Deprecate Analyzer::ConnectionEvent()

And update usages to Analyzer::EnqueueConnEvent()
Jon Siwek 2020-03-25 18:36:58 -07:00
parent e394ea38bc
commit 5e496e43b7
34 changed files with 954 additions and 1043 deletions

NEWS

@ -63,6 +63,10 @@ Deprecated Functionality
arguments are now deprecated, use the overload that takes a ``zeek::Args``
instead.
- The ``analyzer::Analyzer::ConnectionEvent()`` and
``analyzer::Analyzer::ConectionEventFast()`` methods are deprecated, use
``analyzer::Analyzer::EnqueueConnEvent()`` instead.
Zeek 3.1.0
==========


@ -10,6 +10,8 @@
#include <list>
#include <vector>
#include <tuple>
#include <type_traits>
#include <sys/types.h> // for u_char
@ -567,21 +569,21 @@ public:
* Convenience function that forwards directly to
* Connection::ConnectionEvent().
*/
// TODO: deprecate
[[deprecated("Remove in v4.1. Use EnqueueConnEvent() instead.")]]
void ConnectionEvent(EventHandlerPtr f, val_list* vl);
/**
* Convenience function that forwards directly to
* Connection::ConnectionEvent().
*/
// TODO: deprecate
[[deprecated("Remove in v4.1. Use EnqueueConnEvent() instead.")]]
void ConnectionEvent(EventHandlerPtr f, val_list vl);
/**
* Convenience function that forwards directly to
* Connection::ConnectionEventFast().
*/
// TODO: deprecate
[[deprecated("Remove in v4.1. Use EnqueueConnEvent() instead.")]]
void ConnectionEventFast(EventHandlerPtr f, val_list vl);
/**
@ -590,6 +592,16 @@ public:
*/
void EnqueueConnEvent(EventHandlerPtr f, zeek::Args args);
/**
* A version of EnqueueConnEvent() taking a variable number of arguments.
*/
template <class... Args>
std::enable_if_t<
std::is_convertible_v<
std::tuple_element_t<0, std::tuple<Args...>>, IntrusivePtr<Val>>>
EnqueueConnEvent(EventHandlerPtr h, Args&&... args)
{ return EnqueueConnEvent(h, zeek::Args{std::forward<Args>(args)...}); }
/**
* Convenience function that forwards directly to the corresponding
* Connection::Weird().
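Review bot: The `std::enable_if_t` guard on the variadic `EnqueueConnEvent()` overload inspects only the first pack element, so the remaining arguments are unconstrained and a mistyped later argument only fails deep inside the `zeek::Args{...}` construction. An empty pack would also name `std::tuple_element_t<0, std::tuple<>>`, which is likely a hard error rather than a clean overload rejection. A fold expression covers both cases: `std::enable_if_t<(sizeof...(Args) > 0) && (std::is_convertible_v<Args, IntrusivePtr<Val>> && ...)>`. The doc comment should also say why the constraint exists, e.g. `Only participates when the arguments are IntrusivePtr<Val>-convertible, so a call passing a zeek::Args still selects the non-template overload.`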


@ -119,11 +119,9 @@ void BitTorrent_Analyzer::EndpointEOF(bool is_orig)
void BitTorrent_Analyzer::DeliverWeird(const char* msg, bool orig)
{
if ( bittorrent_peer_weird )
{
ConnectionEventFast(bittorrent_peer_weird, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(msg),
});
}
EnqueueConnEvent(bittorrent_peer_weird,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
make_intrusive<StringVal>(msg)
);
}


@ -246,13 +246,11 @@ void BitTorrentTracker_Analyzer::InitBencParser(void)
void BitTorrentTracker_Analyzer::DeliverWeird(const char* msg, bool orig)
{
if ( bt_tracker_weird )
{
ConnectionEventFast(bt_tracker_weird, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(msg),
});
}
EnqueueConnEvent(bt_tracker_weird,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
make_intrusive<StringVal>(msg)
);
}
bool BitTorrentTracker_Analyzer::ParseRequest(char* line)
@ -349,11 +347,11 @@ void BitTorrentTracker_Analyzer::EmitRequest(void)
ProtocolConfirmation();
if ( bt_tracker_request )
ConnectionEventFast(bt_tracker_request, {
BuildConnVal(),
req_val_uri,
req_val_headers,
});
EnqueueConnEvent(bt_tracker_request,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, req_val_uri},
IntrusivePtr{AdoptRef{}, req_val_headers}
);
req_val_uri = 0;
req_val_headers = 0;
@ -403,11 +401,11 @@ bool BitTorrentTracker_Analyzer::ParseResponse(char* line)
if ( res_status != 200 )
{
if ( bt_tracker_response_not_ok )
ConnectionEventFast(bt_tracker_response_not_ok, {
BuildConnVal(),
val_mgr->GetCount(res_status),
res_val_headers,
});
EnqueueConnEvent(bt_tracker_response_not_ok,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(res_status)},
IntrusivePtr{AdoptRef{}, res_val_headers}
);
res_val_headers = 0;
res_buf_pos = res_buf + res_buf_len;
res_state = BTT_RES_DONE;
@ -790,13 +788,13 @@ void BitTorrentTracker_Analyzer::EmitResponse(void)
ProtocolConfirmation();
if ( bt_tracker_response )
ConnectionEventFast(bt_tracker_response, {
BuildConnVal(),
val_mgr->GetCount(res_status),
res_val_headers,
res_val_peers,
res_val_benc,
});
EnqueueConnEvent(bt_tracker_response,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(res_status)},
IntrusivePtr{AdoptRef{}, res_val_headers},
IntrusivePtr{AdoptRef{}, res_val_peers},
IntrusivePtr{AdoptRef{}, res_val_benc}
);
res_val_headers = 0;
res_val_peers = 0;
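Review bot: In EmitRequest the members `req_val_uri` and `req_val_headers` are adopted into the event only when `bt_tracker_request` is set, yet they are zeroed unconditionally on the following lines, so with no handler installed the references look like they are dropped without a release. The same shape appears with `res_val_headers` in ParseResponse and with `res_val_headers`/`res_val_peers` in EmitResponse. Since this analyzer is driven by untrusted traffic, a per-message leak is steady memory growth on a sensor. Unless these values are released somewhere outside the hunks, add the missing branch, e.g. `else { Unref(req_val_uri); Unref(req_val_headers); }`. The bodies of all three functions start or end outside the hunks, so this should be confirmed against the full file.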


@ -50,11 +50,11 @@ void ConnSize_Analyzer::ThresholdEvent(EventHandlerPtr f, uint64_t threshold, bo
if ( ! f )
return;
ConnectionEventFast(f, {
BuildConnVal(),
val_mgr->GetCount(threshold),
val_mgr->GetBool(is_orig),
});
EnqueueConnEvent(f,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(threshold)},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)}
);
}
void ConnSize_Analyzer::CheckThresholds(bool is_orig)
@ -92,11 +92,11 @@ void ConnSize_Analyzer::CheckThresholds(bool is_orig)
{
if ( duration_thresh > ( network_time - start_time ) && conn_duration_threshold_crossed )
{
ConnectionEventFast(conn_duration_threshold_crossed, {
BuildConnVal(),
new Val(duration_thresh, TYPE_INTERVAL),
val_mgr->GetBool(is_orig),
});
EnqueueConnEvent(conn_duration_threshold_crossed,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
make_intrusive<Val>(duration_thresh, TYPE_INTERVAL),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)}
);
duration_thresh = 0;
}
}


@ -48,14 +48,12 @@ int DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query)
first_message = false;
if ( dns_message )
{
analyzer->ConnectionEventFast(dns_message, {
analyzer->BuildConnVal(),
val_mgr->GetBool(is_query),
msg.BuildHdrVal(),
val_mgr->GetCount(len),
});
}
analyzer->EnqueueConnEvent(dns_message,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_query)},
IntrusivePtr{AdoptRef{}, msg.BuildHdrVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(len)}
);
// There is a great deal of non-DNS traffic that runs on port 53.
// This should weed out most of it.
@ -136,10 +134,10 @@ int DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query)
int DNS_Interpreter::EndMessage(DNS_MsgInfo* msg)
{
if ( dns_end )
analyzer->ConnectionEventFast(dns_end, {
analyzer->BuildConnVal(),
msg->BuildHdrVal(),
});
analyzer->EnqueueConnEvent(dns_end,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()}
);
return 1;
}
@ -341,13 +339,11 @@ int DNS_Interpreter::ParseAnswer(DNS_MsgInfo* msg,
default:
if ( dns_unknown_reply && ! msg->skip_event )
{
analyzer->ConnectionEventFast(dns_unknown_reply, {
analyzer->BuildConnVal(),
msg->BuildHdrVal(),
msg->BuildAnswerVal(),
});
}
analyzer->EnqueueConnEvent(dns_unknown_reply,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()}
);
analyzer->Weird("DNS_RR_unknown_type", fmt("%d", msg->atype));
data += rdlength;
@ -556,14 +552,12 @@ int DNS_Interpreter::ParseRR_Name(DNS_MsgInfo* msg,
}
if ( reply_event && ! msg->skip_event )
{
analyzer->ConnectionEventFast(reply_event, {
analyzer->BuildConnVal(),
msg->BuildHdrVal(),
msg->BuildAnswerVal(),
new StringVal(new BroString(name, name_end - name, 1)),
});
}
analyzer->EnqueueConnEvent(reply_event,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
make_intrusive<StringVal>(new BroString(name, name_end - name, 1))
);
return 1;
}
@ -602,7 +596,7 @@ int DNS_Interpreter::ParseRR_SOA(DNS_MsgInfo* msg,
if ( dns_SOA_reply && ! msg->skip_event )
{
RecordVal* r = new RecordVal(dns_soa);
auto r = make_intrusive<RecordVal>(dns_soa);
r->Assign(0, make_intrusive<StringVal>(new BroString(mname, mname_end - mname, 1)));
r->Assign(1, make_intrusive<StringVal>(new BroString(rname, rname_end - rname, 1)));
r->Assign(2, val_mgr->GetCount(serial));
@ -611,12 +605,12 @@ int DNS_Interpreter::ParseRR_SOA(DNS_MsgInfo* msg,
r->Assign(5, make_intrusive<IntervalVal>(double(expire), Seconds));
r->Assign(6, make_intrusive<IntervalVal>(double(minimum), Seconds));
analyzer->ConnectionEventFast(dns_SOA_reply, {
analyzer->BuildConnVal(),
msg->BuildHdrVal(),
msg->BuildAnswerVal(),
r
});
analyzer->EnqueueConnEvent(dns_SOA_reply,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
std::move(r)
);
}
return 1;
@ -641,15 +635,13 @@ int DNS_Interpreter::ParseRR_MX(DNS_MsgInfo* msg,
analyzer->Weird("DNS_RR_length_mismatch");
if ( dns_MX_reply && ! msg->skip_event )
{
analyzer->ConnectionEventFast(dns_MX_reply, {
analyzer->BuildConnVal(),
msg->BuildHdrVal(),
msg->BuildAnswerVal(),
new StringVal(new BroString(name, name_end - name, 1)),
val_mgr->GetCount(preference),
});
}
analyzer->EnqueueConnEvent(dns_MX_reply,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
make_intrusive<StringVal>(new BroString(name, name_end - name, 1)),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(preference)}
);
return 1;
}
@ -684,17 +676,15 @@ int DNS_Interpreter::ParseRR_SRV(DNS_MsgInfo* msg,
analyzer->Weird("DNS_RR_length_mismatch");
if ( dns_SRV_reply && ! msg->skip_event )
{
analyzer->ConnectionEventFast(dns_SRV_reply, {
analyzer->BuildConnVal(),
msg->BuildHdrVal(),
msg->BuildAnswerVal(),
new StringVal(new BroString(name, name_end - name, 1)),
val_mgr->GetCount(priority),
val_mgr->GetCount(weight),
val_mgr->GetCount(port),
});
}
analyzer->EnqueueConnEvent(dns_SRV_reply,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
make_intrusive<StringVal>(new BroString(name, name_end - name, 1)),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(priority)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(weight)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(port)}
);
return 1;
}
@ -707,13 +697,11 @@ int DNS_Interpreter::ParseRR_EDNS(DNS_MsgInfo* msg,
// out to the policy side of the house if rdlength > 0.
if ( dns_EDNS_addl && ! msg->skip_event )
{
analyzer->ConnectionEventFast(dns_EDNS_addl, {
analyzer->BuildConnVal(),
msg->BuildHdrVal(),
msg->BuildEDNS_Val(),
});
}
analyzer->EnqueueConnEvent(dns_EDNS_addl,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildEDNS_Val()}
);
// Currently EDNS supports the movement of type:data pairs
// in the RR_DATA section. Here's where we should put together
@ -786,11 +774,11 @@ int DNS_Interpreter::ParseRR_TSIG(DNS_MsgInfo* msg,
tsig.orig_id = orig_id;
tsig.rr_error = rr_error;
analyzer->ConnectionEventFast(dns_TSIG_addl, {
analyzer->BuildConnVal(),
msg->BuildHdrVal(),
msg->BuildTSIG_Val(&tsig),
});
analyzer->EnqueueConnEvent(dns_TSIG_addl,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildTSIG_Val(&tsig)}
);
}
return 1;
@ -887,12 +875,12 @@ int DNS_Interpreter::ParseRR_RRSIG(DNS_MsgInfo* msg,
rrsig.signer_name = new BroString(name, name_end - name, 1);
rrsig.signature = sign;
analyzer->ConnectionEventFast(dns_RRSIG, {
analyzer->BuildConnVal(),
msg->BuildHdrVal(),
msg->BuildAnswerVal(),
msg->BuildRRSIG_Val(&rrsig),
});
analyzer->EnqueueConnEvent(dns_RRSIG,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
IntrusivePtr{AdoptRef{}, msg->BuildRRSIG_Val(&rrsig)}
);
}
return 1;
@ -982,12 +970,12 @@ int DNS_Interpreter::ParseRR_DNSKEY(DNS_MsgInfo* msg,
dnskey.dprotocol = dprotocol;
dnskey.public_key = key;
analyzer->ConnectionEventFast(dns_DNSKEY, {
analyzer->BuildConnVal(),
msg->BuildHdrVal(),
msg->BuildAnswerVal(),
msg->BuildDNSKEY_Val(&dnskey),
});
analyzer->EnqueueConnEvent(dns_DNSKEY,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
IntrusivePtr{AdoptRef{}, msg->BuildDNSKEY_Val(&dnskey)}
);
}
return 1;
@ -1014,7 +1002,7 @@ int DNS_Interpreter::ParseRR_NSEC(DNS_MsgInfo* msg,
int typebitmaps_len = rdlength - (data - data_start);
VectorVal* char_strings = new VectorVal(string_vec);
auto char_strings = make_intrusive<VectorVal>(string_vec);
while ( typebitmaps_len > 0 && len > 0 )
{
@ -1034,15 +1022,13 @@ int DNS_Interpreter::ParseRR_NSEC(DNS_MsgInfo* msg,
}
if ( dns_NSEC )
analyzer->ConnectionEventFast(dns_NSEC, {
analyzer->BuildConnVal(),
msg->BuildHdrVal(),
msg->BuildAnswerVal(),
new StringVal(new BroString(name, name_end - name, 1)),
char_strings,
});
else
Unref(char_strings);
analyzer->EnqueueConnEvent(dns_NSEC,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
make_intrusive<StringVal>(new BroString(name, name_end - name, 1)),
std::move(char_strings)
);
return 1;
}
@ -1122,12 +1108,12 @@ int DNS_Interpreter::ParseRR_NSEC3(DNS_MsgInfo* msg,
nsec3.nsec_hash = hash_val;
nsec3.bitmaps = char_strings;
analyzer->ConnectionEventFast(dns_NSEC3, {
analyzer->BuildConnVal(),
msg->BuildHdrVal(),
msg->BuildAnswerVal(),
msg->BuildNSEC3_Val(&nsec3),
});
analyzer->EnqueueConnEvent(dns_NSEC3,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
IntrusivePtr{AdoptRef{}, msg->BuildNSEC3_Val(&nsec3)}
);
}
else
Unref(char_strings);
@ -1182,12 +1168,12 @@ int DNS_Interpreter::ParseRR_DS(DNS_MsgInfo* msg,
ds.digest_type = ds_dtype;
ds.digest_val = ds_digest;
analyzer->ConnectionEventFast(dns_DS, {
analyzer->BuildConnVal(),
msg->BuildHdrVal(),
msg->BuildAnswerVal(),
msg->BuildDS_Val(&ds),
});
analyzer->EnqueueConnEvent(dns_DS,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
IntrusivePtr{AdoptRef{}, msg->BuildDS_Val(&ds)}
);
}
return 1;
@ -1205,14 +1191,12 @@ int DNS_Interpreter::ParseRR_A(DNS_MsgInfo* msg,
uint32_t addr = ExtractLong(data, len);
if ( dns_A_reply && ! msg->skip_event )
{
analyzer->ConnectionEventFast(dns_A_reply, {
analyzer->BuildConnVal(),
msg->BuildHdrVal(),
msg->BuildAnswerVal(),
new AddrVal(htonl(addr)),
});
}
analyzer->EnqueueConnEvent(dns_A_reply,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
make_intrusive<AddrVal>(htonl(addr))
);
return 1;
}
@ -1241,15 +1225,14 @@ int DNS_Interpreter::ParseRR_AAAA(DNS_MsgInfo* msg,
event = dns_AAAA_reply;
else
event = dns_A6_reply;
if ( event && ! msg->skip_event )
{
analyzer->ConnectionEventFast(event, {
analyzer->BuildConnVal(),
msg->BuildHdrVal(),
msg->BuildAnswerVal(),
new AddrVal(addr),
});
}
analyzer->EnqueueConnEvent(event,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
make_intrusive<AddrVal>(addr)
);
return 1;
}
@ -1311,21 +1294,19 @@ int DNS_Interpreter::ParseRR_TXT(DNS_MsgInfo* msg,
return 1;
}
VectorVal* char_strings = new VectorVal(string_vec);
auto char_strings = make_intrusive<VectorVal>(string_vec);
StringVal* char_string;
while ( (char_string = extract_char_string(analyzer, data, len, rdlength)) )
char_strings->Assign(char_strings->Size(), char_string);
if ( dns_TXT_reply )
analyzer->ConnectionEventFast(dns_TXT_reply, {
analyzer->BuildConnVal(),
msg->BuildHdrVal(),
msg->BuildAnswerVal(),
char_strings,
});
else
Unref(char_strings);
analyzer->EnqueueConnEvent(dns_TXT_reply,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
std::move(char_strings)
);
return rdlength == 0;
}
@ -1341,21 +1322,19 @@ int DNS_Interpreter::ParseRR_SPF(DNS_MsgInfo* msg,
return 1;
}
VectorVal* char_strings = new VectorVal(string_vec);
auto char_strings = make_intrusive<VectorVal>(string_vec);
StringVal* char_string;
while ( (char_string = extract_char_string(analyzer, data, len, rdlength)) )
char_strings->Assign(char_strings->Size(), char_string);
if ( dns_SPF_reply )
analyzer->ConnectionEventFast(dns_SPF_reply, {
analyzer->BuildConnVal(),
msg->BuildHdrVal(),
msg->BuildAnswerVal(),
char_strings,
});
else
Unref(char_strings);
analyzer->EnqueueConnEvent(dns_SPF_reply,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
std::move(char_strings)
);
return rdlength == 0;
}
@ -1391,14 +1370,14 @@ int DNS_Interpreter::ParseRR_CAA(DNS_MsgInfo* msg,
rdlength -= value->Len();
if ( dns_CAA_reply )
analyzer->ConnectionEventFast(dns_CAA_reply, {
analyzer->BuildConnVal(),
msg->BuildHdrVal(),
msg->BuildAnswerVal(),
val_mgr->GetCount(flags),
new StringVal(tag),
new StringVal(value),
});
analyzer->EnqueueConnEvent(dns_CAA_reply,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(flags)},
make_intrusive<StringVal>(tag),
make_intrusive<StringVal>(value)
);
else
{
delete tag;
@ -1419,13 +1398,13 @@ void DNS_Interpreter::SendReplyOrRejectEvent(DNS_MsgInfo* msg,
assert(event);
analyzer->ConnectionEventFast(event, {
analyzer->BuildConnVal(),
msg->BuildHdrVal(),
new StringVal(question_name),
val_mgr->GetCount(qtype),
val_mgr->GetCount(qclass),
});
analyzer->EnqueueConnEvent(event,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
make_intrusive<StringVal>(question_name),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(qtype)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(qclass)}
);
}
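Review bot: Every `IntrusivePtr{AdoptRef{}, ...}` in this file is correct only if the wrapped call returns a reference the caller owns, and nothing at the call sites or in the visible code states that contract. For `analyzer->BuildConnVal()`, `msg->BuildHdrVal()`, `msg->BuildAnswerVal()` and the `val_mgr->Get*()` calls this appears to match how the replaced `ConnectionEventFast()` lists consumed them. A builder that ever returned a borrowed pointer would be released once too often while parsing untrusted DNS data. A comment at the first call site would pin it down, e.g. `// Build*Val() and val_mgr->Get*() return a new reference, hence AdoptRef.` Separately, ParseRR_NSEC3 still shows `nsec3.bitmaps = char_strings;` with a manual `else Unref(char_strings);`, while ParseRR_NSEC, ParseRR_TXT and ParseRR_SPF now hold `char_strings` in an IntrusivePtr; its declaration is outside the hunk, so check that it is still a raw pointer there.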


@ -79,10 +79,10 @@ void File_Analyzer::Identify()
: *(matches.begin()->second.begin());
if ( file_transferred )
ConnectionEventFast(file_transferred, {
BuildConnVal(),
new StringVal(buffer_len, buffer),
new StringVal("<unknown>"),
new StringVal(match),
});
EnqueueConnEvent(file_transferred,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
make_intrusive<StringVal>(buffer_len, buffer),
make_intrusive<StringVal>("<unknown>"),
make_intrusive<StringVal>(match)
);
}


@ -67,14 +67,12 @@ void Finger_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig
host = at + 1;
if ( finger_request )
{
ConnectionEventFast(finger_request, {
BuildConnVal(),
val_mgr->GetBool(long_cnt),
new StringVal(at - line, line),
new StringVal(end_of_line - host, host),
});
}
EnqueueConnEvent(finger_request,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(long_cnt)},
make_intrusive<StringVal>(at - line, line),
make_intrusive<StringVal>(end_of_line - host, host)
);
Conn()->Match(Rule::FINGER, (const u_char *) line,
end_of_line - line, true, true, 1, true);
@ -87,9 +85,9 @@ void Finger_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig
if ( ! finger_reply )
return;
ConnectionEventFast(finger_reply, {
BuildConnVal(),
new StringVal(end_of_line - line, line),
});
EnqueueConnEvent(finger_reply,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
make_intrusive<StringVal>(end_of_line - line, line)
);
}
}


@ -75,7 +75,7 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
// Could emit "ftp empty request/reply" weird, but maybe not worth it.
return;
val_list vl;
zeek::Args vl;
EventHandlerPtr f;
if ( orig )
@ -96,10 +96,10 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
else
cmd_str = (new StringVal(cmd_len, cmd))->ToUpper();
vl = val_list{
BuildConnVal(),
cmd_str,
new StringVal(end_of_line - line, line),
vl = {
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, cmd_str},
make_intrusive<StringVal>(end_of_line - line, line),
};
f = ftp_request;
@ -175,17 +175,17 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
}
}
vl = val_list{
BuildConnVal(),
val_mgr->GetCount(reply_code),
new StringVal(end_of_line - line, line),
val_mgr->GetBool(cont_resp),
vl = {
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(reply_code)},
make_intrusive<StringVal>(end_of_line - line, line),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(cont_resp)}
};
f = ftp_reply;
}
ConnectionEvent(f, std::move(vl));
EnqueueConnEvent(f, std::move(vl));
ForwardStream(length, data, orig);
}
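Review bot: The final `EnqueueConnEvent(f, std::move(vl));` is reached with no visible check that `f` has a handler, unlike the other converted call sites on this page, which guard with `if ( handler )`. The call it replaces is the non-Fast `ConnectionEvent()`, and whether `EnqueueConnEvent()` likewise tolerates an unset handler cannot be seen from here. If it does not, `if ( f ) EnqueueConnEvent(f, std::move(vl));` keeps the call safe, and the IntrusivePtr elements of `vl` release themselves when nothing is enqueued. DeliverStream's body starts outside these hunks, so an earlier guard on `ftp_request`/`ftp_reply` may already exist.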


@ -59,9 +59,9 @@ void Gnutella_Analyzer::Done()
if ( ! sent_establish && (gnutella_establish || gnutella_not_establish) )
{
if ( Established() && gnutella_establish )
ConnectionEventFast(gnutella_establish, {BuildConnVal()});
EnqueueConnEvent(gnutella_establish, IntrusivePtr{AdoptRef{}, BuildConnVal()});
else if ( ! Established () && gnutella_not_establish )
ConnectionEventFast(gnutella_not_establish, {BuildConnVal()});
EnqueueConnEvent(gnutella_not_establish, IntrusivePtr{AdoptRef{}, BuildConnVal()});
}
if ( gnutella_partial_binary_msg )
@ -71,14 +71,12 @@ void Gnutella_Analyzer::Done()
for ( int i = 0; i < 2; ++i, p = resp_msg_state )
{
if ( ! p->msg_sent && p->msg_pos )
{
ConnectionEventFast(gnutella_partial_binary_msg, {
BuildConnVal(),
new StringVal(p->msg),
val_mgr->GetBool((i == 0)),
val_mgr->GetCount(p->msg_pos),
});
}
EnqueueConnEvent(gnutella_partial_binary_msg,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
make_intrusive<StringVal>(p->msg),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool((i == 0))},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(p->msg_pos)}
);
else if ( ! p->msg_sent && p->payload_left )
SendEvents(p, (i == 0));
@ -120,9 +118,7 @@ int Gnutella_Analyzer::IsHTTP(string header)
return 0;
if ( gnutella_http_notify )
{
ConnectionEventFast(gnutella_http_notify, {BuildConnVal()});
}
EnqueueConnEvent(gnutella_http_notify, IntrusivePtr{AdoptRef{}, BuildConnVal()});
analyzer::Analyzer* a = analyzer_mgr->InstantiateAnalyzer("HTTP", Conn());
@ -180,13 +176,11 @@ void Gnutella_Analyzer::DeliverLines(int len, const u_char* data, bool orig)
else
{
if ( gnutella_text_msg )
{
ConnectionEventFast(gnutella_text_msg, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(ms->headers.data()),
});
}
EnqueueConnEvent(gnutella_text_msg,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
make_intrusive<StringVal>(ms->headers.data())
);
ms->headers = "";
state |= new_state;
@ -195,7 +189,7 @@ void Gnutella_Analyzer::DeliverLines(int len, const u_char* data, bool orig)
{
sent_establish = 1;
ConnectionEventFast(gnutella_establish, {BuildConnVal()});
EnqueueConnEvent(gnutella_establish, IntrusivePtr{AdoptRef{}, BuildConnVal()});
}
}
}
@ -220,20 +214,18 @@ void Gnutella_Analyzer::SendEvents(GnutellaMsgState* p, bool is_orig)
return;
if ( gnutella_binary_msg )
{
ConnectionEventFast(gnutella_binary_msg, {
BuildConnVal(),
val_mgr->GetBool(is_orig),
val_mgr->GetCount(p->msg_type),
val_mgr->GetCount(p->msg_ttl),
val_mgr->GetCount(p->msg_hops),
val_mgr->GetCount(p->msg_len),
new StringVal(p->payload),
val_mgr->GetCount(p->payload_len),
val_mgr->GetBool((p->payload_len < min(p->msg_len, (unsigned int)GNUTELLA_MAX_PAYLOAD))),
val_mgr->GetBool((p->payload_left == 0)),
});
}
EnqueueConnEvent(gnutella_binary_msg,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(p->msg_type)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(p->msg_ttl)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(p->msg_hops)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(p->msg_len)},
make_intrusive<StringVal>(p->payload),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(p->payload_len)},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool((p->payload_len < min(p->msg_len, (unsigned int)GNUTELLA_MAX_PAYLOAD)))},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool((p->payload_left == 0))}
);
}


@ -649,13 +649,11 @@ void HTTP_Message::Done(const int interrupted, const char* detail)
}
if ( http_message_done )
{
GetAnalyzer()->ConnectionEventFast(http_message_done, {
analyzer->BuildConnVal(),
val_mgr->GetBool(is_orig),
BuildMessageStat(interrupted, detail),
});
}
GetAnalyzer()->EnqueueConnEvent(http_message_done,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
IntrusivePtr{AdoptRef{}, BuildMessageStat(interrupted, detail)}
);
MyHTTP_Analyzer()->HTTP_MessageDone(is_orig, this);
}
@ -682,12 +680,10 @@ void HTTP_Message::BeginEntity(mime::MIME_Entity* entity)
current_entity = (HTTP_Entity*) entity;
if ( http_begin_entity )
{
analyzer->ConnectionEventFast(http_begin_entity, {
analyzer->BuildConnVal(),
val_mgr->GetBool(is_orig),
});
}
analyzer->EnqueueConnEvent(http_begin_entity,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)}
);
}
void HTTP_Message::EndEntity(mime::MIME_Entity* entity)
@ -699,12 +695,10 @@ void HTTP_Message::EndEntity(mime::MIME_Entity* entity)
header_length += ((HTTP_Entity*) entity)->HeaderLength();
if ( http_end_entity )
{
analyzer->ConnectionEventFast(http_end_entity, {
analyzer->BuildConnVal(),
val_mgr->GetBool(is_orig),
});
}
analyzer->EnqueueConnEvent(http_end_entity,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)}
);
current_entity = (HTTP_Entity*) entity->Parent();
@ -740,27 +734,23 @@ void HTTP_Message::SubmitHeader(mime::MIME_Header* h)
void HTTP_Message::SubmitAllHeaders(mime::MIME_HeaderList& hlist)
{
if ( http_all_headers )
{
analyzer->ConnectionEventFast(http_all_headers, {
analyzer->BuildConnVal(),
val_mgr->GetBool(is_orig),
BuildHeaderTable(hlist),
});
}
analyzer->EnqueueConnEvent(http_all_headers,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
IntrusivePtr{AdoptRef{}, BuildHeaderTable(hlist)}
);
if ( http_content_type )
{
StringVal* ty = current_entity->ContentType();
StringVal* subty = current_entity->ContentSubType();
ty->Ref();
subty->Ref();
analyzer->ConnectionEventFast(http_content_type, {
analyzer->BuildConnVal(),
val_mgr->GetBool(is_orig),
ty,
subty,
});
analyzer->EnqueueConnEvent(http_content_type,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
IntrusivePtr{NewRef{}, ty},
IntrusivePtr{NewRef{}, subty}
);
}
}
@ -1182,14 +1172,14 @@ void HTTP_Analyzer::GenStats()
{
if ( http_stats )
{
RecordVal* r = new RecordVal(http_stats_rec);
auto r = make_intrusive<RecordVal>(http_stats_rec);
r->Assign(0, val_mgr->GetCount(num_requests));
r->Assign(1, val_mgr->GetCount(num_replies));
r->Assign(2, make_intrusive<Val>(request_version.ToDouble(), TYPE_DOUBLE));
r->Assign(3, make_intrusive<Val>(reply_version.ToDouble(), TYPE_DOUBLE));
// DEBUG_MSG("%.6f http_stats\n", network_time);
ConnectionEventFast(http_stats, {BuildConnVal(), r});
EnqueueConnEvent(http_stats, IntrusivePtr{AdoptRef{}, BuildConnVal()}, std::move(r));
}
}
@ -1387,16 +1377,14 @@ void HTTP_Analyzer::HTTP_Event(const char* category, const char* detail)
void HTTP_Analyzer::HTTP_Event(const char* category, StringVal* detail)
{
if ( http_event )
{
// DEBUG_MSG("%.6f http_event\n", network_time);
ConnectionEventFast(http_event, {
BuildConnVal(),
new StringVal(category),
detail,
});
}
EnqueueConnEvent(http_event,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
make_intrusive<StringVal>(category),
IntrusivePtr{AdoptRef{}, detail}
);
else
delete detail;
Unref(detail);
}
StringVal* HTTP_Analyzer::TruncateURI(StringVal* uri)
@ -1428,33 +1416,27 @@ void HTTP_Analyzer::HTTP_Request()
connect_request = true;
if ( http_request )
{
Ref(request_method);
// DEBUG_MSG("%.6f http_request\n", network_time);
ConnectionEventFast(http_request, {
BuildConnVal(),
request_method,
TruncateURI(request_URI->AsStringVal()),
TruncateURI(unescaped_URI->AsStringVal()),
new StringVal(fmt("%.1f", request_version.ToDouble())),
});
}
EnqueueConnEvent(http_request,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{NewRef{}, request_method},
IntrusivePtr{AdoptRef{}, TruncateURI(request_URI->AsStringVal())},
IntrusivePtr{AdoptRef{}, TruncateURI(unescaped_URI->AsStringVal())},
make_intrusive<StringVal>(fmt("%.1f", request_version.ToDouble()))
);
}
void HTTP_Analyzer::HTTP_Reply()
{
if ( http_reply )
{
ConnectionEventFast(http_reply, {
BuildConnVal(),
new StringVal(fmt("%.1f", reply_version.ToDouble())),
val_mgr->GetCount(reply_code),
EnqueueConnEvent(http_reply,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
make_intrusive<StringVal>(fmt("%.1f", reply_version.ToDouble())),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(reply_code)},
reply_reason_phrase ?
reply_reason_phrase->Ref() :
new StringVal("<empty>"),
});
}
IntrusivePtr{NewRef{}, reply_reason_phrase} :
make_intrusive<StringVal>("<empty>")
);
else
{
Unref(reply_reason_phrase);
@ -1524,12 +1506,10 @@ void HTTP_Analyzer::ReplyMade(const int interrupted, const char* msg)
RemoveSupportAnalyzer(content_line_resp);
if ( http_connection_upgrade )
{
ConnectionEventFast(http_connection_upgrade, {
BuildConnVal(),
new StringVal(upgrade_protocol),
});
}
EnqueueConnEvent(http_connection_upgrade,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
make_intrusive<StringVal>(upgrade_protocol)
);
}
reply_code = 0;
@ -1690,26 +1670,24 @@ void HTTP_Analyzer::HTTP_Header(int is_orig, mime::MIME_Header* h)
if ( DEBUG_http )
DEBUG_MSG("%.6f http_header\n", network_time);
ConnectionEventFast(http_header, {
BuildConnVal(),
val_mgr->GetBool(is_orig),
mime::new_string_val(h->get_name())->ToUpper(),
mime::new_string_val(h->get_value()),
});
EnqueueConnEvent(http_header,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
IntrusivePtr{AdoptRef{}, mime::new_string_val(h->get_name())->ToUpper()},
IntrusivePtr{AdoptRef{}, mime::new_string_val(h->get_value())}
);
}
}
void HTTP_Analyzer::HTTP_EntityData(int is_orig, BroString* entity_data)
{
if ( http_entity_data )
{
ConnectionEventFast(http_entity_data, {
BuildConnVal(),
val_mgr->GetBool(is_orig),
val_mgr->GetCount(entity_data->Len()),
new StringVal(entity_data),
});
}
EnqueueConnEvent(http_entity_data,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(entity_data->Len())},
make_intrusive<StringVal>(entity_data)
);
else
delete entity_data;
}
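Review bot: `HTTP_Analyzer::HTTP_Event(const char* category, StringVal* detail)` consumes `detail` on both paths, adopting it into the event with `AdoptRef` or calling `Unref(detail)` when `http_event` is unset, but nothing on the definition tells callers that. A caller that used or released `detail` afterwards would be touching a value whose reference is already gone, which matters in code fed by untrusted HTTP traffic. I would document it above the definition: `// Takes ownership of 'detail'; callers must not use or Unref it afterwards.` This section also mixes `AdoptRef` for fresh values with `NewRef` for `ty`, `subty`, `request_method` and `reply_reason_phrase`. A one-line comment at the first `NewRef` would make the difference clear, saying that these remain owned by the analyzer.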


@ -202,22 +202,20 @@ void ICMP_Analyzer::ICMP_Sent(const struct icmp* icmpp, int len, int caplen,
const IP_Hdr* ip_hdr)
{
if ( icmp_sent )
{
ConnectionEventFast(icmp_sent, {
BuildConnVal(),
BuildICMPVal(icmpp, len, icmpv6, ip_hdr),
});
}
EnqueueConnEvent(icmp_sent,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, icmpv6, ip_hdr)}
);
if ( icmp_sent_payload )
{
BroString* payload = new BroString(data, min(len, caplen), 0);
ConnectionEventFast(icmp_sent_payload, {
BuildConnVal(),
BuildICMPVal(icmpp, len, icmpv6, ip_hdr),
new StringVal(payload),
});
EnqueueConnEvent(icmp_sent_payload,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, icmpv6, ip_hdr)},
make_intrusive<StringVal>(payload)
);
}
}
@ -516,13 +514,13 @@ void ICMP_Analyzer::Echo(double t, const struct icmp* icmpp, int len,
BroString* payload = new BroString(data, caplen, 0);
ConnectionEventFast(f, {
BuildConnVal(),
BuildICMPVal(icmpp, len, ip_hdr->NextProto() != IPPROTO_ICMP, ip_hdr),
val_mgr->GetCount(iid),
val_mgr->GetCount(iseq),
new StringVal(payload),
});
EnqueueConnEvent(f,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, ip_hdr->NextProto() != IPPROTO_ICMP, ip_hdr)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(iid)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(iseq)},
make_intrusive<StringVal>(payload)
);
}
@ -544,21 +542,21 @@ void ICMP_Analyzer::RouterAdvert(double t, const struct icmp* icmpp, int len,
int opt_offset = sizeof(reachable) + sizeof(retrans);
ConnectionEventFast(f, {
BuildConnVal(),
BuildICMPVal(icmpp, len, 1, ip_hdr),
val_mgr->GetCount(icmpp->icmp_num_addrs), // Cur Hop Limit
val_mgr->GetBool(icmpp->icmp_wpa & 0x80), // Managed
val_mgr->GetBool(icmpp->icmp_wpa & 0x40), // Other
val_mgr->GetBool(icmpp->icmp_wpa & 0x20), // Home Agent
val_mgr->GetCount((icmpp->icmp_wpa & 0x18)>>3), // Pref
val_mgr->GetBool(icmpp->icmp_wpa & 0x04), // Proxy
val_mgr->GetCount(icmpp->icmp_wpa & 0x02), // Reserved
new IntervalVal((double)ntohs(icmpp->icmp_lifetime), Seconds),
new IntervalVal((double)ntohl(reachable), Milliseconds),
new IntervalVal((double)ntohl(retrans), Milliseconds),
BuildNDOptionsVal(caplen - opt_offset, data + opt_offset),
});
EnqueueConnEvent(f,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 1, ip_hdr)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(icmpp->icmp_num_addrs)}, // Cur Hop Limit
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_wpa & 0x80)}, // Managed
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_wpa & 0x40)}, // Other
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_wpa & 0x20)}, // Home Agent
IntrusivePtr{AdoptRef{}, val_mgr->GetCount((icmpp->icmp_wpa & 0x18)>>3)}, // Pref
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_wpa & 0x04)}, // Proxy
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(icmpp->icmp_wpa & 0x02)}, // Reserved
make_intrusive<IntervalVal>((double)ntohs(icmpp->icmp_lifetime), Seconds),
make_intrusive<IntervalVal>((double)ntohl(reachable), Milliseconds),
make_intrusive<IntervalVal>((double)ntohl(retrans), Milliseconds),
IntrusivePtr{AdoptRef{}, BuildNDOptionsVal(caplen - opt_offset, data + opt_offset)}
);
}
@ -577,15 +575,15 @@ void ICMP_Analyzer::NeighborAdvert(double t, const struct icmp* icmpp, int len,
int opt_offset = sizeof(in6_addr);
ConnectionEventFast(f, {
BuildConnVal(),
BuildICMPVal(icmpp, len, 1, ip_hdr),
val_mgr->GetBool(icmpp->icmp_num_addrs & 0x80), // Router
val_mgr->GetBool(icmpp->icmp_num_addrs & 0x40), // Solicited
val_mgr->GetBool(icmpp->icmp_num_addrs & 0x20), // Override
new AddrVal(tgtaddr),
BuildNDOptionsVal(caplen - opt_offset, data + opt_offset),
});
EnqueueConnEvent(f,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 1, ip_hdr)},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_num_addrs & 0x80)}, // Router
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_num_addrs & 0x40)}, // Solicited
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_num_addrs & 0x20)}, // Override
make_intrusive<AddrVal>(tgtaddr),
IntrusivePtr{AdoptRef{}, BuildNDOptionsVal(caplen - opt_offset, data + opt_offset)}
);
}
@ -604,12 +602,12 @@ void ICMP_Analyzer::NeighborSolicit(double t, const struct icmp* icmpp, int len,
int opt_offset = sizeof(in6_addr);
ConnectionEventFast(f, {
BuildConnVal(),
BuildICMPVal(icmpp, len, 1, ip_hdr),
new AddrVal(tgtaddr),
BuildNDOptionsVal(caplen - opt_offset, data + opt_offset),
});
EnqueueConnEvent(f,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 1, ip_hdr)},
make_intrusive<AddrVal>(tgtaddr),
IntrusivePtr{AdoptRef{}, BuildNDOptionsVal(caplen - opt_offset, data + opt_offset)}
);
}
@ -631,13 +629,13 @@ void ICMP_Analyzer::Redirect(double t, const struct icmp* icmpp, int len,
int opt_offset = 2 * sizeof(in6_addr);
ConnectionEventFast(f, {
BuildConnVal(),
BuildICMPVal(icmpp, len, 1, ip_hdr),
new AddrVal(tgtaddr),
new AddrVal(dstaddr),
BuildNDOptionsVal(caplen - opt_offset, data + opt_offset),
});
EnqueueConnEvent(f,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 1, ip_hdr)},
make_intrusive<AddrVal>(tgtaddr),
make_intrusive<AddrVal>(dstaddr),
IntrusivePtr{AdoptRef{}, BuildNDOptionsVal(caplen - opt_offset, data + opt_offset)}
);
}
@ -649,11 +647,11 @@ void ICMP_Analyzer::RouterSolicit(double t, const struct icmp* icmpp, int len,
if ( ! f )
return;
ConnectionEventFast(f, {
BuildConnVal(),
BuildICMPVal(icmpp, len, 1, ip_hdr),
BuildNDOptionsVal(caplen, data),
});
EnqueueConnEvent(f,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 1, ip_hdr)},
IntrusivePtr{AdoptRef{}, BuildNDOptionsVal(caplen, data)}
);
}
@ -674,14 +672,12 @@ void ICMP_Analyzer::Context4(double t, const struct icmp* icmpp,
}
if ( f )
{
ConnectionEventFast(f, {
BuildConnVal(),
BuildICMPVal(icmpp, len, 0, ip_hdr),
val_mgr->GetCount(icmpp->icmp_code),
ExtractICMP4Context(caplen, data),
});
}
EnqueueConnEvent(f,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 0, ip_hdr)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(icmpp->icmp_code)},
IntrusivePtr{AdoptRef{}, ExtractICMP4Context(caplen, data)}
);
}
@ -714,14 +710,12 @@ void ICMP_Analyzer::Context6(double t, const struct icmp* icmpp,
}
if ( f )
{
ConnectionEventFast(f, {
BuildConnVal(),
BuildICMPVal(icmpp, len, 1, ip_hdr),
val_mgr->GetCount(icmpp->icmp_code),
ExtractICMP6Context(caplen, data),
});
}
EnqueueConnEvent(f,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 1, ip_hdr)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(icmpp->icmp_code)},
IntrusivePtr{AdoptRef{}, ExtractICMP6Context(caplen, data)}
);
}
VectorVal* ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* data)
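Review bot: Every `IntrusivePtr{AdoptRef{}, ...}` wrapper in these calls (most densely in the thirteen-argument `RouterAdvert` call) relies on `BuildConnVal()`, `BuildICMPVal()`, `BuildNDOptionsVal()`, `ExtractICMP4Context()`/`ExtractICMP6Context()` and the `val_mgr->Get*()` accessors each returning a reference the caller owns, and nothing at the call sites records that. The old `val_list` form appears to have made the same assumption, so behaviour looks unchanged, but with the tag now explicit a single wrong `AdoptRef`/`NewRef` is a reference-count error (leak or premature free) on a path driven by packet contents. A short comment above the first call, e.g. `// Build*Val() and val_mgr->Get*() return a +1 reference, hence AdoptRef`, would make that checkable in review; the same pattern recurs in the Ident, IRC and Login sections. The enclosing functions begin outside their hunks.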


@ -84,11 +84,11 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
Weird("ident_request_addendum", s.CheckString());
}
ConnectionEventFast(ident_request, {
BuildConnVal(),
val_mgr->GetPort(local_port, TRANSPORT_TCP),
val_mgr->GetPort(remote_port, TRANSPORT_TCP),
});
EnqueueConnEvent(ident_request,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetPort(local_port, TRANSPORT_TCP)},
IntrusivePtr{AdoptRef{}, val_mgr->GetPort(remote_port, TRANSPORT_TCP)}
);
did_deliver = true;
}
@ -145,12 +145,12 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
if ( is_error )
{
if ( ident_error )
ConnectionEventFast(ident_error, {
BuildConnVal(),
val_mgr->GetPort(local_port, TRANSPORT_TCP),
val_mgr->GetPort(remote_port, TRANSPORT_TCP),
new StringVal(end_of_line - line, line),
});
EnqueueConnEvent(ident_error,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetPort(local_port, TRANSPORT_TCP)},
IntrusivePtr{AdoptRef{}, val_mgr->GetPort(remote_port, TRANSPORT_TCP)},
make_intrusive<StringVal>(end_of_line - line, line)
);
}
else
@ -178,13 +178,13 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
line = skip_whitespace(colon + 1, end_of_line);
ConnectionEventFast(ident_reply, {
BuildConnVal(),
val_mgr->GetPort(local_port, TRANSPORT_TCP),
val_mgr->GetPort(remote_port, TRANSPORT_TCP),
new StringVal(end_of_line - line, line),
new StringVal(sys_type_s),
});
EnqueueConnEvent(ident_reply,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetPort(local_port, TRANSPORT_TCP)},
IntrusivePtr{AdoptRef{}, val_mgr->GetPort(remote_port, TRANSPORT_TCP)},
make_intrusive<StringVal>(end_of_line - line, line),
make_intrusive<StringVal>(sys_type_s)
);
}
}
}


@ -233,13 +233,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
// else ###
}
ConnectionEventFast(irc_network_info, {
BuildConnVal(),
val_mgr->GetBool(orig),
val_mgr->GetInt(users),
val_mgr->GetInt(services),
val_mgr->GetInt(servers),
});
EnqueueConnEvent(irc_network_info,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
IntrusivePtr{AdoptRef{}, val_mgr->GetInt(users)},
IntrusivePtr{AdoptRef{}, val_mgr->GetInt(services)},
IntrusivePtr{AdoptRef{}, val_mgr->GetInt(servers)}
);
}
break;
@ -270,24 +270,23 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( parts.size() > 0 && parts[0][0] == ':' )
parts[0] = parts[0].substr(1);
TableVal* set = new TableVal({NewRef{}, string_set});
auto set = make_intrusive<TableVal>(IntrusivePtr{NewRef{}, string_set});
for ( unsigned int i = 0; i < parts.size(); ++i )
{
if ( parts[i][0] == '@' )
parts[i] = parts[i].substr(1);
Val* idx = new StringVal(parts[i].c_str());
set->Assign(idx, 0);
Unref(idx);
auto idx = make_intrusive<StringVal>(parts[i].c_str());
set->Assign(idx.get(), 0);
}
ConnectionEventFast(irc_names_info, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(type.c_str()),
new StringVal(channel.c_str()),
set,
});
EnqueueConnEvent(irc_names_info,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
make_intrusive<StringVal>(type.c_str()),
make_intrusive<StringVal>(channel.c_str()),
std::move(set)
);
}
break;
@ -315,13 +314,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
// else ###
}
ConnectionEventFast(irc_server_info, {
BuildConnVal(),
val_mgr->GetBool(orig),
val_mgr->GetInt(users),
val_mgr->GetInt(services),
val_mgr->GetInt(servers),
});
EnqueueConnEvent(irc_server_info,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
IntrusivePtr{AdoptRef{}, val_mgr->GetInt(users)},
IntrusivePtr{AdoptRef{}, val_mgr->GetInt(services)},
IntrusivePtr{AdoptRef{}, val_mgr->GetInt(servers)}
);
}
break;
@ -337,11 +336,11 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( parts[i] == ":channels" )
channels = atoi(parts[i - 1].c_str());
ConnectionEventFast(irc_channel_info, {
BuildConnVal(),
val_mgr->GetBool(orig),
val_mgr->GetInt(channels),
});
EnqueueConnEvent(irc_channel_info,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
IntrusivePtr{AdoptRef{}, val_mgr->GetInt(channels)}
);
}
break;
@ -369,12 +368,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
break;
}
ConnectionEventFast(irc_global_users, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(eop - prefix, prefix),
new StringVal(++msg),
});
EnqueueConnEvent(irc_global_users,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
make_intrusive<StringVal>(eop - prefix, prefix),
make_intrusive<StringVal>(++msg)
);
break;
}
@ -394,12 +393,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
return;
}
val_list vl(6);
vl.push_back(BuildConnVal());
vl.push_back(val_mgr->GetBool(orig));
vl.push_back(new StringVal(parts[0].c_str()));
vl.push_back(new StringVal(parts[1].c_str()));
vl.push_back(new StringVal(parts[2].c_str()));
zeek::Args vl;
vl.reserve(6);
vl.emplace_back(AdoptRef{}, BuildConnVal());
vl.emplace_back(AdoptRef{}, val_mgr->GetBool(orig));
vl.emplace_back(make_intrusive<StringVal>(parts[0].c_str()));
vl.emplace_back(make_intrusive<StringVal>(parts[1].c_str()));
vl.emplace_back(make_intrusive<StringVal>(parts[2].c_str()));
parts.erase(parts.begin(), parts.begin() + 4);
@ -410,9 +410,9 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( real_name[0] == ':' )
real_name = real_name.substr(1);
vl.push_back(new StringVal(real_name.c_str()));
vl.emplace_back(make_intrusive<StringVal>(real_name.c_str()));
ConnectionEventFast(irc_whois_user_line, std::move(vl));
EnqueueConnEvent(irc_whois_user_line, std::move(vl));
}
break;
@ -433,11 +433,11 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
return;
}
ConnectionEventFast(irc_whois_operator_line, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(parts[0].c_str()),
});
EnqueueConnEvent(irc_whois_operator_line,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
make_intrusive<StringVal>(parts[0].c_str())
);
}
break;
@ -463,21 +463,20 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( parts.size() > 0 && parts[0][0] == ':' )
parts[0] = parts[0].substr(1);
TableVal* set = new TableVal({NewRef{}, string_set});
auto set = make_intrusive<TableVal>(IntrusivePtr{NewRef{}, string_set});
for ( unsigned int i = 0; i < parts.size(); ++i )
{
Val* idx = new StringVal(parts[i].c_str());
set->Assign(idx, 0);
Unref(idx);
auto idx = make_intrusive<StringVal>(parts[i].c_str());
set->Assign(idx.get(), 0);
}
ConnectionEventFast(irc_whois_channel_line, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(nick.c_str()),
set,
});
EnqueueConnEvent(irc_whois_channel_line,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
make_intrusive<StringVal>(nick.c_str()),
std::move(set)
);
}
break;
@ -503,12 +502,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( *t == ':' )
++t;
ConnectionEventFast(irc_channel_topic, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(parts[1].c_str()),
new StringVal(t),
});
EnqueueConnEvent(irc_channel_topic,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
make_intrusive<StringVal>(parts[1].c_str()),
make_intrusive<StringVal>(t)
);
}
else
{
@ -537,19 +536,19 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( parts[7][0] == ':' )
parts[7] = parts[7].substr(1);
ConnectionEventFast(irc_who_line, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(parts[0].c_str()),
new StringVal(parts[1].c_str()),
new StringVal(parts[2].c_str()),
new StringVal(parts[3].c_str()),
new StringVal(parts[4].c_str()),
new StringVal(parts[5].c_str()),
new StringVal(parts[6].c_str()),
val_mgr->GetInt(atoi(parts[7].c_str())),
new StringVal(parts[8].c_str()),
});
EnqueueConnEvent(irc_who_line,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
make_intrusive<StringVal>(parts[0].c_str()),
make_intrusive<StringVal>(parts[1].c_str()),
make_intrusive<StringVal>(parts[2].c_str()),
make_intrusive<StringVal>(parts[3].c_str()),
make_intrusive<StringVal>(parts[4].c_str()),
make_intrusive<StringVal>(parts[5].c_str()),
make_intrusive<StringVal>(parts[6].c_str()),
IntrusivePtr{AdoptRef{}, val_mgr->GetInt(atoi(parts[7].c_str()))},
make_intrusive<StringVal>(parts[8].c_str())
);
}
break;
@ -559,25 +558,21 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
case 433:
case 436:
if ( irc_invalid_nick )
{
ConnectionEventFast(irc_invalid_nick, {
BuildConnVal(),
val_mgr->GetBool(orig),
});
}
EnqueueConnEvent(irc_invalid_nick,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)}
);
break;
// Operator responses.
case 381: // User is operator
case 491: // user is not operator
if ( irc_oper_response )
{
ConnectionEventFast(irc_oper_response, {
BuildConnVal(),
val_mgr->GetBool(orig),
val_mgr->GetBool(code == 381),
});
}
EnqueueConnEvent(irc_oper_response,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(code == 381)}
);
break;
case 670:
@ -588,13 +583,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
// All other server replies.
default:
if ( irc_reply )
ConnectionEventFast(irc_reply, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(prefix.c_str()),
val_mgr->GetCount(code),
new StringVal(params.c_str()),
});
EnqueueConnEvent(irc_reply,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
make_intrusive<StringVal>(prefix.c_str()),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(code)},
make_intrusive<StringVal>(params.c_str())
);
break;
}
return;
@ -659,31 +654,31 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( irc_dcc_message )
ConnectionEventFast(irc_dcc_message, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(prefix.c_str()),
new StringVal(target.c_str()),
new StringVal(parts[1].c_str()),
new StringVal(parts[2].c_str()),
new AddrVal(htonl(raw_ip)),
val_mgr->GetCount(atoi(parts[4].c_str())),
parts.size() >= 6 ?
EnqueueConnEvent(irc_dcc_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
make_intrusive<StringVal>(prefix.c_str()),
make_intrusive<StringVal>(target.c_str()),
make_intrusive<StringVal>(parts[1].c_str()),
make_intrusive<StringVal>(parts[2].c_str()),
make_intrusive<AddrVal>(htonl(raw_ip)),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(atoi(parts[4].c_str()))},
IntrusivePtr{AdoptRef{}, parts.size() >= 6 ?
val_mgr->GetCount(atoi(parts[5].c_str())) :
val_mgr->GetCount(0),
});
val_mgr->GetCount(0)}
);
}
else
{
if ( irc_privmsg_message )
ConnectionEventFast(irc_privmsg_message, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(prefix.c_str()),
new StringVal(target.c_str()),
new StringVal(message.c_str()),
});
EnqueueConnEvent(irc_privmsg_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
make_intrusive<StringVal>(prefix.c_str()),
make_intrusive<StringVal>(target.c_str()),
make_intrusive<StringVal>(message.c_str())
);
}
}
@ -702,13 +697,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( message[0] == ':' )
message = message.substr(1);
ConnectionEventFast(irc_notice_message, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(prefix.c_str()),
new StringVal(target.c_str()),
new StringVal(message.c_str()),
});
EnqueueConnEvent(irc_notice_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
make_intrusive<StringVal>(prefix.c_str()),
make_intrusive<StringVal>(target.c_str()),
make_intrusive<StringVal>(message.c_str())
);
}
else if ( irc_squery_message && command == "SQUERY" )
@ -726,34 +721,35 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( message[0] == ':' )
message = message.substr(1);
ConnectionEventFast(irc_squery_message, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(prefix.c_str()),
new StringVal(target.c_str()),
new StringVal(message.c_str()),
});
EnqueueConnEvent(irc_squery_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
make_intrusive<StringVal>(prefix.c_str()),
make_intrusive<StringVal>(target.c_str()),
make_intrusive<StringVal>(message.c_str())
);
}
else if ( irc_user_message && command == "USER" )
{
// extract username and real name
vector<string> parts = SplitWords(params, ' ');
val_list vl(6);
vl.push_back(BuildConnVal());
vl.push_back(val_mgr->GetBool(orig));
zeek::Args vl;
vl.reserve(6);
vl.emplace_back(AdoptRef{}, BuildConnVal());
vl.emplace_back(AdoptRef{}, val_mgr->GetBool(orig));
if ( parts.size() > 0 )
vl.push_back(new StringVal(parts[0].c_str()));
else vl.push_back(val_mgr->GetEmptyString());
vl.emplace_back(make_intrusive<StringVal>(parts[0].c_str()));
else vl.emplace_back(AdoptRef{}, val_mgr->GetEmptyString());
if ( parts.size() > 1 )
vl.push_back(new StringVal(parts[1].c_str()));
else vl.push_back(val_mgr->GetEmptyString());
vl.emplace_back(make_intrusive<StringVal>(parts[1].c_str()));
else vl.emplace_back(AdoptRef{}, val_mgr->GetEmptyString());
if ( parts.size() > 2 )
vl.push_back(new StringVal(parts[2].c_str()));
else vl.push_back(val_mgr->GetEmptyString());
vl.emplace_back(make_intrusive<StringVal>(parts[2].c_str()));
else vl.emplace_back(AdoptRef{}, val_mgr->GetEmptyString());
string realname;
for ( unsigned int i = 3; i < parts.size(); i++ )
@ -764,9 +760,9 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
}
const char* name = realname.c_str();
vl.push_back(new StringVal(*name == ':' ? name + 1 : name));
vl.emplace_back(make_intrusive<StringVal>(*name == ':' ? name + 1 : name));
ConnectionEventFast(irc_user_message, std::move(vl));
EnqueueConnEvent(irc_user_message, std::move(vl));
}
else if ( irc_oper_message && command == "OPER" )
@ -774,14 +770,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
// extract username and password
vector<string> parts = SplitWords(params, ' ');
if ( parts.size() == 2 )
{
ConnectionEventFast(irc_oper_message, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(parts[0].c_str()),
new StringVal(parts[1].c_str()),
});
}
EnqueueConnEvent(irc_oper_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
make_intrusive<StringVal>(parts[0].c_str()),
make_intrusive<StringVal>(parts[1].c_str())
);
else
Weird("irc_invalid_oper_message_format");
@ -797,12 +791,14 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
return;
}
val_list vl(6);
vl.push_back(BuildConnVal());
vl.push_back(val_mgr->GetBool(orig));
vl.push_back(new StringVal(prefix.c_str()));
vl.push_back(new StringVal(parts[0].c_str()));
vl.push_back(new StringVal(parts[1].c_str()));
zeek::Args vl;
vl.reserve(6);
vl.emplace_back(AdoptRef{}, BuildConnVal());
vl.emplace_back(AdoptRef{}, val_mgr->GetBool(orig));
vl.emplace_back(make_intrusive<StringVal>(prefix.c_str()));
vl.emplace_back(make_intrusive<StringVal>(parts[0].c_str()));
vl.emplace_back(make_intrusive<StringVal>(parts[1].c_str()));
if ( parts.size() > 2 )
{
string comment = parts[2];
@ -812,12 +808,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( comment[0] == ':' )
comment = comment.substr(1);
vl.push_back(new StringVal(comment.c_str()));
vl.emplace_back(make_intrusive<StringVal>(comment.c_str()));
}
else
vl.push_back(val_mgr->GetEmptyString());
vl.emplace_back(AdoptRef{}, val_mgr->GetEmptyString());
ConnectionEventFast(irc_kick_message, std::move(vl));
EnqueueConnEvent(irc_kick_message, std::move(vl));
}
else if ( irc_join_message && command == "JOIN" )
@ -841,7 +837,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
nickname = prefix.substr(0, pos);
}
TableVal* list = new TableVal({NewRef{}, irc_join_list});
auto list = make_intrusive<TableVal>(IntrusivePtr{NewRef{}, irc_join_list});
vector<string> channels = SplitWords(parts[0], ',');
vector<string> passwords;
@ -865,11 +861,11 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
Unref(info);
}
ConnectionEventFast(irc_join_message, {
BuildConnVal(),
val_mgr->GetBool(orig),
list,
});
EnqueueConnEvent(irc_join_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
std::move(list)
);
}
else if ( irc_join_message && command == "NJOIN" )
@ -886,13 +882,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
parts[1] = parts[1].substr(1);
vector<string> users = SplitWords(parts[1], ',');
TableVal* list = new TableVal({NewRef{}, irc_join_list});
auto list = make_intrusive<TableVal>(IntrusivePtr{NewRef{}, irc_join_list});
string empty_string = "";
for ( unsigned int i = 0; i < users.size(); ++i )
{
RecordVal* info = new RecordVal(irc_join_info);
auto info = make_intrusive<RecordVal>(irc_join_info);
string nick = users[i];
string mode = "none";
@ -922,15 +918,14 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
info->Assign(2, make_intrusive<StringVal>(empty_string.c_str()));
// User mode:
info->Assign(3, make_intrusive<StringVal>(mode.c_str()));
list->Assign(info, 0);
Unref(info);
list->Assign(info.get(), 0);
}
ConnectionEventFast(irc_join_message, {
BuildConnVal(),
val_mgr->GetBool(orig),
list,
});
EnqueueConnEvent(irc_join_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
std::move(list)
);
}
else if ( irc_part_message && command == "PART" )
@ -957,22 +952,21 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
nick = nick.substr(0, pos);
vector<string> channelList = SplitWords(channels, ',');
TableVal* set = new TableVal({NewRef{}, string_set});
auto set = make_intrusive<TableVal>(IntrusivePtr{NewRef{}, string_set});
for ( unsigned int i = 0; i < channelList.size(); ++i )
{
Val* idx = new StringVal(channelList[i].c_str());
set->Assign(idx, 0);
Unref(idx);
auto idx = make_intrusive<StringVal>(channelList[i].c_str());
set->Assign(idx.get(), 0);
}
ConnectionEventFast(irc_part_message, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(nick.c_str()),
set,
new StringVal(message.c_str()),
});
EnqueueConnEvent(irc_part_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
make_intrusive<StringVal>(nick.c_str()),
std::move(set),
make_intrusive<StringVal>(message.c_str())
);
}
else if ( irc_quit_message && command == "QUIT" )
@ -989,12 +983,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
nickname = prefix.substr(0, pos);
}
ConnectionEventFast(irc_quit_message, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(nickname.c_str()),
new StringVal(message.c_str()),
});
EnqueueConnEvent(irc_quit_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
make_intrusive<StringVal>(nickname.c_str()),
make_intrusive<StringVal>(message.c_str())
);
}
else if ( irc_nick_message && command == "NICK" )
@ -1003,12 +997,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( nick[0] == ':' )
nick = nick.substr(1);
ConnectionEventFast(irc_nick_message, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(prefix.c_str()),
new StringVal(nick.c_str())
});
EnqueueConnEvent(irc_nick_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
make_intrusive<StringVal>(prefix.c_str()),
make_intrusive<StringVal>(nick.c_str())
);
}
else if ( irc_who_message && command == "WHO" )
@ -1028,14 +1022,14 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( parts.size() > 0 && parts[0].size() > 0 && parts[0][0] == ':' )
parts[0] = parts[0].substr(1);
ConnectionEventFast(irc_who_message, {
BuildConnVal(),
val_mgr->GetBool(orig),
EnqueueConnEvent(irc_who_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
parts.size() > 0 ?
new StringVal(parts[0].c_str()) :
val_mgr->GetEmptyString(),
val_mgr->GetBool(oper),
});
make_intrusive<StringVal>(parts[0].c_str()) :
IntrusivePtr{AdoptRef{}, val_mgr->GetEmptyString()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(oper)}
);
}
else if ( irc_whois_message && command == "WHOIS" )
@ -1058,12 +1052,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
else
users = parts[0];
ConnectionEventFast(irc_whois_message, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(server.c_str()),
new StringVal(users.c_str()),
});
EnqueueConnEvent(irc_whois_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
make_intrusive<StringVal>(server.c_str()),
make_intrusive<StringVal>(users.c_str())
);
}
else if ( irc_error_message && command == "ERROR" )
@ -1071,12 +1065,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( params[0] == ':' )
params = params.substr(1);
ConnectionEventFast(irc_error_message, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(prefix.c_str()),
new StringVal(params.c_str()),
});
EnqueueConnEvent(irc_error_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
make_intrusive<StringVal>(prefix.c_str()),
make_intrusive<StringVal>(params.c_str())
);
}
else if ( irc_invite_message && command == "INVITE" )
@ -1087,13 +1081,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( parts[1].size() > 0 && parts[1][0] == ':' )
parts[1] = parts[1].substr(1);
ConnectionEventFast(irc_invite_message, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(prefix.c_str()),
new StringVal(parts[0].c_str()),
new StringVal(parts[1].c_str()),
});
EnqueueConnEvent(irc_invite_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
make_intrusive<StringVal>(prefix.c_str()),
make_intrusive<StringVal>(parts[0].c_str()),
make_intrusive<StringVal>(parts[1].c_str())
);
}
else
Weird("irc_invalid_invite_message_format");
@ -1102,14 +1096,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
else if ( irc_mode_message && command == "MODE" )
{
if ( params.size() > 0 )
{
ConnectionEventFast(irc_mode_message, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(prefix.c_str()),
new StringVal(params.c_str()),
});
}
EnqueueConnEvent(irc_mode_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
make_intrusive<StringVal>(prefix.c_str()),
make_intrusive<StringVal>(params.c_str())
);
else
Weird("irc_invalid_mode_message_format");
@ -1117,11 +1109,11 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
else if ( irc_password_message && command == "PASS" )
{
ConnectionEventFast(irc_password_message, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(params.c_str()),
});
EnqueueConnEvent(irc_password_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
make_intrusive<StringVal>(params.c_str())
);
}
else if ( irc_squit_message && command == "SQUIT" )
@ -1139,13 +1131,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
message = message.substr(1);
}
ConnectionEventFast(irc_squit_message, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(prefix.c_str()),
new StringVal(server.c_str()),
new StringVal(message.c_str()),
});
EnqueueConnEvent(irc_squit_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
make_intrusive<StringVal>(prefix.c_str()),
make_intrusive<StringVal>(server.c_str()),
make_intrusive<StringVal>(message.c_str())
);
}
@ -1153,13 +1145,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
{
if ( irc_request )
{
ConnectionEventFast(irc_request, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(prefix.c_str()),
new StringVal(command.c_str()),
new StringVal(params.c_str()),
});
EnqueueConnEvent(irc_request,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
make_intrusive<StringVal>(prefix.c_str()),
make_intrusive<StringVal>(command.c_str()),
make_intrusive<StringVal>(params.c_str())
);
}
}
@ -1167,13 +1159,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
{
if ( irc_message )
{
ConnectionEventFast(irc_message, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(prefix.c_str()),
new StringVal(command.c_str()),
new StringVal(params.c_str()),
});
EnqueueConnEvent(irc_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
make_intrusive<StringVal>(prefix.c_str()),
make_intrusive<StringVal>(command.c_str()),
make_intrusive<StringVal>(params.c_str())
);
}
}
@ -1203,7 +1195,7 @@ void IRC_Analyzer::StartTLS()
AddChildAnalyzer(ssl);
if ( irc_starttls )
ConnectionEventFast(irc_starttls, {BuildConnVal()});
EnqueueConnEvent(irc_starttls, IntrusivePtr{AdoptRef{}, BuildConnVal()});
}
vector<string> IRC_Analyzer::SplitWords(const string& input, char split)
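Review bot: The numeric DCC fields are still parsed with `atoi()` directly from the peer's line and passed to `val_mgr->GetCount()` (`atoi(parts[4].c_str())` and `atoi(parts[5].c_str())` in the `irc_dcc_message` call). A negative token would therefore wrap to a very large count, assuming `GetCount()` takes an unsigned value, and an out-of-range token is undefined behaviour in `atoi()` itself. Since these lines are being rewritten anyway, parse with `errno = 0; unsigned long n = strtoul(parts[4].c_str(), &end, 10);` and check `errno`, `end` and a leading `-` before building the value, calling `Weird()` and skipping the event on failure. `atoi(parts[7].c_str())` in the `irc_who_line` call has the same out-of-range problem. `DeliverStream` starts and ends outside these hunks.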


@ -290,9 +290,7 @@ void Login_Analyzer::AuthenticationDialog(bool orig, char* line)
else if ( IsSkipAuthentication(line) )
{
if ( authentication_skipped )
{
ConnectionEventFast(authentication_skipped, {BuildConnVal()});
}
EnqueueConnEvent(authentication_skipped, IntrusivePtr{AdoptRef{}, BuildConnVal()});
state = LOGIN_STATE_SKIP;
SetSkip(1);
@ -333,28 +331,22 @@ void Login_Analyzer::SetEnv(bool orig, char* name, char* val)
}
else if ( login_terminal && streq(name, "TERM") )
{
ConnectionEventFast(login_terminal, {
BuildConnVal(),
new StringVal(val),
});
}
EnqueueConnEvent(login_terminal,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
make_intrusive<StringVal>(val)
);
else if ( login_display && streq(name, "DISPLAY") )
{
ConnectionEventFast(login_display, {
BuildConnVal(),
new StringVal(val),
});
}
EnqueueConnEvent(login_display,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
make_intrusive<StringVal>(val)
);
else if ( login_prompt && streq(name, "TTYPROMPT") )
{
ConnectionEventFast(login_prompt, {
BuildConnVal(),
new StringVal(val),
});
}
EnqueueConnEvent(login_prompt,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
make_intrusive<StringVal>(val)
);
}
delete [] name;
@ -427,13 +419,14 @@ void Login_Analyzer::LoginEvent(EventHandlerPtr f, const char* line,
Val* password = HaveTypeahead() ?
PopUserTextVal() : new StringVal("<none>");
ConnectionEventFast(f, {
BuildConnVal(),
username->Ref(),
client_name ? client_name->Ref() : val_mgr->GetEmptyString(),
password,
new StringVal(line),
});
EnqueueConnEvent(f,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{NewRef{}, username},
client_name ? IntrusivePtr{NewRef{}, client_name}
: IntrusivePtr{AdoptRef{}, val_mgr->GetEmptyString()},
IntrusivePtr{AdoptRef{}, password},
make_intrusive<StringVal>(line)
);
}
const char* Login_Analyzer::GetUsername(const char* line) const
@ -449,10 +442,10 @@ void Login_Analyzer::LineEvent(EventHandlerPtr f, const char* line)
if ( ! f )
return;
ConnectionEventFast(f, {
BuildConnVal(),
new StringVal(line),
});
EnqueueConnEvent(f,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
make_intrusive<StringVal>(line)
);
}
@ -461,13 +454,11 @@ void Login_Analyzer::Confused(const char* msg, const char* line)
state = LOGIN_STATE_CONFUSED; // to suppress further messages
if ( login_confused )
{
ConnectionEventFast(login_confused, {
BuildConnVal(),
new StringVal(msg),
new StringVal(line),
});
}
EnqueueConnEvent(login_confused,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
make_intrusive<StringVal>(msg),
make_intrusive<StringVal>(line)
);
if ( login_confused_text )
{
@ -487,12 +478,10 @@ void Login_Analyzer::Confused(const char* msg, const char* line)
void Login_Analyzer::ConfusionText(const char* line)
{
if ( login_confused_text )
{
ConnectionEventFast(login_confused_text, {
BuildConnVal(),
new StringVal(line),
});
}
EnqueueConnEvent(login_confused_text,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
make_intrusive<StringVal>(line)
);
}
int Login_Analyzer::IsPloy(const char* line)
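Review bot: In `Login_Analyzer::LoginEvent`, `password` is still created as a raw owning `Val*` and only adopted further down inside the `EnqueueConnEvent` argument list, so ownership sits in a bare pointer while the other arguments are being built. Declaring it as an owner at creation, e.g. `IntrusivePtr<Val> password{AdoptRef{}, HaveTypeahead() ? PopUserTextVal() : new StringVal("<none>")};`, and passing `std::move(password)` would keep ownership in the type like the neighbouring arguments. The function body starts outside the hunk, so whether `username` can be null before `IntrusivePtr{NewRef{}, username}` is not visible here and is worth confirming.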


@ -462,12 +462,10 @@ const char* NVT_Analyzer::PeerAuthName() const
void NVT_Analyzer::SetTerminal(const u_char* terminal, int len)
{
if ( login_terminal )
{
ConnectionEventFast(login_terminal, {
BuildConnVal(),
new StringVal(new BroString(terminal, len, 0)),
});
}
EnqueueConnEvent(login_terminal,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
make_intrusive<StringVal>(new BroString(terminal, len, 0))
);
}
void NVT_Analyzer::SetEncrypting(int mode)


@ -168,27 +168,37 @@ void Rsh_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
return;
}
val_list vl(4 + orig);
zeek::Args vl;
vl.reserve(4 + orig);
const char* line = (const char*) data;
line = skip_whitespace(line);
vl.push_back(BuildConnVal());
vl.push_back(client_name ? client_name->Ref() : new StringVal("<none>"));
vl.push_back(username ? username->Ref() : new StringVal("<none>"));
vl.push_back(new StringVal(line));
vl.emplace_back(AdoptRef{}, BuildConnVal());
if ( client_name )
vl.emplace_back(NewRef{}, client_name);
else
vl.emplace_back(make_intrusive<StringVal>("<none>"));
if ( username )
vl.emplace_back(NewRef{}, username);
else
vl.emplace_back(make_intrusive<StringVal>("<none>"));
vl.emplace_back(make_intrusive<StringVal>(line));
if ( orig )
{
if ( contents_orig->RshSaveState() == RSH_SERVER_USER_NAME )
// First input
vl.push_back(val_mgr->GetTrue());
vl.emplace_back(AdoptRef{}, val_mgr->GetTrue());
else
vl.push_back(val_mgr->GetFalse());
vl.emplace_back(AdoptRef{}, val_mgr->GetFalse());
ConnectionEventFast(rsh_request, std::move(vl));
EnqueueConnEvent(rsh_request, std::move(vl));
}
else
ConnectionEventFast(rsh_reply, std::move(vl));
EnqueueConnEvent(rsh_reply, std::move(vl));
}
void Rsh_Analyzer::ClientUserName(const char* s)


@ -244,10 +244,8 @@ void Rlogin_Analyzer::ServerUserName(const char* s)
void Rlogin_Analyzer::TerminalType(const char* s)
{
if ( login_terminal )
{
ConnectionEventFast(login_terminal, {
BuildConnVal(),
new StringVal(s),
});
}
EnqueueConnEvent(login_terminal,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
make_intrusive<StringVal>(s)
);
}


@ -1365,11 +1365,11 @@ void MIME_Mail::Done()
hash_final(md5_hash, digest);
md5_hash = nullptr;
analyzer->ConnectionEventFast(mime_content_hash, {
analyzer->BuildConnVal(),
val_mgr->GetCount(content_hash_length),
new StringVal(new BroString(1, digest, 16)),
});
analyzer->EnqueueConnEvent(mime_content_hash,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(content_hash_length)},
make_intrusive<StringVal>(new BroString(1, digest, 16))
);
}
MIME_Message::Done();
@ -1393,7 +1393,7 @@ void MIME_Mail::BeginEntity(MIME_Entity* /* entity */)
cur_entity_id.clear();
if ( mime_begin_entity )
analyzer->ConnectionEventFast(mime_begin_entity, {analyzer->BuildConnVal()});
analyzer->EnqueueConnEvent(mime_begin_entity, IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()});
buffer_start = data_start = 0;
ASSERT(entity_content.size() == 0);
@ -1405,11 +1405,11 @@ void MIME_Mail::EndEntity(MIME_Entity* /* entity */)
{
BroString* s = concatenate(entity_content);
analyzer->ConnectionEventFast(mime_entity_data, {
analyzer->BuildConnVal(),
val_mgr->GetCount(s->Len()),
new StringVal(s),
});
analyzer->EnqueueConnEvent(mime_entity_data,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(s->Len())},
make_intrusive<StringVal>(s)
);
if ( ! mime_all_data )
delete_strings(entity_content);
@ -1418,7 +1418,7 @@ void MIME_Mail::EndEntity(MIME_Entity* /* entity */)
}
if ( mime_end_entity )
analyzer->ConnectionEventFast(mime_end_entity, {analyzer->BuildConnVal()});
analyzer->EnqueueConnEvent(mime_end_entity, IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()});
file_mgr->EndOfFile(analyzer->GetAnalyzerTag(), analyzer->Conn());
cur_entity_id.clear();
@ -1427,23 +1427,19 @@ void MIME_Mail::EndEntity(MIME_Entity* /* entity */)
void MIME_Mail::SubmitHeader(MIME_Header* h)
{
if ( mime_one_header )
{
analyzer->ConnectionEventFast(mime_one_header, {
analyzer->BuildConnVal(),
BuildHeaderVal(h),
});
}
analyzer->EnqueueConnEvent(mime_one_header,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, BuildHeaderVal(h)}
);
}
void MIME_Mail::SubmitAllHeaders(MIME_HeaderList& hlist)
{
if ( mime_all_headers )
{
analyzer->ConnectionEventFast(mime_all_headers, {
analyzer->BuildConnVal(),
BuildHeaderTable(hlist),
});
}
analyzer->EnqueueConnEvent(mime_all_headers,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, BuildHeaderTable(hlist)}
);
}
void MIME_Mail::SubmitData(int len, const char* buf)
@ -1476,11 +1472,11 @@ void MIME_Mail::SubmitData(int len, const char* buf)
const char* data = (char*) data_buffer->Bytes() + data_start;
int data_len = (buf + len) - data;
analyzer->ConnectionEventFast(mime_segment_data, {
analyzer->BuildConnVal(),
val_mgr->GetCount(data_len),
new StringVal(data_len, data),
});
analyzer->EnqueueConnEvent(mime_segment_data,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(data_len)},
make_intrusive<StringVal>(data_len, data)
);
}
cur_entity_id = file_mgr->DataIn(reinterpret_cast<const u_char*>(buf), len,
@ -1523,11 +1519,11 @@ void MIME_Mail::SubmitAllData()
BroString* s = concatenate(all_content);
delete_strings(all_content);
analyzer->ConnectionEventFast(mime_all_data, {
analyzer->BuildConnVal(),
val_mgr->GetCount(s->Len()),
new StringVal(s),
});
analyzer->EnqueueConnEvent(mime_all_data,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(s->Len())},
make_intrusive<StringVal>(s)
);
}
}
@ -1551,11 +1547,9 @@ void MIME_Mail::SubmitEvent(int event_type, const char* detail)
}
if ( mime_event )
{
analyzer->ConnectionEventFast(mime_event, {
analyzer->BuildConnVal(),
new StringVal(category),
new StringVal(detail),
});
}
analyzer->EnqueueConnEvent(mime_event,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
make_intrusive<StringVal>(category),
make_intrusive<StringVal>(detail)
);
}


@ -62,26 +62,21 @@ void NCP_Session::DeliverFrame(const binpac::NCP::ncp_frame* frame)
if ( f )
{
if ( frame->is_orig() )
{
analyzer->ConnectionEventFast(f, {
analyzer->BuildConnVal(),
val_mgr->GetCount(frame->frame_type()),
val_mgr->GetCount(frame->body_length()),
val_mgr->GetCount(req_func),
});
}
analyzer->EnqueueConnEvent(f,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(frame->frame_type())},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(frame->body_length())},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(req_func)}
);
else
{
analyzer->ConnectionEventFast(f, {
analyzer->BuildConnVal(),
val_mgr->GetCount(frame->frame_type()),
val_mgr->GetCount(frame->body_length()),
val_mgr->GetCount(req_frame_type),
val_mgr->GetCount(req_func),
val_mgr->GetCount(frame->reply()->completion_code()),
});
}
analyzer->EnqueueConnEvent(f,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(frame->frame_type())},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(frame->body_length())},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(req_frame_type)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(req_func)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(frame->reply()->completion_code())}
);
}
}


@ -59,14 +59,12 @@ int NetbiosSSN_Interpreter::ParseMessage(unsigned int type, unsigned int flags,
const u_char* data, int len, int is_query)
{
if ( netbios_session_message )
{
analyzer->ConnectionEventFast(netbios_session_message, {
analyzer->BuildConnVal(),
val_mgr->GetBool(is_query),
val_mgr->GetCount(type),
val_mgr->GetCount(len),
});
}
analyzer->EnqueueConnEvent(netbios_session_message,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_query)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(type)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(len)}
);
switch ( type ) {
case NETBIOS_SSN_MSG:
@ -331,18 +329,16 @@ void NetbiosSSN_Interpreter::Event(EventHandlerPtr event, const u_char* data,
return;
if ( is_orig >= 0 )
{
analyzer->ConnectionEventFast(event, {
analyzer->BuildConnVal(),
val_mgr->GetBool(is_orig),
new StringVal(new BroString(data, len, 0)),
});
}
analyzer->EnqueueConnEvent(event,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
make_intrusive<StringVal>(new BroString(data, len, 0))
);
else
analyzer->ConnectionEventFast(event, {
analyzer->BuildConnVal(),
new StringVal(new BroString(data, len, 0)),
});
analyzer->EnqueueConnEvent(event,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
make_intrusive<StringVal>(new BroString(data, len, 0))
);
}


@ -830,7 +830,7 @@ void POP3_Analyzer::StartTLS()
AddChildAnalyzer(ssl);
if ( pop3_starttls )
ConnectionEventFast(pop3_starttls, {BuildConnVal()});
EnqueueConnEvent(pop3_starttls, IntrusivePtr{AdoptRef{}, BuildConnVal()});
}
void POP3_Analyzer::AuthSuccessfull()
@ -920,14 +920,16 @@ void POP3_Analyzer::POP3Event(EventHandlerPtr event, bool is_orig,
if ( ! event )
return;
val_list vl(2 + (bool)arg1 + (bool)arg2);
zeek::Args vl;
vl.reserve(2 + (bool)arg1 + (bool)arg2);
vl.emplace_back(AdoptRef{}, BuildConnVal());
vl.emplace_back(AdoptRef{}, val_mgr->GetBool(is_orig));
vl.push_back(BuildConnVal());
vl.push_back(val_mgr->GetBool(is_orig));
if ( arg1 )
vl.push_back(new StringVal(arg1));
vl.emplace_back(make_intrusive<StringVal>(arg1));
if ( arg2 )
vl.push_back(new StringVal(arg2));
vl.emplace_back(make_intrusive<StringVal>(arg2));
ConnectionEventFast(event, std::move(vl));
EnqueueConnEvent(event, std::move(vl));
}


@ -96,7 +96,7 @@ int MOUNT_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status
{
auto vl = event_common_vl(c, rpc_status, mount_status,
start_time, last_time, reply_len, 0);
analyzer->ConnectionEventFast(mount_reply_status, std::move(vl));
analyzer->EnqueueConnEvent(mount_reply_status, std::move(vl));
}
if ( ! rpc_success )
@ -169,19 +169,19 @@ int MOUNT_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status
start_time, last_time, reply_len, (bool)request + (bool)reply);
if ( request )
vl.push_back(request);
vl.emplace_back(AdoptRef{}, request);
if ( reply )
vl.push_back(reply);
vl.emplace_back(AdoptRef{}, reply);
analyzer->ConnectionEventFast(event, std::move(vl));
analyzer->EnqueueConnEvent(event, std::move(vl));
}
else
Unref(reply);
return 1;
}
val_list MOUNT_Interp::event_common_vl(RPC_CallInfo *c,
zeek::Args MOUNT_Interp::event_common_vl(RPC_CallInfo *c,
BifEnum::rpc_status rpc_status,
BifEnum::MOUNT3::status_t mount_status,
double rep_start_time,
@ -189,16 +189,17 @@ val_list MOUNT_Interp::event_common_vl(RPC_CallInfo *c,
{
// Returns a new val_list that already has a conn_val, and mount3_info.
// These are the first parameters for each mount_* event ...
val_list vl(2 + extra_elements);
vl.push_back(analyzer->BuildConnVal());
VectorVal* auxgids = new VectorVal(internal_type("index_vec")->AsVectorType());
zeek::Args vl;
vl.reserve(2 + extra_elements);
vl.emplace_back(AdoptRef{}, analyzer->BuildConnVal());
auto auxgids = make_intrusive<VectorVal>(internal_type("index_vec")->AsVectorType());
for (size_t i = 0; i < c->AuxGIDs().size(); ++i)
{
auxgids->Assign(i, val_mgr->GetCount(c->AuxGIDs()[i]));
}
RecordVal* info = new RecordVal(BifType::Record::MOUNT3::info_t);
auto info = make_intrusive<RecordVal>(BifType::Record::MOUNT3::info_t);
info->Assign(0, BifType::Enum::rpc_status->GetVal(rpc_status));
info->Assign(1, BifType::Enum::MOUNT3::status_t->GetVal(mount_status));
info->Assign(2, make_intrusive<Val>(c->StartTime(), TYPE_TIME));
@ -211,9 +212,9 @@ val_list MOUNT_Interp::event_common_vl(RPC_CallInfo *c,
info->Assign(9, val_mgr->GetCount(c->Gid()));
info->Assign(10, val_mgr->GetCount(c->Stamp()));
info->Assign(11, make_intrusive<StringVal>(c->MachineName()));
info->Assign(12, auxgids);
info->Assign(12, std::move(auxgids));
vl.push_back(info);
vl.emplace_back(std::move(info));
return vl;
}
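Review bot: The comment at the top of `MOUNT_Interp::event_common_vl` still reads "Returns a new val_list ..." although the function now returns `zeek::Args`. The same stale wording remains in `NFS_Interp::event_common_vl` and in the NFS header declaration, while the MOUNT header comment was updated to "arg list". I would change each to the updated form, e.g. `// Returns a new arg list that already has a conn_val, and mount3_info.` here. It would also help to state that `extra_elements` is only a capacity hint for `vl.reserve()`, since the callers append `request`/`reply` themselves afterwards.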


@ -16,10 +16,10 @@ protected:
const u_char*& buf, int& n, double start_time,
double last_time, int reply_len) override;
// Returns a new val_list that already has a conn_val, rpc_status and
// Returns a new arg list that already has a conn_val, rpc_status and
// mount_status. These are the first parameters for each mount_* event
// ...
val_list event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status,
zeek::Args event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status,
BifEnum::MOUNT3::status_t mount_status,
double rep_start_time, double rep_last_time,
int reply_len, int extra_elements);


@ -150,7 +150,7 @@ int NFS_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status,
{
auto vl = event_common_vl(c, rpc_status, nfs_status,
start_time, last_time, reply_len, 0);
analyzer->ConnectionEventFast(nfs_reply_status, std::move(vl));
analyzer->EnqueueConnEvent(nfs_reply_status, std::move(vl));
}
if ( ! rpc_success )
@ -281,12 +281,12 @@ int NFS_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status,
start_time, last_time, reply_len, (bool)request + (bool)reply);
if ( request )
vl.push_back(request);
vl.emplace_back(AdoptRef{}, request);
if ( reply )
vl.push_back(reply);
vl.emplace_back(AdoptRef{}, reply);
analyzer->ConnectionEventFast(event, std::move(vl));
analyzer->EnqueueConnEvent(event, std::move(vl));
}
else
Unref(reply);
@ -318,21 +318,22 @@ StringVal* NFS_Interp::nfs3_file_data(const u_char*& buf, int& n, uint64_t offse
return 0;
}
val_list NFS_Interp::event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status,
zeek::Args NFS_Interp::event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status,
BifEnum::NFS3::status_t nfs_status,
double rep_start_time,
double rep_last_time, int reply_len, int extra_elements)
{
// Returns a new val_list that already has a conn_val, and nfs3_info.
// These are the first parameters for each nfs_* event ...
val_list vl(2 + extra_elements);
vl.push_back(analyzer->BuildConnVal());
VectorVal* auxgids = new VectorVal(internal_type("index_vec")->AsVectorType());
zeek::Args vl;
vl.reserve(2 + extra_elements);
vl.emplace_back(IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()});
auto auxgids = make_intrusive<VectorVal>(internal_type("index_vec")->AsVectorType());
for ( size_t i = 0; i < c->AuxGIDs().size(); ++i )
auxgids->Assign(i, val_mgr->GetCount(c->AuxGIDs()[i]));
RecordVal *info = new RecordVal(BifType::Record::NFS3::info_t);
auto info = make_intrusive<RecordVal>(BifType::Record::NFS3::info_t);
info->Assign(0, BifType::Enum::rpc_status->GetVal(rpc_status));
info->Assign(1, BifType::Enum::NFS3::status_t->GetVal(nfs_status));
info->Assign(2, make_intrusive<Val>(c->StartTime(), TYPE_TIME));
@ -345,9 +346,9 @@ val_list NFS_Interp::event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_st
info->Assign(9, val_mgr->GetCount(c->Gid()));
info->Assign(10, val_mgr->GetCount(c->Stamp()));
info->Assign(11, make_intrusive<StringVal>(c->MachineName()));
info->Assign(12, auxgids);
info->Assign(12, std::move(auxgids));
vl.push_back(info);
vl.emplace_back(std::move(info));
return vl;
}
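Review bot: `NFS_Interp::event_common_vl` adds the connection value with `vl.emplace_back(IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()});`, which builds a temporary and moves it in. The MOUNT counterpart and the other `AdoptRef` sites in this commit construct the element in place. For consistency I would write `vl.emplace_back(AdoptRef{}, analyzer->BuildConnVal());` here as well.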


@ -20,7 +20,7 @@ protected:
// Returns a new val_list that already has a conn_val, rpc_status and
// nfs_status. These are the first parameters for each nfs_* event
// ...
val_list event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status,
zeek::Args event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status,
BifEnum::NFS3::status_t nfs_status,
double rep_start_time, double rep_last_time,
int reply_len, int extra_elements);


@ -261,10 +261,10 @@ uint32_t PortmapperInterp::CheckPort(uint32_t port)
{
if ( pm_bad_port )
{
analyzer->ConnectionEventFast(pm_bad_port, {
analyzer->BuildConnVal(),
val_mgr->GetCount(port),
});
analyzer->EnqueueConnEvent(pm_bad_port,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(port)}
);
}
port = 0;
@ -282,25 +282,26 @@ void PortmapperInterp::Event(EventHandlerPtr f, Val* request, BifEnum::rpc_statu
return;
}
val_list vl;
zeek::Args vl;
vl.push_back(analyzer->BuildConnVal());
vl.emplace_back(AdoptRef{}, analyzer->BuildConnVal());
if ( status == BifEnum::RPC_SUCCESS )
{
if ( request )
vl.push_back(request);
vl.emplace_back(AdoptRef{}, request);
if ( reply )
vl.push_back(reply);
vl.emplace_back(AdoptRef{}, reply);
}
else
{
vl.push_back(BifType::Enum::rpc_status->GetVal(status).release());
vl.emplace_back(BifType::Enum::rpc_status->GetVal(status));
if ( request )
vl.push_back(request);
vl.emplace_back(AdoptRef{}, request);
}
analyzer->ConnectionEventFast(f, std::move(vl));
analyzer->EnqueueConnEvent(f, std::move(vl));
}
Portmapper_Analyzer::Portmapper_Analyzer(Connection* conn)


@ -338,46 +338,40 @@ void RPC_Interpreter::Timeout()
void RPC_Interpreter::Event_RPC_Dialogue(RPC_CallInfo* c, BifEnum::rpc_status status, int reply_len)
{
if ( rpc_dialogue )
{
analyzer->ConnectionEventFast(rpc_dialogue, {
analyzer->BuildConnVal(),
val_mgr->GetCount(c->Program()),
val_mgr->GetCount(c->Version()),
val_mgr->GetCount(c->Proc()),
BifType::Enum::rpc_status->GetVal(status).release(),
new Val(c->StartTime(), TYPE_TIME),
val_mgr->GetCount(c->CallLen()),
val_mgr->GetCount(reply_len),
});
}
analyzer->EnqueueConnEvent(rpc_dialogue,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(c->Program())},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(c->Version())},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(c->Proc())},
BifType::Enum::rpc_status->GetVal(status),
make_intrusive<Val>(c->StartTime(), TYPE_TIME),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(c->CallLen())},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(reply_len)}
);
}
void RPC_Interpreter::Event_RPC_Call(RPC_CallInfo* c)
{
if ( rpc_call )
{
analyzer->ConnectionEventFast(rpc_call, {
analyzer->BuildConnVal(),
val_mgr->GetCount(c->XID()),
val_mgr->GetCount(c->Program()),
val_mgr->GetCount(c->Version()),
val_mgr->GetCount(c->Proc()),
val_mgr->GetCount(c->CallLen()),
});
}
analyzer->EnqueueConnEvent(rpc_call,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(c->XID())},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(c->Program())},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(c->Version())},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(c->Proc())},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(c->CallLen())}
);
}
void RPC_Interpreter::Event_RPC_Reply(uint32_t xid, BifEnum::rpc_status status, int reply_len)
{
if ( rpc_reply )
{
analyzer->ConnectionEventFast(rpc_reply, {
analyzer->BuildConnVal(),
val_mgr->GetCount(xid),
BifType::Enum::rpc_status->GetVal(status).release(),
val_mgr->GetCount(reply_len),
});
}
analyzer->EnqueueConnEvent(rpc_reply,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(xid)},
BifType::Enum::rpc_status->GetVal(status),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(reply_len)}
);
}
void RPC_Interpreter::Weird(const char* msg, const char* addl)


@ -219,11 +219,11 @@ void SMTP_Analyzer::ProcessLine(int length, const char* line, bool orig)
if ( smtp_data && ! skip_data )
{
ConnectionEventFast(smtp_data, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(data_len, line),
});
EnqueueConnEvent(smtp_data,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
make_intrusive<StringVal>(data_len, line)
);
}
}
@ -349,14 +349,14 @@ void SMTP_Analyzer::ProcessLine(int length, const char* line, bool orig)
break;
}
ConnectionEventFast(smtp_reply, {
BuildConnVal(),
val_mgr->GetBool(orig),
val_mgr->GetCount(reply_code),
new StringVal(cmd),
new StringVal(end_of_line - line, line),
val_mgr->GetBool((pending_reply > 0)),
});
EnqueueConnEvent(smtp_reply,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(reply_code)},
make_intrusive<StringVal>(cmd),
make_intrusive<StringVal>(end_of_line - line, line),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool((pending_reply > 0))}
);
}
}
@ -410,7 +410,7 @@ void SMTP_Analyzer::StartTLS()
AddChildAnalyzer(ssl);
if ( smtp_starttls )
ConnectionEventFast(smtp_starttls, {BuildConnVal()});
EnqueueConnEvent(smtp_starttls, IntrusivePtr{AdoptRef{}, BuildConnVal()});
}
@ -854,12 +854,17 @@ void SMTP_Analyzer::RequestEvent(int cmd_len, const char* cmd,
ProtocolConfirmation();
if ( smtp_request )
ConnectionEventFast(smtp_request, {
BuildConnVal(),
val_mgr->GetBool(orig_is_sender),
(new StringVal(cmd_len, cmd))->ToUpper(),
new StringVal(arg_len, arg),
});
{
auto cmd_arg = make_intrusive<StringVal>(cmd_len, cmd);
cmd_arg->ToUpper();
EnqueueConnEvent(smtp_request,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig_is_sender)},
std::move(cmd_arg),
make_intrusive<StringVal>(arg_len, arg)
);
}
}
void SMTP_Analyzer::Unexpected(const int is_sender, const char* msg,
@ -874,12 +879,12 @@ void SMTP_Analyzer::Unexpected(const int is_sender, const char* msg,
if ( ! orig_is_sender )
is_orig = ! is_orig;
ConnectionEventFast(smtp_unexpected, {
BuildConnVal(),
val_mgr->GetBool(is_orig),
new StringVal(msg),
new StringVal(detail_len, detail),
});
EnqueueConnEvent(smtp_unexpected,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
make_intrusive<StringVal>(msg),
make_intrusive<StringVal>(detail_len, detail)
);
}
}
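Review bot: In `SMTP_Analyzer::RequestEvent`, `cmd_arg->ToUpper();` discards the return value that the old code passed straight into the event. The new form is therefore only equivalent if `StringVal::ToUpper()` upper-cases the object in place and returns the same object; that appears to be the assumption, but it is not visible in this diff. A one-line comment above the call, such as `// ToUpper() modifies cmd_arg in place; the returned pointer is the same object`, would make that dependency explicit. The enclosing function starts outside the hunk.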


@ -135,10 +135,10 @@ void SteppingStoneEndpoint::Event(EventHandlerPtr f, int id1, int id2)
return;
if ( id2 >= 0 )
endp->TCP()->ConnectionEventFast(f, {val_mgr->GetInt(id1), val_mgr->GetInt(id2)});
endp->TCP()->EnqueueConnEvent(f, IntrusivePtr{AdoptRef{}, val_mgr->GetInt(id1)},
IntrusivePtr{AdoptRef{}, val_mgr->GetInt(id2)});
else
endp->TCP()->ConnectionEventFast(f, {val_mgr->GetInt(id1)});
endp->TCP()->EnqueueConnEvent(f, IntrusivePtr{AdoptRef{}, val_mgr->GetInt(id1)});
}
void SteppingStoneEndpoint::CreateEndpEvent(int is_orig)
@ -146,11 +146,11 @@ void SteppingStoneEndpoint::CreateEndpEvent(int is_orig)
if ( ! stp_create_endp )
return;
endp->TCP()->ConnectionEventFast(stp_create_endp, {
endp->TCP()->BuildConnVal(),
val_mgr->GetInt(stp_id),
val_mgr->GetBool(is_orig),
});
endp->TCP()->EnqueueConnEvent(stp_create_endp,
IntrusivePtr{AdoptRef{}, endp->TCP()->BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetInt(stp_id)},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)}
);
}
SteppingStone_Analyzer::SteppingStone_Analyzer(Connection* c)


@ -785,17 +785,17 @@ void TCP_Analyzer::GeneratePacketEvent(
const u_char* data, int len, int caplen,
int is_orig, TCP_Flags flags)
{
ConnectionEventFast(tcp_packet, {
BuildConnVal(),
val_mgr->GetBool(is_orig),
new StringVal(flags.AsString()),
val_mgr->GetCount(rel_seq),
val_mgr->GetCount(flags.ACK() ? rel_ack : 0),
val_mgr->GetCount(len),
EnqueueConnEvent(tcp_packet,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
make_intrusive<StringVal>(flags.AsString()),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(rel_seq)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(flags.ACK() ? rel_ack : 0)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(len)},
// We need the min() here because Ethernet padding can lead to
// caplen > len.
new StringVal(min(caplen, len), (const char*) data),
});
make_intrusive<StringVal>(min(caplen, len), (const char*) data)
);
}
int TCP_Analyzer::DeliverData(double t, const u_char* data, int len, int caplen,
@ -1101,12 +1101,10 @@ void TCP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
base_seq, ack_seq);
if ( connection_SYN_packet )
{
ConnectionEventFast(connection_SYN_packet, {
BuildConnVal(),
SYN_vals->Ref(),
});
}
EnqueueConnEvent(connection_SYN_packet,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{NewRef{}, SYN_vals}
);
Unref(SYN_vals);
}
@ -1347,17 +1345,17 @@ int TCP_Analyzer::ParseTCPOptions(const struct tcphdr* tcp, bool is_orig)
{
auto kind = o[0];
auto length = kind < 2 ? 1 : o[1];
ConnectionEventFast(tcp_option, {
BuildConnVal(),
val_mgr->GetBool(is_orig),
val_mgr->GetCount(kind),
val_mgr->GetCount(length),
});
EnqueueConnEvent(tcp_option,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(kind)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(length)}
);
}
if ( tcp_options )
{
auto option_list = new VectorVal(BifType::Vector::TCP::OptionList);
auto option_list = make_intrusive<VectorVal>(BifType::Vector::TCP::OptionList);
auto add_option_data = [](RecordVal* rv, const u_char* odata, int olen)
{
@ -1460,11 +1458,11 @@ int TCP_Analyzer::ParseTCPOptions(const struct tcphdr* tcp, bool is_orig)
}
}
ConnectionEventFast(tcp_options, {
BuildConnVal(),
val_mgr->GetBool(is_orig),
option_list,
});
EnqueueConnEvent(tcp_options,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
std::move(option_list)
);
}
if ( options < opt_end )
@ -1782,12 +1780,10 @@ int TCP_Analyzer::DataPending(TCP_Endpoint* closing_endp)
void TCP_Analyzer::EndpointEOF(TCP_Reassembler* endp)
{
if ( connection_EOF )
{
ConnectionEventFast(connection_EOF, {
BuildConnVal(),
val_mgr->GetBool(endp->IsOrig()),
});
}
EnqueueConnEvent(connection_EOF,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(endp->IsOrig())}
);
const analyzer_list& children(GetChildren());
LOOP_OVER_CONST_CHILDREN(i)
@ -2064,16 +2060,14 @@ int TCPStats_Endpoint::DataSent(double /* t */, uint64_t seq, int len, int caple
network_time, seq, len, max_top_seq, data_in_flight);
if ( tcp_rexmit )
{
endp->TCP()->ConnectionEventFast(tcp_rexmit, {
endp->TCP()->BuildConnVal(),
val_mgr->GetBool(endp->IsOrig()),
val_mgr->GetCount(seq),
val_mgr->GetCount(len),
val_mgr->GetCount(data_in_flight),
val_mgr->GetCount(endp->peer->window),
});
}
endp->TCP()->EnqueueConnEvent(tcp_rexmit,
IntrusivePtr{AdoptRef{}, endp->TCP()->BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(endp->IsOrig())},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(seq)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(len)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(data_in_flight)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(endp->peer->window)}
);
}
else
max_top_seq = top_seq;
@ -2121,11 +2115,11 @@ void TCPStats_Analyzer::Done()
TCP_ApplicationAnalyzer::Done();
if ( conn_stats )
ConnectionEventFast(conn_stats, {
BuildConnVal(),
orig_stats->BuildStats(),
resp_stats->BuildStats(),
});
EnqueueConnEvent(conn_stats,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, orig_stats->BuildStats()},
IntrusivePtr{AdoptRef{}, resp_stats->BuildStats()}
);
}
void TCPStats_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, uint64_t seq, const IP_Hdr* ip, int caplen)
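Review bot: In the `connection_SYN_packet` hunk of `TCP_Analyzer::DeliverPacket`, the new call takes an extra reference with `IntrusivePtr{NewRef{}, SYN_vals}` and the raw `Unref(SYN_vals);` after it is kept, so the manual ref-counting pair survives the conversion. If `SYN_vals` is created just above this hunk only for this event, holding it in an `IntrusivePtr` from creation and passing that to `EnqueueConnEvent` would let the explicit `Unref` go. It would also mean a later early return cannot skip the release. `DeliverPacket` starts and ends outside the hunk, so this needs checking against the full function.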


@ -237,13 +237,11 @@ int TCP_Endpoint::DataSent(double t, uint64_t seq, int len, int caplen,
reporter->Error("TCP contents write failed: %s", buf);
if ( contents_file_write_failure )
{
tcp_analyzer->ConnectionEventFast(contents_file_write_failure, {
Conn()->BuildConnVal(),
val_mgr->GetBool(IsOrig()),
new StringVal(buf),
});
}
tcp_analyzer->EnqueueConnEvent(contents_file_write_failure,
IntrusivePtr{AdoptRef{}, Conn()->BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(IsOrig())},
make_intrusive<StringVal>(buf)
);
}
}


@ -151,14 +151,12 @@ void TCP_Reassembler::Gap(uint64_t seq, uint64_t len)
endp->Gap(seq, len);
if ( report_gap(endp, endp->peer) )
{
dst_analyzer->ConnectionEventFast(content_gap, {
dst_analyzer->BuildConnVal(),
val_mgr->GetBool(IsOrig()),
val_mgr->GetCount(seq),
val_mgr->GetCount(len),
});
}
dst_analyzer->EnqueueConnEvent(content_gap,
IntrusivePtr{AdoptRef{}, dst_analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(IsOrig())},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(seq)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(len)}
);
if ( type == Direct )
dst_analyzer->NextUndelivered(seq, len, IsOrig());
@ -363,13 +361,11 @@ void TCP_Reassembler::RecordBlock(const DataBlock& b, BroFile* f)
reporter->Error("TCP_Reassembler contents write failed");
if ( contents_file_write_failure )
{
tcp_analyzer->ConnectionEventFast(contents_file_write_failure, {
Endpoint()->Conn()->BuildConnVal(),
val_mgr->GetBool(IsOrig()),
new StringVal("TCP reassembler content write failure"),
});
}
tcp_analyzer->EnqueueConnEvent(contents_file_write_failure,
IntrusivePtr{AdoptRef{}, Endpoint()->Conn()->BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(IsOrig())},
make_intrusive<StringVal>("TCP reassembler content write failure")
);
}
void TCP_Reassembler::RecordGap(uint64_t start_seq, uint64_t upper_seq, BroFile* f)
@ -380,13 +376,11 @@ void TCP_Reassembler::RecordGap(uint64_t start_seq, uint64_t upper_seq, BroFile*
reporter->Error("TCP_Reassembler contents gap write failed");
if ( contents_file_write_failure )
{
tcp_analyzer->ConnectionEventFast(contents_file_write_failure, {
Endpoint()->Conn()->BuildConnVal(),
val_mgr->GetBool(IsOrig()),
new StringVal("TCP reassembler gap write failure"),
});
}
tcp_analyzer->EnqueueConnEvent(contents_file_write_failure,
IntrusivePtr{AdoptRef{}, Endpoint()->Conn()->BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(IsOrig())},
make_intrusive<StringVal>("TCP reassembler gap write failure")
);
}
void TCP_Reassembler::BlockInserted(DataBlockMap::const_iterator it)
@ -462,12 +456,12 @@ void TCP_Reassembler::Overlap(const u_char* b1, const u_char* b2, uint64_t n)
BroString* b1_s = new BroString((const u_char*) b1, n, 0);
BroString* b2_s = new BroString((const u_char*) b2, n, 0);
tcp_analyzer->ConnectionEventFast(rexmit_inconsistency, {
tcp_analyzer->BuildConnVal(),
new StringVal(b1_s),
new StringVal(b2_s),
new StringVal(flags.AsString()),
});
tcp_analyzer->EnqueueConnEvent(rexmit_inconsistency,
IntrusivePtr{AdoptRef{}, tcp_analyzer->BuildConnVal()},
make_intrusive<StringVal>(b1_s),
make_intrusive<StringVal>(b2_s),
make_intrusive<StringVal>(flags.AsString())
);
}
}
@ -618,14 +612,12 @@ void TCP_Reassembler::DeliverBlock(uint64_t seq, int len, const u_char* data)
}
if ( deliver_tcp_contents )
{
tcp_analyzer->ConnectionEventFast(tcp_contents, {
tcp_analyzer->BuildConnVal(),
val_mgr->GetBool(IsOrig()),
val_mgr->GetCount(seq),
new StringVal(len, (const char*) data),
});
}
tcp_analyzer->EnqueueConnEvent(tcp_contents,
IntrusivePtr{AdoptRef{}, tcp_analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(IsOrig())},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(seq)},
make_intrusive<StringVal>(len, (const char*) data)
);
// Q. Can we say this because it is already checked in DataSent()?
// ASSERT(!Conn()->Skipping() && !SkipDeliveries());


@ -153,13 +153,11 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
}
if ( do_udp_contents )
{
ConnectionEventFast(udp_contents, {
BuildConnVal(),
val_mgr->GetBool(is_orig),
new StringVal(len, (const char*) data),
});
}
EnqueueConnEvent(udp_contents,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
make_intrusive<StringVal>(len, (const char*) data)
);
Unref(port_val);
}