AddrVal>(htonl(raw_ip)),
val_mgr->GetCount(atoi(parts[4].c_str())), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(atoi(parts[4].c_str()))},
parts.size() >= 6 ? IntrusivePtr{AdoptRef{}, parts.size() >= 6 ?
val_mgr->GetCount(atoi(parts[5].c_str())) : val_mgr->GetCount(atoi(parts[5].c_str())) :
val_mgr->GetCount(0), val_mgr->GetCount(0)}
}); );
} }
else else
{ {
if ( irc_privmsg_message ) if ( irc_privmsg_message )
ConnectionEventFast(irc_privmsg_message, { EnqueueConnEvent(irc_privmsg_message,
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildConnVal()},
val_mgr->GetBool(orig), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
new StringVal(prefix.c_str()), make_intrusive<StringVal>(prefix.c_str()),
new StringVal(target.c_str()), make_intrusive<StringVal>(target.c_str()),
new StringVal(message.c_str()), make_intrusive<StringVal>(message.c_str())
}); );
} }
} }
@ -702,13 +697,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( message[0] == ':' ) if ( message[0] == ':' )
message = message.substr(1); message = message.substr(1);
ConnectionEventFast(irc_notice_message, { EnqueueConnEvent(irc_notice_message,
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildConnVal()},
val_mgr->GetBool(orig), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
new StringVal(prefix.c_str()), make_intrusive<StringVal>(prefix.c_str()),
new StringVal(target.c_str()), make_intrusive<StringVal>(target.c_str()),
new StringVal(message.c_str()), make_intrusive<StringVal>(message.c_str())
}); );
} }
else if ( irc_squery_message && command == "SQUERY" ) else if ( irc_squery_message && command == "SQUERY" )
@ -726,34 +721,35 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( message[0] == ':' ) if ( message[0] == ':' )
message = message.substr(1); message = message.substr(1);
ConnectionEventFast(irc_squery_message, { EnqueueConnEvent(irc_squery_message,
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildConnVal()},
val_mgr->GetBool(orig), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
new StringVal(prefix.c_str()), make_intrusive<StringVal>(prefix.c_str()),
new StringVal(target.c_str()), make_intrusive<StringVal>(target.c_str()),
new StringVal(message.c_str()), make_intrusive<StringVal>(message.c_str())
}); );
} }
else if ( irc_user_message && command == "USER" ) else if ( irc_user_message && command == "USER" )
{ {
// extract username and real name // extract username and real name
vector<string> parts = SplitWords(params, ' '); vector<string> parts = SplitWords(params, ' ');
val_list vl(6); zeek::Args vl;
vl.push_back(BuildConnVal()); vl.reserve(6);
vl.push_back(val_mgr->GetBool(orig)); vl.emplace_back(AdoptRef{}, BuildConnVal());
vl.emplace_back(AdoptRef{}, val_mgr->GetBool(orig));
if ( parts.size() > 0 ) if ( parts.size() > 0 )
vl.push_back(new StringVal(parts[0].c_str())); vl.emplace_back(make_intrusive<StringVal>(parts[0].c_str()));
else vl.push_back(val_mgr->GetEmptyString()); else vl.emplace_back(AdoptRef{}, val_mgr->GetEmptyString());
if ( parts.size() > 1 ) if ( parts.size() > 1 )
vl.push_back(new StringVal(parts[1].c_str())); vl.emplace_back(make_intrusive<StringVal>(parts[1].c_str()));
else vl.push_back(val_mgr->GetEmptyString()); else vl.emplace_back(AdoptRef{}, val_mgr->GetEmptyString());
if ( parts.size() > 2 ) if ( parts.size() > 2 )
vl.push_back(new StringVal(parts[2].c_str())); vl.emplace_back(make_intrusive<StringVal>(parts[2].c_str()));
else vl.push_back(val_mgr->GetEmptyString()); else vl.emplace_back(AdoptRef{}, val_mgr->GetEmptyString());
string realname; string realname;
for ( unsigned int i = 3; i < parts.size(); i++ ) for ( unsigned int i = 3; i < parts.size(); i++ )
@ -764,9 +760,9 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
} }
const char* name = realname.c_str(); const char* name = realname.c_str();
vl.push_back(new StringVal(*name == ':' ? name + 1 : name)); vl.emplace_back(make_intrusive<StringVal>(*name == ':' ? name + 1 : name));
ConnectionEventFast(irc_user_message, std::move(vl)); EnqueueConnEvent(irc_user_message, std::move(vl));
} }
else if ( irc_oper_message && command == "OPER" ) else if ( irc_oper_message && command == "OPER" )
@ -774,14 +770,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
// extract username and password // extract username and password
vector<string> parts = SplitWords(params, ' '); vector<string> parts = SplitWords(params, ' ');
if ( parts.size() == 2 ) if ( parts.size() == 2 )
{ EnqueueConnEvent(irc_oper_message,
ConnectionEventFast(irc_oper_message, { IntrusivePtr{AdoptRef{}, BuildConnVal()},
BuildConnVal(), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
val_mgr->GetBool(orig), make_intrusive<StringVal>(parts[0].c_str()),
new StringVal(parts[0].c_str()), make_intrusive<StringVal>(parts[1].c_str())
new StringVal(parts[1].c_str()), );
});
}
else else
Weird("irc_invalid_oper_message_format"); Weird("irc_invalid_oper_message_format");
@ -797,12 +791,14 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
return; return;
} }
val_list vl(6); zeek::Args vl;
vl.push_back(BuildConnVal()); vl.reserve(6);
vl.push_back(val_mgr->GetBool(orig)); vl.emplace_back(AdoptRef{}, BuildConnVal());
vl.push_back(new StringVal(prefix.c_str())); vl.emplace_back(AdoptRef{}, val_mgr->GetBool(orig));
vl.push_back(new StringVal(parts[0].c_str())); vl.emplace_back(make_intrusive<StringVal>(prefix.c_str()));
vl.push_back(new StringVal(parts[1].c_str())); vl.emplace_back(make_intrusive<StringVal>(parts[0].c_str()));
vl.emplace_back(make_intrusive<StringVal>(parts[1].c_str()));
if ( parts.size() > 2 ) if ( parts.size() > 2 )
{ {
string comment = parts[2]; string comment = parts[2];
@ -812,12 +808,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( comment[0] == ':' ) if ( comment[0] == ':' )
comment = comment.substr(1); comment = comment.substr(1);
vl.push_back(new StringVal(comment.c_str())); vl.emplace_back(make_intrusive<StringVal>(comment.c_str()));
} }
else else
vl.push_back(val_mgr->GetEmptyString()); vl.emplace_back(AdoptRef{}, val_mgr->GetEmptyString());
ConnectionEventFast(irc_kick_message, std::move(vl)); EnqueueConnEvent(irc_kick_message, std::move(vl));
} }
else if ( irc_join_message && command == "JOIN" ) else if ( irc_join_message && command == "JOIN" )
@ -841,7 +837,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
nickname = prefix.substr(0, pos); nickname = prefix.substr(0, pos);
} }
TableVal* list = new TableVal({NewRef{}, irc_join_list}); auto list = make_intrusive<TableVal>(IntrusivePtr{NewRef{}, irc_join_list});
vector<string> channels = SplitWords(parts[0], ','); vector<string> channels = SplitWords(parts[0], ',');
vector<string> passwords; vector<string> passwords;
@ -865,11 +861,11 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
Unref(info); Unref(info);
} }
ConnectionEventFast(irc_join_message, { EnqueueConnEvent(irc_join_message,
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildConnVal()},
val_mgr->GetBool(orig), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
list, std::move(list)
}); );
} }
else if ( irc_join_message && command == "NJOIN" ) else if ( irc_join_message && command == "NJOIN" )
@ -886,13 +882,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
parts[1] = parts[1].substr(1); parts[1] = parts[1].substr(1);
vector<string> users = SplitWords(parts[1], ','); vector<string> users = SplitWords(parts[1], ',');
TableVal* list = new TableVal({NewRef{}, irc_join_list}); auto list = make_intrusive<TableVal>(IntrusivePtr{NewRef{}, irc_join_list});
string empty_string = ""; string empty_string = "";
for ( unsigned int i = 0; i < users.size(); ++i ) for ( unsigned int i = 0; i < users.size(); ++i )
{ {
RecordVal* info = new RecordVal(irc_join_info); auto info = make_intrusive<RecordVal>(irc_join_info);
string nick = users[i]; string nick = users[i];
string mode = "none"; string mode = "none";
@ -922,15 +918,14 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
info->Assign(2, make_intrusive<StringVal>(empty_string.c_str())); info->Assign(2, make_intrusive<StringVal>(empty_string.c_str()));
// User mode: // User mode:
info->Assign(3, make_intrusive<StringVal>(mode.c_str())); info->Assign(3, make_intrusive<StringVal>(mode.c_str()));
list->Assign(info, 0); list->Assign(info.get(), 0);
Unref(info);
} }
ConnectionEventFast(irc_join_message, { EnqueueConnEvent(irc_join_message,
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildConnVal()},
val_mgr->GetBool(orig), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
list, std::move(list)
}); );
} }
else if ( irc_part_message && command == "PART" ) else if ( irc_part_message && command == "PART" )
@ -957,22 +952,21 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
nick = nick.substr(0, pos); nick = nick.substr(0, pos);
vector<string> channelList = SplitWords(channels, ','); vector<string> channelList = SplitWords(channels, ',');
TableVal* set = new TableVal({NewRef{}, string_set}); auto set = make_intrusive<TableVal>(IntrusivePtr{NewRef{}, string_set});
for ( unsigned int i = 0; i < channelList.size(); ++i ) for ( unsigned int i = 0; i < channelList.size(); ++i )
{ {
Val* idx = new StringVal(channelList[i].c_str()); auto idx = make_intrusive<StringVal>(channelList[i].c_str());
set->Assign(idx, 0); set->Assign(idx.get(), 0);
Unref(idx);
} }
ConnectionEventFast(irc_part_message, { EnqueueConnEvent(irc_part_message,
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildConnVal()},
val_mgr->GetBool(orig), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
new StringVal(nick.c_str()), make_intrusive<StringVal>(nick.c_str()),
set, std::move(set),
new StringVal(message.c_str()), make_intrusive<StringVal>(message.c_str())
}); );
} }
else if ( irc_quit_message && command == "QUIT" ) else if ( irc_quit_message && command == "QUIT" )
@ -989,12 +983,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
nickname = prefix.substr(0, pos); nickname = prefix.substr(0, pos);
} }
ConnectionEventFast(irc_quit_message, { EnqueueConnEvent(irc_quit_message,
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildConnVal()},
val_mgr->GetBool(orig), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
new StringVal(nickname.c_str()), make_intrusive<StringVal>(nickname.c_str()),
new StringVal(message.c_str()), make_intrusive<StringVal>(message.c_str())
}); );
} }
else if ( irc_nick_message && command == "NICK" ) else if ( irc_nick_message && command == "NICK" )
@ -1003,12 +997,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( nick[0] == ':' ) if ( nick[0] == ':' )
nick = nick.substr(1); nick = nick.substr(1);
ConnectionEventFast(irc_nick_message, { EnqueueConnEvent(irc_nick_message,
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildConnVal()},
val_mgr->GetBool(orig), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
new StringVal(prefix.c_str()), make_intrusive<StringVal>(prefix.c_str()),
new StringVal(nick.c_str()) make_intrusive<StringVal>(nick.c_str())
}); );
} }
else if ( irc_who_message && command == "WHO" ) else if ( irc_who_message && command == "WHO" )
@ -1028,14 +1022,14 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( parts.size() > 0 && parts[0].size() > 0 && parts[0][0] == ':' ) if ( parts.size() > 0 && parts[0].size() > 0 && parts[0][0] == ':' )
parts[0] = parts[0].substr(1); parts[0] = parts[0].substr(1);
ConnectionEventFast(irc_who_message, { EnqueueConnEvent(irc_who_message,
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildConnVal()},
val_mgr->GetBool(orig), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
parts.size() > 0 ? parts.size() > 0 ?
new StringVal(parts[0].c_str()) : make_intrusive<StringVal>(parts[0].c_str()) :
val_mgr->GetEmptyString(), IntrusivePtr{AdoptRef{}, val_mgr->GetEmptyString()},
val_mgr->GetBool(oper), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(oper)}
}); );
} }
else if ( irc_whois_message && command == "WHOIS" ) else if ( irc_whois_message && command == "WHOIS" )
@ -1058,12 +1052,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
else else
users = parts[0]; users = parts[0];
ConnectionEventFast(irc_whois_message, { EnqueueConnEvent(irc_whois_message,
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildConnVal()},
val_mgr->GetBool(orig), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
new StringVal(server.c_str()), make_intrusive<StringVal>(server.c_str()),
new StringVal(users.c_str()), make_intrusive<StringVal>(users.c_str())
}); );
} }
else if ( irc_error_message && command == "ERROR" ) else if ( irc_error_message && command == "ERROR" )
@ -1071,12 +1065,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( params[0] == ':' ) if ( params[0] == ':' )
params = params.substr(1); params = params.substr(1);
ConnectionEventFast(irc_error_message, { EnqueueConnEvent(irc_error_message,
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildConnVal()},
val_mgr->GetBool(orig), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
new StringVal(prefix.c_str()), make_intrusive<StringVal>(prefix.c_str()),
new StringVal(params.c_str()), make_intrusive<StringVal>(params.c_str())
}); );
} }
else if ( irc_invite_message && command == "INVITE" ) else if ( irc_invite_message && command == "INVITE" )
@ -1087,13 +1081,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( parts[1].size() > 0 && parts[1][0] == ':' ) if ( parts[1].size() > 0 && parts[1][0] == ':' )
parts[1] = parts[1].substr(1); parts[1] = parts[1].substr(1);
ConnectionEventFast(irc_invite_message, { EnqueueConnEvent(irc_invite_message,
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildConnVal()},
val_mgr->GetBool(orig), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
new StringVal(prefix.c_str()), make_intrusive<StringVal>(prefix.c_str()),
new StringVal(parts[0].c_str()), make_intrusive<StringVal>(parts[0].c_str()),
new StringVal(parts[1].c_str()), make_intrusive<StringVal>(parts[1].c_str())
}); );
} }
else else
Weird("irc_invalid_invite_message_format"); Weird("irc_invalid_invite_message_format");
@ -1102,14 +1096,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
else if ( irc_mode_message && command == "MODE" ) else if ( irc_mode_message && command == "MODE" )
{ {
if ( params.size() > 0 ) if ( params.size() > 0 )
{ EnqueueConnEvent(irc_mode_message,
ConnectionEventFast(irc_mode_message, { IntrusivePtr{AdoptRef{}, BuildConnVal()},
BuildConnVal(), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
val_mgr->GetBool(orig), make_intrusive<StringVal>(prefix.c_str()),
new StringVal(prefix.c_str()), make_intrusive<StringVal>(params.c_str())
new StringVal(params.c_str()), );
});
}
else else
Weird("irc_invalid_mode_message_format"); Weird("irc_invalid_mode_message_format");
@ -1117,11 +1109,11 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
else if ( irc_password_message && command == "PASS" ) else if ( irc_password_message && command == "PASS" )
{ {
ConnectionEventFast(irc_password_message, { EnqueueConnEvent(irc_password_message,
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildConnVal()},
val_mgr->GetBool(orig), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
new StringVal(params.c_str()), make_intrusive<StringVal>(params.c_str())
}); );
} }
else if ( irc_squit_message && command == "SQUIT" ) else if ( irc_squit_message && command == "SQUIT" )
@ -1139,13 +1131,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
message = message.substr(1); message = message.substr(1);
} }
ConnectionEventFast(irc_squit_message, { EnqueueConnEvent(irc_squit_message,
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildConnVal()},
val_mgr->GetBool(orig), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
new StringVal(prefix.c_str()), make_intrusive<StringVal>(prefix.c_str()),
new StringVal(server.c_str()), make_intrusive<StringVal>(server.c_str()),
new StringVal(message.c_str()), make_intrusive<StringVal>(message.c_str())
}); );
} }
@ -1153,13 +1145,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
{ {
if ( irc_request ) if ( irc_request )
{ {
ConnectionEventFast(irc_request, { EnqueueConnEvent(irc_request,
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildConnVal()},
val_mgr->GetBool(orig), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
new StringVal(prefix.c_str()), make_intrusive<StringVal>(prefix.c_str()),
new StringVal(command.c_str()), make_intrusive<StringVal>(command.c_str()),
new StringVal(params.c_str()), make_intrusive<StringVal>(params.c_str())
}); );
} }
} }
@ -1167,13 +1159,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
{ {
if ( irc_message ) if ( irc_message )
{ {
ConnectionEventFast(irc_message, { EnqueueConnEvent(irc_message,
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildConnVal()},
val_mgr->GetBool(orig), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
new StringVal(prefix.c_str()), make_intrusive<StringVal>(prefix.c_str()),
new StringVal(command.c_str()), make_intrusive<StringVal>(command.c_str()),
new StringVal(params.c_str()), make_intrusive<StringVal>(params.c_str())
}); );
} }
} }
@ -1203,7 +1195,7 @@ void IRC_Analyzer::StartTLS()
AddChildAnalyzer(ssl); AddChildAnalyzer(ssl);
if ( irc_starttls ) if ( irc_starttls )
ConnectionEventFast(irc_starttls, {BuildConnVal()}); EnqueueConnEvent(irc_starttls, IntrusivePtr{AdoptRef{}, BuildConnVal()});
} }
vector<string> IRC_Analyzer::SplitWords(const string& input, char split) vector<string> IRC_Analyzer::SplitWords(const string& input, char split)

79
src/analyzer/protocol/login/Login.cc
View file

@ -290,9 +290,7 @@ void Login_Analyzer::AuthenticationDialog(bool orig, char* line)
else if ( IsSkipAuthentication(line) ) else if ( IsSkipAuthentication(line) )
{ {
if ( authentication_skipped ) if ( authentication_skipped )
{ EnqueueConnEvent(authentication_skipped, IntrusivePtr{AdoptRef{}, BuildConnVal()});
ConnectionEventFast(authentication_skipped, {BuildConnVal()});
}
state = LOGIN_STATE_SKIP; state = LOGIN_STATE_SKIP;
SetSkip(1); SetSkip(1);
@ -333,28 +331,22 @@ void Login_Analyzer::SetEnv(bool orig, char* name, char* val)
} }
else if ( login_terminal && streq(name, "TERM") ) else if ( login_terminal && streq(name, "TERM") )
{ EnqueueConnEvent(login_terminal,
ConnectionEventFast(login_terminal, { IntrusivePtr{AdoptRef{}, BuildConnVal()},
BuildConnVal(), make_intrusive<StringVal>(val)
new StringVal(val), );
});
}
else if ( login_display && streq(name, "DISPLAY") ) else if ( login_display && streq(name, "DISPLAY") )
{ EnqueueConnEvent(login_display,
ConnectionEventFast(login_display, { IntrusivePtr{AdoptRef{}, BuildConnVal()},
BuildConnVal(), make_intrusive<StringVal>(val)
new StringVal(val), );
});
}
else if ( login_prompt && streq(name, "TTYPROMPT") ) else if ( login_prompt && streq(name, "TTYPROMPT") )
{ EnqueueConnEvent(login_prompt,
ConnectionEventFast(login_prompt, { IntrusivePtr{AdoptRef{}, BuildConnVal()},
BuildConnVal(), make_intrusive<StringVal>(val)
new StringVal(val), );
});
}
} }
delete [] name; delete [] name;
@ -427,13 +419,14 @@ void Login_Analyzer::LoginEvent(EventHandlerPtr f, const char* line,
Val* password = HaveTypeahead() ? Val* password = HaveTypeahead() ?
PopUserTextVal() : new StringVal("<none>"); PopUserTextVal() : new StringVal("<none>");
ConnectionEventFast(f, { EnqueueConnEvent(f,
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildConnVal()},
username->Ref(), IntrusivePtr{NewRef{}, username},
client_name ? client_name->Ref() : val_mgr->GetEmptyString(), client_name ? IntrusivePtr{NewRef{}, client_name}
password, : IntrusivePtr{AdoptRef{}, val_mgr->GetEmptyString()},
new StringVal(line), IntrusivePtr{AdoptRef{}, password},
}); make_intrusive<StringVal>(line)
);
} }
const char* Login_Analyzer::GetUsername(const char* line) const const char* Login_Analyzer::GetUsername(const char* line) const
@ -449,10 +442,10 @@ void Login_Analyzer::LineEvent(EventHandlerPtr f, const char* line)
if ( ! f ) if ( ! f )
return; return;
ConnectionEventFast(f, { EnqueueConnEvent(f,
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildConnVal()},
new StringVal(line), make_intrusive<StringVal>(line)
}); );
} }
@ -461,13 +454,11 @@ void Login_Analyzer::Confused(const char* msg, const char* line)
state = LOGIN_STATE_CONFUSED; // to suppress further messages state = LOGIN_STATE_CONFUSED; // to suppress further messages
if ( login_confused ) if ( login_confused )
{ EnqueueConnEvent(login_confused,
ConnectionEventFast(login_confused, { IntrusivePtr{AdoptRef{}, BuildConnVal()},
BuildConnVal(), make_intrusive<StringVal>(msg),
new StringVal(msg), make_intrusive<StringVal>(line)
new StringVal(line), );
});
}
if ( login_confused_text ) if ( login_confused_text )
{ {
@ -487,12 +478,10 @@ void Login_Analyzer::Confused(const char* msg, const char* line)
void Login_Analyzer::ConfusionText(const char* line) void Login_Analyzer::ConfusionText(const char* line)
{ {
if ( login_confused_text ) if ( login_confused_text )
{ EnqueueConnEvent(login_confused_text,
ConnectionEventFast(login_confused_text, { IntrusivePtr{AdoptRef{}, BuildConnVal()},
BuildConnVal(), make_intrusive<StringVal>(line)
new StringVal(line), );
});
}
} }
int Login_Analyzer::IsPloy(const char* line) int Login_Analyzer::IsPloy(const char* line)

10
src/analyzer/protocol/login/NVT.cc
View file

@ -462,12 +462,10 @@ const char* NVT_Analyzer::PeerAuthName() const
void NVT_Analyzer::SetTerminal(const u_char* terminal, int len) void NVT_Analyzer::SetTerminal(const u_char* terminal, int len)
{ {
if ( login_terminal ) if ( login_terminal )
{ EnqueueConnEvent(login_terminal,
ConnectionEventFast(login_terminal, { IntrusivePtr{AdoptRef{}, BuildConnVal()},
BuildConnVal(), make_intrusive<StringVal>(new BroString(terminal, len, 0))
new StringVal(new BroString(terminal, len, 0)), );
});
}
} }
void NVT_Analyzer::SetEncrypting(int mode) void NVT_Analyzer::SetEncrypting(int mode)

28
src/analyzer/protocol/login/RSH.cc
View file

@ -168,27 +168,37 @@ void Rsh_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
return; return;
} }
val_list vl(4 + orig); zeek::Args vl;
vl.reserve(4 + orig);
const char* line = (const char*) data; const char* line = (const char*) data;
line = skip_whitespace(line); line = skip_whitespace(line);
vl.push_back(BuildConnVal()); vl.emplace_back(AdoptRef{}, BuildConnVal());
vl.push_back(client_name ? client_name->Ref() : new StringVal("<none>"));
vl.push_back(username ? username->Ref() : new StringVal("<none>")); if ( client_name )
vl.push_back(new StringVal(line)); vl.emplace_back(NewRef{}, client_name);
else
vl.emplace_back(make_intrusive<StringVal>("<none>"));
if ( username )
vl.emplace_back(NewRef{}, username);
else
vl.emplace_back(make_intrusive<StringVal>("<none>"));
vl.emplace_back(make_intrusive<StringVal>(line));
if ( orig ) if ( orig )
{ {
if ( contents_orig->RshSaveState() == RSH_SERVER_USER_NAME ) if ( contents_orig->RshSaveState() == RSH_SERVER_USER_NAME )
// First input // First input
vl.push_back(val_mgr->GetTrue()); vl.emplace_back(AdoptRef{}, val_mgr->GetTrue());
else else
vl.push_back(val_mgr->GetFalse()); vl.emplace_back(AdoptRef{}, val_mgr->GetFalse());
ConnectionEventFast(rsh_request, std::move(vl)); EnqueueConnEvent(rsh_request, std::move(vl));
} }
else else
ConnectionEventFast(rsh_reply, std::move(vl)); EnqueueConnEvent(rsh_reply, std::move(vl));
} }
void Rsh_Analyzer::ClientUserName(const char* s) void Rsh_Analyzer::ClientUserName(const char* s)

10
src/analyzer/protocol/login/Rlogin.cc
View file

@ -244,10 +244,8 @@ void Rlogin_Analyzer::ServerUserName(const char* s)
void Rlogin_Analyzer::TerminalType(const char* s) void Rlogin_Analyzer::TerminalType(const char* s)
{ {
if ( login_terminal ) if ( login_terminal )
{ EnqueueConnEvent(login_terminal,
ConnectionEventFast(login_terminal, { IntrusivePtr{AdoptRef{}, BuildConnVal()},
BuildConnVal(), make_intrusive<StringVal>(s)
new StringVal(s), );
});
}
} }

76
src/analyzer/protocol/mime/MIME.cc
View file

@ -1365,11 +1365,11 @@ void MIME_Mail::Done()
hash_final(md5_hash, digest); hash_final(md5_hash, digest);
md5_hash = nullptr; md5_hash = nullptr;
analyzer->ConnectionEventFast(mime_content_hash, { analyzer->EnqueueConnEvent(mime_content_hash,
analyzer->BuildConnVal(), IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
val_mgr->GetCount(content_hash_length), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(content_hash_length)},
new StringVal(new BroString(1, digest, 16)), make_intrusive<StringVal>(new BroString(1, digest, 16))
}); );
} }
MIME_Message::Done(); MIME_Message::Done();
@ -1393,7 +1393,7 @@ void MIME_Mail::BeginEntity(MIME_Entity* /* entity */)
cur_entity_id.clear(); cur_entity_id.clear();
if ( mime_begin_entity ) if ( mime_begin_entity )
analyzer->ConnectionEventFast(mime_begin_entity, {analyzer->BuildConnVal()}); analyzer->EnqueueConnEvent(mime_begin_entity, IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()});
buffer_start = data_start = 0; buffer_start = data_start = 0;
ASSERT(entity_content.size() == 0); ASSERT(entity_content.size() == 0);
@ -1405,11 +1405,11 @@ void MIME_Mail::EndEntity(MIME_Entity* /* entity */)
{ {
BroString* s = concatenate(entity_content); BroString* s = concatenate(entity_content);
analyzer->ConnectionEventFast(mime_entity_data, { analyzer->EnqueueConnEvent(mime_entity_data,
analyzer->BuildConnVal(), IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
val_mgr->GetCount(s->Len()), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(s->Len())},
new StringVal(s), make_intrusive<StringVal>(s)
}); );
if ( ! mime_all_data ) if ( ! mime_all_data )
delete_strings(entity_content); delete_strings(entity_content);
@ -1418,7 +1418,7 @@ void MIME_Mail::EndEntity(MIME_Entity* /* entity */)
} }
if ( mime_end_entity ) if ( mime_end_entity )
analyzer->ConnectionEventFast(mime_end_entity, {analyzer->BuildConnVal()}); analyzer->EnqueueConnEvent(mime_end_entity, IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()});
file_mgr->EndOfFile(analyzer->GetAnalyzerTag(), analyzer->Conn()); file_mgr->EndOfFile(analyzer->GetAnalyzerTag(), analyzer->Conn());
cur_entity_id.clear(); cur_entity_id.clear();
@ -1427,23 +1427,19 @@ void MIME_Mail::EndEntity(MIME_Entity* /* entity */)
void MIME_Mail::SubmitHeader(MIME_Header* h) void MIME_Mail::SubmitHeader(MIME_Header* h)
{ {
if ( mime_one_header ) if ( mime_one_header )
{ analyzer->EnqueueConnEvent(mime_one_header,
analyzer->ConnectionEventFast(mime_one_header, { IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildHeaderVal(h)}
BuildHeaderVal(h), );
});
}
} }
void MIME_Mail::SubmitAllHeaders(MIME_HeaderList& hlist) void MIME_Mail::SubmitAllHeaders(MIME_HeaderList& hlist)
{ {
if ( mime_all_headers ) if ( mime_all_headers )
{ analyzer->EnqueueConnEvent(mime_all_headers,
analyzer->ConnectionEventFast(mime_all_headers, { IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildHeaderTable(hlist)}
BuildHeaderTable(hlist), );
});
}
} }
void MIME_Mail::SubmitData(int len, const char* buf) void MIME_Mail::SubmitData(int len, const char* buf)
@ -1476,11 +1472,11 @@ void MIME_Mail::SubmitData(int len, const char* buf)
const char* data = (char*) data_buffer->Bytes() + data_start; const char* data = (char*) data_buffer->Bytes() + data_start;
int data_len = (buf + len) - data; int data_len = (buf + len) - data;
analyzer->ConnectionEventFast(mime_segment_data, { analyzer->EnqueueConnEvent(mime_segment_data,
analyzer->BuildConnVal(), IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
val_mgr->GetCount(data_len), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(data_len)},
new StringVal(data_len, data), make_intrusive<StringVal>(data_len, data)
}); );
} }
cur_entity_id = file_mgr->DataIn(reinterpret_cast<const u_char*>(buf), len, cur_entity_id = file_mgr->DataIn(reinterpret_cast<const u_char*>(buf), len,
@ -1523,11 +1519,11 @@ void MIME_Mail::SubmitAllData()
BroString* s = concatenate(all_content); BroString* s = concatenate(all_content);
delete_strings(all_content); delete_strings(all_content);
analyzer->ConnectionEventFast(mime_all_data, { analyzer->EnqueueConnEvent(mime_all_data,
analyzer->BuildConnVal(), IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
val_mgr->GetCount(s->Len()), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(s->Len())},
new StringVal(s), make_intrusive<StringVal>(s)
}); );
} }
} }
@ -1551,11 +1547,9 @@ void MIME_Mail::SubmitEvent(int event_type, const char* detail)
} }
if ( mime_event ) if ( mime_event )
{ analyzer->EnqueueConnEvent(mime_event,
analyzer->ConnectionEventFast(mime_event, { IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->BuildConnVal(), make_intrusive<StringVal>(category),
new StringVal(category), make_intrusive<StringVal>(detail)
new StringVal(detail), );
});
}
} }

33
src/analyzer/protocol/ncp/NCP.cc
View file

@ -62,26 +62,21 @@ void NCP_Session::DeliverFrame(const binpac::NCP::ncp_frame* frame)
if ( f ) if ( f )
{ {
if ( frame->is_orig() ) if ( frame->is_orig() )
{ analyzer->EnqueueConnEvent(f,
analyzer->ConnectionEventFast(f, { IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->BuildConnVal(), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(frame->frame_type())},
val_mgr->GetCount(frame->frame_type()), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(frame->body_length())},
val_mgr->GetCount(frame->body_length()), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(req_func)}
val_mgr->GetCount(req_func), );
});
}
else else
{ analyzer->EnqueueConnEvent(f,
analyzer->ConnectionEventFast(f, { IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->BuildConnVal(), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(frame->frame_type())},
val_mgr->GetCount(frame->frame_type()), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(frame->body_length())},
val_mgr->GetCount(frame->body_length()), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(req_frame_type)},
val_mgr->GetCount(req_frame_type), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(req_func)},
val_mgr->GetCount(req_func), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(frame->reply()->completion_code())}
val_mgr->GetCount(frame->reply()->completion_code()), );
});
}
} }
} }

34
src/analyzer/protocol/netbios/NetbiosSSN.cc
View file

@ -59,14 +59,12 @@ int NetbiosSSN_Interpreter::ParseMessage(unsigned int type, unsigned int flags,
const u_char* data, int len, int is_query) const u_char* data, int len, int is_query)
{ {
if ( netbios_session_message ) if ( netbios_session_message )
{ analyzer->EnqueueConnEvent(netbios_session_message,
analyzer->ConnectionEventFast(netbios_session_message, { IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->BuildConnVal(), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_query)},
val_mgr->GetBool(is_query), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(type)},
val_mgr->GetCount(type), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(len)}
val_mgr->GetCount(len), );
});
}
switch ( type ) { switch ( type ) {
case NETBIOS_SSN_MSG: case NETBIOS_SSN_MSG:
@ -331,18 +329,16 @@ void NetbiosSSN_Interpreter::Event(EventHandlerPtr event, const u_char* data,
return; return;
if ( is_orig >= 0 ) if ( is_orig >= 0 )
{ analyzer->EnqueueConnEvent(event,
analyzer->ConnectionEventFast(event, { IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->BuildConnVal(), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
val_mgr->GetBool(is_orig), make_intrusive<StringVal>(new BroString(data, len, 0))
new StringVal(new BroString(data, len, 0)), );
});
}
else else
analyzer->ConnectionEventFast(event, { analyzer->EnqueueConnEvent(event,
analyzer->BuildConnVal(), IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
new StringVal(new BroString(data, len, 0)), make_intrusive<StringVal>(new BroString(data, len, 0))
}); );
} }

16
src/analyzer/protocol/pop3/POP3.cc
View file

@ -830,7 +830,7 @@ void POP3_Analyzer::StartTLS()
AddChildAnalyzer(ssl); AddChildAnalyzer(ssl);
if ( pop3_starttls ) if ( pop3_starttls )
ConnectionEventFast(pop3_starttls, {BuildConnVal()}); EnqueueConnEvent(pop3_starttls, IntrusivePtr{AdoptRef{}, BuildConnVal()});
} }
void POP3_Analyzer::AuthSuccessfull() void POP3_Analyzer::AuthSuccessfull()
@ -920,14 +920,16 @@ void POP3_Analyzer::POP3Event(EventHandlerPtr event, bool is_orig,
if ( ! event ) if ( ! event )
return; return;
val_list vl(2 + (bool)arg1 + (bool)arg2); zeek::Args vl;
vl.reserve(2 + (bool)arg1 + (bool)arg2);
vl.emplace_back(AdoptRef{}, BuildConnVal());
vl.emplace_back(AdoptRef{}, val_mgr->GetBool(is_orig));
vl.push_back(BuildConnVal());
vl.push_back(val_mgr->GetBool(is_orig));
if ( arg1 ) if ( arg1 )
vl.push_back(new StringVal(arg1)); vl.emplace_back(make_intrusive<StringVal>(arg1));
if ( arg2 ) if ( arg2 )
vl.push_back(new StringVal(arg2)); vl.emplace_back(make_intrusive<StringVal>(arg2));
ConnectionEventFast(event, std::move(vl)); EnqueueConnEvent(event, std::move(vl));
} }

23
src/analyzer/protocol/rpc/MOUNT.cc
View file

@ -96,7 +96,7 @@ int MOUNT_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status
{ {
auto vl = event_common_vl(c, rpc_status, mount_status, auto vl = event_common_vl(c, rpc_status, mount_status,
start_time, last_time, reply_len, 0); start_time, last_time, reply_len, 0);
analyzer->ConnectionEventFast(mount_reply_status, std::move(vl)); analyzer->EnqueueConnEvent(mount_reply_status, std::move(vl));
} }
if ( ! rpc_success ) if ( ! rpc_success )
@ -169,19 +169,19 @@ int MOUNT_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status
start_time, last_time, reply_len, (bool)request + (bool)reply); start_time, last_time, reply_len, (bool)request + (bool)reply);
if ( request ) if ( request )
vl.push_back(request); vl.emplace_back(AdoptRef{}, request);
if ( reply ) if ( reply )
vl.push_back(reply); vl.emplace_back(AdoptRef{}, reply);
analyzer->ConnectionEventFast(event, std::move(vl)); analyzer->EnqueueConnEvent(event, std::move(vl));
} }
else else
Unref(reply); Unref(reply);
return 1; return 1;
} }
val_list MOUNT_Interp::event_common_vl(RPC_CallInfo *c, zeek::Args MOUNT_Interp::event_common_vl(RPC_CallInfo *c,
BifEnum::rpc_status rpc_status, BifEnum::rpc_status rpc_status,
BifEnum::MOUNT3::status_t mount_status, BifEnum::MOUNT3::status_t mount_status,
double rep_start_time, double rep_start_time,
@ -189,16 +189,17 @@ val_list MOUNT_Interp::event_common_vl(RPC_CallInfo *c,
{ {
// Returns a new val_list that already has a conn_val, and mount3_info. // Returns a new val_list that already has a conn_val, and mount3_info.
// These are the first parameters for each mount_* event ... // These are the first parameters for each mount_* event ...
val_list vl(2 + extra_elements); zeek::Args vl;
vl.push_back(analyzer->BuildConnVal()); vl.reserve(2 + extra_elements);
VectorVal* auxgids = new VectorVal(internal_type("index_vec")->AsVectorType()); vl.emplace_back(AdoptRef{}, analyzer->BuildConnVal());
auto auxgids = make_intrusive<VectorVal>(internal_type("index_vec")->AsVectorType());
for (size_t i = 0; i < c->AuxGIDs().size(); ++i) for (size_t i = 0; i < c->AuxGIDs().size(); ++i)
{ {
auxgids->Assign(i, val_mgr->GetCount(c->AuxGIDs()[i])); auxgids->Assign(i, val_mgr->GetCount(c->AuxGIDs()[i]));
} }
RecordVal* info = new RecordVal(BifType::Record::MOUNT3::info_t); auto info = make_intrusive<RecordVal>(BifType::Record::MOUNT3::info_t);
info->Assign(0, BifType::Enum::rpc_status->GetVal(rpc_status)); info->Assign(0, BifType::Enum::rpc_status->GetVal(rpc_status));
info->Assign(1, BifType::Enum::MOUNT3::status_t->GetVal(mount_status)); info->Assign(1, BifType::Enum::MOUNT3::status_t->GetVal(mount_status));
info->Assign(2, make_intrusive<Val>(c->StartTime(), TYPE_TIME)); info->Assign(2, make_intrusive<Val>(c->StartTime(), TYPE_TIME));
@ -211,9 +212,9 @@ val_list MOUNT_Interp::event_common_vl(RPC_CallInfo *c,
info->Assign(9, val_mgr->GetCount(c->Gid())); info->Assign(9, val_mgr->GetCount(c->Gid()));
info->Assign(10, val_mgr->GetCount(c->Stamp())); info->Assign(10, val_mgr->GetCount(c->Stamp()));
info->Assign(11, make_intrusive<StringVal>(c->MachineName())); info->Assign(11, make_intrusive<StringVal>(c->MachineName()));
info->Assign(12, auxgids); info->Assign(12, std::move(auxgids));
vl.push_back(info); vl.emplace_back(std::move(info));
return vl; return vl;
} }

4
src/analyzer/protocol/rpc/MOUNT.h
View file

@ -16,10 +16,10 @@ protected:
const u_char*& buf, int& n, double start_time, const u_char*& buf, int& n, double start_time,
double last_time, int reply_len) override; double last_time, int reply_len) override;
// Returns a new val_list that already has a conn_val, rpc_status and // Returns a new arg list that already has a conn_val, rpc_status and
// mount_status. These are the first parameters for each mount_* event // mount_status. These are the first parameters for each mount_* event
// ... // ...
val_list event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status, zeek::Args event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status,
BifEnum::MOUNT3::status_t mount_status, BifEnum::MOUNT3::status_t mount_status,
double rep_start_time, double rep_last_time, double rep_start_time, double rep_last_time,
int reply_len, int extra_elements); int reply_len, int extra_elements);

23
src/analyzer/protocol/rpc/NFS.cc
View file

@ -150,7 +150,7 @@ int NFS_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status,
{ {
auto vl = event_common_vl(c, rpc_status, nfs_status, auto vl = event_common_vl(c, rpc_status, nfs_status,
start_time, last_time, reply_len, 0); start_time, last_time, reply_len, 0);
analyzer->ConnectionEventFast(nfs_reply_status, std::move(vl)); analyzer->EnqueueConnEvent(nfs_reply_status, std::move(vl));
} }
if ( ! rpc_success ) if ( ! rpc_success )
@ -281,12 +281,12 @@ int NFS_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status,
start_time, last_time, reply_len, (bool)request + (bool)reply); start_time, last_time, reply_len, (bool)request + (bool)reply);
if ( request ) if ( request )
vl.push_back(request); vl.emplace_back(AdoptRef{}, request);
if ( reply ) if ( reply )
vl.push_back(reply); vl.emplace_back(AdoptRef{}, reply);
analyzer->ConnectionEventFast(event, std::move(vl)); analyzer->EnqueueConnEvent(event, std::move(vl));
} }
else else
Unref(reply); Unref(reply);
@ -318,21 +318,22 @@ StringVal* NFS_Interp::nfs3_file_data(const u_char*& buf, int& n, uint64_t offse
return 0; return 0;
} }
val_list NFS_Interp::event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status, zeek::Args NFS_Interp::event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status,
BifEnum::NFS3::status_t nfs_status, BifEnum::NFS3::status_t nfs_status,
double rep_start_time, double rep_start_time,
double rep_last_time, int reply_len, int extra_elements) double rep_last_time, int reply_len, int extra_elements)
{ {
// Returns a new val_list that already has a conn_val, and nfs3_info. // Returns a new val_list that already has a conn_val, and nfs3_info.
// These are the first parameters for each nfs_* event ... // These are the first parameters for each nfs_* event ...
val_list vl(2 + extra_elements); zeek::Args vl;
vl.push_back(analyzer->BuildConnVal()); vl.reserve(2 + extra_elements);
VectorVal* auxgids = new VectorVal(internal_type("index_vec")->AsVectorType()); vl.emplace_back(IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()});
auto auxgids = make_intrusive<VectorVal>(internal_type("index_vec")->AsVectorType());
for ( size_t i = 0; i < c->AuxGIDs().size(); ++i ) for ( size_t i = 0; i < c->AuxGIDs().size(); ++i )
auxgids->Assign(i, val_mgr->GetCount(c->AuxGIDs()[i])); auxgids->Assign(i, val_mgr->GetCount(c->AuxGIDs()[i]));
RecordVal *info = new RecordVal(BifType::Record::NFS3::info_t); auto info = make_intrusive<RecordVal>(BifType::Record::NFS3::info_t);
info->Assign(0, BifType::Enum::rpc_status->GetVal(rpc_status)); info->Assign(0, BifType::Enum::rpc_status->GetVal(rpc_status));
info->Assign(1, BifType::Enum::NFS3::status_t->GetVal(nfs_status)); info->Assign(1, BifType::Enum::NFS3::status_t->GetVal(nfs_status));
info->Assign(2, make_intrusive<Val>(c->StartTime(), TYPE_TIME)); info->Assign(2, make_intrusive<Val>(c->StartTime(), TYPE_TIME));
@ -345,9 +346,9 @@ val_list NFS_Interp::event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_st
info->Assign(9, val_mgr->GetCount(c->Gid())); info->Assign(9, val_mgr->GetCount(c->Gid()));
info->Assign(10, val_mgr->GetCount(c->Stamp())); info->Assign(10, val_mgr->GetCount(c->Stamp()));
info->Assign(11, make_intrusive<StringVal>(c->MachineName())); info->Assign(11, make_intrusive<StringVal>(c->MachineName()));
info->Assign(12, auxgids); info->Assign(12, std::move(auxgids));
vl.push_back(info); vl.emplace_back(std::move(info));
return vl; return vl;
} }

2
src/analyzer/protocol/rpc/NFS.h
View file

@ -20,7 +20,7 @@ protected:
// Returns a new val_list that already has a conn_val, rpc_status and // Returns a new val_list that already has a conn_val, rpc_status and
// nfs_status. These are the first parameters for each nfs_* event // nfs_status. These are the first parameters for each nfs_* event
// ... // ...
val_list event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status, zeek::Args event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status,
BifEnum::NFS3::status_t nfs_status, BifEnum::NFS3::status_t nfs_status,
double rep_start_time, double rep_last_time, double rep_start_time, double rep_last_time,
int reply_len, int extra_elements); int reply_len, int extra_elements);

23
src/analyzer/protocol/rpc/Portmap.cc
View file

@ -261,10 +261,10 @@ uint32_t PortmapperInterp::CheckPort(uint32_t port)
{ {
if ( pm_bad_port ) if ( pm_bad_port )
{ {
analyzer->ConnectionEventFast(pm_bad_port, { analyzer->EnqueueConnEvent(pm_bad_port,
analyzer->BuildConnVal(), IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
val_mgr->GetCount(port), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(port)}
}); );
} }
port = 0; port = 0;
@ -282,25 +282,26 @@ void PortmapperInterp::Event(EventHandlerPtr f, Val* request, BifEnum::rpc_statu
return; return;
} }
val_list vl; zeek::Args vl;
vl.push_back(analyzer->BuildConnVal()); vl.emplace_back(AdoptRef{}, analyzer->BuildConnVal());
if ( status == BifEnum::RPC_SUCCESS ) if ( status == BifEnum::RPC_SUCCESS )
{ {
if ( request ) if ( request )
vl.push_back(request); vl.emplace_back(AdoptRef{}, request);
if ( reply ) if ( reply )
vl.push_back(reply); vl.emplace_back(AdoptRef{}, reply);
} }
else else
{ {
vl.push_back(BifType::Enum::rpc_status->GetVal(status).release()); vl.emplace_back(BifType::Enum::rpc_status->GetVal(status));
if ( request ) if ( request )
vl.push_back(request); vl.emplace_back(AdoptRef{}, request);
} }
analyzer->ConnectionEventFast(f, std::move(vl)); analyzer->EnqueueConnEvent(f, std::move(vl));
} }
Portmapper_Analyzer::Portmapper_Analyzer(Connection* conn) Portmapper_Analyzer::Portmapper_Analyzer(Connection* conn)

54
src/analyzer/protocol/rpc/RPC.cc
View file

@ -338,46 +338,40 @@ void RPC_Interpreter::Timeout()
void RPC_Interpreter::Event_RPC_Dialogue(RPC_CallInfo* c, BifEnum::rpc_status status, int reply_len) void RPC_Interpreter::Event_RPC_Dialogue(RPC_CallInfo* c, BifEnum::rpc_status status, int reply_len)
{ {
if ( rpc_dialogue ) if ( rpc_dialogue )
{ analyzer->EnqueueConnEvent(rpc_dialogue,
analyzer->ConnectionEventFast(rpc_dialogue, { IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->BuildConnVal(), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(c->Program())},
val_mgr->GetCount(c->Program()), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(c->Version())},
val_mgr->GetCount(c->Version()), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(c->Proc())},
val_mgr->GetCount(c->Proc()), BifType::Enum::rpc_status->GetVal(status),
BifType::Enum::rpc_status->GetVal(status).release(), make_intrusive<Val>(c->StartTime(), TYPE_TIME),
new Val(c->StartTime(), TYPE_TIME), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(c->CallLen())},
val_mgr->GetCount(c->CallLen()), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(reply_len)}
val_mgr->GetCount(reply_len), );
});
}
} }
void RPC_Interpreter::Event_RPC_Call(RPC_CallInfo* c) void RPC_Interpreter::Event_RPC_Call(RPC_CallInfo* c)
{ {
if ( rpc_call ) if ( rpc_call )
{ analyzer->EnqueueConnEvent(rpc_call,
analyzer->ConnectionEventFast(rpc_call, { IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->BuildConnVal(), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(c->XID())},
val_mgr->GetCount(c->XID()), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(c->Program())},
val_mgr->GetCount(c->Program()), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(c->Version())},
val_mgr->GetCount(c->Version()), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(c->Proc())},
val_mgr->GetCount(c->Proc()), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(c->CallLen())}
val_mgr->GetCount(c->CallLen()), );
});
}
} }
void RPC_Interpreter::Event_RPC_Reply(uint32_t xid, BifEnum::rpc_status status, int reply_len) void RPC_Interpreter::Event_RPC_Reply(uint32_t xid, BifEnum::rpc_status status, int reply_len)
{ {
if ( rpc_reply ) if ( rpc_reply )
{ analyzer->EnqueueConnEvent(rpc_reply,
analyzer->ConnectionEventFast(rpc_reply, { IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->BuildConnVal(), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(xid)},
val_mgr->GetCount(xid), BifType::Enum::rpc_status->GetVal(status),
BifType::Enum::rpc_status->GetVal(status).release(), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(reply_len)}
val_mgr->GetCount(reply_len), );
});
}
} }
void RPC_Interpreter::Weird(const char* msg, const char* addl) void RPC_Interpreter::Weird(const char* msg, const char* addl)

57
src/analyzer/protocol/smtp/SMTP.cc
View file

@ -219,11 +219,11 @@ void SMTP_Analyzer::ProcessLine(int length, const char* line, bool orig)
if ( smtp_data && ! skip_data ) if ( smtp_data && ! skip_data )
{ {
ConnectionEventFast(smtp_data, { EnqueueConnEvent(smtp_data,
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildConnVal()},
val_mgr->GetBool(orig), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
new StringVal(data_len, line), make_intrusive<StringVal>(data_len, line)
}); );
} }
} }
@ -349,14 +349,14 @@ void SMTP_Analyzer::ProcessLine(int length, const char* line, bool orig)
break; break;
} }
ConnectionEventFast(smtp_reply, { EnqueueConnEvent(smtp_reply,
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildConnVal()},
val_mgr->GetBool(orig), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
val_mgr->GetCount(reply_code), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(reply_code)},
new StringVal(cmd), make_intrusive<StringVal>(cmd),
new StringVal(end_of_line - line, line), make_intrusive<StringVal>(end_of_line - line, line),
val_mgr->GetBool((pending_reply > 0)), IntrusivePtr{AdoptRef{}, val_mgr->GetBool((pending_reply > 0))}
}); );
} }
} }
@ -410,7 +410,7 @@ void SMTP_Analyzer::StartTLS()
AddChildAnalyzer(ssl); AddChildAnalyzer(ssl);
if ( smtp_starttls ) if ( smtp_starttls )
ConnectionEventFast(smtp_starttls, {BuildConnVal()}); EnqueueConnEvent(smtp_starttls, IntrusivePtr{AdoptRef{}, BuildConnVal()});
} }
@ -854,12 +854,17 @@ void SMTP_Analyzer::RequestEvent(int cmd_len, const char* cmd,
ProtocolConfirmation(); ProtocolConfirmation();
if ( smtp_request ) if ( smtp_request )
ConnectionEventFast(smtp_request, { {
BuildConnVal(), auto cmd_arg = make_intrusive<StringVal>(cmd_len, cmd);
val_mgr->GetBool(orig_is_sender), cmd_arg->ToUpper();
(new StringVal(cmd_len, cmd))->ToUpper(),
new StringVal(arg_len, arg), EnqueueConnEvent(smtp_request,
}); IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig_is_sender)},
std::move(cmd_arg),
make_intrusive<StringVal>(arg_len, arg)
);
}
} }
void SMTP_Analyzer::Unexpected(const int is_sender, const char* msg, void SMTP_Analyzer::Unexpected(const int is_sender, const char* msg,
@ -874,12 +879,12 @@ void SMTP_Analyzer::Unexpected(const int is_sender, const char* msg,
if ( ! orig_is_sender ) if ( ! orig_is_sender )
is_orig = ! is_orig; is_orig = ! is_orig;
ConnectionEventFast(smtp_unexpected, { EnqueueConnEvent(smtp_unexpected,
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildConnVal()},
val_mgr->GetBool(is_orig), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
new StringVal(msg), make_intrusive<StringVal>(msg),
new StringVal(detail_len, detail), make_intrusive<StringVal>(detail_len, detail)
}); );
} }
} }

16
src/analyzer/protocol/stepping-stone/SteppingStone.cc
View file

@ -135,10 +135,10 @@ void SteppingStoneEndpoint::Event(EventHandlerPtr f, int id1, int id2)
return; return;
if ( id2 >= 0 ) if ( id2 >= 0 )
endp->TCP()->ConnectionEventFast(f, {val_mgr->GetInt(id1), val_mgr->GetInt(id2)}); endp->TCP()->EnqueueConnEvent(f, IntrusivePtr{AdoptRef{}, val_mgr->GetInt(id1)},
IntrusivePtr{AdoptRef{}, val_mgr->GetInt(id2)});
else else
endp->TCP()->ConnectionEventFast(f, {val_mgr->GetInt(id1)}); endp->TCP()->EnqueueConnEvent(f, IntrusivePtr{AdoptRef{}, val_mgr->GetInt(id1)});
} }
void SteppingStoneEndpoint::CreateEndpEvent(int is_orig) void SteppingStoneEndpoint::CreateEndpEvent(int is_orig)
@ -146,11 +146,11 @@ void SteppingStoneEndpoint::CreateEndpEvent(int is_orig)
if ( ! stp_create_endp ) if ( ! stp_create_endp )
return; return;
endp->TCP()->ConnectionEventFast(stp_create_endp, { endp->TCP()->EnqueueConnEvent(stp_create_endp,
endp->TCP()->BuildConnVal(), IntrusivePtr{AdoptRef{}, endp->TCP()->BuildConnVal()},
val_mgr->GetInt(stp_id), IntrusivePtr{AdoptRef{}, val_mgr->GetInt(stp_id)},
val_mgr->GetBool(is_orig), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)}
}); );
} }
SteppingStone_Analyzer::SteppingStone_Analyzer(Connection* c) SteppingStone_Analyzer::SteppingStone_Analyzer(Connection* c)

90
src/analyzer/protocol/tcp/TCP.cc
View file

@ -785,17 +785,17 @@ void TCP_Analyzer::GeneratePacketEvent(
const u_char* data, int len, int caplen, const u_char* data, int len, int caplen,
int is_orig, TCP_Flags flags) int is_orig, TCP_Flags flags)
{ {
ConnectionEventFast(tcp_packet, { EnqueueConnEvent(tcp_packet,
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildConnVal()},
val_mgr->GetBool(is_orig), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
new StringVal(flags.AsString()), make_intrusive<StringVal>(flags.AsString()),
val_mgr->GetCount(rel_seq), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(rel_seq)},
val_mgr->GetCount(flags.ACK() ? rel_ack : 0), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(flags.ACK() ? rel_ack : 0)},
val_mgr->GetCount(len), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(len)},
// We need the min() here because Ethernet padding can lead to // We need the min() here because Ethernet padding can lead to
// caplen > len. // caplen > len.
new StringVal(min(caplen, len), (const char*) data), make_intrusive<StringVal>(min(caplen, len), (const char*) data)
}); );
} }
int TCP_Analyzer::DeliverData(double t, const u_char* data, int len, int caplen, int TCP_Analyzer::DeliverData(double t, const u_char* data, int len, int caplen,
@ -1101,12 +1101,10 @@ void TCP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
base_seq, ack_seq); base_seq, ack_seq);
if ( connection_SYN_packet ) if ( connection_SYN_packet )
{ EnqueueConnEvent(connection_SYN_packet,
ConnectionEventFast(connection_SYN_packet, { IntrusivePtr{AdoptRef{}, BuildConnVal()},
BuildConnVal(), IntrusivePtr{NewRef{}, SYN_vals}
SYN_vals->Ref(), );
});
}
Unref(SYN_vals); Unref(SYN_vals);
} }
@ -1347,17 +1345,17 @@ int TCP_Analyzer::ParseTCPOptions(const struct tcphdr* tcp, bool is_orig)
{ {
auto kind = o[0]; auto kind = o[0];
auto length = kind < 2 ? 1 : o[1]; auto length = kind < 2 ? 1 : o[1];
ConnectionEventFast(tcp_option, { EnqueueConnEvent(tcp_option,
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildConnVal()},
val_mgr->GetBool(is_orig), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
val_mgr->GetCount(kind), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(kind)},
val_mgr->GetCount(length), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(length)}
}); );
} }
if ( tcp_options ) if ( tcp_options )
{ {
auto option_list = new VectorVal(BifType::Vector::TCP::OptionList); auto option_list = make_intrusive<VectorVal>(BifType::Vector::TCP::OptionList);
auto add_option_data = [](RecordVal* rv, const u_char* odata, int olen) auto add_option_data = [](RecordVal* rv, const u_char* odata, int olen)
{ {
@ -1460,11 +1458,11 @@ int TCP_Analyzer::ParseTCPOptions(const struct tcphdr* tcp, bool is_orig)
} }
} }
ConnectionEventFast(tcp_options, { EnqueueConnEvent(tcp_options,
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildConnVal()},
val_mgr->GetBool(is_orig), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
option_list, std::move(option_list)
}); );
} }
if ( options < opt_end ) if ( options < opt_end )
@ -1782,12 +1780,10 @@ int TCP_Analyzer::DataPending(TCP_Endpoint* closing_endp)
void TCP_Analyzer::EndpointEOF(TCP_Reassembler* endp) void TCP_Analyzer::EndpointEOF(TCP_Reassembler* endp)
{ {
if ( connection_EOF ) if ( connection_EOF )
{ EnqueueConnEvent(connection_EOF,
ConnectionEventFast(connection_EOF, { IntrusivePtr{AdoptRef{}, BuildConnVal()},
BuildConnVal(), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(endp->IsOrig())}
val_mgr->GetBool(endp->IsOrig()), );
});
}
const analyzer_list& children(GetChildren()); const analyzer_list& children(GetChildren());
LOOP_OVER_CONST_CHILDREN(i) LOOP_OVER_CONST_CHILDREN(i)
@ -2064,16 +2060,14 @@ int TCPStats_Endpoint::DataSent(double /* t */, uint64_t seq, int len, int caple
network_time, seq, len, max_top_seq, data_in_flight); network_time, seq, len, max_top_seq, data_in_flight);
if ( tcp_rexmit ) if ( tcp_rexmit )
{ endp->TCP()->EnqueueConnEvent(tcp_rexmit,
endp->TCP()->ConnectionEventFast(tcp_rexmit, { IntrusivePtr{AdoptRef{}, endp->TCP()->BuildConnVal()},
endp->TCP()->BuildConnVal(), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(endp->IsOrig())},
val_mgr->GetBool(endp->IsOrig()), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(seq)},
val_mgr->GetCount(seq), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(len)},
val_mgr->GetCount(len), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(data_in_flight)},
val_mgr->GetCount(data_in_flight), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(endp->peer->window)}
val_mgr->GetCount(endp->peer->window), );
});
}
} }
else else
max_top_seq = top_seq; max_top_seq = top_seq;
@ -2121,11 +2115,11 @@ void TCPStats_Analyzer::Done()
TCP_ApplicationAnalyzer::Done(); TCP_ApplicationAnalyzer::Done();
if ( conn_stats ) if ( conn_stats )
ConnectionEventFast(conn_stats, { EnqueueConnEvent(conn_stats,
BuildConnVal(), IntrusivePtr{AdoptRef{}, BuildConnVal()},
orig_stats->BuildStats(), IntrusivePtr{AdoptRef{}, orig_stats->BuildStats()},
resp_stats->BuildStats(), IntrusivePtr{AdoptRef{}, resp_stats->BuildStats()}
}); );
} }
void TCPStats_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, uint64_t seq, const IP_Hdr* ip, int caplen) void TCPStats_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, uint64_t seq, const IP_Hdr* ip, int caplen)

12
src/analyzer/protocol/tcp/TCP_Endpoint.cc
View file

@ -237,13 +237,11 @@ int TCP_Endpoint::DataSent(double t, uint64_t seq, int len, int caplen,
reporter->Error("TCP contents write failed: %s", buf); reporter->Error("TCP contents write failed: %s", buf);
if ( contents_file_write_failure ) if ( contents_file_write_failure )
{ tcp_analyzer->EnqueueConnEvent(contents_file_write_failure,
tcp_analyzer->ConnectionEventFast(contents_file_write_failure, { IntrusivePtr{AdoptRef{}, Conn()->BuildConnVal()},
Conn()->BuildConnVal(), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(IsOrig())},
val_mgr->GetBool(IsOrig()), make_intrusive<StringVal>(buf)
new StringVal(buf), );
});
}
} }
} }

64
src/analyzer/protocol/tcp/TCP_Reassembler.cc
View file

@ -151,14 +151,12 @@ void TCP_Reassembler::Gap(uint64_t seq, uint64_t len)
endp->Gap(seq, len); endp->Gap(seq, len);
if ( report_gap(endp, endp->peer) ) if ( report_gap(endp, endp->peer) )
{ dst_analyzer->EnqueueConnEvent(content_gap,
dst_analyzer->ConnectionEventFast(content_gap, { IntrusivePtr{AdoptRef{}, dst_analyzer->BuildConnVal()},
dst_analyzer->BuildConnVal(), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(IsOrig())},
val_mgr->GetBool(IsOrig()), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(seq)},
val_mgr->GetCount(seq), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(len)}
val_mgr->GetCount(len), );
});
}
if ( type == Direct ) if ( type == Direct )
dst_analyzer->NextUndelivered(seq, len, IsOrig()); dst_analyzer->NextUndelivered(seq, len, IsOrig());
@ -363,13 +361,11 @@ void TCP_Reassembler::RecordBlock(const DataBlock& b, BroFile* f)
reporter->Error("TCP_Reassembler contents write failed"); reporter->Error("TCP_Reassembler contents write failed");
if ( contents_file_write_failure ) if ( contents_file_write_failure )
{ tcp_analyzer->EnqueueConnEvent(contents_file_write_failure,
tcp_analyzer->ConnectionEventFast(contents_file_write_failure, { IntrusivePtr{AdoptRef{}, Endpoint()->Conn()->BuildConnVal()},
Endpoint()->Conn()->BuildConnVal(), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(IsOrig())},
val_mgr->GetBool(IsOrig()), make_intrusive<StringVal>("TCP reassembler content write failure")
new StringVal("TCP reassembler content write failure"), );
});
}
} }
void TCP_Reassembler::RecordGap(uint64_t start_seq, uint64_t upper_seq, BroFile* f) void TCP_Reassembler::RecordGap(uint64_t start_seq, uint64_t upper_seq, BroFile* f)
@ -380,13 +376,11 @@ void TCP_Reassembler::RecordGap(uint64_t start_seq, uint64_t upper_seq, BroFile*
reporter->Error("TCP_Reassembler contents gap write failed"); reporter->Error("TCP_Reassembler contents gap write failed");
if ( contents_file_write_failure ) if ( contents_file_write_failure )
{ tcp_analyzer->EnqueueConnEvent(contents_file_write_failure,
tcp_analyzer->ConnectionEventFast(contents_file_write_failure, { IntrusivePtr{AdoptRef{}, Endpoint()->Conn()->BuildConnVal()},
Endpoint()->Conn()->BuildConnVal(), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(IsOrig())},
val_mgr->GetBool(IsOrig()), make_intrusive<StringVal>("TCP reassembler gap write failure")
new StringVal("TCP reassembler gap write failure"), );
});
}
} }
void TCP_Reassembler::BlockInserted(DataBlockMap::const_iterator it) void TCP_Reassembler::BlockInserted(DataBlockMap::const_iterator it)
@ -462,12 +456,12 @@ void TCP_Reassembler::Overlap(const u_char* b1, const u_char* b2, uint64_t n)
BroString* b1_s = new BroString((const u_char*) b1, n, 0); BroString* b1_s = new BroString((const u_char*) b1, n, 0);
BroString* b2_s = new BroString((const u_char*) b2, n, 0); BroString* b2_s = new BroString((const u_char*) b2, n, 0);
tcp_analyzer->ConnectionEventFast(rexmit_inconsistency, { tcp_analyzer->EnqueueConnEvent(rexmit_inconsistency,
tcp_analyzer->BuildConnVal(), IntrusivePtr{AdoptRef{}, tcp_analyzer->BuildConnVal()},
new StringVal(b1_s), make_intrusive<StringVal>(b1_s),
new StringVal(b2_s), make_intrusive<StringVal>(b2_s),
new StringVal(flags.AsString()), make_intrusive<StringVal>(flags.AsString())
}); );
} }
} }
@ -618,14 +612,12 @@ void TCP_Reassembler::DeliverBlock(uint64_t seq, int len, const u_char* data)
} }
if ( deliver_tcp_contents ) if ( deliver_tcp_contents )
{ tcp_analyzer->EnqueueConnEvent(tcp_contents,
tcp_analyzer->ConnectionEventFast(tcp_contents, { IntrusivePtr{AdoptRef{}, tcp_analyzer->BuildConnVal()},
tcp_analyzer->BuildConnVal(), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(IsOrig())},
val_mgr->GetBool(IsOrig()), IntrusivePtr{AdoptRef{}, val_mgr->GetCount(seq)},
val_mgr->GetCount(seq), make_intrusive<StringVal>(len, (const char*) data)
new StringVal(len, (const char*) data), );
});
}
// Q. Can we say this because it is already checked in DataSent()? // Q. Can we say this because it is already checked in DataSent()?
// ASSERT(!Conn()->Skipping() && !SkipDeliveries()); // ASSERT(!Conn()->Skipping() && !SkipDeliveries());

12
src/analyzer/protocol/udp/UDP.cc
View file

@ -153,13 +153,11 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
} }
if ( do_udp_contents ) if ( do_udp_contents )
{ EnqueueConnEvent(udp_contents,
ConnectionEventFast(udp_contents, { IntrusivePtr{AdoptRef{}, BuildConnVal()},
BuildConnVal(), IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
val_mgr->GetBool(is_orig), make_intrusive<StringVal>(len, (const char*) data)
new StringVal(len, (const char*) data), );
});
}
Unref(port_val); Unref(port_val);
} }