diff --git a/scripts/base/frameworks/files/main.bro b/scripts/base/frameworks/files/main.bro index a87608054d..c1883e037f 100644 --- a/scripts/base/frameworks/files/main.bro +++ b/scripts/base/frameworks/files/main.bro @@ -228,11 +228,6 @@ redef record fa_file += { info: Info &optional; }; -redef record AnalyzerArgs += { - # This is used interally for the core file analyzer api. - tag: Files::Tag &optional; -}; - # Store the callbacks for protocol analyzers that have files. global registered_protocols: table[Analyzer::Tag] of ProtoRegistration = table(); @@ -275,14 +270,12 @@ function set_timeout_interval(f: fa_file, t: interval): bool function add_analyzer(f: fa_file, tag: Files::Tag, args: AnalyzerArgs): bool { - # This is to construct the correct args for the core API. - args$tag = tag; add f$info$analyzers[Files::analyzer_name(tag)]; if ( tag in analyzer_add_callbacks ) analyzer_add_callbacks[tag](f, args); - if ( ! __add_analyzer(f$id, args) ) + if ( ! __add_analyzer(f$id, tag, args) ) { Reporter::warning(fmt("Analyzer %s not added successfully to file %s.", tag, f$id)); return F; @@ -297,8 +290,7 @@ function register_analyzer_add_callback(tag: Files::Tag, callback: function(f: f function remove_analyzer(f: fa_file, tag: Files::Tag, args: AnalyzerArgs): bool { - args$tag = tag; - return __remove_analyzer(f$id, args); + return __remove_analyzer(f$id, tag, args); } function stop(f: fa_file): bool diff --git a/src/file_analysis/Analyzer.cc b/src/file_analysis/Analyzer.cc new file mode 100644 index 0000000000..d472f4c80c --- /dev/null +++ b/src/file_analysis/Analyzer.cc @@ -0,0 +1,11 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +#include "Analyzer.h" +#include "Manager.h" + +file_analysis::Analyzer::~Analyzer() + { + DBG_LOG(DBG_FILE_ANALYSIS, "Destroy file analyzer %s", + file_mgr->GetAnalyzerName(tag)); + Unref(args); + } 
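Review bot: The out-of-line `file_analysis::Analyzer::~Analyzer()` in the new Analyzer.cc formats its log line with `file_mgr->GetAnalyzerName(tag)`, and the Manager.cc hunk of this commit makes that call `reporter->InternalError` for a tag that is not in `analyzers_by_tag`; a destructor that can abort the process is a hazard, especially since the analyzer constructors in this commit obtain `tag` from `GetAnalyzerTag(name)`, which is documented to return a false tag on a miss. If `DBG_LOG` is compiled only into debug builds the exposure is limited to those, but a guard such as `tag ? file_mgr->GetAnalyzerName(tag) : "<unknown>"` keeps destruction non-fatal either way. Whether `file_mgr` can already be torn down when analyzers are destroyed at shutdown is not visible from the hunk and is worth confirming.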
diff --git a/src/file_analysis/Analyzer.h b/src/file_analysis/Analyzer.h index 0a5aa9e25c..e20e2802cf 100644 --- a/src/file_analysis/Analyzer.h +++ b/src/file_analysis/Analyzer.h @@ -5,14 +5,12 @@ #include "Val.h" #include "NetVar.h" -#include "analyzer/Tag.h" +#include "Tag.h" #include "file_analysis/file_analysis.bif.h" namespace file_analysis { -typedef int FA_Tag; - class File; /** @@ -25,11 +23,7 @@ public: * Destructor. Nothing special about it. Virtual since we definitely expect * to delete instances of derived classes via pointers to this class. */ - virtual ~Analyzer() - { - DBG_LOG(DBG_FILE_ANALYSIS, "Destroy file analyzer %d", tag); - Unref(args); - } + virtual ~Analyzer(); /** * Subclasses may override this metod to receive file data non-sequentially. @@ -76,7 +70,7 @@ public: /** * @return the analyzer type enum value. */ - FA_Tag Tag() const { return tag; } + file_analysis::Tag Tag() const { return tag; } /** * @return the AnalyzerArgs associated with the analyzer. @@ -88,18 +82,6 @@ public: */ File* GetFile() const { return file; } - /** - * Retrieves an analyzer tag field from full analyzer argument record. - * @param args an \c AnalyzerArgs (script-layer type) value. - * @return the analyzer tag equivalent of the 'tag' field from the - * \c AnalyzerArgs value \a args. - */ - static FA_Tag ArgsTag(const RecordVal* args) - { - using BifType::Record::Files::AnalyzerArgs; - return args->Lookup(AnalyzerArgs->FieldOffset("tag"))->AsEnum(); - } - protected: /** 
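Review bot: `file_analysis::Tag Tag() const` names a member function after the type it returns, so inside the class the unqualified name `Tag` now means the accessor and every use of the type has to be spelled `file_analysis::Tag` (the constructor and the `tag` member in the next hunk already do this); a reader who writes `Tag t = a->Tag();` in the class body gets a confusing compile error. This is a style point rather than a defect; if the accessor keeps its name, a short comment next to it, `// The type must be written file_analysis::Tag inside this class because Tag() hides it.`, saves the next maintainer that round trip. The accessor's doc line `@return the analyzer type enum value.` is also slightly stale now that it returns a `file_analysis::Tag` object rather than an enum value.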
@@ -108,15 +90,15 @@ protected: * tunable options, if any, related to a particular analyzer type. * @param arg_file the file to which the the analyzer is being attached. */ - Analyzer(RecordVal* arg_args, File* arg_file) - : tag(file_analysis::Analyzer::ArgsTag(arg_args)), + Analyzer(file_analysis::Tag arg_tag, RecordVal* arg_args, File* arg_file) + : tag(arg_tag), args(arg_args->Ref()->AsRecordVal()), file(arg_file) {} private: - FA_Tag tag; /**< The particular analyzer type of the analyzer instance. */ + file_analysis::Tag tag; /**< The particular type of the analyzer instance. */ RecordVal* args; /**< \c AnalyzerArgs val gives tunable analyzer params. */ File* file; /**< The file to which the analyzer is attached. */ }; diff --git a/src/file_analysis/AnalyzerSet.cc b/src/file_analysis/AnalyzerSet.cc index c710d8b085..befb676c87 100644 --- a/src/file_analysis/AnalyzerSet.cc +++ b/src/file_analysis/AnalyzerSet.cc @@ -15,6 +15,7 @@ static void analyzer_del_func(void* v) AnalyzerSet::AnalyzerSet(File* arg_file) : file(arg_file) { TypeList* t = new TypeList(); + t->Append(file_mgr->GetTagEnumType()); t->Append(BifType::Record::Files::AnalyzerArgs->Ref()); analyzer_hash = new CompositeHash(t); Unref(t); @@ -34,20 +35,20 @@ AnalyzerSet::~AnalyzerSet() delete analyzer_hash; } -bool AnalyzerSet::Add(RecordVal* args) +bool AnalyzerSet::Add(file_analysis::Tag tag, RecordVal* args) { - HashKey* key = GetKey(args); + HashKey* key = GetKey(tag, args); if ( analyzer_map.Lookup(key) ) { - DBG_LOG(DBG_FILE_ANALYSIS, "Instantiate analyzer %d skipped for file id" - " %s: already exists", file_analysis::Analyzer::ArgsTag(args), + DBG_LOG(DBG_FILE_ANALYSIS, "Instantiate analyzer %s skipped for file id" + " %s: already exists", file_mgr->GetAnalyzerName(tag), file->GetID().c_str()); delete key; return true; } - file_analysis::Analyzer* a = InstantiateAnalyzer(args); + file_analysis::Analyzer* a = InstantiateAnalyzer(tag, args); if ( ! a ) { 
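Review bot: The protected constructor gains an `arg_tag` parameter, but the visible part of its Doxygen block documents only `arg_file` (the `@param` lines above it are outside the hunk, so if `@param arg_tag` was added there this is moot); otherwise add `@param arg_tag the analyzer tag identifying the analyzer type being attached.` It is also worth stating the precondition that the tag is expected to be valid, because the destructor and AnalyzerSet both hand it to `file_mgr->GetAnalyzerName`, which is fatal for an unknown tag.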
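Review bot: In the AnalyzerSet constructor the new line `t->Append(file_mgr->GetTagEnumType());` hands the manager's enum type to the TypeList without a `Ref()`, while the adjacent existing line appends `BifType::Record::Files::AnalyzerArgs->Ref()`; if `TypeList::Append` takes ownership of what it is given (which the neighbouring `Ref()` and the later `Unref(t)` suggest), this unbalances the reference count on the manager's `tag_enum_type` and it can be released while the manager still hands it out. Unless `Append` is known to take its own reference, the line should read `t->Append(file_mgr->GetTagEnumType()->Ref());`. I cannot see TypeList's or `GetTagEnumType`'s ownership contract from this diff, so please verify which convention is right and make the two `Append` lines consistent.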
@@ -60,10 +61,10 @@ bool AnalyzerSet::Add(RecordVal* args) return true; } -bool AnalyzerSet::QueueAdd(RecordVal* args) +bool AnalyzerSet::QueueAdd(file_analysis::Tag tag, RecordVal* args) { - HashKey* key = GetKey(args); - file_analysis::Analyzer* a = InstantiateAnalyzer(args); + HashKey* key = GetKey(tag, args); + file_analysis::Analyzer* a = InstantiateAnalyzer(tag, args); if ( ! a ) { @@ -80,8 +81,9 @@ bool AnalyzerSet::AddMod::Perform(AnalyzerSet* set) { if ( set->analyzer_map.Lookup(key) ) { - DBG_LOG(DBG_FILE_ANALYSIS, "Add analyzer %d skipped for file id" - " %s: already exists", a->Tag(), a->GetFile()->GetID().c_str()); + DBG_LOG(DBG_FILE_ANALYSIS, "Add analyzer %s skipped for file id" + " %s: already exists", file_mgr->GetAnalyzerName(a->Tag()), + a->GetFile()->GetID().c_str()); Abort(); return true; @@ -91,12 +93,12 @@ bool AnalyzerSet::AddMod::Perform(AnalyzerSet* set) return true; } -bool AnalyzerSet::Remove(const RecordVal* args) +bool AnalyzerSet::Remove(file_analysis::Tag tag, RecordVal* args) { - return Remove(file_analysis::Analyzer::ArgsTag(args), GetKey(args)); + return Remove(tag, GetKey(tag, args)); } -bool AnalyzerSet::Remove(FA_Tag tag, HashKey* key) +bool AnalyzerSet::Remove(file_analysis::Tag tag, HashKey* key) { file_analysis::Analyzer* a = (file_analysis::Analyzer*) analyzer_map.Remove(key); 
@@ -105,22 +107,22 @@ bool AnalyzerSet::Remove(FA_Tag tag, HashKey* key) if ( ! a ) { - DBG_LOG(DBG_FILE_ANALYSIS, "Skip remove analyzer %d for file id %s", - tag, file->GetID().c_str()); + DBG_LOG(DBG_FILE_ANALYSIS, "Skip remove analyzer %s for file id %s", + file_mgr->GetAnalyzerName(tag), file->GetID().c_str()); return false; } - DBG_LOG(DBG_FILE_ANALYSIS, "Remove analyzer %d for file id %s", a->Tag(), + DBG_LOG(DBG_FILE_ANALYSIS, "Remove analyzer %s for file id %s", + file_mgr->GetAnalyzerName(tag), file->GetID().c_str()); delete a; return true; } -bool AnalyzerSet::QueueRemove(const RecordVal* args) +bool AnalyzerSet::QueueRemove(file_analysis::Tag tag, RecordVal* args) { - HashKey* key = GetKey(args); - FA_Tag tag = file_analysis::Analyzer::ArgsTag(args); + HashKey* key = GetKey(tag, args); mod_queue.push(new RemoveMod(tag, key)); @@ -132,18 +134,22 @@ bool AnalyzerSet::RemoveMod::Perform(AnalyzerSet* set) return set->Remove(tag, key); } -HashKey* AnalyzerSet::GetKey(const RecordVal* args) const +HashKey* AnalyzerSet::GetKey(file_analysis::Tag t, RecordVal* args) const { - HashKey* key = analyzer_hash->ComputeHash(args, 1); + ListVal* lv = new ListVal(TYPE_ANY); + lv->Append(t.AsEnumVal()->Ref()); + lv->Append(args->Ref()); + HashKey* key = analyzer_hash->ComputeHash(lv, 1); + Unref(lv); if ( ! key ) reporter->InternalError("AnalyzerArgs type mismatch"); return key; } -file_analysis::Analyzer* AnalyzerSet::InstantiateAnalyzer(RecordVal* args) const +file_analysis::Analyzer* AnalyzerSet::InstantiateAnalyzer(Tag tag, + RecordVal* args) const { - FA_Tag tag = file_analysis::Analyzer::ArgsTag(args); file_analysis::Analyzer* a = file_mgr->InstantiateAnalyzer(tag, args, file); if ( ! a ) 
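Review bot: `AnalyzerSet::GetKey` now calls `t.AsEnumVal()->Ref()` unconditionally, yet the tag reaching it can be a default-constructed (false) tag — this commit's `GetAnalyzerTag` overloads return one on a failed lookup and the bif layer passes the result straight through — so whether this dereferences a null pointer depends on what `AsEnumVal()` yields for such a tag, which I cannot see here. A guard at the top, `if ( ! t ) reporter->InternalError("AnalyzerSet::GetKey: invalid file analyzer tag");`, makes the failure explicit, and the existing message `"AnalyzerArgs type mismatch"` is now stale since the key covers both the tag and the args. Separately, `args` lost its `const` across `Remove`, `QueueRemove`, `File::RemoveAnalyzer` and `Manager::RemoveAnalyzer` only so that this function can call `args->Ref()`; that is a wide interface change for one call site and is worth a sentence in the commit message if it is intended.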
@@ -158,8 +164,8 @@ file_analysis::Analyzer* AnalyzerSet::InstantiateAnalyzer(RecordVal* args) const void AnalyzerSet::Insert(file_analysis::Analyzer* a, HashKey* key) { - DBG_LOG(DBG_FILE_ANALYSIS, "Add analyzer %d for file id %s", a->Tag(), - file->GetID().c_str()); + DBG_LOG(DBG_FILE_ANALYSIS, "Add analyzer %s for file id %s", + file_mgr->GetAnalyzerName(a->Tag()), file->GetID().c_str()); analyzer_map.Insert(key, a); delete key; } diff --git a/src/file_analysis/AnalyzerSet.h b/src/file_analysis/AnalyzerSet.h index 6f14149e30..42a54f4943 100644 --- a/src/file_analysis/AnalyzerSet.h +++ b/src/file_analysis/AnalyzerSet.h @@ -9,6 +9,7 @@ #include "Dict.h" #include "CompHash.h" #include "Val.h" +#include "Tag.h" namespace file_analysis { 
@@ -38,31 +39,35 @@ public: /** * Attach an analyzer to #file immediately. + * @param tag the analyzer tag of the file analyzer to add. * @param args an \c AnalyzerArgs value which specifies an analyzer. * @return true if analyzer was instantiated/attached, else false. */ - bool Add(RecordVal* args); + bool Add(file_analysis::Tag tag, RecordVal* args); /** * Queue the attachment of an analyzer to #file. + * @param tag the analyzer tag of the file analyzer to add. * @param args an \c AnalyzerArgs value which specifies an analyzer. * @return true if analyzer was able to be instantiated, else false. */ - bool QueueAdd(RecordVal* args); + bool QueueAdd(file_analysis::Tag tag, RecordVal* args); /** * Remove an analyzer from #file immediately. + * @param tag the analyzer tag of the file analyzer to remove. * @param args an \c AnalyzerArgs value which specifies an analyzer. * @return false if analyzer didn't exist and so wasn't removed, else true. */ - bool Remove(const RecordVal* args); + bool Remove(file_analysis::Tag tag, RecordVal* args); /** * Queue the removal of an analyzer from #file. + * @param tag the analyzer tag of the file analyzer to remove. * @param args an \c AnalyzerArgs value which specifies an analyzer. * @return true if analyzer exists at time of call, else false; */ - bool QueueRemove(const RecordVal* args); + bool QueueRemove(file_analysis::Tag tag, RecordVal* args); /** * Perform all queued modifications to the current analyzer set. 
@@ -91,17 +96,20 @@ protected: /** * Get a hash key which represents an analyzer instance. + * @param tag the file analyzer tag. * @param args an \c AnalyzerArgs value which specifies an analyzer. * @return the hash key calculated from \a args */ - HashKey* GetKey(const RecordVal* args) const; + HashKey* GetKey(file_analysis::Tag tag, RecordVal* args) const; /** * Create an instance of a file analyzer. + * @param tag the tag of a file analyzer. * @param args an \c AnalyzerArgs value which specifies an analyzer. * @return a new file analyzer instance. */ - file_analysis::Analyzer* InstantiateAnalyzer(RecordVal* args) const; + file_analysis::Analyzer* InstantiateAnalyzer(file_analysis::Tag tag, + RecordVal* args) const; /** * Insert an analyzer instance in to the set. @@ -116,7 +124,7 @@ protected: * just used for debugging messages. * @param key the hash key which represents the analyzer's \c AnalyzerArgs. */ - bool Remove(FA_Tag tag, HashKey* key); + bool Remove(file_analysis::Tag tag, HashKey* key); private: @@ -175,14 +183,14 @@ private: * @param arg_a an analyzer instance to add to an analyzer set. * @param arg_key hash key representing the analyzer's \c AnalyzerArgs. */ - RemoveMod(FA_Tag arg_tag, HashKey* arg_key) + RemoveMod(file_analysis::Tag arg_tag, HashKey* arg_key) : Modification(), tag(arg_tag), key(arg_key) {} virtual ~RemoveMod() {} virtual bool Perform(AnalyzerSet* set); virtual void Abort() { delete key; } protected: - FA_Tag tag; + file_analysis::Tag tag; HashKey* key; }; diff --git a/src/file_analysis/CMakeLists.txt b/src/file_analysis/CMakeLists.txt index 709790cfaf..846fc4bf15 100644 --- a/src/file_analysis/CMakeLists.txt +++ b/src/file_analysis/CMakeLists.txt @@ -11,7 +11,7 @@ set(file_analysis_SRCS Manager.cc File.cc FileTimer.cc - Analyzer.h + Analyzer.cc AnalyzerSet.cc Component.cc Tag.cc diff --git a/src/file_analysis/File.cc b/src/file_analysis/File.cc index 7189d90932..3db8ecdbee 100644 --- a/src/file_analysis/File.cc 
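Review bot: The `GetKey` doc block gains `@param tag` but its return line still says `@return the hash key calculated from \a args`, even though the key is now computed over the tag and the args together; change it to `@return the hash key calculated from \a tag and \a args.` The same staleness is in the `Remove(file_analysis::Tag tag, HashKey* key)` hunk below it, where `@param key the hash key which represents the analyzer's \c AnalyzerArgs` should also mention the tag, and in the `RemoveMod` constructor's `@param arg_key` comment.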
+++ b/src/file_analysis/File.cc @@ -230,14 +230,14 @@ void File::ScheduleInactivityTimer() const timer_mgr->Add(new FileTimer(network_time, id, GetTimeoutInterval())); } -bool File::AddAnalyzer(RecordVal* args) +bool File::AddAnalyzer(file_analysis::Tag tag, RecordVal* args) { - return done ? false : analyzers.QueueAdd(args); + return done ? false : analyzers.QueueAdd(tag, args); } -bool File::RemoveAnalyzer(const RecordVal* args) +bool File::RemoveAnalyzer(file_analysis::Tag tag, RecordVal* args) { - return done ? false : analyzers.QueueRemove(args); + return done ? false : analyzers.QueueRemove(tag, args); } bool File::BufferBOF(const u_char* data, uint64 len) @@ -320,7 +320,7 @@ void File::DataIn(const u_char* data, uint64 len, uint64 offset) while ( (a = analyzers.NextEntry(c)) ) { if ( ! a->DeliverChunk(data, len, offset) ) - analyzers.QueueRemove(a->Args()); + analyzers.QueueRemove(a->Tag(), a->Args()); } analyzers.DrainModifications(); @@ -355,7 +355,7 @@ void File::DataIn(const u_char* data, uint64 len) { if ( ! a->DeliverStream(data, len) ) { - analyzers.QueueRemove(a->Args()); + analyzers.QueueRemove(a->Tag(), a->Args()); continue; } @@ -363,7 +363,7 @@ void File::DataIn(const u_char* data, uint64 len) LookupFieldDefaultCount(missing_bytes_idx); if ( ! a->DeliverChunk(data, len, offset) ) - analyzers.QueueRemove(a->Args()); + analyzers.QueueRemove(a->Tag(), a->Args()); } analyzers.DrainModifications(); @@ -388,7 +388,7 @@ void File::EndOfFile() while ( (a = analyzers.NextEntry(c)) ) { if ( ! a->EndOfFile() ) - analyzers.QueueRemove(a->Args()); + analyzers.QueueRemove(a->Tag(), a->Args()); } FileEvent(file_state_remove); @@ -410,7 +410,7 @@ void File::Gap(uint64 offset, uint64 len) while ( (a = analyzers.NextEntry(c)) ) { if ( ! a->Undelivered(offset, len) ) - analyzers.QueueRemove(a->Args()); + analyzers.QueueRemove(a->Tag(), a->Args()); } if ( FileEventAvailable(file_gap) ) 
diff --git a/src/file_analysis/File.h b/src/file_analysis/File.h index 794734d24b..12c1e061a8 100644 --- a/src/file_analysis/File.h +++ b/src/file_analysis/File.h @@ -10,6 +10,7 @@ #include "Conn.h" #include "Val.h" +#include "Tag.h" #include "AnalyzerSet.h" #include "BroString.h" @@ -94,17 +95,19 @@ public: /** * Queues attaching an analyzer. Only one analyzer per type can be attached * at a time unless the arguments differ. + * @param tag the analyzer tag of the file analyzer to add. * @param args an \c AnalyzerArgs value representing a file analyzer. * @return false if analyzer can't be instantiated, else true. */ - bool AddAnalyzer(RecordVal* args); + bool AddAnalyzer(file_analysis::Tag tag, RecordVal* args); /** * Queues removal of an analyzer. + * @param tag the analyzer tag of the file analyzer to remove. * @param args an \c AnalyzerArgs value representing a file analyzer. * @return true if analyzer was active at time of call, else false. */ - bool RemoveAnalyzer(const RecordVal* args); + bool RemoveAnalyzer(file_analysis::Tag tag, RecordVal* args); /** * Pass in non-sequential data and deliver to attached analyzers. diff --git a/src/file_analysis/Manager.cc b/src/file_analysis/Manager.cc index fb74a409b4..c7fb1fc3b0 100644 --- a/src/file_analysis/Manager.cc +++ b/src/file_analysis/Manager.cc 
@@ -206,24 +206,26 @@ bool Manager::SetTimeoutInterval(const string& file_id, double interval) const return true; } -bool Manager::AddAnalyzer(const string& file_id, RecordVal* args) const +bool Manager::AddAnalyzer(const string& file_id, file_analysis::Tag tag, + RecordVal* args) const { File* file = Lookup(file_id); if ( ! file ) return false; - return file->AddAnalyzer(args); + return file->AddAnalyzer(tag, args); } -bool Manager::RemoveAnalyzer(const string& file_id, const RecordVal* args) const +bool Manager::RemoveAnalyzer(const string& file_id, file_analysis::Tag tag, + RecordVal* args) const { File* file = Lookup(file_id); if ( ! file ) return false; - return file->RemoveAnalyzer(args); + return file->RemoveAnalyzer(tag, args); } File* Manager::GetFile(const string& file_id, Connection* conn, @@ -367,13 +369,13 @@ bool Manager::IsDisabled(analyzer::Tag tag) return rval; } -Analyzer* Manager::InstantiateAnalyzer(int tag, RecordVal* args, File* f) const +Analyzer* Manager::InstantiateAnalyzer(Tag tag, RecordVal* args, File* f) const { - analyzer_map_by_val::const_iterator it = analyzers_by_val.find(tag); + analyzer_map_by_tag::const_iterator it = analyzers_by_tag.find(tag); - if ( it == analyzers_by_val.end() ) - reporter->InternalError("cannot instantiate unknown file analyzer: %d", - tag); + if ( it == analyzers_by_tag.end() ) + reporter->InternalError("cannot instantiate unknown file analyzer: %s", + tag.AsString().c_str()); Component* c = it->second; 
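Review bot: `Manager::InstantiateAnalyzer` still calls `reporter->InternalError` when the tag is not in `analyzers_by_tag`, while the matching declaration in the Manager.h hunk `@@ -204,15 +208,43 @@` keeps the doc `@return The new analyzer instance or null if tag is invalid.`; one of the two should change. Given that this commit's `GetAnalyzerTag` deliberately returns a false tag for unknown names and values, and that tag now flows from the script layer through `__add_analyzer`, returning null here (`if ( it == analyzers_by_tag.end() ) return 0;`) is the less fragile choice — `AnalyzerSet::Add`, `QueueAdd` and `InstantiateAnalyzer` already test `if ( ! a )`. If the fatal behaviour is intended, update the header comment to say the call is fatal for an unknown tag instead.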
@@ -384,17 +386,43 @@ Analyzer* Manager::InstantiateAnalyzer(int tag, RecordVal* args, File* f) const return c->Factory()(args, f); } -const char* Manager::GetAnalyzerName(int tag) const +const char* Manager::GetAnalyzerName(Val* v) const { - analyzer_map_by_val::const_iterator it = analyzers_by_val.find(tag); + return GetAnalyzerName(file_analysis::Tag(v->AsEnumVal())); + } - if ( it == analyzers_by_val.end() ) - reporter->InternalError("cannot get name of unknown file analyzer: %d", - tag); +const char* Manager::GetAnalyzerName(file_analysis::Tag tag) const + { + analyzer_map_by_tag::const_iterator it = analyzers_by_tag.find(tag); + + if ( it == analyzers_by_tag.end() ) + reporter->InternalError("cannot get name of unknown file analyzer: %s", + tag.AsString().c_str()); return it->second->CanonicalName(); } +file_analysis::Tag Manager::GetAnalyzerTag(const char* name) const + { + analyzer_map_by_name::const_iterator it = analyzers_by_name.find(name); + + if ( it == analyzers_by_name.end() ) + return file_analysis::Tag(); + + return it->second->Tag(); + } + +file_analysis::Tag Manager::GetAnalyzerTag(Val* v) const + { + analyzer_map_by_val::const_iterator it = + analyzers_by_val.find(v->AsEnumVal()->InternalInt()); + + if ( it == analyzers_by_val.end() ) + return file_analysis::Tag(); + + return it->second->Tag(); + } + EnumType* Manager::GetTagEnumType() { return tag_enum_type; diff --git a/src/file_analysis/Manager.h b/src/file_analysis/Manager.h index 55ff0896d7..9a37042669 100644 --- a/src/file_analysis/Manager.h +++ b/src/file_analysis/Manager.h 
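Review bot: The two new Val-based lookups are not consistent with each other: `GetAnalyzerName(Val* v)` builds `file_analysis::Tag(v->AsEnumVal())` directly and then lets `GetAnalyzerName(Tag)` hit `InternalError` if nothing is registered for it, whereas `GetAnalyzerTag(Val* v)` goes through `analyzers_by_val` and returns a false tag on a miss. Routing the first through the second, `return GetAnalyzerName(GetAnalyzerTag(v));`, gives a single lookup path, though the fatal error on a false tag remains, so the header doc for both `GetAnalyzerName` overloads should say the call is fatal for an unregistered tag. Whether `analyzers_by_name.find(name)` compares by string content or by pointer depends on the map's key type, which is not visible here; if the key is `const char*` the name lookup added for the analyzer constructors will not work.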
@@ -177,18 +177,22 @@ public: * analyzers of a given type can be attached per file identifier at a time * as long as the arguments differ. * @param file_id the file identifier/hash. + * @param tag the analyzer tag of the file analyzer to add. * @param args a \c AnalyzerArgs value which describes a file analyzer. * @return false if the analyzer failed to be instantiated, else true. */ - bool AddAnalyzer(const string& file_id, RecordVal* args) const; + bool AddAnalyzer(const string& file_id, file_analysis::Tag tag, + RecordVal* args) const; /** * Queue removal of an analyzer for a given file identifier. * @param file_id the file identifier/hash. + * @param tag the analyzer tag of the file analyzer to remove. * @param args a \c AnalyzerArgs value which describes a file analyzer. * @return true if the analyzer is active at the time of call, else false. */ - bool RemoveAnalyzer(const string& file_id, const RecordVal* args) const; + bool RemoveAnalyzer(const string& file_id, file_analysis::Tag tag, + RecordVal* args) const; /** * Tells whether analysis for a file is active or ignored. 
@@ -204,15 +208,43 @@ public: * @param f The file analzer is to be associated with. * @return The new analyzer instance or null if tag is invalid. */ - Analyzer* InstantiateAnalyzer(int tag, RecordVal* args, File* f) const; + Analyzer* InstantiateAnalyzer(Tag tag, RecordVal* args, File* f) const; /** * Translates a script-level file analyzer tag in to corresponding file * analyzer name. - * @param tag The enum val of a file analyzer. + * @param v The enum val of a file analyzer. * @return The human-readable name of the file analyzer. */ - const char* GetAnalyzerName(int tag) const; + const char* GetAnalyzerName(Val* v) const; + + /** + * Translates a script-level file analyzer tag in to corresponding file + * analyzer name. + * @param tag The analyzer tag of a file analyzer. + * @return The human-readable name of the file analyzer. + */ + const char* GetAnalyzerName(file_analysis::Tag tag) const; + + /** + * Translates an analyzer name into the corresponding tag. + * + * @param name The name. + * + * @return The tag. If the name does not correspond to a valid + * analyzer, the returned tag will evaluate to false. + */ + file_analysis::Tag GetAnalyzerTag(const char* name) const; + + /** + * Translates an analyzer enum value into the corresponding tag. + * + * @param v the enum val of the file analyzer. + * + * @return The tag. If the val does not correspond to a valid + * analyzer, the returned tag will evaluate to false. + */ + file_analysis::Tag GetAnalyzerTag(Val* v) const; /** * Returns the enum type that corresponds to the script-level type diff --git a/src/file_analysis/analyzer/data_event/DataEvent.cc b/src/file_analysis/analyzer/data_event/DataEvent.cc index 1b04111c44..44498f41e1 100644 --- a/src/file_analysis/analyzer/data_event/DataEvent.cc +++ b/src/file_analysis/analyzer/data_event/DataEvent.cc 
@@ -6,12 +6,15 @@ #include "EventRegistry.h" #include "Event.h" #include "util.h" +#include "file_analysis/Manager.h" using namespace file_analysis; DataEvent::DataEvent(RecordVal* args, File* file, EventHandlerPtr ce, EventHandlerPtr se) - : file_analysis::Analyzer(args, file), chunk_event(ce), stream_event(se) + : file_analysis::Analyzer(file_mgr->GetAnalyzerTag("DATA_EVENT"), + args, file), + chunk_event(ce), stream_event(se) { } diff --git a/src/file_analysis/analyzer/extract/Extract.cc b/src/file_analysis/analyzer/extract/Extract.cc index ef37425003..0de1402939 100644 --- a/src/file_analysis/analyzer/extract/Extract.cc +++ b/src/file_analysis/analyzer/extract/Extract.cc @@ -4,11 +4,13 @@ #include "Extract.h" #include "util.h" +#include "file_analysis/Manager.h" using namespace file_analysis; Extract::Extract(RecordVal* args, File* file, const string& arg_filename) - : file_analysis::Analyzer(args, file), filename(arg_filename) + : file_analysis::Analyzer(file_mgr->GetAnalyzerTag("EXTRACT"), args, file), + filename(arg_filename) { fd = open(filename.c_str(), O_WRONLY | O_CREAT | O_TRUNC, 0666); diff --git a/src/file_analysis/analyzer/hash/Hash.cc b/src/file_analysis/analyzer/hash/Hash.cc index 9835f343b6..12463df8bf 100644 --- a/src/file_analysis/analyzer/hash/Hash.cc +++ b/src/file_analysis/analyzer/hash/Hash.cc @@ -5,11 +5,12 @@ #include "Hash.h" #include "util.h" #include "Event.h" +#include "file_analysis/Manager.h" using namespace file_analysis; Hash::Hash(RecordVal* args, File* file, HashVal* hv, const char* arg_kind) - : file_analysis::Analyzer(args, file), hash(hv), fed(false), kind(arg_kind) + : file_analysis::Analyzer(file_mgr->GetAnalyzerTag(to_upper(string(arg_kind)).c_str()), args, file), hash(hv), fed(false), kind(arg_kind) { hash->Init(); } diff --git a/src/file_analysis/file_analysis.bif b/src/file_analysis/file_analysis.bif index b6c80ac800..7e07ddf6bb 100644 --- a/src/file_analysis/file_analysis.bif +++ b/src/file_analysis/file_analysis.bif 
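Review bot: Each analyzer constructor now looks up its own tag by a string literal — `"DATA_EVENT"` in DataEvent.cc, `"EXTRACT"` in Extract.cc and `to_upper(string(arg_kind))` in Hash.cc — and `GetAnalyzerTag(const char*)` returns a false tag when the name is not registered, so a misspelling or a renamed component silently produces an analyzer with an invalid tag that only fails later in `AnalyzerSet::GetKey` or in the destructor's `GetAnalyzerName`. The `Component` that registers the analyzer already exposes both `CanonicalName()` and `Tag()` (see the Manager.cc hunk), so passing the tag into the factory would remove the string coupling; short of that, a comment at each literal naming the component registration it must match would help. As a point of style, the Hash.cc initializer line is far wider than the rest of the file; wrap the `GetAnalyzerTag` argument across lines as the other two files do.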
@@ -16,21 +16,23 @@ function Files::__set_timeout_interval%(file_id: string, t: interval%): bool %} ## :bro:see:`Files::add_analyzer`. -function Files::__add_analyzer%(file_id: string, args: any%): bool +function Files::__add_analyzer%(file_id: string, tag: Files::Tag, args: any%): bool %{ using BifType::Record::Files::AnalyzerArgs; RecordVal* rv = args->AsRecordVal()->CoerceTo(AnalyzerArgs); - bool result = file_mgr->AddAnalyzer(file_id->CheckString(), rv); + bool result = file_mgr->AddAnalyzer(file_id->CheckString(), + file_mgr->GetAnalyzerTag(tag), rv); Unref(rv); return new Val(result, TYPE_BOOL); %} ## :bro:see:`Files::remove_analyzer`. -function Files::__remove_analyzer%(file_id: string, args: any%): bool +function Files::__remove_analyzer%(file_id: string, tag: Files::Tag, args: any%): bool %{ using BifType::Record::Files::AnalyzerArgs; RecordVal* rv = args->AsRecordVal()->CoerceTo(AnalyzerArgs); - bool result = file_mgr->RemoveAnalyzer(file_id->CheckString(), rv); + bool result = file_mgr->RemoveAnalyzer(file_id->CheckString(), + file_mgr->GetAnalyzerTag(tag) , rv); Unref(rv); return new Val(result, TYPE_BOOL); %} @@ -45,7 +47,7 @@ function Files::__stop%(file_id: string%): bool ## :bro:see:`Files::analyzer_name`. function Files::__analyzer_name%(tag: Files::Tag%) : string %{ - return new StringVal(file_mgr->GetAnalyzerName(tag->InternalInt())); + return new StringVal(file_mgr->GetAnalyzerName(tag)); %} module GLOBAL;
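Review bot: `__add_analyzer` and `__remove_analyzer` pass `file_mgr->GetAnalyzerTag(tag)` straight into the manager without checking it; per the new Manager.h docs that lookup returns a tag that evaluates to false when the enum value has no registered component, and downstream that false tag reaches `AnalyzerSet::GetKey` and `Manager::InstantiateAnalyzer`, where it is fatal rather than the `false` return the script layer expects. Resolving the tag once and bailing out keeps the script-visible contract intact and also removes the stray space in `GetAnalyzerTag(tag) , rv` in the remove variant; the same shape applies to `__remove_analyzer`.
```cpp
	// … unchanged: CoerceTo(AnalyzerArgs) into rv …
	file_analysis::Tag t = file_mgr->GetAnalyzerTag(tag);

	if ( ! t )
		{
		Unref(rv);
		return new Val(false, TYPE_BOOL);
		}

	bool result = file_mgr->AddAnalyzer(file_id->CheckString(), t, rv);
	// … unchanged: Unref(rv); return new Val(result, TYPE_BOOL); …
```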