Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

migration to using new differentiated methods for setting record fields

Browse source
This commit is contained in:
Vern Paxson 2021-02-25 16:59:26 -08:00
parent 4213245633
commit 62bab66114
74 changed files with 982 additions and 988 deletions
Download patch file Download diff file Expand all files Collapse all files

32
src/Conn.cc
View file

@ -343,23 +343,23 @@ const RecordValPtr& Connection::ConnVal()
id_val->Assign(3, val_mgr->Port(ntohs(resp_port), prot_type)); id_val->Assign(3, val_mgr->Port(ntohs(resp_port), prot_type));
auto orig_endp = make_intrusive<RecordVal>(id::endpoint); auto orig_endp = make_intrusive<RecordVal>(id::endpoint);
orig_endp->Assign(0, val_mgr->Count(0)); orig_endp->Assign(0, 0);
orig_endp->Assign(1, val_mgr->Count(0)); orig_endp->Assign(1, 0);
orig_endp->Assign(4, val_mgr->Count(orig_flow_label)); orig_endp->Assign(4, orig_flow_label);
const int l2_len = sizeof(orig_l2_addr); const int l2_len = sizeof(orig_l2_addr);
char null[l2_len]{}; char null[l2_len]{};
if ( memcmp(&orig_l2_addr, &null, l2_len) != 0 ) if ( memcmp(&orig_l2_addr, &null, l2_len) != 0 )
orig_endp->Assign(5, make_intrusive<StringVal>(fmt_mac(orig_l2_addr, l2_len))); orig_endp->Assign(5, fmt_mac(orig_l2_addr, l2_len));
auto resp_endp = make_intrusive<RecordVal>(id::endpoint); auto resp_endp = make_intrusive<RecordVal>(id::endpoint);
resp_endp->Assign(0, val_mgr->Count(0)); resp_endp->Assign(0, 0);
resp_endp->Assign(1, val_mgr->Count(0)); resp_endp->Assign(1, 0);
resp_endp->Assign(4, val_mgr->Count(resp_flow_label)); resp_endp->Assign(4, resp_flow_label);
if ( memcmp(&resp_l2_addr, &null, l2_len) != 0 ) if ( memcmp(&resp_l2_addr, &null, l2_len) != 0 )
resp_endp->Assign(5, make_intrusive<StringVal>(fmt_mac(resp_l2_addr, l2_len))); resp_endp->Assign(5, fmt_mac(resp_l2_addr, l2_len));
conn_val->Assign(0, std::move(id_val)); conn_val->Assign(0, std::move(id_val));
conn_val->Assign(1, std::move(orig_endp)); conn_val->Assign(1, std::move(orig_endp));
@ -371,25 +371,25 @@ const RecordValPtr& Connection::ConnVal()
if ( ! uid ) if ( ! uid )
uid.Set(zeek::detail::bits_per_uid); uid.Set(zeek::detail::bits_per_uid);
conn_val->Assign(7, make_intrusive<StringVal>(uid.Base62("C").c_str())); conn_val->Assign(7, uid.Base62("C"));
if ( encapsulation && encapsulation->Depth() > 0 ) if ( encapsulation && encapsulation->Depth() > 0 )
conn_val->Assign(8, encapsulation->ToVal()); conn_val->Assign(8, encapsulation->ToVal());
if ( vlan != 0 ) if ( vlan != 0 )
conn_val->Assign(9, val_mgr->Int(vlan)); conn_val->Assign(9, vlan);
if ( inner_vlan != 0 ) if ( inner_vlan != 0 )
conn_val->Assign(10, val_mgr->Int(inner_vlan)); conn_val->Assign(10, inner_vlan);
} }
if ( root_analyzer ) if ( root_analyzer )
root_analyzer->UpdateConnVal(conn_val.get()); root_analyzer->UpdateConnVal(conn_val.get());
conn_val->Assign(3, make_intrusive<TimeVal>(start_time)); // ### conn_val->AssignTime(3, start_time); // ###
conn_val->Assign(4, make_intrusive<IntervalVal>(last_time - start_time)); conn_val->AssignInterval(4, last_time - start_time);
conn_val->Assign(6, make_intrusive<StringVal>(history.c_str())); conn_val->Assign(6, history);
conn_val->SetOrigin(this); conn_val->SetOrigin(this);
@ -418,7 +418,7 @@ void Connection::AppendAddl(const char* str)
const char* old = cv->GetFieldAs<StringVal>(6)->CheckString(); const char* old = cv->GetFieldAs<StringVal>(6)->CheckString();
const char* format = *old ? "%s %s" : "%s%s"; const char* format = *old ? "%s %s" : "%s%s";
cv->Assign(6, make_intrusive<StringVal>(util::fmt(format, old, str))); cv->Assign(6, util::fmt(format, old, str));
} }
// Returns true if the character at s separates a version number. // Returns true if the character at s separates a version number.
@ -632,7 +632,7 @@ void Connection::CheckFlowLabel(bool is_orig, uint32_t flow_label)
if ( conn_val ) if ( conn_val )
{ {
RecordVal* endp = conn_val->GetFieldAs<RecordVal>(is_orig ? 1 : 2); RecordVal* endp = conn_val->GetFieldAs<RecordVal>(is_orig ? 1 : 2);
endp->Assign(4, val_mgr->Count(flow_label)); endp->Assign(4, flow_label);
} }
if ( connection_flow_label_changed && if ( connection_flow_label_changed &&

6
src/DNS_Mgr.cc
View file

@ -718,10 +718,10 @@ ValPtr DNS_Mgr::BuildMappingVal(DNS_Mapping* dm)
{ {
auto r = make_intrusive<RecordVal>(dm_rec); auto r = make_intrusive<RecordVal>(dm_rec);
r->Assign(0, make_intrusive<TimeVal>(dm->CreationTime())); r->AssignTime(0, dm->CreationTime());
r->Assign(1, make_intrusive<StringVal>(dm->ReqHost() ? dm->ReqHost() : "")); r->Assign(1, dm->ReqHost() ? dm->ReqHost() : "");
r->Assign(2, make_intrusive<AddrVal>(dm->ReqAddr())); r->Assign(2, make_intrusive<AddrVal>(dm->ReqAddr()));
r->Assign(3, val_mgr->Bool(dm->Valid())); r->Assign(3, dm->Valid());
auto h = dm->Host(); auto h = dm->Host();
r->Assign(4, h ? std::move(h) : make_intrusive<StringVal>("<none>")); r->Assign(4, h ? std::move(h) : make_intrusive<StringVal>("<none>"));

2
src/File.cc
View file

@ -290,7 +290,7 @@ RecordVal* File::Rotate()
return nullptr; return nullptr;
} }
info->Assign<TimeVal>(2, open_time); info->AssignTime(2, open_time);
Unlink(); Unlink();

155
src/IP.cc
View file

@ -24,12 +24,12 @@ static VectorValPtr BuildOptionsVal(const u_char* data, int len)
static auto ip6_option_type = id::find_type<RecordType>("ip6_option"); static auto ip6_option_type = id::find_type<RecordType>("ip6_option");
const struct ip6_opt* opt = (const struct ip6_opt*) data; const struct ip6_opt* opt = (const struct ip6_opt*) data;
auto rv = make_intrusive<RecordVal>(ip6_option_type); auto rv = make_intrusive<RecordVal>(ip6_option_type);
rv->Assign(0, val_mgr->Count(opt->ip6o_type)); rv->Assign(0, opt->ip6o_type);
if ( opt->ip6o_type == 0 ) if ( opt->ip6o_type == 0 )
{ {
// Pad1 option // Pad1 option
rv->Assign(1, val_mgr->Count(0)); rv->Assign(1, 0);
rv->Assign(2, val_mgr->EmptyString()); rv->Assign(2, val_mgr->EmptyString());
data += sizeof(uint8_t); data += sizeof(uint8_t);
len -= sizeof(uint8_t); len -= sizeof(uint8_t);
@ -38,9 +38,8 @@ static VectorValPtr BuildOptionsVal(const u_char* data, int len)
{ {
// PadN or other option // PadN or other option
uint16_t off = 2 * sizeof(uint8_t); uint16_t off = 2 * sizeof(uint8_t);
rv->Assign(1, val_mgr->Count(opt->ip6o_len)); rv->Assign(1, opt->ip6o_len);
rv->Assign(2, make_intrusive<StringVal>( rv->Assign(2, new String(data + off, opt->ip6o_len, true));
new String(data + off, opt->ip6o_len, true)));
data += opt->ip6o_len + off; data += opt->ip6o_len + off;
len -= opt->ip6o_len + off; len -= opt->ip6o_len + off;
} }
@ -61,11 +60,11 @@ RecordValPtr IPv6_Hdr::ToVal(VectorValPtr chain) const
static auto ip6_hdr_type = id::find_type<RecordType>("ip6_hdr"); static auto ip6_hdr_type = id::find_type<RecordType>("ip6_hdr");
rv = make_intrusive<RecordVal>(ip6_hdr_type); rv = make_intrusive<RecordVal>(ip6_hdr_type);
const struct ip6_hdr* ip6 = (const struct ip6_hdr*)data; const struct ip6_hdr* ip6 = (const struct ip6_hdr*)data;
rv->Assign(0, val_mgr->Count((ntohl(ip6->ip6_flow) & 0x0ff00000)>>20)); rv->Assign(0, (ntohl(ip6->ip6_flow) & 0x0ff00000)>>20);
rv->Assign(1, val_mgr->Count(ntohl(ip6->ip6_flow) & 0x000fffff)); rv->Assign(1, ntohl(ip6->ip6_flow) & 0x000fffff);
rv->Assign(2, val_mgr->Count(ntohs(ip6->ip6_plen))); rv->Assign(2, ntohs(ip6->ip6_plen));
rv->Assign(3, val_mgr->Count(ip6->ip6_nxt)); rv->Assign(3, ip6->ip6_nxt);
rv->Assign(4, val_mgr->Count(ip6->ip6_hlim)); rv->Assign(4, ip6->ip6_hlim);
rv->Assign(5, make_intrusive<AddrVal>(IPAddr(ip6->ip6_src))); rv->Assign(5, make_intrusive<AddrVal>(IPAddr(ip6->ip6_src)));
rv->Assign(6, make_intrusive<AddrVal>(IPAddr(ip6->ip6_dst))); rv->Assign(6, make_intrusive<AddrVal>(IPAddr(ip6->ip6_dst)));
if ( ! chain ) if ( ! chain )
@ -80,8 +79,8 @@ RecordValPtr IPv6_Hdr::ToVal(VectorValPtr chain) const
static auto ip6_hopopts_type = id::find_type<RecordType>("ip6_hopopts"); static auto ip6_hopopts_type = id::find_type<RecordType>("ip6_hopopts");
rv = make_intrusive<RecordVal>(ip6_hopopts_type); rv = make_intrusive<RecordVal>(ip6_hopopts_type);
const struct ip6_hbh* hbh = (const struct ip6_hbh*)data; const struct ip6_hbh* hbh = (const struct ip6_hbh*)data;
rv->Assign(0, val_mgr->Count(hbh->ip6h_nxt)); rv->Assign(0, hbh->ip6h_nxt);
rv->Assign(1, val_mgr->Count(hbh->ip6h_len)); rv->Assign(1, hbh->ip6h_len);
uint16_t off = 2 * sizeof(uint8_t); uint16_t off = 2 * sizeof(uint8_t);
rv->Assign(2, BuildOptionsVal(data + off, Length() - off)); rv->Assign(2, BuildOptionsVal(data + off, Length() - off));
@ -93,8 +92,8 @@ RecordValPtr IPv6_Hdr::ToVal(VectorValPtr chain) const
static auto ip6_dstopts_type = id::find_type<RecordType>("ip6_dstopts"); static auto ip6_dstopts_type = id::find_type<RecordType>("ip6_dstopts");
rv = make_intrusive<RecordVal>(ip6_dstopts_type); rv = make_intrusive<RecordVal>(ip6_dstopts_type);
const struct ip6_dest* dst = (const struct ip6_dest*)data; const struct ip6_dest* dst = (const struct ip6_dest*)data;
rv->Assign(0, val_mgr->Count(dst->ip6d_nxt)); rv->Assign(0, dst->ip6d_nxt);
rv->Assign(1, val_mgr->Count(dst->ip6d_len)); rv->Assign(1, dst->ip6d_len);
uint16_t off = 2 * sizeof(uint8_t); uint16_t off = 2 * sizeof(uint8_t);
rv->Assign(2, BuildOptionsVal(data + off, Length() - off)); rv->Assign(2, BuildOptionsVal(data + off, Length() - off));
} }
@ -105,12 +104,12 @@ RecordValPtr IPv6_Hdr::ToVal(VectorValPtr chain) const
static auto ip6_routing_type = id::find_type<RecordType>("ip6_routing"); static auto ip6_routing_type = id::find_type<RecordType>("ip6_routing");
rv = make_intrusive<RecordVal>(ip6_routing_type); rv = make_intrusive<RecordVal>(ip6_routing_type);
const struct ip6_rthdr* rt = (const struct ip6_rthdr*)data; const struct ip6_rthdr* rt = (const struct ip6_rthdr*)data;
rv->Assign(0, val_mgr->Count(rt->ip6r_nxt)); rv->Assign(0, rt->ip6r_nxt);
rv->Assign(1, val_mgr->Count(rt->ip6r_len)); rv->Assign(1, rt->ip6r_len);
rv->Assign(2, val_mgr->Count(rt->ip6r_type)); rv->Assign(2, rt->ip6r_type);
rv->Assign(3, val_mgr->Count(rt->ip6r_segleft)); rv->Assign(3, rt->ip6r_segleft);
uint16_t off = 4 * sizeof(uint8_t); uint16_t off = 4 * sizeof(uint8_t);
rv->Assign(4, make_intrusive<StringVal>(new String(data + off, Length() - off, true))); rv->Assign(4, new String(data + off, Length() - off, true));
} }
break; break;
@ -119,12 +118,12 @@ RecordValPtr IPv6_Hdr::ToVal(VectorValPtr chain) const
static auto ip6_fragment_type = id::find_type<RecordType>("ip6_fragment"); static auto ip6_fragment_type = id::find_type<RecordType>("ip6_fragment");
rv = make_intrusive<RecordVal>(ip6_fragment_type); rv = make_intrusive<RecordVal>(ip6_fragment_type);
const struct ip6_frag* frag = (const struct ip6_frag*)data; const struct ip6_frag* frag = (const struct ip6_frag*)data;
rv->Assign(0, val_mgr->Count(frag->ip6f_nxt)); rv->Assign(0, frag->ip6f_nxt);
rv->Assign(1, val_mgr->Count(frag->ip6f_reserved)); rv->Assign(1, frag->ip6f_reserved);
rv->Assign(2, val_mgr->Count((ntohs(frag->ip6f_offlg) & 0xfff8)>>3)); rv->Assign(2, (ntohs(frag->ip6f_offlg) & 0xfff8)>>3);
rv->Assign(3, val_mgr->Count((ntohs(frag->ip6f_offlg) & 0x0006)>>1)); rv->Assign(3, (ntohs(frag->ip6f_offlg) & 0x0006)>>1);
rv->Assign(4, val_mgr->Bool(ntohs(frag->ip6f_offlg) & 0x0001)); rv->Assign(4, bool(ntohs(frag->ip6f_offlg) & 0x0001));
rv->Assign(5, val_mgr->Count(ntohl(frag->ip6f_ident))); rv->Assign(5, ntohl(frag->ip6f_ident));
} }
break; break;
@ -132,18 +131,18 @@ RecordValPtr IPv6_Hdr::ToVal(VectorValPtr chain) const
{ {
static auto ip6_ah_type = id::find_type<RecordType>("ip6_ah"); static auto ip6_ah_type = id::find_type<RecordType>("ip6_ah");
rv = make_intrusive<RecordVal>(ip6_ah_type); rv = make_intrusive<RecordVal>(ip6_ah_type);
rv->Assign(0, val_mgr->Count(((ip6_ext*)data)->ip6e_nxt)); rv->Assign(0, ((ip6_ext*)data)->ip6e_nxt);
rv->Assign(1, val_mgr->Count(((ip6_ext*)data)->ip6e_len)); rv->Assign(1, ((ip6_ext*)data)->ip6e_len);
rv->Assign(2, val_mgr->Count(ntohs(((uint16_t*)data)[1]))); rv->Assign(2, ntohs(((uint16_t*)data)[1]));
rv->Assign(3, val_mgr->Count(ntohl(((uint32_t*)data)[1]))); rv->Assign(3, ntohl(((uint32_t*)data)[1]));
if ( Length() >= 12 ) if ( Length() >= 12 )
{ {
// Sequence Number and ICV fields can only be extracted if // Sequence Number and ICV fields can only be extracted if
// Payload Len was non-zero for this header. // Payload Len was non-zero for this header.
rv->Assign(4, val_mgr->Count(ntohl(((uint32_t*)data)[2]))); rv->Assign(4, ntohl(((uint32_t*)data)[2]));
uint16_t off = 3 * sizeof(uint32_t); uint16_t off = 3 * sizeof(uint32_t);
rv->Assign(5, make_intrusive<StringVal>(new String(data + off, Length() - off, true))); rv->Assign(5, new String(data + off, Length() - off, true));
} }
} }
break; break;
@ -153,8 +152,8 @@ RecordValPtr IPv6_Hdr::ToVal(VectorValPtr chain) const
static auto ip6_esp_type = id::find_type<RecordType>("ip6_esp"); static auto ip6_esp_type = id::find_type<RecordType>("ip6_esp");
rv = make_intrusive<RecordVal>(ip6_esp_type); rv = make_intrusive<RecordVal>(ip6_esp_type);
const uint32_t* esp = (const uint32_t*)data; const uint32_t* esp = (const uint32_t*)data;
rv->Assign(0, val_mgr->Count(ntohl(esp[0]))); rv->Assign(0, ntohl(esp[0]));
rv->Assign(1, val_mgr->Count(ntohl(esp[1]))); rv->Assign(1, ntohl(esp[1]));
} }
break; break;
@ -164,15 +163,15 @@ RecordValPtr IPv6_Hdr::ToVal(VectorValPtr chain) const
static auto ip6_mob_type = id::find_type<RecordType>("ip6_mobility_hdr"); static auto ip6_mob_type = id::find_type<RecordType>("ip6_mobility_hdr");
rv = make_intrusive<RecordVal>(ip6_mob_type); rv = make_intrusive<RecordVal>(ip6_mob_type);
const struct ip6_mobility* mob = (const struct ip6_mobility*) data; const struct ip6_mobility* mob = (const struct ip6_mobility*) data;
rv->Assign(0, val_mgr->Count(mob->ip6mob_payload)); rv->Assign(0, mob->ip6mob_payload);
rv->Assign(1, val_mgr->Count(mob->ip6mob_len)); rv->Assign(1, mob->ip6mob_len);
rv->Assign(2, val_mgr->Count(mob->ip6mob_type)); rv->Assign(2, mob->ip6mob_type);
rv->Assign(3, val_mgr->Count(mob->ip6mob_rsv)); rv->Assign(3, mob->ip6mob_rsv);
rv->Assign(4, val_mgr->Count(ntohs(mob->ip6mob_chksum))); rv->Assign(4, ntohs(mob->ip6mob_chksum));
static auto ip6_mob_msg_type = id::find_type<RecordType>("ip6_mobility_msg"); static auto ip6_mob_msg_type = id::find_type<RecordType>("ip6_mobility_msg");
auto msg = make_intrusive<RecordVal>(ip6_mob_msg_type); auto msg = make_intrusive<RecordVal>(ip6_mob_msg_type);
msg->Assign(0, val_mgr->Count(mob->ip6mob_type)); msg->Assign(0, mob->ip6mob_type);
uint16_t off = sizeof(ip6_mobility); uint16_t off = sizeof(ip6_mobility);
const u_char* msg_data = data + off; const u_char* msg_data = data + off;
@ -190,7 +189,7 @@ RecordValPtr IPv6_Hdr::ToVal(VectorValPtr chain) const
case 0: case 0:
{ {
auto m = make_intrusive<RecordVal>(ip6_mob_brr_type); auto m = make_intrusive<RecordVal>(ip6_mob_brr_type);
m->Assign(0, val_mgr->Count(ntohs(*((uint16_t*)msg_data)))); m->Assign(0, ntohs(*((uint16_t*)msg_data)));
off += sizeof(uint16_t); off += sizeof(uint16_t);
m->Assign(1, BuildOptionsVal(data + off, Length() - off)); m->Assign(1, BuildOptionsVal(data + off, Length() - off));
msg->Assign(1, std::move(m)); msg->Assign(1, std::move(m));
@ -200,8 +199,8 @@ RecordValPtr IPv6_Hdr::ToVal(VectorValPtr chain) const
case 1: case 1:
{ {
auto m = make_intrusive<RecordVal>(ip6_mob_hoti_type); auto m = make_intrusive<RecordVal>(ip6_mob_hoti_type);
m->Assign(0, val_mgr->Count(ntohs(*((uint16_t*)msg_data)))); m->Assign(0, ntohs(*((uint16_t*)msg_data)));
m->Assign(1, val_mgr->Count(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t)))))); m->Assign(1, ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t)))));
off += sizeof(uint16_t) + sizeof(uint64_t); off += sizeof(uint16_t) + sizeof(uint64_t);
m->Assign(2, BuildOptionsVal(data + off, Length() - off)); m->Assign(2, BuildOptionsVal(data + off, Length() - off));
msg->Assign(2, std::move(m)); msg->Assign(2, std::move(m));
@ -211,8 +210,8 @@ RecordValPtr IPv6_Hdr::ToVal(VectorValPtr chain) const
case 2: case 2:
{ {
auto m = make_intrusive<RecordVal>(ip6_mob_coti_type); auto m = make_intrusive<RecordVal>(ip6_mob_coti_type);
m->Assign(0, val_mgr->Count(ntohs(*((uint16_t*)msg_data)))); m->Assign(0, ntohs(*((uint16_t*)msg_data)));
m->Assign(1, val_mgr->Count(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t)))))); m->Assign(1, ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t)))));
off += sizeof(uint16_t) + sizeof(uint64_t); off += sizeof(uint16_t) + sizeof(uint64_t);
m->Assign(2, BuildOptionsVal(data + off, Length() - off)); m->Assign(2, BuildOptionsVal(data + off, Length() - off));
msg->Assign(3, std::move(m)); msg->Assign(3, std::move(m));
@ -222,9 +221,9 @@ RecordValPtr IPv6_Hdr::ToVal(VectorValPtr chain) const
case 3: case 3:
{ {
auto m = make_intrusive<RecordVal>(ip6_mob_hot_type); auto m = make_intrusive<RecordVal>(ip6_mob_hot_type);
m->Assign(0, val_mgr->Count(ntohs(*((uint16_t*)msg_data)))); m->Assign(0, ntohs(*((uint16_t*)msg_data)));
m->Assign(1, val_mgr->Count(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t)))))); m->Assign(1, ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t)))));
m->Assign(2, val_mgr->Count(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t) + sizeof(uint64_t)))))); m->Assign(2, ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t) + sizeof(uint64_t)))));
off += sizeof(uint16_t) + 2 * sizeof(uint64_t); off += sizeof(uint16_t) + 2 * sizeof(uint64_t);
m->Assign(3, BuildOptionsVal(data + off, Length() - off)); m->Assign(3, BuildOptionsVal(data + off, Length() - off));
msg->Assign(4, std::move(m)); msg->Assign(4, std::move(m));
@ -234,9 +233,9 @@ RecordValPtr IPv6_Hdr::ToVal(VectorValPtr chain) const
case 4: case 4:
{ {
auto m = make_intrusive<RecordVal>(ip6_mob_cot_type); auto m = make_intrusive<RecordVal>(ip6_mob_cot_type);
m->Assign(0, val_mgr->Count(ntohs(*((uint16_t*)msg_data)))); m->Assign(0, ntohs(*((uint16_t*)msg_data)));
m->Assign(1, val_mgr->Count(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t)))))); m->Assign(1, ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t)))));
m->Assign(2, val_mgr->Count(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t) + sizeof(uint64_t)))))); m->Assign(2, ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t) + sizeof(uint64_t)))));
off += sizeof(uint16_t) + 2 * sizeof(uint64_t); off += sizeof(uint16_t) + 2 * sizeof(uint64_t);
m->Assign(3, BuildOptionsVal(data + off, Length() - off)); m->Assign(3, BuildOptionsVal(data + off, Length() - off));
msg->Assign(5, std::move(m)); msg->Assign(5, std::move(m));
@ -246,12 +245,12 @@ RecordValPtr IPv6_Hdr::ToVal(VectorValPtr chain) const
case 5: case 5:
{ {
auto m = make_intrusive<RecordVal>(ip6_mob_bu_type); auto m = make_intrusive<RecordVal>(ip6_mob_bu_type);
m->Assign(0, val_mgr->Count(ntohs(*((uint16_t*)msg_data)))); m->Assign(0, ntohs(*((uint16_t*)msg_data))));
m->Assign(1, val_mgr->Bool(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))) & 0x8000)); m->Assign(1, bool(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))) & 0x8000));
m->Assign(2, val_mgr->Bool(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))) & 0x4000)); m->Assign(2, bool(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))) & 0x4000));
m->Assign(3, val_mgr->Bool(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))) & 0x2000)); m->Assign(3, bool(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))) & 0x2000));
m->Assign(4, val_mgr->Bool(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))) & 0x1000)); m->Assign(4, bool(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))) & 0x1000));
m->Assign(5, val_mgr->Count(ntohs(*((uint16_t*)(msg_data + 2*sizeof(uint16_t)))))); m->Assign(5, ntohs(*((uint16_t*)(msg_data + 2*sizeof(uint16_t)))));
off += 3 * sizeof(uint16_t); off += 3 * sizeof(uint16_t);
m->Assign(6, BuildOptionsVal(data + off, Length() - off)); m->Assign(6, BuildOptionsVal(data + off, Length() - off));
msg->Assign(6, std::move(m)); msg->Assign(6, std::move(m));
@ -261,10 +260,10 @@ RecordValPtr IPv6_Hdr::ToVal(VectorValPtr chain) const
case 6: case 6:
{ {
auto m = make_intrusive<RecordVal>(ip6_mob_back_type); auto m = make_intrusive<RecordVal>(ip6_mob_back_type);
m->Assign(0, val_mgr->Count(*((uint8_t*)msg_data))); m->Assign(0, *((uint8_t*)msg_data));
m->Assign(1, val_mgr->Bool(*((uint8_t*)(msg_data + sizeof(uint8_t))) & 0x80)); m->Assign(1, bool(*((uint8_t*)(msg_data + sizeof(uint8_t))) & 0x80));
m->Assign(2, val_mgr->Count(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))))); m->Assign(2, ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))));
m->Assign(3, val_mgr->Count(ntohs(*((uint16_t*)(msg_data + 2*sizeof(uint16_t)))))); m->Assign(3, ntohs(*((uint16_t*)(msg_data + 2*sizeof(uint16_t)))));
off += 3 * sizeof(uint16_t); off += 3 * sizeof(uint16_t);
m->Assign(4, BuildOptionsVal(data + off, Length() - off)); m->Assign(4, BuildOptionsVal(data + off, Length() - off));
msg->Assign(7, std::move(m)); msg->Assign(7, std::move(m));
@ -274,7 +273,7 @@ RecordValPtr IPv6_Hdr::ToVal(VectorValPtr chain) const
case 7: case 7:
{ {
auto m = make_intrusive<RecordVal>(ip6_mob_be_type); auto m = make_intrusive<RecordVal>(ip6_mob_be_type);
m->Assign(0, val_mgr->Count(*((uint8_t*)msg_data))); m->Assign(0, *((uint8_t*)msg_data));
const in6_addr* hoa = (const in6_addr*)(msg_data + sizeof(uint16_t)); const in6_addr* hoa = (const in6_addr*)(msg_data + sizeof(uint16_t));
m->Assign(1, make_intrusive<AddrVal>(IPAddr(*hoa))); m->Assign(1, make_intrusive<AddrVal>(IPAddr(*hoa)));
off += sizeof(uint16_t) + sizeof(in6_addr); off += sizeof(uint16_t) + sizeof(in6_addr);
@ -331,12 +330,12 @@ RecordValPtr IP_Hdr::ToIPHdrVal() const
{ {
static auto ip4_hdr_type = id::find_type<RecordType>("ip4_hdr"); static auto ip4_hdr_type = id::find_type<RecordType>("ip4_hdr");
rval = make_intrusive<RecordVal>(ip4_hdr_type); rval = make_intrusive<RecordVal>(ip4_hdr_type);
rval->Assign(0, val_mgr->Count(ip4->ip_hl * 4)); rval->Assign(0, ip4->ip_hl * 4);
rval->Assign(1, val_mgr->Count(ip4->ip_tos)); rval->Assign(1, ip4->ip_tos);
rval->Assign(2, val_mgr->Count(ntohs(ip4->ip_len))); rval->Assign(2, ntohs(ip4->ip_len));
rval->Assign(3, val_mgr->Count(ntohs(ip4->ip_id))); rval->Assign(3, ntohs(ip4->ip_id));
rval->Assign(4, val_mgr->Count(ip4->ip_ttl)); rval->Assign(4, ip4->ip_ttl);
rval->Assign(5, val_mgr->Count(ip4->ip_p)); rval->Assign(5, ip4->ip_p);
rval->Assign(6, make_intrusive<AddrVal>(ip4->ip_src.s_addr)); rval->Assign(6, make_intrusive<AddrVal>(ip4->ip_src.s_addr));
rval->Assign(7, make_intrusive<AddrVal>(ip4->ip_dst.s_addr)); rval->Assign(7, make_intrusive<AddrVal>(ip4->ip_dst.s_addr));
} }
@ -380,13 +379,13 @@ RecordValPtr IP_Hdr::ToPktHdrVal(RecordValPtr pkt_hdr, int sindex) const
tcp_hdr->Assign(0, val_mgr->Port(ntohs(tp->th_sport), TRANSPORT_TCP)); tcp_hdr->Assign(0, val_mgr->Port(ntohs(tp->th_sport), TRANSPORT_TCP));
tcp_hdr->Assign(1, val_mgr->Port(ntohs(tp->th_dport), TRANSPORT_TCP)); tcp_hdr->Assign(1, val_mgr->Port(ntohs(tp->th_dport), TRANSPORT_TCP));
tcp_hdr->Assign(2, val_mgr->Count(uint32_t(ntohl(tp->th_seq)))); tcp_hdr->Assign(2, uint32_t(ntohl(tp->th_seq)));
tcp_hdr->Assign(3, val_mgr->Count(uint32_t(ntohl(tp->th_ack)))); tcp_hdr->Assign(3, uint32_t(ntohl(tp->th_ack)));
tcp_hdr->Assign(4, val_mgr->Count(tcp_hdr_len)); tcp_hdr->Assign(4, tcp_hdr_len);
tcp_hdr->Assign(5, val_mgr->Count(data_len)); tcp_hdr->Assign(5, data_len);
tcp_hdr->Assign(6, val_mgr->Count(tp->th_x2)); tcp_hdr->Assign(6, tp->th_x2);
tcp_hdr->Assign(7, val_mgr->Count(tp->th_flags)); tcp_hdr->Assign(7, tp->th_flags);
tcp_hdr->Assign(8, val_mgr->Count(ntohs(tp->th_win))); tcp_hdr->Assign(8, ntohs(tp->th_win));
pkt_hdr->Assign(sindex + 2, std::move(tcp_hdr)); pkt_hdr->Assign(sindex + 2, std::move(tcp_hdr));
break; break;
@ -399,7 +398,7 @@ RecordValPtr IP_Hdr::ToPktHdrVal(RecordValPtr pkt_hdr, int sindex) const
udp_hdr->Assign(0, val_mgr->Port(ntohs(up->uh_sport), TRANSPORT_UDP)); udp_hdr->Assign(0, val_mgr->Port(ntohs(up->uh_sport), TRANSPORT_UDP));
udp_hdr->Assign(1, val_mgr->Port(ntohs(up->uh_dport), TRANSPORT_UDP)); udp_hdr->Assign(1, val_mgr->Port(ntohs(up->uh_dport), TRANSPORT_UDP));
udp_hdr->Assign(2, val_mgr->Count(ntohs(up->uh_ulen))); udp_hdr->Assign(2, ntohs(up->uh_ulen));
pkt_hdr->Assign(sindex + 3, std::move(udp_hdr)); pkt_hdr->Assign(sindex + 3, std::move(udp_hdr));
break; break;
@ -410,7 +409,7 @@ RecordValPtr IP_Hdr::ToPktHdrVal(RecordValPtr pkt_hdr, int sindex) const
const struct icmp* icmpp = (const struct icmp *) data; const struct icmp* icmpp = (const struct icmp *) data;
auto icmp_hdr = make_intrusive<RecordVal>(icmp_hdr_type); auto icmp_hdr = make_intrusive<RecordVal>(icmp_hdr_type);
icmp_hdr->Assign(0, val_mgr->Count(icmpp->icmp_type)); icmp_hdr->Assign(0, icmpp->icmp_type);
pkt_hdr->Assign(sindex + 4, std::move(icmp_hdr)); pkt_hdr->Assign(sindex + 4, std::move(icmp_hdr));
break; break;
@ -421,7 +420,7 @@ RecordValPtr IP_Hdr::ToPktHdrVal(RecordValPtr pkt_hdr, int sindex) const
const struct icmp6_hdr* icmpp = (const struct icmp6_hdr*) data; const struct icmp6_hdr* icmpp = (const struct icmp6_hdr*) data;
auto icmp_hdr = make_intrusive<RecordVal>(icmp_hdr_type); auto icmp_hdr = make_intrusive<RecordVal>(icmp_hdr_type);
icmp_hdr->Assign(0, val_mgr->Count(icmpp->icmp6_type)); icmp_hdr->Assign(0, icmpp->icmp6_type);
pkt_hdr->Assign(sindex + 4, std::move(icmp_hdr)); pkt_hdr->Assign(sindex + 4, std::move(icmp_hdr));
break; break;
@ -675,7 +674,7 @@ VectorValPtr IPv6_Hdr_Chain::ToVal() const
auto v = chain[i]->ToVal(); auto v = chain[i]->ToVal();
auto ext_hdr = make_intrusive<RecordVal>(ip6_ext_hdr_type); auto ext_hdr = make_intrusive<RecordVal>(ip6_ext_hdr_type);
uint8_t type = chain[i]->Type(); uint8_t type = chain[i]->Type();
ext_hdr->Assign(0, val_mgr->Count(type)); ext_hdr->Assign(0, type);
switch (type) { switch (type) {
case IPPROTO_HOPOPTS: case IPPROTO_HOPOPTS:

6
src/RuleMatcher.cc
View file

@ -86,10 +86,10 @@ Val* RuleMatcher::BuildRuleStateValue(const Rule* rule,
{ {
static auto signature_state = id::find_type<RecordType>("signature_state"); static auto signature_state = id::find_type<RecordType>("signature_state");
auto* val = new RecordVal(signature_state); auto* val = new RecordVal(signature_state);
val->Assign(0, make_intrusive<StringVal>(rule->ID())); val->Assign(0, rule->ID());
val->Assign(1, state->GetAnalyzer()->ConnVal()); val->Assign(1, state->GetAnalyzer()->ConnVal());
val->Assign(2, val_mgr->Bool(state->is_orig)); val->Assign(2, state->is_orig);
val->Assign(3, val_mgr->Count(state->payload_size)); val->Assign(3, state->payload_size);
return val; return val;
} }

8
src/SmithWaterman.cc
View file

@ -74,7 +74,7 @@ VectorVal* Substring::VecToPolicy(Vec* vec)
Substring* bst = (*vec)[i]; Substring* bst = (*vec)[i];
auto st_val = make_intrusive<RecordVal>(sw_substring_type); auto st_val = make_intrusive<RecordVal>(sw_substring_type);
st_val->Assign(0, make_intrusive<StringVal>(new String(*bst))); st_val->Assign(0, new String(*bst));
auto aligns = make_intrusive<VectorVal>(sw_align_vec_type); auto aligns = make_intrusive<VectorVal>(sw_align_vec_type);
@ -83,14 +83,14 @@ VectorVal* Substring::VecToPolicy(Vec* vec)
const BSSAlign& align = (bst->GetAlignments())[j]; const BSSAlign& align = (bst->GetAlignments())[j];
auto align_val = make_intrusive<RecordVal>(sw_align_type); auto align_val = make_intrusive<RecordVal>(sw_align_type);
align_val->Assign(0, make_intrusive<StringVal>(new String(*align.string))); align_val->Assign(0, new String(*align.string));
align_val->Assign(1, val_mgr->Count(align.index)); align_val->Assign(1, align.index);
aligns->Assign(j, std::move(align_val)); aligns->Assign(j, std::move(align_val));
} }
st_val->Assign(1, std::move(aligns)); st_val->Assign(1, std::move(aligns));
st_val->Assign(2, val_mgr->Bool(bst->IsNewAlignment())); st_val->Assign(2, bst->IsNewAlignment());
result->Assign(i, std::move(st_val)); result->Assign(i, std::move(st_val));
} }
} }

2
src/Stmt.cc
View file

@ -297,7 +297,7 @@ static void print_log(const std::vector<ValPtr>& vals)
vec->Assign(vec->Size(), make_intrusive<StringVal>(d.Description())); vec->Assign(vec->Size(), make_intrusive<StringVal>(d.Description()));
} }
record->Assign(0, make_intrusive<TimeVal>(run_state::network_time)); record->AssignTime(0, run_state::network_time);
record->Assign(1, std::move(vec)); record->Assign(1, std::move(vec));
log_mgr->Write(plval.get(), record.get()); log_mgr->Write(plval.get(), record.get());
} }

2
src/TunnelEncapsulation.cc
View file

@ -30,7 +30,7 @@ RecordValPtr EncapsulatingConn::ToVal() const
rv->Assign(0, std::move(id_val)); rv->Assign(0, std::move(id_val));
rv->Assign(1, BifType::Enum::Tunnel::Type->GetEnumVal(type)); rv->Assign(1, BifType::Enum::Tunnel::Type->GetEnumVal(type));
rv->Assign(2, make_intrusive<StringVal>(uid.Base62("C").c_str())); rv->Assign(2, uid.Base62("C"));
return rv; return rv;
} }

4
src/Type.cc
View file

@ -987,8 +987,8 @@ TableValPtr RecordType::GetRecordFieldsVal(const RecordVal* rv) const
auto nr = make_intrusive<RecordVal>(record_field); auto nr = make_intrusive<RecordVal>(record_field);
string s = container_type_name(ft.get()); string s = container_type_name(ft.get());
nr->Assign(0, make_intrusive<StringVal>(s)); nr->Assign(0, s);
nr->Assign(1, val_mgr->Bool(logged)); nr->Assign(1, logged);
nr->Assign(2, std::move(fv)); nr->Assign(2, std::move(fv));
nr->Assign(3, FieldDefault(i)); nr->Assign(3, FieldDefault(i));
auto field_name = make_intrusive<StringVal>(FieldName(i)); auto field_name = make_intrusive<StringVal>(FieldName(i));

4
src/ZeekArgs.cc
View file

@ -32,12 +32,12 @@ VectorValPtr MakeCallArgumentVector(const Args& vals,
static auto call_argument = id::find_type<RecordType>("call_argument"); static auto call_argument = id::find_type<RecordType>("call_argument");
auto rec = make_intrusive<RecordVal>(call_argument); auto rec = make_intrusive<RecordVal>(call_argument);
rec->Assign(0, make_intrusive<StringVal>(fname)); rec->Assign(0, fname);
ODesc d; ODesc d;
d.SetShort(); d.SetShort();
ftype->Describe(&d); ftype->Describe(&d);
rec->Assign(1, make_intrusive<StringVal>(d.Description())); rec->Assign(1, d.Description());
if ( fdefault ) if ( fdefault )
rec->Assign(2, std::move(fdefault)); rec->Assign(2, std::move(fdefault));

2
src/analyzer/protocol/bittorrent/BitTorrentTracker.cc
View file

@ -500,7 +500,7 @@ void BitTorrentTracker_Analyzer::ResponseBenc(int name_len, char* name,
auto benc_value = make_intrusive<RecordVal>(bittorrent_benc_value); auto benc_value = make_intrusive<RecordVal>(bittorrent_benc_value);
auto name_ = make_intrusive<StringVal>(name_len, name); auto name_ = make_intrusive<StringVal>(name_len, name);
benc_value->Assign(type, val_mgr->Int(value)); benc_value->Assign(type, int(value));
res_val_benc->Assign(std::move(name_), std::move(benc_value)); res_val_benc->Assign(std::move(name_), std::move(benc_value));
} }

8
src/analyzer/protocol/conn-size/ConnSize.cc
View file

@ -184,10 +184,10 @@ void ConnSize_Analyzer::UpdateConnVal(RecordVal *conn_val)
if ( bytesidx < 0 ) if ( bytesidx < 0 )
reporter->InternalError("'endpoint' record missing 'num_bytes_ip' field"); reporter->InternalError("'endpoint' record missing 'num_bytes_ip' field");
orig_endp->Assign(pktidx, val_mgr->Count(orig_pkts)); orig_endp->Assign(pktidx, orig_pkts);
orig_endp->Assign(bytesidx, val_mgr->Count(orig_bytes)); orig_endp->Assign(bytesidx, orig_bytes);
resp_endp->Assign(pktidx, val_mgr->Count(resp_pkts)); resp_endp->Assign(pktidx, resp_pkts);
resp_endp->Assign(bytesidx, val_mgr->Count(resp_bytes)); resp_endp->Assign(bytesidx, resp_bytes);
Analyzer::UpdateConnVal(conn_val); Analyzer::UpdateConnVal(conn_val);
} }

12
src/analyzer/protocol/dhcp/dhcp-analyzer.pac
View file

@ -54,16 +54,16 @@ refine flow DHCP_Flow += {
double secs = static_cast<double>(${msg.secs}); double secs = static_cast<double>(${msg.secs});
auto dhcp_msg_val = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::DHCP::Msg); auto dhcp_msg_val = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::DHCP::Msg);
dhcp_msg_val->Assign(0, zeek::val_mgr->Count(${msg.op})); dhcp_msg_val->Assign(0, ${msg.op});
dhcp_msg_val->Assign(1, zeek::val_mgr->Count(${msg.type})); dhcp_msg_val->Assign(1, ${msg.type});
dhcp_msg_val->Assign(2, zeek::val_mgr->Count(${msg.xid})); dhcp_msg_val->Assign(2, ${msg.xid});
dhcp_msg_val->Assign(3, zeek::make_intrusive<zeek::IntervalVal>(secs)); dhcp_msg_val->AssignInterval(3, secs);
dhcp_msg_val->Assign(4, zeek::val_mgr->Count(${msg.flags})); dhcp_msg_val->Assign(4, ${msg.flags});
dhcp_msg_val->Assign(5, zeek::make_intrusive<zeek::AddrVal>(htonl(${msg.ciaddr}))); dhcp_msg_val->Assign(5, zeek::make_intrusive<zeek::AddrVal>(htonl(${msg.ciaddr})));
dhcp_msg_val->Assign(6, zeek::make_intrusive<zeek::AddrVal>(htonl(${msg.yiaddr}))); dhcp_msg_val->Assign(6, zeek::make_intrusive<zeek::AddrVal>(htonl(${msg.yiaddr})));
dhcp_msg_val->Assign(7, zeek::make_intrusive<zeek::AddrVal>(htonl(${msg.siaddr}))); dhcp_msg_val->Assign(7, zeek::make_intrusive<zeek::AddrVal>(htonl(${msg.siaddr})));
dhcp_msg_val->Assign(8, zeek::make_intrusive<zeek::AddrVal>(htonl(${msg.giaddr}))); dhcp_msg_val->Assign(8, zeek::make_intrusive<zeek::AddrVal>(htonl(${msg.giaddr})));
dhcp_msg_val->Assign(9, zeek::make_intrusive<zeek::StringVal>(mac_str)); dhcp_msg_val->Assign(9, mac_str);
int last_non_null = 0; int last_non_null = 0;

24
src/analyzer/protocol/dhcp/dhcp-options.pac
View file

@ -34,7 +34,7 @@ refine casetype OptionValue += {
refine flow DHCP_Flow += { refine flow DHCP_Flow += {
function process_time_offset_option(v: OptionValue): bool function process_time_offset_option(v: OptionValue): bool
%{ %{
${context.flow}->options->Assign(25, zeek::val_mgr->Int(${v.time_offset})); ${context.flow}->options->Assign(25, int(${v.time_offset}));
return true; return true;
%} %}
}; };
@ -250,7 +250,7 @@ refine casetype OptionValue += {
refine flow DHCP_Flow += { refine flow DHCP_Flow += {
function process_forwarding_option(v: OptionValue): bool function process_forwarding_option(v: OptionValue): bool
%{ %{
${context.flow}->options->Assign(6, zeek::val_mgr->Bool(${v.forwarding} == 0 ? false : true)); ${context.flow}->options->Assign(6, ${v.forwarding} == 0 ? false : true);
return true; return true;
%} %}
@ -414,7 +414,7 @@ refine flow DHCP_Flow += {
function process_lease_option(v: OptionValue): bool function process_lease_option(v: OptionValue): bool
%{ %{
double lease = static_cast<double>(${v.lease}); double lease = static_cast<double>(${v.lease});
${context.flow}->options->Assign(11, zeek::make_intrusive<zeek::IntervalVal>(lease)); ${context.flow}->options->AssignInterval(11, lease);
return true; return true;
%} %}
@ -521,7 +521,7 @@ refine casetype OptionValue += {
refine flow DHCP_Flow += { refine flow DHCP_Flow += {
function process_max_message_size_option(v: OptionValue): bool function process_max_message_size_option(v: OptionValue): bool
%{ %{
${context.flow}->options->Assign(15, zeek::val_mgr->Count(${v.max_msg_size})); ${context.flow}->options->Assign(15, ${v.max_msg_size});
return true; return true;
%} %}
@ -546,7 +546,7 @@ refine flow DHCP_Flow += {
function process_renewal_time_option(v: OptionValue): bool function process_renewal_time_option(v: OptionValue): bool
%{ %{
double renewal_time = static_cast<double>(${v.renewal_time}); double renewal_time = static_cast<double>(${v.renewal_time});
${context.flow}->options->Assign(16, zeek::make_intrusive<zeek::IntervalVal>(renewal_time)); ${context.flow}->options->AssignInterval(16, renewal_time);
return true; return true;
%} %}
@ -571,7 +571,7 @@ refine flow DHCP_Flow += {
function process_rebinding_time_option(v: OptionValue): bool function process_rebinding_time_option(v: OptionValue): bool
%{ %{
double rebinding_time = static_cast<double>(${v.rebinding_time}); double rebinding_time = static_cast<double>(${v.rebinding_time});
${context.flow}->options->Assign(17, zeek::make_intrusive<zeek::IntervalVal>(rebinding_time)); ${context.flow}->options->AssignInterval(17, rebinding_time);
return true; return true;
%} %}
@ -626,7 +626,7 @@ refine flow DHCP_Flow += {
function process_client_id_option(v: OptionValue): bool function process_client_id_option(v: OptionValue): bool
%{ %{
auto client_id = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::DHCP::ClientID); auto client_id = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::DHCP::ClientID);
client_id->Assign(0, zeek::val_mgr->Count(${v.client_id.hwtype})); client_id->Assign(0, ${v.client_id.hwtype});
zeek::StringValPtr sv; zeek::StringValPtr sv;
if ( ${v.client_id.hwtype} == 0 ) if ( ${v.client_id.hwtype} == 0 )
@ -695,9 +695,9 @@ refine flow DHCP_Flow += {
function process_client_fqdn_option(v: OptionValue): bool function process_client_fqdn_option(v: OptionValue): bool
%{ %{
auto client_fqdn = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::DHCP::ClientFQDN); auto client_fqdn = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::DHCP::ClientFQDN);
client_fqdn->Assign(0, zeek::val_mgr->Count(${v.client_fqdn.flags})); client_fqdn->Assign(0, ${v.client_fqdn.flags});
client_fqdn->Assign(1, zeek::val_mgr->Count(${v.client_fqdn.rcode1})); client_fqdn->Assign(1, ${v.client_fqdn.rcode1});
client_fqdn->Assign(2, zeek::val_mgr->Count(${v.client_fqdn.rcode2})); client_fqdn->Assign(2, ${v.client_fqdn.rcode2});
const char* domain_name = reinterpret_cast<const char*>(${v.client_fqdn.domain_name}.begin()); const char* domain_name = reinterpret_cast<const char*>(${v.client_fqdn.domain_name}.begin());
client_fqdn->Assign(3, zeek::make_intrusive<zeek::StringVal>(${v.client_fqdn.domain_name}.length(), domain_name)); client_fqdn->Assign(3, zeek::make_intrusive<zeek::StringVal>(${v.client_fqdn.domain_name}.length(), domain_name));
@ -760,7 +760,7 @@ refine flow DHCP_Flow += {
ptrsubopt != ${v.relay_agent_inf}->end(); ++ptrsubopt ) ptrsubopt != ${v.relay_agent_inf}->end(); ++ptrsubopt )
{ {
auto r = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::DHCP::SubOpt); auto r = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::DHCP::SubOpt);
r->Assign(0, zeek::val_mgr->Count((*ptrsubopt)->code())); r->Assign(0, (*ptrsubopt)->code());
r->Assign(1, to_stringval((*ptrsubopt)->value())); r->Assign(1, to_stringval((*ptrsubopt)->value()));
relay_agent_sub_opt->Assign(i, std::move(r)); relay_agent_sub_opt->Assign(i, std::move(r));
@ -790,7 +790,7 @@ refine casetype OptionValue += {
refine flow DHCP_Flow += { refine flow DHCP_Flow += {
function process_auto_config_option(v: OptionValue): bool function process_auto_config_option(v: OptionValue): bool
%{ %{
${context.flow}->options->Assign(23, zeek::val_mgr->Bool(${v.auto_config} == 0 ? false : true)); ${context.flow}->options->Assign(23, ${v.auto_config} == 0 ? false : true);
return true; return true;
%} %}

202
src/analyzer/protocol/dns/DNS.cc
View file

@ -622,13 +622,13 @@ bool DNS_Interpreter::ParseRR_SOA(detail::DNS_MsgInfo* msg,
{ {
static auto dns_soa = id::find_type<RecordType>("dns_soa"); static auto dns_soa = id::find_type<RecordType>("dns_soa");
auto r = make_intrusive<RecordVal>(dns_soa); auto r = make_intrusive<RecordVal>(dns_soa);
r->Assign(0, make_intrusive<StringVal>(new String(mname, mname_end - mname, true))); r->Assign(0, new String(mname, mname_end - mname, true));
r->Assign(1, make_intrusive<StringVal>(new String(rname, rname_end - rname, true))); r->Assign(1, new String(rname, rname_end - rname, true));
r->Assign(2, val_mgr->Count(serial)); r->Assign(2, serial);
r->Assign(3, make_intrusive<IntervalVal>(double(refresh), Seconds)); r->AssignInterval(3, double(refresh));
r->Assign(4, make_intrusive<IntervalVal>(double(retry), Seconds)); r->AssignInterval(4, double(retry));
r->Assign(5, make_intrusive<IntervalVal>(double(expire), Seconds)); r->AssignInterval(5, double(expire));
r->Assign(6, make_intrusive<IntervalVal>(double(minimum), Seconds)); r->AssignInterval(6, double(minimum));
analyzer->EnqueueConnEvent(dns_SOA_reply, analyzer->EnqueueConnEvent(dns_SOA_reply,
analyzer->ConnVal(), analyzer->ConnVal(),
@ -1849,19 +1849,19 @@ RecordValPtr DNS_MsgInfo::BuildHdrVal()
static auto dns_msg = id::find_type<RecordType>("dns_msg"); static auto dns_msg = id::find_type<RecordType>("dns_msg");
auto r = make_intrusive<RecordVal>(dns_msg); auto r = make_intrusive<RecordVal>(dns_msg);
r->Assign(0, val_mgr->Count(id)); r->Assign(0, id);
r->Assign(1, val_mgr->Count(opcode)); r->Assign(1, opcode);
r->Assign(2, val_mgr->Count(rcode)); r->Assign(2, rcode);
r->Assign(3, val_mgr->Bool(QR)); r->Assign(3, bool(QR));
r->Assign(4, val_mgr->Bool(AA)); r->Assign(4, bool(AA));
r->Assign(5, val_mgr->Bool(TC)); r->Assign(5, bool(TC));
r->Assign(6, val_mgr->Bool(RD)); r->Assign(6, bool(RD));
r->Assign(7, val_mgr->Bool(RA)); r->Assign(7, bool(RA));
r->Assign(8, val_mgr->Count(Z)); r->Assign(8, Z);
r->Assign(9, val_mgr->Count(qdcount)); r->Assign(9, qdcount);
r->Assign(10, val_mgr->Count(ancount)); r->Assign(10, ancount);
r->Assign(11, val_mgr->Count(nscount)); r->Assign(11, nscount);
r->Assign(12, val_mgr->Count(arcount)); r->Assign(12, arcount);
return r; return r;
} }
@ -1871,11 +1871,11 @@ RecordValPtr DNS_MsgInfo::BuildAnswerVal()
static auto dns_answer = id::find_type<RecordType>("dns_answer"); static auto dns_answer = id::find_type<RecordType>("dns_answer");
auto r = make_intrusive<RecordVal>(dns_answer); auto r = make_intrusive<RecordVal>(dns_answer);
r->Assign(0, val_mgr->Count(int(answer_type))); r->Assign(0, int(answer_type));
r->Assign(1, query_name); r->Assign(1, query_name);
r->Assign(2, val_mgr->Count(atype)); r->Assign(2, atype);
r->Assign(3, val_mgr->Count(aclass)); r->Assign(3, aclass);
r->Assign(4, make_intrusive<IntervalVal>(double(ttl), Seconds)); r->AssignInterval(4, double(ttl));
return r; return r;
} }
@ -1887,14 +1887,14 @@ RecordValPtr DNS_MsgInfo::BuildEDNS_Val()
static auto dns_edns_additional = id::find_type<RecordType>("dns_edns_additional"); static auto dns_edns_additional = id::find_type<RecordType>("dns_edns_additional");
auto r = make_intrusive<RecordVal>(dns_edns_additional); auto r = make_intrusive<RecordVal>(dns_edns_additional);
r->Assign(0, val_mgr->Count(int(answer_type))); r->Assign(0, uint64_t(answer_type));
r->Assign(1, query_name); r->Assign(1, query_name);
// type = 0x29 or 41 = EDNS // type = 0x29 or 41 = EDNS
r->Assign(2, val_mgr->Count(atype)); r->Assign(2, atype);
// sender's UDP payload size, per RFC 2671 4.3 // sender's UDP payload size, per RFC 2671 4.3
r->Assign(3, val_mgr->Count(aclass)); r->Assign(3, aclass);
// Need to break the TTL field into three components: // Need to break the TTL field into three components:
// initial: [------------- ttl (32) ---------------------] // initial: [------------- ttl (32) ---------------------]
@ -1907,11 +1907,11 @@ RecordValPtr DNS_MsgInfo::BuildEDNS_Val()
unsigned int return_error = (ercode << 8) | rcode; unsigned int return_error = (ercode << 8) | rcode;
r->Assign(4, val_mgr->Count(return_error)); r->Assign(4, return_error);
r->Assign(5, val_mgr->Count(version)); r->Assign(5, version);
r->Assign(6, val_mgr->Count(z)); r->Assign(6, z);
r->Assign(7, make_intrusive<IntervalVal>(double(ttl), Seconds)); r->AssignInterval(7, double(ttl));
r->Assign(8, val_mgr->Count(is_query)); r->Assign(8, is_query);
return r; return r;
} }
@ -1922,8 +1922,8 @@ RecordValPtr DNS_MsgInfo::BuildEDNS_ECS_Val(struct EDNS_ECS* opt)
auto r = make_intrusive<RecordVal>(dns_edns_ecs); auto r = make_intrusive<RecordVal>(dns_edns_ecs);
r->Assign(0, opt->ecs_family); r->Assign(0, opt->ecs_family);
r->Assign(1, val_mgr->Count(opt->ecs_src_pfx_len)); r->Assign(1, opt->ecs_src_pfx_len);
r->Assign(2, val_mgr->Count(opt->ecs_scp_pfx_len)); r->Assign(2, opt->ecs_scp_pfx_len);
r->Assign(3, opt->ecs_addr); r->Assign(3, opt->ecs_addr);
return r; return r;
@ -1934,8 +1934,8 @@ RecordValPtr DNS_MsgInfo::BuildEDNS_TCP_KA_Val(struct EDNS_TCP_KEEPALIVE* opt)
static auto dns_edns_tcp_keepalive = id::find_type<RecordType>("dns_edns_tcp_keepalive"); static auto dns_edns_tcp_keepalive = id::find_type<RecordType>("dns_edns_tcp_keepalive");
auto r = make_intrusive<RecordVal>(dns_edns_tcp_keepalive); auto r = make_intrusive<RecordVal>(dns_edns_tcp_keepalive);
r->Assign(0, val_mgr->Bool(opt->keepalive_timeout_omitted)); r->Assign(0, bool(opt->keepalive_timeout_omitted));
r->Assign(1, val_mgr->Count(opt->keepalive_timeout)); r->Assign(1, opt->keepalive_timeout);
return r; return r;
} }
@ -1945,9 +1945,9 @@ RecordValPtr DNS_MsgInfo::BuildEDNS_COOKIE_Val(struct EDNS_COOKIE* opt)
static auto dns_edns_cookie = id::find_type<RecordType>("dns_edns_cookie"); static auto dns_edns_cookie = id::find_type<RecordType>("dns_edns_cookie");
auto r = make_intrusive<RecordVal>(dns_edns_cookie); auto r = make_intrusive<RecordVal>(dns_edns_cookie);
r->Assign(0, make_intrusive<StringVal>(opt->client_cookie)); r->Assign(0, opt->client_cookie);
if (opt->server_cookie != nullptr) { if (opt->server_cookie != nullptr) {
r->Assign(1, make_intrusive<StringVal>(opt->server_cookie)); r->Assign(1, opt->server_cookie);
} }
return r; return r;
@ -1959,16 +1959,16 @@ RecordValPtr DNS_MsgInfo::BuildTSIG_Val(struct TSIG_DATA* tsig)
auto r = make_intrusive<RecordVal>(dns_tsig_additional); auto r = make_intrusive<RecordVal>(dns_tsig_additional);
double rtime = tsig->time_s + tsig->time_ms / 1000.0; double rtime = tsig->time_s + tsig->time_ms / 1000.0;
// r->Assign(0, val_mgr->Count(int(answer_type))); // r->Assign(0, uint64_t(answer_type));
r->Assign(0, query_name); r->Assign(0, query_name);
r->Assign(1, val_mgr->Count(int(answer_type))); r->Assign(1, uint64_t(answer_type));
r->Assign(2, make_intrusive<StringVal>(tsig->alg_name)); r->Assign(2, tsig->alg_name);
r->Assign(3, make_intrusive<StringVal>(tsig->sig)); r->Assign(3, tsig->sig);
r->Assign(4, make_intrusive<TimeVal>(rtime)); r->AssignTime(4, rtime);
r->Assign(5, make_intrusive<TimeVal>(double(tsig->fudge))); r->AssignTime(5, double(tsig->fudge));
r->Assign(6, val_mgr->Count(tsig->orig_id)); r->Assign(6, tsig->orig_id);
r->Assign(7, val_mgr->Count(tsig->rr_error)); r->Assign(7, tsig->rr_error);
r->Assign(8, val_mgr->Count(is_query)); r->Assign(8, is_query);
return r; return r;
} }
@ -1979,17 +1979,17 @@ RecordValPtr DNS_MsgInfo::BuildRRSIG_Val(RRSIG_DATA* rrsig)
auto r = make_intrusive<RecordVal>(dns_rrsig_rr); auto r = make_intrusive<RecordVal>(dns_rrsig_rr);
r->Assign(0, query_name); r->Assign(0, query_name);
r->Assign(1, val_mgr->Count(int(answer_type))); r->Assign(1, uint64_t(answer_type));
r->Assign(2, val_mgr->Count(rrsig->type_covered)); r->Assign(2, rrsig->type_covered);
r->Assign(3, val_mgr->Count(rrsig->algorithm)); r->Assign(3, rrsig->algorithm);
r->Assign(4, val_mgr->Count(rrsig->labels)); r->Assign(4, rrsig->labels);
r->Assign(5, make_intrusive<IntervalVal>(double(rrsig->orig_ttl), Seconds)); r->AssignInterval(5, double(rrsig->orig_ttl));
r->Assign(6, make_intrusive<TimeVal>(double(rrsig->sig_exp))); r->AssignTime(6, double(rrsig->sig_exp));
r->Assign(7, make_intrusive<TimeVal>(double(rrsig->sig_incep))); r->AssignTime(7, double(rrsig->sig_incep));
r->Assign(8, val_mgr->Count(rrsig->key_tag)); r->Assign(8, rrsig->key_tag);
r->Assign(9, make_intrusive<StringVal>(rrsig->signer_name)); r->Assign(9, rrsig->signer_name);
r->Assign(10, make_intrusive<StringVal>(rrsig->signature)); r->Assign(10, rrsig->signature);
r->Assign(11, val_mgr->Count(is_query)); r->Assign(11, is_query);
return r; return r;
} }
@ -2000,12 +2000,12 @@ RecordValPtr DNS_MsgInfo::BuildDNSKEY_Val(DNSKEY_DATA* dnskey)
auto r = make_intrusive<RecordVal>(dns_dnskey_rr); auto r = make_intrusive<RecordVal>(dns_dnskey_rr);
r->Assign(0, query_name); r->Assign(0, query_name);
r->Assign(1, val_mgr->Count(int(answer_type))); r->Assign(1, uint64_t(answer_type));
r->Assign(2, val_mgr->Count(dnskey->dflags)); r->Assign(2, dnskey->dflags);
r->Assign(3, val_mgr->Count(dnskey->dprotocol)); r->Assign(3, dnskey->dprotocol);
r->Assign(4, val_mgr->Count(dnskey->dalgorithm)); r->Assign(4, dnskey->dalgorithm);
r->Assign(5, make_intrusive<StringVal>(dnskey->public_key)); r->Assign(5, dnskey->public_key);
r->Assign(6, val_mgr->Count(is_query)); r->Assign(6, is_query);
return r; return r;
} }
@ -2016,16 +2016,16 @@ RecordValPtr DNS_MsgInfo::BuildNSEC3_Val(NSEC3_DATA* nsec3)
auto r = make_intrusive<RecordVal>(dns_nsec3_rr); auto r = make_intrusive<RecordVal>(dns_nsec3_rr);
r->Assign(0, query_name); r->Assign(0, query_name);
r->Assign(1, val_mgr->Count(int(answer_type))); r->Assign(1, uint64_t(answer_type));
r->Assign(2, val_mgr->Count(nsec3->nsec_flags)); r->Assign(2, nsec3->nsec_flags);
r->Assign(3, val_mgr->Count(nsec3->nsec_hash_algo)); r->Assign(3, nsec3->nsec_hash_algo);
r->Assign(4, val_mgr->Count(nsec3->nsec_iter)); r->Assign(4, nsec3->nsec_iter);
r->Assign(5, val_mgr->Count(nsec3->nsec_salt_len)); r->Assign(5, nsec3->nsec_salt_len);
r->Assign(6, make_intrusive<StringVal>(nsec3->nsec_salt)); r->Assign(6, nsec3->nsec_salt);
r->Assign(7, val_mgr->Count(nsec3->nsec_hlen)); r->Assign(7, nsec3->nsec_hlen);
r->Assign(8, make_intrusive<StringVal>(nsec3->nsec_hash)); r->Assign(8, nsec3->nsec_hash);
r->Assign(9, std::move(nsec3->bitmaps)); r->Assign(9, std::move(nsec3->bitmaps));
r->Assign(10, val_mgr->Count(is_query)); r->Assign(10, is_query);
return r; return r;
} }
@ -2036,13 +2036,13 @@ RecordValPtr DNS_MsgInfo::BuildNSEC3PARAM_Val(NSEC3PARAM_DATA* nsec3param)
auto r = make_intrusive<RecordVal>(dns_nsec3param_rr); auto r = make_intrusive<RecordVal>(dns_nsec3param_rr);
r->Assign(0, query_name); r->Assign(0, query_name);
r->Assign(1, val_mgr->Count(int(answer_type))); r->Assign(1, uint64_t(answer_type));
r->Assign(2, val_mgr->Count(nsec3param->nsec_flags)); r->Assign(2, nsec3param->nsec_flags);
r->Assign(3, val_mgr->Count(nsec3param->nsec_hash_algo)); r->Assign(3, nsec3param->nsec_hash_algo);
r->Assign(4, val_mgr->Count(nsec3param->nsec_iter)); r->Assign(4, nsec3param->nsec_iter);
r->Assign(5, val_mgr->Count(nsec3param->nsec_salt_len)); r->Assign(5, nsec3param->nsec_salt_len);
r->Assign(6, make_intrusive<StringVal>(nsec3param->nsec_salt)); r->Assign(6, nsec3param->nsec_salt);
r->Assign(7, val_mgr->Count(is_query)); r->Assign(7, is_query);
return r; return r;
} }
@ -2053,12 +2053,12 @@ RecordValPtr DNS_MsgInfo::BuildDS_Val(DS_DATA* ds)
auto r = make_intrusive<RecordVal>(dns_ds_rr); auto r = make_intrusive<RecordVal>(dns_ds_rr);
r->Assign(0, query_name); r->Assign(0, query_name);
r->Assign(1, val_mgr->Count(int(answer_type))); r->Assign(1, uint64_t(answer_type));
r->Assign(2, val_mgr->Count(ds->key_tag)); r->Assign(2, ds->key_tag);
r->Assign(3, val_mgr->Count(ds->algorithm)); r->Assign(3, ds->algorithm);
r->Assign(4, val_mgr->Count(ds->digest_type)); r->Assign(4, ds->digest_type);
r->Assign(5, make_intrusive<StringVal>(ds->digest_val)); r->Assign(5, ds->digest_val);
r->Assign(6, val_mgr->Count(is_query)); r->Assign(6, is_query);
return r; return r;
} }
@ -2069,12 +2069,12 @@ RecordValPtr DNS_MsgInfo::BuildBINDS_Val(BINDS_DATA* binds)
auto r = make_intrusive<RecordVal>(dns_binds_rr); auto r = make_intrusive<RecordVal>(dns_binds_rr);
r->Assign(0, query_name); r->Assign(0, query_name);
r->Assign(1, val_mgr->Count(int(answer_type))); r->Assign(1, uint64_t(answer_type));
r->Assign(2, val_mgr->Count(binds->algorithm)); r->Assign(2, binds->algorithm);
r->Assign(3, val_mgr->Count(binds->key_id)); r->Assign(3, binds->key_id);
r->Assign(4, val_mgr->Count(binds->removal_flag)); r->Assign(4, binds->removal_flag);
r->Assign(5, make_intrusive<StringVal>(binds->complete_flag)); r->Assign(5, binds->complete_flag);
r->Assign(6, val_mgr->Count(is_query)); r->Assign(6, is_query);
return r; return r;
} }
@ -2085,15 +2085,15 @@ RecordValPtr DNS_MsgInfo::BuildLOC_Val(LOC_DATA* loc)
auto r = make_intrusive<RecordVal>(dns_loc_rr); auto r = make_intrusive<RecordVal>(dns_loc_rr);
r->Assign(0, query_name); r->Assign(0, query_name);
r->Assign(1, val_mgr->Count(int(answer_type))); r->Assign(1, uint64_t(answer_type));
r->Assign(2, val_mgr->Count(loc->version)); r->Assign(2, loc->version);
r->Assign(3, val_mgr->Count(loc->size)); r->Assign(3, loc->size);
r->Assign(4, val_mgr->Count(loc->horiz_pre)); r->Assign(4, loc->horiz_pre);
r->Assign(5, val_mgr->Count(loc->vert_pre)); r->Assign(5, loc->vert_pre);
r->Assign(6, val_mgr->Count(loc->latitude)); r->Assign(6, uint64_t(loc->latitude));
r->Assign(7, val_mgr->Count(loc->longitude)); r->Assign(7, uint64_t(loc->longitude));
r->Assign(8, val_mgr->Count(loc->altitude)); r->Assign(8, uint64_t(loc->altitude));
r->Assign(9, val_mgr->Count(is_query)); r->Assign(9, is_query);
return r; return r;
} }

6
src/analyzer/protocol/ftp/functions.bif
View file

@ -35,13 +35,13 @@ static zeek::ValPtr parse_port(const char* line)
r->Assign(0, zeek::make_intrusive<zeek::AddrVal>(htonl(addr))); r->Assign(0, zeek::make_intrusive<zeek::AddrVal>(htonl(addr)));
r->Assign(1, zeek::val_mgr->Port(port, TRANSPORT_TCP)); r->Assign(1, zeek::val_mgr->Port(port, TRANSPORT_TCP));
r->Assign(2, zeek::val_mgr->Bool(good)); r->Assign(2, good);
} }
else else
{ {
r->Assign(0, zeek::make_intrusive<zeek::AddrVal>(uint32_t(0))); r->Assign(0, zeek::make_intrusive<zeek::AddrVal>(uint32_t(0)));
r->Assign(1, zeek::val_mgr->Port(0, TRANSPORT_TCP)); r->Assign(1, zeek::val_mgr->Port(0, TRANSPORT_TCP));
r->Assign(2, zeek::val_mgr->False()); r->Assign(2, false);
} }
return r; return r;
@ -111,7 +111,7 @@ static zeek::ValPtr parse_eftp(const char* line)
r->Assign(0, zeek::make_intrusive<zeek::AddrVal>(addr)); r->Assign(0, zeek::make_intrusive<zeek::AddrVal>(addr));
r->Assign(1, zeek::val_mgr->Port(port, TRANSPORT_TCP)); r->Assign(1, zeek::val_mgr->Port(port, TRANSPORT_TCP));
r->Assign(2, zeek::val_mgr->Bool(good)); r->Assign(2, good);
return r; return r;
} }

49
src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac
View file

@ -9,21 +9,21 @@ zeek::RecordValPtr BuildGTPv1Hdr(const GTPv1_Header* pdu)
{ {
auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::gtpv1_hdr); auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::gtpv1_hdr);
rv->Assign(0, zeek::val_mgr->Count(pdu->version())); rv->Assign(0, pdu->version());
rv->Assign(1, zeek::val_mgr->Bool(pdu->pt_flag())); rv->Assign(1, bool(pdu->pt_flag()));
rv->Assign(2, zeek::val_mgr->Bool(pdu->rsv())); rv->Assign(2, bool(pdu->rsv()));
rv->Assign(3, zeek::val_mgr->Bool(pdu->e_flag())); rv->Assign(3, bool(pdu->e_flag()));
rv->Assign(4, zeek::val_mgr->Bool(pdu->s_flag())); rv->Assign(4, bool(pdu->s_flag()));
rv->Assign(5, zeek::val_mgr->Bool(pdu->pn_flag())); rv->Assign(5, bool(pdu->pn_flag()));
rv->Assign(6, zeek::val_mgr->Count(pdu->msg_type())); rv->Assign(6, pdu->msg_type());
rv->Assign(7, zeek::val_mgr->Count(pdu->length())); rv->Assign(7, pdu->length());
rv->Assign(8, zeek::val_mgr->Count(pdu->teid())); rv->Assign(8, pdu->teid());
if ( pdu->has_opt() ) if ( pdu->has_opt() )
{ {
rv->Assign(9, zeek::val_mgr->Count(pdu->opt_hdr()->seq())); rv->Assign(9, pdu->opt_hdr()->seq());
rv->Assign(10, zeek::val_mgr->Count(pdu->opt_hdr()->n_pdu())); rv->Assign(10, pdu->opt_hdr()->n_pdu());
rv->Assign(11, zeek::val_mgr->Count(pdu->opt_hdr()->next_type())); rv->Assign(11, pdu->opt_hdr()->next_type());
} }
return rv; return rv;
@ -37,10 +37,10 @@ static zeek::ValPtr BuildIMSI(const InformationElement* ie)
static zeek::ValPtr BuildRAI(const InformationElement* ie) static zeek::ValPtr BuildRAI(const InformationElement* ie)
{ {
auto ev = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::gtp_rai); auto ev = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::gtp_rai);
ev->Assign(0, zeek::val_mgr->Count(ie->rai()->mcc())); ev->Assign(0, ie->rai()->mcc());
ev->Assign(1, zeek::val_mgr->Count(ie->rai()->mnc())); ev->Assign(1, ie->rai()->mnc());
ev->Assign(2, zeek::val_mgr->Count(ie->rai()->lac())); ev->Assign(2, ie->rai()->lac());
ev->Assign(3, zeek::val_mgr->Count(ie->rai()->rac())); ev->Assign(3, ie->rai()->rac());
return ev; return ev;
} }
@ -87,8 +87,8 @@ static zeek::ValPtr BuildTraceType(const InformationElement* ie)
zeek::ValPtr BuildEndUserAddr(const InformationElement* ie) zeek::ValPtr BuildEndUserAddr(const InformationElement* ie)
{ {
auto ev = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::gtp_end_user_addr); auto ev = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::gtp_end_user_addr);
ev->Assign(0, zeek::val_mgr->Count(ie->end_user_addr()->pdp_type_org())); ev->Assign(0, ie->end_user_addr()->pdp_type_org());
ev->Assign(1, zeek::val_mgr->Count(ie->end_user_addr()->pdp_type_num())); ev->Assign(1, ie->end_user_addr()->pdp_type_num());
int len = ie->end_user_addr()->pdp_addr().length(); int len = ie->end_user_addr()->pdp_addr().length();
@ -106,8 +106,7 @@ zeek::ValPtr BuildEndUserAddr(const InformationElement* ie)
zeek::IPAddr(IPv6, (const uint32*) d, zeek::IPAddr::Network))); zeek::IPAddr(IPv6, (const uint32*) d, zeek::IPAddr::Network)));
break; break;
default: default:
ev->Assign(3, zeek::make_intrusive<zeek::StringVal>( ev->Assign(3, new zeek::String((const u_char*) d, len, false));
new zeek::String((const u_char*) d, len, false)));
break; break;
} }
} }
@ -143,7 +142,7 @@ zeek::ValPtr BuildGSN_Addr(const InformationElement* ie)
ev->Assign(0, zeek::make_intrusive<zeek::AddrVal>( ev->Assign(0, zeek::make_intrusive<zeek::AddrVal>(
zeek::IPAddr(IPv6, (const uint32*) d, zeek::IPAddr::Network))); zeek::IPAddr(IPv6, (const uint32*) d, zeek::IPAddr::Network)));
else else
ev->Assign(1, zeek::make_intrusive<zeek::StringVal>(new zeek::String((const u_char*) d, len, false))); ev->Assign(1, new zeek::String((const u_char*) d, len, false));
return ev; return ev;
} }
@ -162,8 +161,8 @@ zeek::ValPtr BuildQoS_Profile(const InformationElement* ie)
const u_char* d = (const u_char*) ie->qos_profile()->data().data(); const u_char* d = (const u_char*) ie->qos_profile()->data().data();
int len = ie->qos_profile()->data().length(); int len = ie->qos_profile()->data().length();
ev->Assign(0, zeek::val_mgr->Count(ie->qos_profile()->alloc_retention_priority())); ev->Assign(0, ie->qos_profile()->alloc_retention_priority());
ev->Assign(1, zeek::make_intrusive<zeek::StringVal>(new zeek::String(d, len, false))); ev->Assign(1, new zeek::String(d, len, false));
return ev; return ev;
} }
@ -196,8 +195,8 @@ zeek::ValPtr BuildPrivateExt(const InformationElement* ie)
const uint8* d = ie->private_ext()->value().data(); const uint8* d = ie->private_ext()->value().data();
int len = ie->private_ext()->value().length(); int len = ie->private_ext()->value().length();
ev->Assign(0, zeek::val_mgr->Count(ie->private_ext()->id())); ev->Assign(0, ie->private_ext()->id());
ev->Assign(1, zeek::make_intrusive<zeek::StringVal>(new zeek::String((const u_char*) d, len, false))); ev->Assign(1, new zeek::String((const u_char*) d, len, false));
return ev; return ev;
} }

20
src/analyzer/protocol/http/HTTP.cc
View file

@ -626,12 +626,12 @@ RecordValPtr HTTP_Message::BuildMessageStat(bool interrupted, const char* msg)
static auto http_message_stat = id::find_type<RecordType>("http_message_stat"); static auto http_message_stat = id::find_type<RecordType>("http_message_stat");
auto stat = make_intrusive<RecordVal>(http_message_stat); auto stat = make_intrusive<RecordVal>(http_message_stat);
int field = 0; int field = 0;
stat->Assign(field++, make_intrusive<TimeVal>(start_time)); stat->AssignTime(field++, start_time);
stat->Assign(field++, val_mgr->Bool(interrupted)); stat->Assign(field++, bool(interrupted));
stat->Assign(field++, make_intrusive<StringVal>(msg)); stat->Assign(field++, msg);
stat->Assign(field++, val_mgr->Count(body_length)); stat->Assign(field++, uint64_t(body_length));
stat->Assign(field++, val_mgr->Count(content_gap_length)); stat->Assign(field++, uint64_t(content_gap_length));
stat->Assign(field++, val_mgr->Count(header_length)); stat->Assign(field++, uint64_t(header_length));
return stat; return stat;
} }
@ -1165,10 +1165,10 @@ void HTTP_Analyzer::GenStats()
{ {
static auto http_stats_rec = id::find_type<RecordType>("http_stats_rec"); static auto http_stats_rec = id::find_type<RecordType>("http_stats_rec");
auto r = make_intrusive<RecordVal>(http_stats_rec); auto r = make_intrusive<RecordVal>(http_stats_rec);
r->Assign(0, val_mgr->Count(num_requests)); r->Assign(0, num_requests);
r->Assign(1, val_mgr->Count(num_replies)); r->Assign(1, num_replies);
r->Assign(2, make_intrusive<DoubleVal>(request_version.ToDouble())); r->Assign(2, request_version.ToDouble());
r->Assign(3, make_intrusive<DoubleVal>(reply_version.ToDouble())); r->Assign(3, reply_version.ToDouble());
// DEBUG_MSG("%.6f http_stats\n", run_state::network_time); // DEBUG_MSG("%.6f http_stats\n", run_state::network_time);
EnqueueConnEvent(http_stats, ConnVal(), std::move(r)); EnqueueConnEvent(http_stats, ConnVal(), std::move(r));

66
src/analyzer/protocol/icmp/ICMP.cc
View file

@ -224,11 +224,11 @@ RecordValPtr ICMP_Analyzer::BuildInfo(const struct icmp* icmpp, int len,
{ {
static auto icmp_info = id::find_type<RecordType>("icmp_info"); static auto icmp_info = id::find_type<RecordType>("icmp_info");
auto rval = make_intrusive<RecordVal>(icmp_info); auto rval = make_intrusive<RecordVal>(icmp_info);
rval->Assign(0, val_mgr->Bool(icmpv6)); rval->Assign(0, bool(icmpv6));
rval->Assign(1, val_mgr->Count(icmpp->icmp_type)); rval->Assign(1, uint32_t(icmpp->icmp_type));
rval->Assign(2, val_mgr->Count(icmpp->icmp_code)); rval->Assign(2, uint32_t(icmpp->icmp_code));
rval->Assign(3, val_mgr->Count(len)); rval->Assign(3, uint32_t(len));
rval->Assign(4, val_mgr->Count(ip_hdr->TTL())); rval->Assign(4, uint32_t(ip_hdr->TTL()));
return rval; return rval;
} }
@ -355,13 +355,13 @@ RecordValPtr ICMP_Analyzer::ExtractICMP4Context(int len, const u_char*& data)
id_val->Assign(3, val_mgr->Port(dst_port, proto)); id_val->Assign(3, val_mgr->Port(dst_port, proto));
iprec->Assign(0, std::move(id_val)); iprec->Assign(0, std::move(id_val));
iprec->Assign(1, val_mgr->Count(ip_len)); iprec->Assign(1, uint32_t(ip_len));
iprec->Assign(2, val_mgr->Count(proto)); iprec->Assign(2, uint32_t(proto));
iprec->Assign(3, val_mgr->Count(frag_offset)); iprec->Assign(3, uint32_t(frag_offset));
iprec->Assign(4, val_mgr->Bool(bad_hdr_len)); iprec->Assign(4, bool(bad_hdr_len));
iprec->Assign(5, val_mgr->Bool(bad_checksum)); iprec->Assign(5, bool(bad_checksum));
iprec->Assign(6, val_mgr->Bool(MF)); iprec->Assign(6, bool(MF));
iprec->Assign(7, val_mgr->Bool(DF)); iprec->Assign(7, bool(DF));
return iprec; return iprec;
} }
@ -415,14 +415,14 @@ RecordValPtr ICMP_Analyzer::ExtractICMP6Context(int len, const u_char*& data)
id_val->Assign(3, val_mgr->Port(dst_port, proto)); id_val->Assign(3, val_mgr->Port(dst_port, proto));
iprec->Assign(0, std::move(id_val)); iprec->Assign(0, std::move(id_val));
iprec->Assign(1, val_mgr->Count(ip_len)); iprec->Assign(1, uint32_t(ip_len));
iprec->Assign(2, val_mgr->Count(proto)); iprec->Assign(2, uint32_t(proto));
iprec->Assign(3, val_mgr->Count(frag_offset)); iprec->Assign(3, uint32_t(frag_offset));
iprec->Assign(4, val_mgr->Bool(bad_hdr_len)); iprec->Assign(4, bool(bad_hdr_len));
// bad_checksum is always false since IPv6 layer doesn't have a checksum. // bad_checksum is always false since IPv6 layer doesn't have a checksum.
iprec->Assign(5, val_mgr->False()); iprec->Assign(5, false);
iprec->Assign(6, val_mgr->Bool(MF)); iprec->Assign(6, bool(MF));
iprec->Assign(7, val_mgr->Bool(DF)); iprec->Assign(7, bool(DF));
return iprec; return iprec;
} }
@ -472,14 +472,14 @@ void ICMP_Analyzer::UpdateEndpointVal(const ValPtr& endp_arg, bool is_orig)
if ( size < 0 ) if ( size < 0 )
{ {
endp->Assign(0, val_mgr->Count(0)); endp->Assign(0, 0);
endp->Assign(1, val_mgr->Count(int(ICMP_INACTIVE))); endp->Assign(1, int(ICMP_INACTIVE));
} }
else else
{ {
endp->Assign(0, val_mgr->Count(size)); endp->Assign(0, size);
endp->Assign(1, val_mgr->Count(int(ICMP_ACTIVE))); endp->Assign(1, int(ICMP_ACTIVE));
} }
} }
@ -743,8 +743,8 @@ VectorValPtr ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* data)
} }
auto rv = make_intrusive<RecordVal>(icmp6_nd_option_type); auto rv = make_intrusive<RecordVal>(icmp6_nd_option_type);
rv->Assign(0, val_mgr->Count(type)); rv->Assign(0, type);
rv->Assign(1, val_mgr->Count(length)); rv->Assign(1, length);
// Adjust length to be in units of bytes, exclude type/length fields. // Adjust length to be in units of bytes, exclude type/length fields.
length = length * 8 - 2; length = length * 8 - 2;
@ -763,7 +763,7 @@ VectorValPtr ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* data)
if ( caplen >= length ) if ( caplen >= length )
{ {
String* link_addr = new String(data, length, false); String* link_addr = new String(data, length, false);
rv->Assign(2, make_intrusive<StringVal>(link_addr)); rv->Assign(2, link_addr);
} }
else else
set_payload_field = true; set_payload_field = true;
@ -783,11 +783,11 @@ VectorValPtr ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* data)
uint32_t valid_life = *((const uint32_t*)(data + 2)); uint32_t valid_life = *((const uint32_t*)(data + 2));
uint32_t prefer_life = *((const uint32_t*)(data + 6)); uint32_t prefer_life = *((const uint32_t*)(data + 6));
in6_addr prefix = *((const in6_addr*)(data + 14)); in6_addr prefix = *((const in6_addr*)(data + 14));
info->Assign(0, val_mgr->Count(prefix_len)); info->Assign(0, prefix_len);
info->Assign(1, val_mgr->Bool(L_flag)); info->Assign(1, L_flag);
info->Assign(2, val_mgr->Bool(A_flag)); info->Assign(2, A_flag);
info->Assign(3, make_intrusive<IntervalVal>((double)ntohl(valid_life), Seconds)); info->AssignInterval(3, double(ntohl(valid_life)));
info->Assign(4, make_intrusive<IntervalVal>((double)ntohl(prefer_life), Seconds)); info->AssignInterval(4, double(ntohl(prefer_life)));
info->Assign(5, make_intrusive<AddrVal>(IPAddr(prefix))); info->Assign(5, make_intrusive<AddrVal>(IPAddr(prefix)));
rv->Assign(3, std::move(info)); rv->Assign(3, std::move(info));
} }
@ -816,7 +816,7 @@ VectorValPtr ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* data)
// MTU option // MTU option
{ {
if ( caplen >= 6 ) if ( caplen >= 6 )
rv->Assign(5, val_mgr->Count(ntohl(*((const uint32_t*)(data + 2))))); rv->Assign(5, uint32_t(ntohl(*((const uint32_t*)(data + 2)))));
else else
set_payload_field = true; set_payload_field = true;
@ -833,7 +833,7 @@ VectorValPtr ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* data)
if ( set_payload_field ) if ( set_payload_field )
{ {
String* payload = new String(data, std::min((int)length, caplen), false); String* payload = new String(data, std::min((int)length, caplen), false);
rv->Assign(6, make_intrusive<StringVal>(payload)); rv->Assign(6, payload);
} }
data += length; data += length;

18
src/analyzer/protocol/irc/IRC.cc
View file

@ -841,14 +841,14 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
for ( size_t i = 0; i < channels.size(); ++i ) for ( size_t i = 0; i < channels.size(); ++i )
{ {
auto info = make_intrusive<RecordVal>(irc_join_info); auto info = make_intrusive<RecordVal>(irc_join_info);
info->Assign(0, make_intrusive<StringVal>(nickname.c_str())); info->Assign(0, nickname);
info->Assign(1, make_intrusive<StringVal>(channels[i].c_str())); info->Assign(1, channels[i]);
if ( i < passwords.size() ) if ( i < passwords.size() )
info->Assign(2, make_intrusive<StringVal>(passwords[i].c_str())); info->Assign(2, passwords[i]);
else else
info->Assign(2, make_intrusive<StringVal>(empty_string.c_str())); info->Assign(2, empty_string);
// User mode. // User mode.
info->Assign(3, make_intrusive<StringVal>(empty_string.c_str())); info->Assign(3, empty_string);
list->Assign(std::move(info), nullptr); list->Assign(std::move(info), nullptr);
} }
@ -903,12 +903,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
mode = "voice"; mode = "voice";
} }
info->Assign(0, make_intrusive<StringVal>(nick.c_str())); info->Assign(0, nick);
info->Assign(1, make_intrusive<StringVal>(channel.c_str())); info->Assign(1, channel);
// Password: // Password:
info->Assign(2, make_intrusive<StringVal>(empty_string.c_str())); info->Assign(2, empty_string);
// User mode: // User mode:
info->Assign(3, make_intrusive<StringVal>(mode.c_str())); info->Assign(3, mode);
list->Assign(std::move(info), nullptr); list->Assign(std::move(info), nullptr);
} }

30
src/analyzer/protocol/krb/krb-analyzer.pac
View file

@ -10,19 +10,19 @@ zeek::RecordValPtr proc_krb_kdc_options(const KRB_KDC_Options* opts)
{ {
auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::KRB::KDC_Options); auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::KRB::KDC_Options);
rv->Assign(0, zeek::val_mgr->Bool(opts->forwardable())); rv->Assign(0, bool(opts->forwardable()));
rv->Assign(1, zeek::val_mgr->Bool(opts->forwarded())); rv->Assign(1, bool(opts->forwarded()));
rv->Assign(2, zeek::val_mgr->Bool(opts->proxiable())); rv->Assign(2, bool(opts->proxiable()));
rv->Assign(3, zeek::val_mgr->Bool(opts->proxy())); rv->Assign(3, bool(opts->proxy()));
rv->Assign(4, zeek::val_mgr->Bool(opts->allow_postdate())); rv->Assign(4, bool(opts->allow_postdate()));
rv->Assign(5, zeek::val_mgr->Bool(opts->postdated())); rv->Assign(5, bool(opts->postdated()));
rv->Assign(6, zeek::val_mgr->Bool(opts->renewable())); rv->Assign(6, bool(opts->renewable()));
rv->Assign(7, zeek::val_mgr->Bool(opts->opt_hardware_auth())); rv->Assign(7, bool(opts->opt_hardware_auth()));
rv->Assign(8, zeek::val_mgr->Bool(opts->disable_transited_check())); rv->Assign(8, bool(opts->disable_transited_check()));
rv->Assign(9, zeek::val_mgr->Bool(opts->renewable_ok())); rv->Assign(9, bool(opts->renewable_ok()));
rv->Assign(10, zeek::val_mgr->Bool(opts->enc_tkt_in_skey())); rv->Assign(10, bool(opts->enc_tkt_in_skey()));
rv->Assign(11, zeek::val_mgr->Bool(opts->renew())); rv->Assign(11, bool(opts->renew()));
rv->Assign(12, zeek::val_mgr->Bool(opts->validate())); rv->Assign(12, bool(opts->validate()));
return rv; return rv;
} }
@ -259,8 +259,8 @@ refine connection KRB_Conn += {
if ( krb_ap_request ) if ( krb_ap_request )
{ {
auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::KRB::AP_Options); auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::KRB::AP_Options);
rv->Assign(0, zeek::val_mgr->Bool(${msg.ap_options.use_session_key})); rv->Assign(0, bool(${msg.ap_options.use_session_key}));
rv->Assign(1, zeek::val_mgr->Bool(${msg.ap_options.mutual_required})); rv->Assign(1, bool(${msg.ap_options.mutual_required}));
auto rvticket = proc_ticket(${msg.ticket}); auto rvticket = proc_ticket(${msg.ticket});
auto authenticationinfo = zeek_analyzer()->GetAuthenticationInfo( auto authenticationinfo = zeek_analyzer()->GetAuthenticationInfo(

8
src/analyzer/protocol/krb/krb-padata.pac
View file

@ -37,7 +37,7 @@ zeek::VectorValPtr proc_padata(const KRB_PA_Data_Sequence* data, const ZeekAnaly
case PA_PW_SALT: case PA_PW_SALT:
{ {
auto type_val = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::KRB::Type_Value); auto type_val = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::KRB::Type_Value);
type_val->Assign(0, zeek::val_mgr->Count(element->data_type())); type_val->Assign(0, uint64_t(data_type));
type_val->Assign(1, to_stringval(element->pa_data_element()->pa_pw_salt()->encoding()->content())); type_val->Assign(1, to_stringval(element->pa_data_element()->pa_pw_salt()->encoding()->content()));
vv->Assign(vv->Size(), std::move(type_val)); vv->Assign(vv->Size(), std::move(type_val));
break; break;
@ -45,7 +45,7 @@ zeek::VectorValPtr proc_padata(const KRB_PA_Data_Sequence* data, const ZeekAnaly
case PA_ENCTYPE_INFO: case PA_ENCTYPE_INFO:
{ {
auto type_val = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::KRB::Type_Value); auto type_val = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::KRB::Type_Value);
type_val->Assign(0, zeek::val_mgr->Count(element->data_type())); type_val->Assign(0, uint64_t(data_type));
type_val->Assign(1, to_stringval(element->pa_data_element()->pf_enctype_info()->salt())); type_val->Assign(1, to_stringval(element->pa_data_element()->pf_enctype_info()->salt()));
vv->Assign(vv->Size(), std::move(type_val)); vv->Assign(vv->Size(), std::move(type_val));
break; break;
@ -53,7 +53,7 @@ zeek::VectorValPtr proc_padata(const KRB_PA_Data_Sequence* data, const ZeekAnaly
case PA_ENCTYPE_INFO2: case PA_ENCTYPE_INFO2:
{ {
auto type_val = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::KRB::Type_Value); auto type_val = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::KRB::Type_Value);
type_val->Assign(0, zeek::val_mgr->Count(element->data_type())); type_val->Assign(0, uint64_t(data_type));
type_val->Assign(1, to_stringval(element->pa_data_element()->pf_enctype_info2()->salt())); type_val->Assign(1, to_stringval(element->pa_data_element()->pf_enctype_info2()->salt()));
vv->Assign(vv->Size(), std::move(type_val)); vv->Assign(vv->Size(), std::move(type_val));
break; break;
@ -113,7 +113,7 @@ zeek::VectorValPtr proc_padata(const KRB_PA_Data_Sequence* data, const ZeekAnaly
if ( ! is_error && element->pa_data_element()->unknown()->meta()->length() > 0 ) if ( ! is_error && element->pa_data_element()->unknown()->meta()->length() > 0 )
{ {
auto type_val = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::KRB::Type_Value); auto type_val = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::KRB::Type_Value);
type_val->Assign(0, zeek::val_mgr->Count(element->data_type())); type_val->Assign(0, uint64_t(data_type));
type_val->Assign(1, to_stringval(element->pa_data_element()->unknown()->content())); type_val->Assign(1, to_stringval(element->pa_data_element()->unknown()->content()));
vv->Assign(vv->Size(), std::move(type_val)); vv->Assign(vv->Size(), std::move(type_val));
} }

8
src/analyzer/protocol/modbus/modbus-analyzer.pac
View file

@ -30,10 +30,10 @@
zeek::RecordValPtr HeaderToVal(ModbusTCP_TransportHeader* header) zeek::RecordValPtr HeaderToVal(ModbusTCP_TransportHeader* header)
{ {
auto modbus_header = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::ModbusHeaders); auto modbus_header = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::ModbusHeaders);
modbus_header->Assign(0, zeek::val_mgr->Count(header->tid())); modbus_header->Assign(0, header->tid());
modbus_header->Assign(1, zeek::val_mgr->Count(header->pid())); modbus_header->Assign(1, header->pid());
modbus_header->Assign(2, zeek::val_mgr->Count(header->uid())); modbus_header->Assign(2, header->uid());
modbus_header->Assign(3, zeek::val_mgr->Count(header->fc())); modbus_header->Assign(3, header->fc());
return modbus_header; return modbus_header;
} }

4
src/analyzer/protocol/mqtt/commands/connack.pac
View file

@ -16,8 +16,8 @@ refine flow MQTT_Flow += {
if ( mqtt_connack ) if ( mqtt_connack )
{ {
auto m = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::MQTT::ConnectAckMsg); auto m = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::MQTT::ConnectAckMsg);
m->Assign(0, zeek::val_mgr->Count(${msg.return_code})); m->Assign(0, ${msg.return_code});
m->Assign(1, zeek::val_mgr->Bool(${msg.session_present})); m->Assign(1, bool(${msg.session_present}));
zeek::BifEvent::enqueue_mqtt_connack(connection()->zeek_analyzer(), zeek::BifEvent::enqueue_mqtt_connack(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
std::move(m)); std::move(m));

10
src/analyzer/protocol/mqtt/commands/connect.pac
View file

@ -47,14 +47,14 @@ refine flow MQTT_Flow += {
auto m = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::MQTT::ConnectMsg); auto m = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::MQTT::ConnectMsg);
m->Assign(0, zeek::make_intrusive<zeek::StringVal>(${msg.protocol_name.str}.length(), m->Assign(0, zeek::make_intrusive<zeek::StringVal>(${msg.protocol_name.str}.length(),
reinterpret_cast<const char*>(${msg.protocol_name.str}.begin()))); reinterpret_cast<const char*>(${msg.protocol_name.str}.begin())));
m->Assign(1, zeek::val_mgr->Count(${msg.protocol_version})); m->Assign(1, ${msg.protocol_version});
m->Assign(2, zeek::make_intrusive<zeek::StringVal>(${msg.client_id.str}.length(), m->Assign(2, zeek::make_intrusive<zeek::StringVal>(${msg.client_id.str}.length(),
reinterpret_cast<const char*>(${msg.client_id.str}.begin()))); reinterpret_cast<const char*>(${msg.client_id.str}.begin())));
m->Assign(3, zeek::make_intrusive<zeek::IntervalVal>(double(${msg.keep_alive}), Seconds)); m->AssignInterval(3, double(${msg.keep_alive}));
m->Assign(4, zeek::val_mgr->Bool(${msg.clean_session})); m->Assign(4, bool(${msg.clean_session}));
m->Assign(5, zeek::val_mgr->Bool(${msg.will_retain})); m->Assign(5, bool(${msg.will_retain}));
m->Assign(6, zeek::val_mgr->Count(${msg.will_qos})); m->Assign(6, ${msg.will_qos});
if ( ${msg.will_flag} ) if ( ${msg.will_flag} )
{ {

8
src/analyzer/protocol/mqtt/commands/publish.pac
View file

@ -24,9 +24,9 @@ refine flow MQTT_Flow += {
if ( mqtt_publish ) if ( mqtt_publish )
{ {
auto m = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::MQTT::PublishMsg); auto m = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::MQTT::PublishMsg);
m->Assign(0, zeek::val_mgr->Bool(${msg.dup})); m->Assign(0, bool(${msg.dup}));
m->Assign(1, zeek::val_mgr->Count(${msg.qos})); m->Assign(1, ${msg.qos});
m->Assign(2, zeek::val_mgr->Bool(${msg.retain})); m->Assign(2, bool(${msg.retain}));
m->Assign<zeek::StringVal>(3, ${msg.topic.str}.length(), m->Assign<zeek::StringVal>(3, ${msg.topic.str}.length(),
reinterpret_cast<const char*>(${msg.topic.str}.begin())); reinterpret_cast<const char*>(${msg.topic.str}.begin()));
@ -40,7 +40,7 @@ refine flow MQTT_Flow += {
m->Assign<zeek::StringVal>(4, len, m->Assign<zeek::StringVal>(4, len,
reinterpret_cast<const char*>(${msg.payload}.begin())); reinterpret_cast<const char*>(${msg.payload}.begin()));
m->Assign(5, zeek::val_mgr->Count(${msg.payload}.length())); m->Assign(5, ${msg.payload}.length());
zeek::BifEvent::enqueue_mqtt_publish(connection()->zeek_analyzer(), zeek::BifEvent::enqueue_mqtt_publish(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),

56
src/analyzer/protocol/ntlm/ntlm-analyzer.pac
View file

@ -20,10 +20,10 @@
zeek::RecordValPtr build_version_record(NTLM_Version* val) zeek::RecordValPtr build_version_record(NTLM_Version* val)
{ {
auto result = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NTLM::Version); auto result = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NTLM::Version);
result->Assign(0, zeek::val_mgr->Count(${val.major_version})); result->Assign(0, ${val.major_version});
result->Assign(1, zeek::val_mgr->Count(${val.minor_version})); result->Assign(1, ${val.minor_version});
result->Assign(2, zeek::val_mgr->Count(${val.build_number})); result->Assign(2, ${val.build_number});
result->Assign(3, zeek::val_mgr->Count(${val.ntlm_revision})); result->Assign(3, ${val.ntlm_revision});
return result; return result;
} }
@ -31,28 +31,28 @@
zeek::RecordValPtr build_negotiate_flag_record(NTLM_Negotiate_Flags* val) zeek::RecordValPtr build_negotiate_flag_record(NTLM_Negotiate_Flags* val)
{ {
auto flags = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NTLM::NegotiateFlags); auto flags = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NTLM::NegotiateFlags);
flags->Assign(0, zeek::val_mgr->Bool(${val.negotiate_56})); flags->Assign(0, bool(${val.negotiate_56}));
flags->Assign(1, zeek::val_mgr->Bool(${val.negotiate_key_exch})); flags->Assign(1, bool(${val.negotiate_key_exch}));
flags->Assign(2, zeek::val_mgr->Bool(${val.negotiate_128})); flags->Assign(2, bool(${val.negotiate_128}));
flags->Assign(3, zeek::val_mgr->Bool(${val.negotiate_version})); flags->Assign(3, bool(${val.negotiate_version}));
flags->Assign(4, zeek::val_mgr->Bool(${val.negotiate_target_info})); flags->Assign(4, bool(${val.negotiate_target_info}));
flags->Assign(5, zeek::val_mgr->Bool(${val.request_non_nt_session_key})); flags->Assign(5, bool(${val.request_non_nt_session_key}));
flags->Assign(6, zeek::val_mgr->Bool(${val.negotiate_identify})); flags->Assign(6, bool(${val.negotiate_identify}));
flags->Assign(7, zeek::val_mgr->Bool(${val.negotiate_extended_sessionsecurity})); flags->Assign(7, bool(${val.negotiate_extended_sessionsecurity}));
flags->Assign(8, zeek::val_mgr->Bool(${val.target_type_server})); flags->Assign(8, bool(${val.target_type_server}));
flags->Assign(9, zeek::val_mgr->Bool(${val.target_type_domain})); flags->Assign(9, bool(${val.target_type_domain}));
flags->Assign(10, zeek::val_mgr->Bool(${val.negotiate_always_sign})); flags->Assign(10, bool(${val.negotiate_always_sign}));
flags->Assign(11, zeek::val_mgr->Bool(${val.negotiate_oem_workstation_supplied})); flags->Assign(11, bool(${val.negotiate_oem_workstation_supplied}));
flags->Assign(12, zeek::val_mgr->Bool(${val.negotiate_oem_domain_supplied})); flags->Assign(12, bool(${val.negotiate_oem_domain_supplied}));
flags->Assign(13, zeek::val_mgr->Bool(${val.negotiate_anonymous_connection})); flags->Assign(13, bool(${val.negotiate_anonymous_connection}));
flags->Assign(14, zeek::val_mgr->Bool(${val.negotiate_ntlm})); flags->Assign(14, bool(${val.negotiate_ntlm}));
flags->Assign(15, zeek::val_mgr->Bool(${val.negotiate_lm_key})); flags->Assign(15, bool(${val.negotiate_lm_key}));
flags->Assign(16, zeek::val_mgr->Bool(${val.negotiate_datagram})); flags->Assign(16, bool(${val.negotiate_datagram}));
flags->Assign(17, zeek::val_mgr->Bool(${val.negotiate_seal})); flags->Assign(17, bool(${val.negotiate_seal}));
flags->Assign(18, zeek::val_mgr->Bool(${val.negotiate_sign})); flags->Assign(18, bool(${val.negotiate_sign}));
flags->Assign(19, zeek::val_mgr->Bool(${val.request_target})); flags->Assign(19, bool(${val.request_target}));
flags->Assign(20, zeek::val_mgr->Bool(${val.negotiate_oem})); flags->Assign(20, bool(${val.negotiate_oem}));
flags->Assign(21, zeek::val_mgr->Bool(${val.negotiate_unicode})); flags->Assign(21, bool(${val.negotiate_unicode}));
return flags; return flags;
} }
@ -96,13 +96,13 @@ refine connection NTLM_Conn += {
result->Assign(4, utf16_to_utf8_val(zeek_analyzer()->Conn(), ${val.pairs[i].dns_tree_name.data})); result->Assign(4, utf16_to_utf8_val(zeek_analyzer()->Conn(), ${val.pairs[i].dns_tree_name.data}));
break; break;
case 6: case 6:
result->Assign(5, zeek::val_mgr->Bool(${val.pairs[i].constrained_auth})); result->Assign(5, bool(${val.pairs[i].constrained_auth}));
break; break;
case 7: case 7:
result->Assign(6, filetime2zeektime(${val.pairs[i].timestamp})); result->Assign(6, filetime2zeektime(${val.pairs[i].timestamp}));
break; break;
case 8: case 8:
result->Assign(7, zeek::val_mgr->Count(${val.pairs[i].single_host.machine_id})); result->Assign(7, ${val.pairs[i].single_host.machine_id});
break; break;
case 9: case 9:
result->Assign(8, utf16_to_utf8_val(zeek_analyzer()->Conn(), ${val.pairs[i].target_name.data})); result->Assign(8, utf16_to_utf8_val(zeek_analyzer()->Conn(), ${val.pairs[i].target_name.data}));

42
src/analyzer/protocol/ntp/ntp-analyzer.pac
View file

@ -36,9 +36,9 @@
{ {
auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NTP::StandardMessage); auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NTP::StandardMessage);
rv->Assign(0, zeek::val_mgr->Count(${nsm.stratum})); rv->Assign(0, ${nsm.stratum});
rv->Assign(1, zeek::make_intrusive<zeek::IntervalVal>(pow(2, ${nsm.poll}))); rv->AssignInterval(1, pow(2, ${nsm.poll}));
rv->Assign(2, zeek::make_intrusive<zeek::IntervalVal>(pow(2, ${nsm.precision}))); rv->AssignInterval(2, pow(2, ${nsm.precision}));
rv->Assign(3, proc_ntp_short(${nsm.root_delay})); rv->Assign(3, proc_ntp_short(${nsm.root_delay}));
rv->Assign(4, proc_ntp_short(${nsm.root_dispersion})); rv->Assign(4, proc_ntp_short(${nsm.root_dispersion}));
@ -66,19 +66,19 @@
if ( ${nsm.mac_len} == 20 ) if ( ${nsm.mac_len} == 20 )
{ {
rv->Assign(12, zeek::val_mgr->Count(${nsm.mac.key_id})); rv->Assign(12, ${nsm.mac.key_id});
rv->Assign(13, to_stringval(${nsm.mac.digest})); rv->Assign(13, to_stringval(${nsm.mac.digest}));
} }
else if ( ${nsm.mac_len} == 24 ) else if ( ${nsm.mac_len} == 24 )
{ {
rv->Assign(12, zeek::val_mgr->Count(${nsm.mac_ext.key_id})); rv->Assign(12, ${nsm.mac_ext.key_id});
rv->Assign(13, to_stringval(${nsm.mac_ext.digest})); rv->Assign(13, to_stringval(${nsm.mac_ext.digest}));
} }
if ( ${nsm.has_exts} ) if ( ${nsm.has_exts} )
{ {
// TODO: add extension fields // TODO: add extension fields
rv->Assign(14, zeek::val_mgr->Count((uint32) ${nsm.exts}->size())); rv->Assign(14, (uint32) ${nsm.exts}->size());
} }
return rv; return rv;
@ -89,20 +89,20 @@
{ {
auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NTP::ControlMessage); auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NTP::ControlMessage);
rv->Assign(0, zeek::val_mgr->Count(${ncm.OpCode})); rv->Assign(0, ${ncm.OpCode});
rv->Assign(1, zeek::val_mgr->Bool(${ncm.R})); rv->Assign(1, bool(${ncm.R}));
rv->Assign(2, zeek::val_mgr->Bool(${ncm.E})); rv->Assign(2, bool(${ncm.E}));
rv->Assign(3, zeek::val_mgr->Bool(${ncm.M})); rv->Assign(3, bool(${ncm.M}));
rv->Assign(4, zeek::val_mgr->Count(${ncm.sequence})); rv->Assign(4, ${ncm.sequence});
rv->Assign(5, zeek::val_mgr->Count(${ncm.status})); rv->Assign(5, ${ncm.status});
rv->Assign(6, zeek::val_mgr->Count(${ncm.association_id})); rv->Assign(6, ${ncm.association_id});
if ( ${ncm.c} > 0 ) if ( ${ncm.c} > 0 )
rv->Assign(7, to_stringval(${ncm.data})); rv->Assign(7, to_stringval(${ncm.data}));
if ( ${ncm.has_control_mac} ) if ( ${ncm.has_control_mac} )
{ {
rv->Assign(8, zeek::val_mgr->Count(${ncm.mac.key_id})); rv->Assign(8, ${ncm.mac.key_id});
rv->Assign(9, to_stringval(${ncm.mac.crypto_checksum})); rv->Assign(9, to_stringval(${ncm.mac.crypto_checksum}));
} }
@ -114,11 +114,11 @@
{ {
auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NTP::Mode7Message); auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NTP::Mode7Message);
rv->Assign(0, zeek::val_mgr->Count(${m7.request_code})); rv->Assign(0, ${m7.request_code});
rv->Assign(1, zeek::val_mgr->Bool(${m7.auth_bit})); rv->Assign(1, bool(${m7.auth_bit}));
rv->Assign(2, zeek::val_mgr->Count(${m7.sequence})); rv->Assign(2, ${m7.sequence});
rv->Assign(3, zeek::val_mgr->Count(${m7.implementation})); rv->Assign(3, ${m7.implementation});
rv->Assign(4, zeek::val_mgr->Count(${m7.error_code})); rv->Assign(4, ${m7.error_code});
if ( ${m7.data_len} > 0 ) if ( ${m7.data_len} > 0 )
rv->Assign(5, to_stringval(${m7.data})); rv->Assign(5, to_stringval(${m7.data}));
@ -139,8 +139,8 @@ refine flow NTP_Flow += {
return false; return false;
auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NTP::Message); auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NTP::Message);
rv->Assign(0, zeek::val_mgr->Count(${msg.version})); rv->Assign(0, ${msg.version});
rv->Assign(1, zeek::val_mgr->Count(${msg.mode})); rv->Assign(1, ${msg.mode});
// The standard record // The standard record
if ( ${msg.mode} >=1 && ${msg.mode} <= 5 ) if ( ${msg.mode} >=1 && ${msg.mode} <= 5 )

4
src/analyzer/protocol/radius/radius-analyzer.pac
View file

@ -8,8 +8,8 @@ refine flow RADIUS_Flow += {
return false; return false;
auto result = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::RADIUS::Message); auto result = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::RADIUS::Message);
result->Assign(0, zeek::val_mgr->Count(${msg.code})); result->Assign(0, ${msg.code});
result->Assign(1, zeek::val_mgr->Count(${msg.trans_id})); result->Assign(1, ${msg.trans_id});
result->Assign(2, to_stringval(${msg.authenticator})); result->Assign(2, to_stringval(${msg.authenticator}));
if ( ${msg.attributes}->size() ) if ( ${msg.attributes}->size() )

90
src/analyzer/protocol/rdp/rdp-analyzer.pac
View file

@ -66,35 +66,35 @@ refine flow RDP_Flow += {
if ( rdp_client_core_data ) if ( rdp_client_core_data )
{ {
auto ec_flags = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::RDP::EarlyCapabilityFlags); auto ec_flags = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::RDP::EarlyCapabilityFlags);
ec_flags->Assign(0, zeek::val_mgr->Bool(${ccore.SUPPORT_ERRINFO_PDU})); ec_flags->Assign(0, bool(${ccore.SUPPORT_ERRINFO_PDU}));
ec_flags->Assign(1, zeek::val_mgr->Bool(${ccore.WANT_32BPP_SESSION})); ec_flags->Assign(1, bool(${ccore.WANT_32BPP_SESSION}));
ec_flags->Assign(2, zeek::val_mgr->Bool(${ccore.SUPPORT_STATUSINFO_PDU})); ec_flags->Assign(2, bool(${ccore.SUPPORT_STATUSINFO_PDU}));
ec_flags->Assign(3, zeek::val_mgr->Bool(${ccore.STRONG_ASYMMETRIC_KEYS})); ec_flags->Assign(3, bool(${ccore.STRONG_ASYMMETRIC_KEYS}));
ec_flags->Assign(4, zeek::val_mgr->Bool(${ccore.SUPPORT_MONITOR_LAYOUT_PDU})); ec_flags->Assign(4, bool(${ccore.SUPPORT_MONITOR_LAYOUT_PDU}));
ec_flags->Assign(5, zeek::val_mgr->Bool(${ccore.SUPPORT_NETCHAR_AUTODETECT})); ec_flags->Assign(5, bool(${ccore.SUPPORT_NETCHAR_AUTODETECT}));
ec_flags->Assign(6, zeek::val_mgr->Bool(${ccore.SUPPORT_DYNVC_GFX_PROTOCOL})); ec_flags->Assign(6, bool(${ccore.SUPPORT_DYNVC_GFX_PROTOCOL}));
ec_flags->Assign(7, zeek::val_mgr->Bool(${ccore.SUPPORT_DYNAMIC_TIME_ZONE})); ec_flags->Assign(7, bool(${ccore.SUPPORT_DYNAMIC_TIME_ZONE}));
ec_flags->Assign(8, zeek::val_mgr->Bool(${ccore.SUPPORT_HEARTBEAT_PDU})); ec_flags->Assign(8, bool(${ccore.SUPPORT_HEARTBEAT_PDU}));
auto ccd = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::RDP::ClientCoreData); auto ccd = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::RDP::ClientCoreData);
ccd->Assign(0, zeek::val_mgr->Count(${ccore.version_major})); ccd->Assign(0, ${ccore.version_major});
ccd->Assign(1, zeek::val_mgr->Count(${ccore.version_minor})); ccd->Assign(1, ${ccore.version_minor});
ccd->Assign(2, zeek::val_mgr->Count(${ccore.desktop_width})); ccd->Assign(2, ${ccore.desktop_width});
ccd->Assign(3, zeek::val_mgr->Count(${ccore.desktop_height})); ccd->Assign(3, ${ccore.desktop_height});
ccd->Assign(4, zeek::val_mgr->Count(${ccore.color_depth})); ccd->Assign(4, ${ccore.color_depth});
ccd->Assign(5, zeek::val_mgr->Count(${ccore.sas_sequence})); ccd->Assign(5, ${ccore.sas_sequence});
ccd->Assign(6, zeek::val_mgr->Count(${ccore.keyboard_layout})); ccd->Assign(6, ${ccore.keyboard_layout});
ccd->Assign(7, zeek::val_mgr->Count(${ccore.client_build})); ccd->Assign(7, ${ccore.client_build});
ccd->Assign(8, utf16_to_utf8_val(connection()->zeek_analyzer()->Conn(), ${ccore.client_name})); ccd->Assign(8, utf16_to_utf8_val(connection()->zeek_analyzer()->Conn(), ${ccore.client_name}));
ccd->Assign(9, zeek::val_mgr->Count(${ccore.keyboard_type})); ccd->Assign(9, ${ccore.keyboard_type});
ccd->Assign(10, zeek::val_mgr->Count(${ccore.keyboard_sub})); ccd->Assign(10, ${ccore.keyboard_sub});
ccd->Assign(11, zeek::val_mgr->Count(${ccore.keyboard_function_key})); ccd->Assign(11, ${ccore.keyboard_function_key});
ccd->Assign(12, utf16_to_utf8_val(connection()->zeek_analyzer()->Conn(), ${ccore.ime_file_name})); ccd->Assign(12, utf16_to_utf8_val(connection()->zeek_analyzer()->Conn(), ${ccore.ime_file_name}));
ccd->Assign(13, zeek::val_mgr->Count(${ccore.post_beta2_color_depth})); ccd->Assign(13, ${ccore.post_beta2_color_depth});
ccd->Assign(14, zeek::val_mgr->Count(${ccore.client_product_id})); ccd->Assign(14, ${ccore.client_product_id});
ccd->Assign(15, zeek::val_mgr->Count(${ccore.serial_number})); ccd->Assign(15, ${ccore.serial_number});
ccd->Assign(16, zeek::val_mgr->Count(${ccore.high_color_depth})); ccd->Assign(16, ${ccore.high_color_depth});
ccd->Assign(17, zeek::val_mgr->Count(${ccore.supported_color_depths})); ccd->Assign(17, ${ccore.supported_color_depths});
ccd->Assign(18, std::move(ec_flags)); ccd->Assign(18, std::move(ec_flags));
ccd->Assign(19, utf16_to_utf8_val(connection()->zeek_analyzer()->Conn(), ${ccore.dig_product_id})); ccd->Assign(19, utf16_to_utf8_val(connection()->zeek_analyzer()->Conn(), ${ccore.dig_product_id}));
@ -112,8 +112,8 @@ refine flow RDP_Flow += {
return false; return false;
auto csd = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::RDP::ClientSecurityData); auto csd = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::RDP::ClientSecurityData);
csd->Assign(0, zeek::val_mgr->Count(${csec.encryption_methods})); csd->Assign(0, ${csec.encryption_methods});
csd->Assign(1, zeek::val_mgr->Count(${csec.ext_encryption_methods})); csd->Assign(1, ${csec.ext_encryption_methods});
zeek::BifEvent::enqueue_rdp_client_security_data(connection()->zeek_analyzer(), zeek::BifEvent::enqueue_rdp_client_security_data(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
@ -135,19 +135,19 @@ refine flow RDP_Flow += {
auto channel_def = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::RDP::ClientChannelDef); auto channel_def = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::RDP::ClientChannelDef);
channel_def->Assign(0, to_stringval(${cnetwork.channel_def_array[i].name})); channel_def->Assign(0, to_stringval(${cnetwork.channel_def_array[i].name}));
channel_def->Assign(1, zeek::val_mgr->Count(${cnetwork.channel_def_array[i].options})); channel_def->Assign(1, ${cnetwork.channel_def_array[i].options});
channel_def->Assign(2, zeek::val_mgr->Bool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_INITIALIZED})); channel_def->Assign(2, bool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_INITIALIZED}));
channel_def->Assign(3, zeek::val_mgr->Bool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_ENCRYPT_RDP})); channel_def->Assign(3, bool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_ENCRYPT_RDP}));
channel_def->Assign(4, zeek::val_mgr->Bool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_ENCRYPT_SC})); channel_def->Assign(4, bool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_ENCRYPT_SC}));
channel_def->Assign(5, zeek::val_mgr->Bool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_ENCRYPT_CS})); channel_def->Assign(5, bool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_ENCRYPT_CS}));
channel_def->Assign(6, zeek::val_mgr->Bool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_PRI_HIGH})); channel_def->Assign(6, bool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_PRI_HIGH}));
channel_def->Assign(7, zeek::val_mgr->Bool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_PRI_MED})); channel_def->Assign(7, bool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_PRI_MED}));
channel_def->Assign(8, zeek::val_mgr->Bool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_PRI_LOW})); channel_def->Assign(8, bool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_PRI_LOW}));
channel_def->Assign(9, zeek::val_mgr->Bool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_COMPRESS_RDP})); channel_def->Assign(9, bool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_COMPRESS_RDP}));
channel_def->Assign(10, zeek::val_mgr->Bool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_COMPRESS})); channel_def->Assign(10, bool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_COMPRESS}));
channel_def->Assign(11, zeek::val_mgr->Bool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_SHOW_PROTOCOL})); channel_def->Assign(11, bool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_SHOW_PROTOCOL}));
channel_def->Assign(12, zeek::val_mgr->Bool(${cnetwork.channel_def_array[i].REMOTE_CONTROL_PERSISTENT})); channel_def->Assign(12, bool(${cnetwork.channel_def_array[i].REMOTE_CONTROL_PERSISTENT}));
channels->Assign(channels->Size(), std::move(channel_def)); channels->Assign(channels->Size(), std::move(channel_def));
} }
@ -166,12 +166,12 @@ refine flow RDP_Flow += {
return false; return false;
auto ccld = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::RDP::ClientClusterData); auto ccld = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::RDP::ClientClusterData);
ccld->Assign(0, zeek::val_mgr->Count(${ccluster.flags})); ccld->Assign(0, ${ccluster.flags});
ccld->Assign(1, zeek::val_mgr->Count(${ccluster.redir_session_id})); ccld->Assign(1, ${ccluster.redir_session_id});
ccld->Assign(2, zeek::val_mgr->Bool(${ccluster.REDIRECTION_SUPPORTED})); ccld->Assign(2, bool(${ccluster.REDIRECTION_SUPPORTED}));
ccld->Assign(3, zeek::val_mgr->Count(${ccluster.SERVER_SESSION_REDIRECTION_VERSION_MASK})); ccld->Assign(3, ${ccluster.SERVER_SESSION_REDIRECTION_VERSION_MASK});
ccld->Assign(4, zeek::val_mgr->Bool(${ccluster.REDIRECTED_SESSIONID_FIELD_VALID})); ccld->Assign(4, bool(${ccluster.REDIRECTED_SESSIONID_FIELD_VALID}));
ccld->Assign(5, zeek::val_mgr->Bool(${ccluster.REDIRECTED_SMARTCARD})); ccld->Assign(5, bool(${ccluster.REDIRECTED_SMARTCARD}));
zeek::BifEvent::enqueue_rdp_client_cluster_data(connection()->zeek_analyzer(), zeek::BifEvent::enqueue_rdp_client_cluster_data(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),

22
src/analyzer/protocol/rpc/MOUNT.cc
View file

@ -188,16 +188,16 @@ Args MOUNT_Interp::event_common_vl(RPC_CallInfo *c,
auto info = make_intrusive<RecordVal>(BifType::Record::MOUNT3::info_t); auto info = make_intrusive<RecordVal>(BifType::Record::MOUNT3::info_t);
info->Assign(0, BifType::Enum::rpc_status->GetEnumVal(rpc_status)); info->Assign(0, BifType::Enum::rpc_status->GetEnumVal(rpc_status));
info->Assign(1, BifType::Enum::MOUNT3::status_t->GetEnumVal(mount_status)); info->Assign(1, BifType::Enum::MOUNT3::status_t->GetEnumVal(mount_status));
info->Assign(2, make_intrusive<TimeVal>(c->StartTime())); info->AssignTime(2, c->StartTime());
info->Assign(3, make_intrusive<IntervalVal>(c->LastTime() - c->StartTime())); info->AssignInterval(3, c->LastTime() - c->StartTime());
info->Assign(4, val_mgr->Count(c->RPCLen())); info->Assign(4, c->RPCLen());
info->Assign(5, make_intrusive<TimeVal>(rep_start_time)); info->AssignTime(5, rep_start_time);
info->Assign(6, make_intrusive<IntervalVal>(rep_last_time - rep_start_time)); info->AssignInterval(6, rep_last_time - rep_start_time);
info->Assign(7, val_mgr->Count(reply_len)); info->Assign(7, reply_len);
info->Assign(8, val_mgr->Count(c->Uid())); info->Assign(8, c->Uid());
info->Assign(9, val_mgr->Count(c->Gid())); info->Assign(9, c->Gid());
info->Assign(10, val_mgr->Count(c->Stamp())); info->Assign(10, c->Stamp());
info->Assign(11, make_intrusive<StringVal>(c->MachineName())); info->Assign(11, c->MachineName());
info->Assign(12, std::move(auxgids)); info->Assign(12, std::move(auxgids));
vl.emplace_back(std::move(info)); vl.emplace_back(std::move(info));
@ -259,7 +259,7 @@ RecordValPtr MOUNT_Interp::mount3_mnt_reply(const u_char*& buf, int& n,
auth_flavors_count = max_auth_flavors; auth_flavors_count = max_auth_flavors;
} }
auto enum_vector = make_intrusive<VectorType>(base_type(TYPE_ENUM)); auto enum_vector = make_intrusive<VectorType>(BifType::Enum::MOUNT3::auth_flavor_t);
auto auth_flavors = make_intrusive<VectorVal>(std::move(enum_vector)); auto auth_flavors = make_intrusive<VectorVal>(std::move(enum_vector));
for ( auto i = 0u; i < auth_flavors_count; ++i ) for ( auto i = 0u; i < auth_flavors_count; ++i )

50
src/analyzer/protocol/rpc/NFS.cc
View file

@ -321,16 +321,16 @@ Args NFS_Interp::event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status
auto info = make_intrusive<RecordVal>(BifType::Record::NFS3::info_t); auto info = make_intrusive<RecordVal>(BifType::Record::NFS3::info_t);
info->Assign(0, BifType::Enum::rpc_status->GetEnumVal(rpc_status)); info->Assign(0, BifType::Enum::rpc_status->GetEnumVal(rpc_status));
info->Assign(1, BifType::Enum::NFS3::status_t->GetEnumVal(nfs_status)); info->Assign(1, BifType::Enum::NFS3::status_t->GetEnumVal(nfs_status));
info->Assign(2, make_intrusive<TimeVal>(c->StartTime())); info->AssignTime(2, c->StartTime());
info->Assign(3, make_intrusive<IntervalVal>(c->LastTime()-c->StartTime())); info->AssignInterval(3, c->LastTime()-c->StartTime());
info->Assign(4, val_mgr->Count(c->RPCLen())); info->Assign(4, c->RPCLen());
info->Assign(5, make_intrusive<TimeVal>(rep_start_time)); info->AssignTime(5, rep_start_time);
info->Assign(6, make_intrusive<IntervalVal>(rep_last_time-rep_start_time)); info->AssignInterval(6, rep_last_time-rep_start_time);
info->Assign(7, val_mgr->Count(reply_len)); info->Assign(7, reply_len);
info->Assign(8, val_mgr->Count(c->Uid())); info->Assign(8, c->Uid());
info->Assign(9, val_mgr->Count(c->Gid())); info->Assign(9, c->Gid());
info->Assign(10, val_mgr->Count(c->Stamp())); info->Assign(10, c->Stamp());
info->Assign(11, make_intrusive<StringVal>(c->MachineName())); info->Assign(11, c->MachineName());
info->Assign(12, std::move(auxgids)); info->Assign(12, std::move(auxgids));
vl.emplace_back(std::move(info)); vl.emplace_back(std::move(info));
@ -554,7 +554,7 @@ RecordValPtr NFS_Interp::nfs3_read_reply(const u_char*& buf, int& n, BifEnum::NF
rep->Assign(0, nfs3_post_op_attr(buf, n)); rep->Assign(0, nfs3_post_op_attr(buf, n));
bytes_read = extract_XDR_uint32(buf, n); bytes_read = extract_XDR_uint32(buf, n);
rep->Assign(1, val_mgr->Count(bytes_read)); rep->Assign(1, bytes_read);
rep->Assign(2, ExtractBool(buf, n)); rep->Assign(2, ExtractBool(buf, n));
rep->Assign(3, nfs3_file_data(buf, n, offset, bytes_read)); rep->Assign(3, nfs3_file_data(buf, n, offset, bytes_read));
} }
@ -637,9 +637,9 @@ RecordValPtr NFS_Interp::nfs3_writeargs(const u_char*& buf, int& n)
writeargs->Assign(0, nfs3_fh(buf, n)); writeargs->Assign(0, nfs3_fh(buf, n));
offset = extract_XDR_uint64(buf, n); offset = extract_XDR_uint64(buf, n);
writeargs->Assign(1, val_mgr->Count(offset)); // offset writeargs->Assign(1, offset); // offset
bytes = extract_XDR_uint32(buf, n); bytes = extract_XDR_uint32(buf, n);
writeargs->Assign(2, val_mgr->Count(bytes)); // size writeargs->Assign(2, bytes); // size
writeargs->Assign(3, nfs3_stable_how(buf, n)); writeargs->Assign(3, nfs3_stable_how(buf, n));
writeargs->Assign(4, nfs3_file_data(buf, n, offset, bytes)); writeargs->Assign(4, nfs3_file_data(buf, n, offset, bytes));
@ -722,7 +722,7 @@ RecordValPtr NFS_Interp::nfs3_readdirargs(bool isplus, const u_char*& buf, int&n
{ {
auto args = make_intrusive<RecordVal>(BifType::Record::NFS3::readdirargs_t); auto args = make_intrusive<RecordVal>(BifType::Record::NFS3::readdirargs_t);
args->Assign(0, val_mgr->Bool(isplus)); args->Assign(0, isplus);
args->Assign(1, nfs3_fh(buf, n)); args->Assign(1, nfs3_fh(buf, n));
args->Assign(2, ExtractUint64(buf,n)); // cookie args->Assign(2, ExtractUint64(buf,n)); // cookie
args->Assign(3, ExtractUint64(buf,n)); // cookieverf args->Assign(3, ExtractUint64(buf,n)); // cookieverf
@ -739,7 +739,7 @@ RecordValPtr NFS_Interp::nfs3_readdir_reply(bool isplus, const u_char*& buf,
{ {
auto rep = make_intrusive<RecordVal>(BifType::Record::NFS3::readdir_reply_t); auto rep = make_intrusive<RecordVal>(BifType::Record::NFS3::readdir_reply_t);
rep->Assign(0, val_mgr->Bool(isplus)); rep->Assign(0, isplus);
if ( status == BifEnum::NFS3::NFS3ERR_OK ) if ( status == BifEnum::NFS3::NFS3ERR_OK )
{ {
@ -779,29 +779,29 @@ RecordValPtr NFS_Interp::nfs3_readdir_reply(bool isplus, const u_char*& buf,
return rep; return rep;
} }
ValPtr NFS_Interp::ExtractUint32(const u_char*& buf, int& n) uint32_t NFS_Interp::ExtractUint32(const u_char*& buf, int& n)
{ {
return val_mgr->Count(extract_XDR_uint32(buf, n)); return extract_XDR_uint32(buf, n);
} }
ValPtr NFS_Interp::ExtractUint64(const u_char*& buf, int& n) uint64_t NFS_Interp::ExtractUint64(const u_char*& buf, int& n)
{ {
return val_mgr->Count(extract_XDR_uint64(buf, n)); return extract_XDR_uint64(buf, n);
} }
ValPtr NFS_Interp::ExtractTime(const u_char*& buf, int& n) double NFS_Interp::ExtractTime(const u_char*& buf, int& n)
{ {
return make_intrusive<TimeVal>(extract_XDR_time(buf, n)); return extract_XDR_time(buf, n);
} }
ValPtr NFS_Interp::ExtractInterval(const u_char*& buf, int& n) double NFS_Interp::ExtractInterval(const u_char*& buf, int& n)
{ {
return make_intrusive<IntervalVal>(double(extract_XDR_uint32(buf, n)), 1.0); return double(extract_XDR_uint32(buf, n));
} }
ValPtr NFS_Interp::ExtractBool(const u_char*& buf, int& n) bool NFS_Interp::ExtractBool(const u_char*& buf, int& n)
{ {
return val_mgr->Bool(extract_XDR_uint32(buf, n)); return extract_XDR_uint32(buf, n);
} }
} // namespace detail } // namespace detail

10
src/analyzer/protocol/rpc/NFS.h
View file

@ -73,11 +73,11 @@ protected:
// * size is the amount of bytes read (or requested to be written), // * size is the amount of bytes read (or requested to be written),
StringValPtr nfs3_file_data(const u_char*& buf, int& n, uint64_t offset, int size); StringValPtr nfs3_file_data(const u_char*& buf, int& n, uint64_t offset, int size);
ValPtr ExtractUint32(const u_char*& buf, int& n); uint32_t ExtractUint32(const u_char*& buf, int& n);
ValPtr ExtractUint64(const u_char*& buf, int& n); uint64_t ExtractUint64(const u_char*& buf, int& n);
ValPtr ExtractTime(const u_char*& buf, int& n); double ExtractTime(const u_char*& buf, int& n);
ValPtr ExtractInterval(const u_char*& buf, int& n); double ExtractInterval(const u_char*& buf, int& n);
ValPtr ExtractBool(const u_char*& buf, int& n); bool ExtractBool(const u_char*& buf, int& n);
}; };
} // namespace detail } // namespace detail

18
src/analyzer/protocol/rpc/Portmap.cc
View file

@ -195,8 +195,8 @@ ValPtr PortmapperInterp::ExtractMapping(const u_char*& buf, int& len)
static auto pm_mapping = id::find_type<RecordType>("pm_mapping"); static auto pm_mapping = id::find_type<RecordType>("pm_mapping");
auto mapping = make_intrusive<RecordVal>(pm_mapping); auto mapping = make_intrusive<RecordVal>(pm_mapping);
mapping->Assign(0, val_mgr->Count(extract_XDR_uint32(buf, len))); mapping->Assign(0, extract_XDR_uint32(buf, len));
mapping->Assign(1, val_mgr->Count(extract_XDR_uint32(buf, len))); mapping->Assign(1, extract_XDR_uint32(buf, len));
bool is_tcp = extract_XDR_uint32(buf, len) == IPPROTO_TCP; bool is_tcp = extract_XDR_uint32(buf, len) == IPPROTO_TCP;
uint32_t port = extract_XDR_uint32(buf, len); uint32_t port = extract_XDR_uint32(buf, len);
@ -213,11 +213,11 @@ ValPtr PortmapperInterp::ExtractPortRequest(const u_char*& buf, int& len)
static auto pm_port_request = id::find_type<RecordType>("pm_port_request"); static auto pm_port_request = id::find_type<RecordType>("pm_port_request");
auto pr = make_intrusive<RecordVal>(pm_port_request); auto pr = make_intrusive<RecordVal>(pm_port_request);
pr->Assign(0, val_mgr->Count(extract_XDR_uint32(buf, len))); pr->Assign(0, extract_XDR_uint32(buf, len));
pr->Assign(1, val_mgr->Count(extract_XDR_uint32(buf, len))); pr->Assign(1, extract_XDR_uint32(buf, len));
bool is_tcp = extract_XDR_uint32(buf, len) == IPPROTO_TCP; bool is_tcp = extract_XDR_uint32(buf, len) == IPPROTO_TCP;
pr->Assign(2, val_mgr->Bool(is_tcp)); pr->Assign(2, bool(is_tcp));
(void) extract_XDR_uint32(buf, len); // consume the bogus port (void) extract_XDR_uint32(buf, len); // consume the bogus port
if ( ! buf ) if ( ! buf )
@ -231,13 +231,13 @@ ValPtr PortmapperInterp::ExtractCallItRequest(const u_char*& buf, int& len)
static auto pm_callit_request = id::find_type<RecordType>("pm_callit_request"); static auto pm_callit_request = id::find_type<RecordType>("pm_callit_request");
auto c = make_intrusive<RecordVal>(pm_callit_request); auto c = make_intrusive<RecordVal>(pm_callit_request);
c->Assign(0, val_mgr->Count(extract_XDR_uint32(buf, len))); c->Assign(0, extract_XDR_uint32(buf, len));
c->Assign(1, val_mgr->Count(extract_XDR_uint32(buf, len))); c->Assign(1, extract_XDR_uint32(buf, len));
c->Assign(2, val_mgr->Count(extract_XDR_uint32(buf, len))); c->Assign(2, extract_XDR_uint32(buf, len));
int arg_n; int arg_n;
(void) extract_XDR_opaque(buf, len, arg_n); (void) extract_XDR_opaque(buf, len, arg_n);
c->Assign(3, val_mgr->Count(arg_n)); c->Assign(3, arg_n);
if ( ! buf ) if ( ! buf )
return nullptr; return nullptr;

14
src/analyzer/protocol/smb/smb-time.pac
View file

@ -1,21 +1,20 @@
%header{ %header{
zeek::ValPtr filetime2zeektime(uint64_t ts); double filetime2zeektime(uint64_t ts);
zeek::ValPtr time_from_lanman(SMB_time* t, SMB_date* d, uint16_t tz); double time_from_lanman(SMB_time* t, SMB_date* d, uint16_t tz);
zeek::RecordValPtr SMB_BuildMACTimes(uint64_t modify, uint64_t access, zeek::RecordValPtr SMB_BuildMACTimes(uint64_t modify, uint64_t access,
uint64_t create, uint64_t change); uint64_t create, uint64_t change);
%} %}
%code{ %code{
zeek::ValPtr filetime2zeektime(uint64_t ts) double filetime2zeektime(uint64_t ts)
{ {
// Zeek can't support times back to the 1600's // Zeek can't support times back to the 1600's
// so we subtract a lot of seconds. // so we subtract a lot of seconds.
double secs = (ts / 10000000.0L) - 11644473600.0L; return (ts / 10000000.0L) - 11644473600.0L;
return zeek::make_intrusive<zeek::TimeVal>(secs);
} }
zeek::ValPtr time_from_lanman(SMB_time* t, SMB_date* d, uint16_t tz) double time_from_lanman(SMB_time* t, SMB_date* d, uint16_t tz)
{ {
tm lTime; tm lTime;
lTime.tm_sec = ${t.two_seconds} * 2; lTime.tm_sec = ${t.two_seconds} * 2;
@ -25,8 +24,7 @@ zeek::ValPtr time_from_lanman(SMB_time* t, SMB_date* d, uint16_t tz)
lTime.tm_mon = ${d.month}; lTime.tm_mon = ${d.month};
lTime.tm_year = 1980 + ${d.year}; lTime.tm_year = 1980 + ${d.year};
lTime.tm_isdst = -1; lTime.tm_isdst = -1;
double lResult = mktime(&lTime); return mktime(&lTime) + tz;
return zeek::make_intrusive<zeek::TimeVal>(lResult + tz);
} }
zeek::RecordValPtr SMB_BuildMACTimes(uint64_t modify, uint64_t access, zeek::RecordValPtr SMB_BuildMACTimes(uint64_t modify, uint64_t access,

80
src/analyzer/protocol/smb/smb1-com-negotiate.pac
View file

@ -42,7 +42,7 @@ refine connection SMB_Conn += {
case 0x01: case 0x01:
{ {
auto core = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::NegotiateResponseCore); auto core = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::NegotiateResponseCore);
core->Assign(0, zeek::val_mgr->Count(${val.dialect_index})); core->Assign(0, ${val.dialect_index});
response->Assign(0, std::move(core)); response->Assign(0, std::move(core));
} }
@ -51,23 +51,23 @@ refine connection SMB_Conn += {
case 0x0d: case 0x0d:
{ {
auto security = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::NegotiateResponseSecurity); auto security = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::NegotiateResponseSecurity);
security->Assign(0, zeek::val_mgr->Bool(${val.lanman.security_user_level})); security->Assign(0, bool(${val.lanman.security_user_level}));
security->Assign(1, zeek::val_mgr->Bool(${val.lanman.security_challenge_response})); security->Assign(1, bool(${val.lanman.security_challenge_response}));
auto raw = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::NegotiateRawMode); auto raw = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::NegotiateRawMode);
raw->Assign(0, zeek::val_mgr->Bool(${val.lanman.raw_read_supported})); raw->Assign(0, bool(${val.lanman.raw_read_supported}));
raw->Assign(1, zeek::val_mgr->Bool(${val.lanman.raw_write_supported})); raw->Assign(1, bool(${val.lanman.raw_write_supported}));
auto lanman = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::NegotiateResponseLANMAN); auto lanman = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::NegotiateResponseLANMAN);
lanman->Assign(0, zeek::val_mgr->Count(${val.word_count})); lanman->Assign(0, ${val.word_count});
lanman->Assign(1, zeek::val_mgr->Count(${val.dialect_index})); lanman->Assign(1, ${val.dialect_index});
lanman->Assign(2, std::move(security)); lanman->Assign(2, std::move(security));
lanman->Assign(3, zeek::val_mgr->Count(${val.lanman.max_buffer_size})); lanman->Assign(3, ${val.lanman.max_buffer_size});
lanman->Assign(4, zeek::val_mgr->Count(${val.lanman.max_mpx_count})); lanman->Assign(4, ${val.lanman.max_mpx_count});
lanman->Assign(5, zeek::val_mgr->Count(${val.lanman.max_number_vcs})); lanman->Assign(5, ${val.lanman.max_number_vcs});
lanman->Assign(6, std::move(raw)); lanman->Assign(6, std::move(raw));
lanman->Assign(7, zeek::val_mgr->Count(${val.lanman.session_key})); lanman->Assign(7, ${val.lanman.session_key});
lanman->Assign(8, time_from_lanman(${val.lanman.server_time}, ${val.lanman.server_date}, ${val.lanman.server_tz})); lanman->Assign(8, time_from_lanman(${val.lanman.server_time}, ${val.lanman.server_date}, ${val.lanman.server_tz}));
lanman->Assign(9, to_stringval(${val.lanman.encryption_key})); lanman->Assign(9, to_stringval(${val.lanman.encryption_key}));
@ -80,44 +80,44 @@ refine connection SMB_Conn += {
case 0x11: case 0x11:
{ {
auto security = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::NegotiateResponseSecurity); auto security = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::NegotiateResponseSecurity);
security->Assign(0, zeek::val_mgr->Bool(${val.ntlm.security_user_level})); security->Assign(0, bool(${val.ntlm.security_user_level}));
security->Assign(1, zeek::val_mgr->Bool(${val.ntlm.security_challenge_response})); security->Assign(1, bool(${val.ntlm.security_challenge_response}));
security->Assign(2, zeek::val_mgr->Bool(${val.ntlm.security_signatures_enabled})); security->Assign(2, bool(${val.ntlm.security_signatures_enabled}));
security->Assign(3, zeek::val_mgr->Bool(${val.ntlm.security_signatures_required})); security->Assign(3, bool(${val.ntlm.security_signatures_required}));
auto capabilities = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::NegotiateCapabilities); auto capabilities = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::NegotiateCapabilities);
capabilities->Assign(0, zeek::val_mgr->Bool(${val.ntlm.capabilities_raw_mode})); capabilities->Assign(0, bool(${val.ntlm.capabilities_raw_mode}));
capabilities->Assign(1, zeek::val_mgr->Bool(${val.ntlm.capabilities_mpx_mode})); capabilities->Assign(1, bool(${val.ntlm.capabilities_mpx_mode}));
capabilities->Assign(2, zeek::val_mgr->Bool(${val.ntlm.capabilities_unicode})); capabilities->Assign(2, bool(${val.ntlm.capabilities_unicode}));
capabilities->Assign(3, zeek::val_mgr->Bool(${val.ntlm.capabilities_large_files})); capabilities->Assign(3, bool(${val.ntlm.capabilities_large_files}));
capabilities->Assign(4, zeek::val_mgr->Bool(${val.ntlm.capabilities_nt_smbs})); capabilities->Assign(4, bool(${val.ntlm.capabilities_nt_smbs}));
capabilities->Assign(5, zeek::val_mgr->Bool(${val.ntlm.capabilities_rpc_remote_apis})); capabilities->Assign(5, bool(${val.ntlm.capabilities_rpc_remote_apis}));
capabilities->Assign(6, zeek::val_mgr->Bool(${val.ntlm.capabilities_status32})); capabilities->Assign(6, bool(${val.ntlm.capabilities_status32}));
capabilities->Assign(7, zeek::val_mgr->Bool(${val.ntlm.capabilities_level_2_oplocks})); capabilities->Assign(7, bool(${val.ntlm.capabilities_level_2_oplocks}));
capabilities->Assign(8, zeek::val_mgr->Bool(${val.ntlm.capabilities_lock_and_read})); capabilities->Assign(8, bool(${val.ntlm.capabilities_lock_and_read}));
capabilities->Assign(9, zeek::val_mgr->Bool(${val.ntlm.capabilities_nt_find})); capabilities->Assign(9, bool(${val.ntlm.capabilities_nt_find}));
capabilities->Assign(10, zeek::val_mgr->Bool(${val.ntlm.capabilities_dfs})); capabilities->Assign(10, bool(${val.ntlm.capabilities_dfs}));
capabilities->Assign(11, zeek::val_mgr->Bool(${val.ntlm.capabilities_infolevel_passthru})); capabilities->Assign(11, bool(${val.ntlm.capabilities_infolevel_passthru}));
capabilities->Assign(12, zeek::val_mgr->Bool(${val.ntlm.capabilities_large_readx})); capabilities->Assign(12, bool(${val.ntlm.capabilities_large_readx}));
capabilities->Assign(13, zeek::val_mgr->Bool(${val.ntlm.capabilities_large_writex})); capabilities->Assign(13, bool(${val.ntlm.capabilities_large_writex}));
capabilities->Assign(14, zeek::val_mgr->Bool(${val.ntlm.capabilities_unix})); capabilities->Assign(14, bool(${val.ntlm.capabilities_unix}));
capabilities->Assign(15, zeek::val_mgr->Bool(${val.ntlm.capabilities_bulk_transfer})); capabilities->Assign(15, bool(${val.ntlm.capabilities_bulk_transfer}));
capabilities->Assign(16, zeek::val_mgr->Bool(${val.ntlm.capabilities_compressed_data})); capabilities->Assign(16, bool(${val.ntlm.capabilities_compressed_data}));
capabilities->Assign(17, zeek::val_mgr->Bool(${val.ntlm.capabilities_extended_security})); capabilities->Assign(17, bool(${val.ntlm.capabilities_extended_security}));
auto ntlm = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::NegotiateResponseNTLM); auto ntlm = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::NegotiateResponseNTLM);
ntlm->Assign(0, zeek::val_mgr->Count(${val.word_count})); ntlm->Assign(0, ${val.word_count});
ntlm->Assign(1, zeek::val_mgr->Count(${val.dialect_index})); ntlm->Assign(1, ${val.dialect_index});
ntlm->Assign(2, std::move(security)); ntlm->Assign(2, std::move(security));
ntlm->Assign(3, zeek::val_mgr->Count(${val.ntlm.max_buffer_size})); ntlm->Assign(3, ${val.ntlm.max_buffer_size});
ntlm->Assign(4, zeek::val_mgr->Count(${val.ntlm.max_mpx_count})); ntlm->Assign(4, ${val.ntlm.max_mpx_count});
ntlm->Assign(5, zeek::val_mgr->Count(${val.ntlm.max_number_vcs})); ntlm->Assign(5, ${val.ntlm.max_number_vcs});
ntlm->Assign(6, zeek::val_mgr->Count(${val.ntlm.max_raw_size})); ntlm->Assign(6, ${val.ntlm.max_raw_size});
ntlm->Assign(7, zeek::val_mgr->Count(${val.ntlm.session_key})); ntlm->Assign(7, ${val.ntlm.session_key});
ntlm->Assign(8, std::move(capabilities)); ntlm->Assign(8, std::move(capabilities));
ntlm->Assign(9, filetime2zeektime(${val.ntlm.server_time})); ntlm->Assign(9, filetime2zeektime(${val.ntlm.server_time}));

56
src/analyzer/protocol/smb/smb1-com-session-setup-andx.pac
View file

@ -14,13 +14,13 @@ refine connection SMB_Conn += {
{ {
auto request = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::SessionSetupAndXRequest); auto request = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::SessionSetupAndXRequest);
request->Assign(0, zeek::val_mgr->Count(${val.word_count})); request->Assign(0, ${val.word_count});
switch ( ${val.word_count} ) { switch ( ${val.word_count} ) {
case 10: // pre NT LM 0.12 case 10: // pre NT LM 0.12
request->Assign(1, zeek::val_mgr->Count(${val.lanman.max_buffer_size})); request->Assign(1, ${val.lanman.max_buffer_size});
request->Assign(2, zeek::val_mgr->Count(${val.lanman.max_mpx_count})); request->Assign(2, ${val.lanman.max_mpx_count});
request->Assign(3, zeek::val_mgr->Count(${val.lanman.vc_number})); request->Assign(3, ${val.lanman.vc_number});
request->Assign(4, zeek::val_mgr->Count(${val.lanman.session_key})); request->Assign(4, ${val.lanman.session_key});
request->Assign(5, smb_string2stringval(${val.lanman.native_os})); request->Assign(5, smb_string2stringval(${val.lanman.native_os}));
request->Assign(6, smb_string2stringval(${val.lanman.native_lanman})); request->Assign(6, smb_string2stringval(${val.lanman.native_lanman}));
@ -32,17 +32,17 @@ refine connection SMB_Conn += {
case 12: // NT LM 0.12 with extended security case 12: // NT LM 0.12 with extended security
{ {
auto capabilities = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::SessionSetupAndXCapabilities); auto capabilities = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::SessionSetupAndXCapabilities);
capabilities->Assign(0, zeek::val_mgr->Bool(${val.ntlm_extended_security.capabilities.unicode})); capabilities->Assign(0, bool(${val.ntlm_extended_security.capabilities.unicode}));
capabilities->Assign(1, zeek::val_mgr->Bool(${val.ntlm_extended_security.capabilities.large_files})); capabilities->Assign(1, bool(${val.ntlm_extended_security.capabilities.large_files}));
capabilities->Assign(2, zeek::val_mgr->Bool(${val.ntlm_extended_security.capabilities.nt_smbs})); capabilities->Assign(2, bool(${val.ntlm_extended_security.capabilities.nt_smbs}));
capabilities->Assign(3, zeek::val_mgr->Bool(${val.ntlm_extended_security.capabilities.status32})); capabilities->Assign(3, bool(${val.ntlm_extended_security.capabilities.status32}));
capabilities->Assign(4, zeek::val_mgr->Bool(${val.ntlm_extended_security.capabilities.level_2_oplocks})); capabilities->Assign(4, bool(${val.ntlm_extended_security.capabilities.level_2_oplocks}));
capabilities->Assign(5, zeek::val_mgr->Bool(${val.ntlm_extended_security.capabilities.nt_find})); capabilities->Assign(5, bool(${val.ntlm_extended_security.capabilities.nt_find}));
request->Assign(1, zeek::val_mgr->Count(${val.ntlm_extended_security.max_buffer_size})); request->Assign(1, ${val.ntlm_extended_security.max_buffer_size});
request->Assign(2, zeek::val_mgr->Count(${val.ntlm_extended_security.max_mpx_count})); request->Assign(2, ${val.ntlm_extended_security.max_mpx_count});
request->Assign(3, zeek::val_mgr->Count(${val.ntlm_extended_security.vc_number})); request->Assign(3, ${val.ntlm_extended_security.vc_number});
request->Assign(4, zeek::val_mgr->Count(${val.ntlm_extended_security.session_key})); request->Assign(4, ${val.ntlm_extended_security.session_key});
request->Assign(5, smb_string2stringval(${val.ntlm_extended_security.native_os})); request->Assign(5, smb_string2stringval(${val.ntlm_extended_security.native_os}));
request->Assign(6, smb_string2stringval(${val.ntlm_extended_security.native_lanman})); request->Assign(6, smb_string2stringval(${val.ntlm_extended_security.native_lanman}));
@ -54,17 +54,17 @@ refine connection SMB_Conn += {
case 13: // NT LM 0.12 without extended security case 13: // NT LM 0.12 without extended security
{ {
auto capabilities = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::SessionSetupAndXCapabilities); auto capabilities = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::SessionSetupAndXCapabilities);
capabilities->Assign(0, zeek::val_mgr->Bool(${val.ntlm_nonextended_security.capabilities.unicode})); capabilities->Assign(0, bool(${val.ntlm_nonextended_security.capabilities.unicode}));
capabilities->Assign(1, zeek::val_mgr->Bool(${val.ntlm_nonextended_security.capabilities.large_files})); capabilities->Assign(1, bool(${val.ntlm_nonextended_security.capabilities.large_files}));
capabilities->Assign(2, zeek::val_mgr->Bool(${val.ntlm_nonextended_security.capabilities.nt_smbs})); capabilities->Assign(2, bool(${val.ntlm_nonextended_security.capabilities.nt_smbs}));
capabilities->Assign(3, zeek::val_mgr->Bool(${val.ntlm_nonextended_security.capabilities.status32})); capabilities->Assign(3, bool(${val.ntlm_nonextended_security.capabilities.status32}));
capabilities->Assign(4, zeek::val_mgr->Bool(${val.ntlm_nonextended_security.capabilities.level_2_oplocks})); capabilities->Assign(4, bool(${val.ntlm_nonextended_security.capabilities.level_2_oplocks}));
capabilities->Assign(5, zeek::val_mgr->Bool(${val.ntlm_nonextended_security.capabilities.nt_find})); capabilities->Assign(5, bool(${val.ntlm_nonextended_security.capabilities.nt_find}));
request->Assign(1, zeek::val_mgr->Count(${val.ntlm_nonextended_security.max_buffer_size})); request->Assign(1, ${val.ntlm_nonextended_security.max_buffer_size});
request->Assign(2, zeek::val_mgr->Count(${val.ntlm_nonextended_security.max_mpx_count})); request->Assign(2, ${val.ntlm_nonextended_security.max_mpx_count});
request->Assign(3, zeek::val_mgr->Count(${val.ntlm_nonextended_security.vc_number})); request->Assign(3, ${val.ntlm_nonextended_security.vc_number});
request->Assign(4, zeek::val_mgr->Count(${val.ntlm_nonextended_security.session_key})); request->Assign(4, ${val.ntlm_nonextended_security.session_key});
request->Assign(5, smb_string2stringval(${val.ntlm_nonextended_security.native_os})); request->Assign(5, smb_string2stringval(${val.ntlm_nonextended_security.native_os}));
request->Assign(6, smb_string2stringval(${val.ntlm_nonextended_security.native_lanman})); request->Assign(6, smb_string2stringval(${val.ntlm_nonextended_security.native_lanman}));
@ -91,18 +91,18 @@ refine connection SMB_Conn += {
if ( smb1_session_setup_andx_response ) if ( smb1_session_setup_andx_response )
{ {
auto response = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::SessionSetupAndXResponse); auto response = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::SessionSetupAndXResponse);
response->Assign(0, zeek::val_mgr->Count(${val.word_count})); response->Assign(0, ${val.word_count});
switch ( ${val.word_count} ) switch ( ${val.word_count} )
{ {
case 3: // pre NT LM 0.12 case 3: // pre NT LM 0.12
response->Assign(1, zeek::val_mgr->Bool(${val.lanman.is_guest})); response->Assign(1, bool(${val.lanman.is_guest}));
response->Assign(2, ${val.lanman.byte_count} == 0 ? zeek::val_mgr->EmptyString() : smb_string2stringval(${val.lanman.native_os[0]})); response->Assign(2, ${val.lanman.byte_count} == 0 ? zeek::val_mgr->EmptyString() : smb_string2stringval(${val.lanman.native_os[0]}));
response->Assign(3, ${val.lanman.byte_count} == 0 ? zeek::val_mgr->EmptyString() : smb_string2stringval(${val.lanman.native_lanman[0]})); response->Assign(3, ${val.lanman.byte_count} == 0 ? zeek::val_mgr->EmptyString() : smb_string2stringval(${val.lanman.native_lanman[0]}));
response->Assign(4, ${val.lanman.byte_count} == 0 ? zeek::val_mgr->EmptyString() : smb_string2stringval(${val.lanman.primary_domain[0]})); response->Assign(4, ${val.lanman.byte_count} == 0 ? zeek::val_mgr->EmptyString() : smb_string2stringval(${val.lanman.primary_domain[0]}));
break; break;
case 4: // NT LM 0.12 case 4: // NT LM 0.12
response->Assign(1, zeek::val_mgr->Bool(${val.ntlm.is_guest})); response->Assign(1, bool(${val.ntlm.is_guest}));
response->Assign(2, smb_string2stringval(${val.ntlm.native_os})); response->Assign(2, smb_string2stringval(${val.ntlm.native_os}));
response->Assign(3, smb_string2stringval(${val.ntlm.native_lanman})); response->Assign(3, smb_string2stringval(${val.ntlm.native_lanman}));
//response->Assign(4, smb_string2stringval(${val.ntlm.primary_domain})); //response->Assign(4, smb_string2stringval(${val.ntlm.primary_domain}));

16
src/analyzer/protocol/smb/smb1-com-transaction-secondary.pac
View file

@ -6,14 +6,14 @@ refine connection SMB_Conn += {
return false; return false;
auto args = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::Trans_Sec_Args); auto args = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::Trans_Sec_Args);
args->Assign(0, zeek::val_mgr->Count(${val.total_param_count})); args->Assign(0, ${val.total_param_count});
args->Assign(1, zeek::val_mgr->Count(${val.total_data_count})); args->Assign(1, ${val.total_data_count});
args->Assign(2, zeek::val_mgr->Count(${val.param_count})); args->Assign(2, ${val.param_count});
args->Assign(3, zeek::val_mgr->Count(${val.param_offset})); args->Assign(3, ${val.param_offset});
args->Assign(4, zeek::val_mgr->Count(${val.param_displacement})); args->Assign(4, ${val.param_displacement});
args->Assign(5, zeek::val_mgr->Count(${val.data_count})); args->Assign(5, ${val.data_count});
args->Assign(6, zeek::val_mgr->Count(${val.data_offset})); args->Assign(6, ${val.data_offset});
args->Assign(7, zeek::val_mgr->Count(${val.data_displacement})); args->Assign(7, ${val.data_displacement});
auto parameters = zeek::make_intrusive<zeek::StringVal>(${val.parameters}.length(), auto parameters = zeek::make_intrusive<zeek::StringVal>(${val.parameters}.length(),
(const char*)${val.parameters}.data()); (const char*)${val.parameters}.data());

18
src/analyzer/protocol/smb/smb1-com-transaction2-secondary.pac
View file

@ -6,15 +6,15 @@ refine connection SMB_Conn += {
return false; return false;
auto args = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::Trans2_Sec_Args); auto args = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::Trans2_Sec_Args);
args->Assign(0, zeek::val_mgr->Count(${val.total_param_count})); args->Assign(0, ${val.total_param_count});
args->Assign(1, zeek::val_mgr->Count(${val.total_data_count})); args->Assign(1, ${val.total_data_count});
args->Assign(2, zeek::val_mgr->Count(${val.param_count})); args->Assign(2, ${val.param_count});
args->Assign(3, zeek::val_mgr->Count(${val.param_offset})); args->Assign(3, ${val.param_offset});
args->Assign(4, zeek::val_mgr->Count(${val.param_displacement})); args->Assign(4, ${val.param_displacement});
args->Assign(5, zeek::val_mgr->Count(${val.data_count})); args->Assign(5, ${val.data_count});
args->Assign(6, zeek::val_mgr->Count(${val.data_offset})); args->Assign(6, ${val.data_offset});
args->Assign(7, zeek::val_mgr->Count(${val.data_displacement})); args->Assign(7, ${val.data_displacement});
args->Assign(8, zeek::val_mgr->Count(${val.FID})); args->Assign(8, ${val.FID});
auto parameters = zeek::make_intrusive<zeek::StringVal>(${val.parameters}.length(), (const char*)${val.parameters}.data()); auto parameters = zeek::make_intrusive<zeek::StringVal>(${val.parameters}.length(), (const char*)${val.parameters}.data());
auto payload = zeek::make_intrusive<zeek::StringVal>(${val.data}.length(), (const char*)${val.data}.data()); auto payload = zeek::make_intrusive<zeek::StringVal>(${val.data}.length(), (const char*)${val.data}.data());

34
src/analyzer/protocol/smb/smb1-com-transaction2.pac
View file

@ -25,18 +25,18 @@ refine connection SMB_Conn += {
if ( smb1_transaction2_request ) if ( smb1_transaction2_request )
{ {
auto args = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::Trans2_Args); auto args = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::Trans2_Args);
args->Assign(0, zeek::val_mgr->Count(${val.total_param_count})); args->Assign(0, ${val.total_param_count});
args->Assign(1, zeek::val_mgr->Count(${val.total_data_count})); args->Assign(1, ${val.total_data_count});
args->Assign(2, zeek::val_mgr->Count(${val.max_param_count})); args->Assign(2, ${val.max_param_count});
args->Assign(3, zeek::val_mgr->Count(${val.max_data_count})); args->Assign(3, ${val.max_data_count});
args->Assign(4, zeek::val_mgr->Count(${val.max_setup_count})); args->Assign(4, ${val.max_setup_count});
args->Assign(5, zeek::val_mgr->Count(${val.flags})); args->Assign(5, ${val.flags});
args->Assign(6, zeek::val_mgr->Count(${val.timeout})); args->Assign(6, ${val.timeout});
args->Assign(7, zeek::val_mgr->Count(${val.param_count})); args->Assign(7, ${val.param_count});
args->Assign(8, zeek::val_mgr->Count(${val.param_offset})); args->Assign(8, ${val.param_offset});
args->Assign(9, zeek::val_mgr->Count(${val.data_count})); args->Assign(9, ${val.data_count});
args->Assign(10, zeek::val_mgr->Count(${val.data_offset})); args->Assign(10, ${val.data_offset});
args->Assign(11, zeek::val_mgr->Count(${val.setup_count})); args->Assign(11, ${val.setup_count});
zeek::BifEvent::enqueue_smb1_transaction2_request(zeek_analyzer(), zeek::BifEvent::enqueue_smb1_transaction2_request(zeek_analyzer(),
zeek_analyzer()->Conn(), zeek_analyzer()->Conn(),
@ -132,11 +132,11 @@ refine connection SMB_Conn += {
if ( smb1_trans2_find_first2_request ) if ( smb1_trans2_find_first2_request )
{ {
auto result = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::Find_First2_Request_Args); auto result = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::Find_First2_Request_Args);
result->Assign(0, zeek::val_mgr->Count(${val.search_attrs})); result->Assign(0, ${val.search_attrs});
result->Assign(1, zeek::val_mgr->Count(${val.search_count})); result->Assign(1, ${val.search_count});
result->Assign(2, zeek::val_mgr->Count(${val.flags})); result->Assign(2, ${val.flags});
result->Assign(3, zeek::val_mgr->Count(${val.info_level})); result->Assign(3, ${val.info_level});
result->Assign(4, zeek::val_mgr->Count(${val.search_storage_type})); result->Assign(4, ${val.search_storage_type});
result->Assign(5, smb_string2stringval(${val.file_name})); result->Assign(5, smb_string2stringval(${val.file_name}));
zeek::BifEvent::enqueue_smb1_trans2_find_first2_request(zeek_analyzer(), zeek::BifEvent::enqueue_smb1_trans2_find_first2_request(zeek_analyzer(),
zeek_analyzer()->Conn(), zeek_analyzer()->Conn(),

16
src/analyzer/protocol/smb/smb1-protocol.pac
View file

@ -25,14 +25,14 @@
// { // do nothing // { // do nothing
// } // }
r->Assign(0, zeek::val_mgr->Count(${hdr.command})); r->Assign(0, ${hdr.command});
r->Assign(1, zeek::val_mgr->Count(${hdr.status})); r->Assign(1, ${hdr.status});
r->Assign(2, zeek::val_mgr->Count(${hdr.flags})); r->Assign(2, ${hdr.flags});
r->Assign(3, zeek::val_mgr->Count(${hdr.flags2})); r->Assign(3, ${hdr.flags2});
r->Assign(4, zeek::val_mgr->Count(${hdr.tid})); r->Assign(4, ${hdr.tid});
r->Assign(5, zeek::val_mgr->Count(${hdr.pid})); r->Assign(5, ${hdr.pid});
r->Assign(6, zeek::val_mgr->Count(${hdr.uid})); r->Assign(6, ${hdr.uid});
r->Assign(7, zeek::val_mgr->Count(${hdr.mid})); r->Assign(7, ${hdr.mid});
return r; return r;
} }

4
src/analyzer/protocol/smb/smb2-com-close.pac
View file

@ -22,8 +22,8 @@ refine connection SMB_Conn += {
{ {
auto resp = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::CloseResponse); auto resp = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::CloseResponse);
resp->Assign(0, zeek::val_mgr->Count(${val.alloc_size})); resp->Assign(0, ${val.alloc_size});
resp->Assign(1, zeek::val_mgr->Count(${val.eof})); resp->Assign(1, ${val.eof});
resp->Assign(2, SMB_BuildMACTimes(${val.last_write_time}, resp->Assign(2, SMB_BuildMACTimes(${val.last_write_time},
${val.last_access_time}, ${val.last_access_time},
${val.creation_time}, ${val.creation_time},

8
src/analyzer/protocol/smb/smb2-com-create.pac
View file

@ -18,8 +18,8 @@ refine connection SMB_Conn += {
{ {
auto requestinfo = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::CreateRequest); auto requestinfo = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::CreateRequest);
requestinfo->Assign(0, std::move(filename)); requestinfo->Assign(0, std::move(filename));
requestinfo->Assign(1, zeek::val_mgr->Count(${val.disposition})); requestinfo->Assign(1, ${val.disposition});
requestinfo->Assign(2, zeek::val_mgr->Count(${val.create_options})); requestinfo->Assign(2, ${val.create_options});
zeek::BifEvent::enqueue_smb2_create_request(zeek_analyzer(), zeek::BifEvent::enqueue_smb2_create_request(zeek_analyzer(),
zeek_analyzer()->Conn(), zeek_analyzer()->Conn(),
BuildSMB2HeaderVal(h), BuildSMB2HeaderVal(h),
@ -35,13 +35,13 @@ refine connection SMB_Conn += {
{ {
auto responseinfo = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::CreateResponse); auto responseinfo = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::CreateResponse);
responseinfo->Assign(0, BuildSMB2GUID(${val.file_id})); responseinfo->Assign(0, BuildSMB2GUID(${val.file_id}));
responseinfo->Assign(1, zeek::val_mgr->Count(${val.eof})); responseinfo->Assign(1, ${val.eof});
responseinfo->Assign(2, SMB_BuildMACTimes(${val.last_write_time}, responseinfo->Assign(2, SMB_BuildMACTimes(${val.last_write_time},
${val.last_access_time}, ${val.last_access_time},
${val.creation_time}, ${val.creation_time},
${val.change_time})); ${val.change_time}));
responseinfo->Assign(3, smb2_file_attrs_to_zeek(${val.file_attrs})); responseinfo->Assign(3, smb2_file_attrs_to_zeek(${val.file_attrs}));
responseinfo->Assign(4, zeek::val_mgr->Count(${val.create_action})); responseinfo->Assign(4, ${val.create_action});
zeek::BifEvent::enqueue_smb2_create_response(zeek_analyzer(), zeek::BifEvent::enqueue_smb2_create_response(zeek_analyzer(),
zeek_analyzer()->Conn(), zeek_analyzer()->Conn(),
BuildSMB2HeaderVal(h), BuildSMB2HeaderVal(h),

6
src/analyzer/protocol/smb/smb2-com-negotiate.pac
View file

@ -41,12 +41,12 @@ refine connection SMB_Conn += {
{ {
auto nr = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::NegotiateResponse); auto nr = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::NegotiateResponse);
nr->Assign(0, zeek::val_mgr->Count(${val.dialect_revision})); nr->Assign(0, ${val.dialect_revision});
nr->Assign(1, zeek::val_mgr->Count(${val.security_mode})); nr->Assign(1, ${val.security_mode});
nr->Assign(2, BuildSMB2GUID(${val.server_guid})); nr->Assign(2, BuildSMB2GUID(${val.server_guid}));
nr->Assign(3, filetime2zeektime(${val.system_time})); nr->Assign(3, filetime2zeektime(${val.system_time}));
nr->Assign(4, filetime2zeektime(${val.server_start_time})); nr->Assign(4, filetime2zeektime(${val.server_start_time}));
nr->Assign(5, zeek::val_mgr->Count(${val.negotiate_context_count})); nr->Assign(5, ${val.negotiate_context_count});
auto cv = zeek::make_intrusive<zeek::VectorVal>(zeek::BifType::Vector::SMB2::NegotiateContextValues); auto cv = zeek::make_intrusive<zeek::VectorVal>(zeek::BifType::Vector::SMB2::NegotiateContextValues);

8
src/analyzer/protocol/smb/smb2-com-session-setup.pac
View file

@ -5,7 +5,7 @@ refine connection SMB_Conn += {
if ( smb2_session_setup_request ) if ( smb2_session_setup_request )
{ {
auto req = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::SessionSetupRequest); auto req = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::SessionSetupRequest);
req->Assign(0, zeek::val_mgr->Count(${val.security_mode})); req->Assign(0, ${val.security_mode});
zeek::BifEvent::enqueue_smb2_session_setup_request(zeek_analyzer(), zeek::BifEvent::enqueue_smb2_session_setup_request(zeek_analyzer(),
zeek_analyzer()->Conn(), zeek_analyzer()->Conn(),
@ -21,9 +21,9 @@ refine connection SMB_Conn += {
if ( smb2_session_setup_response ) if ( smb2_session_setup_response )
{ {
auto flags = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::SessionSetupFlags); auto flags = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::SessionSetupFlags);
flags->Assign(0, zeek::val_mgr->Bool(${val.flag_guest})); flags->Assign(0, bool(${val.flag_guest}));
flags->Assign(1, zeek::val_mgr->Bool(${val.flag_anonymous})); flags->Assign(1, bool(${val.flag_anonymous}));
flags->Assign(2, zeek::val_mgr->Bool(${val.flag_encrypt})); flags->Assign(2, bool(${val.flag_encrypt}));
auto resp = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::SessionSetupResponse); auto resp = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::SessionSetupResponse);
resp->Assign(0, std::move(flags)); resp->Assign(0, std::move(flags));

12
src/analyzer/protocol/smb/smb2-com-set-info.pac
View file

@ -193,12 +193,12 @@ refine connection SMB_Conn += {
if ( smb2_file_fscontrol ) if ( smb2_file_fscontrol )
{ {
auto r = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::Fscontrol); auto r = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::Fscontrol);
r->Assign(0, zeek::val_mgr->Int(${val.free_space_start_filtering})); r->Assign(0, int(${val.free_space_start_filtering}));
r->Assign(1, zeek::val_mgr->Int(${val.free_space_start_threshold})); r->Assign(1, int(${val.free_space_start_threshold}));
r->Assign(2, zeek::val_mgr->Int(${val.free_space_stop_filtering})); r->Assign(2, int(${val.free_space_stop_filtering}));
r->Assign(3, zeek::val_mgr->Count(${val.default_quota_threshold})); r->Assign(3, ${val.default_quota_threshold});
r->Assign(4, zeek::val_mgr->Count(${val.default_quota_limit})); r->Assign(4, ${val.default_quota_limit});
r->Assign(5, zeek::val_mgr->Count(${val.file_system_control_flags})); r->Assign(5, ${val.file_system_control_flags});
zeek::BifEvent::enqueue_smb2_file_fscontrol(zeek_analyzer(), zeek::BifEvent::enqueue_smb2_file_fscontrol(zeek_analyzer(),
zeek_analyzer()->Conn(), zeek_analyzer()->Conn(),

6
src/analyzer/protocol/smb/smb2-com-transform-header.pac
View file

@ -7,9 +7,9 @@ refine connection SMB_Conn += {
auto r = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::Transform_header); auto r = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::Transform_header);
r->Assign(0, to_stringval(${hdr.signature})); r->Assign(0, to_stringval(${hdr.signature}));
r->Assign(1, to_stringval(${hdr.nonce})); r->Assign(1, to_stringval(${hdr.nonce}));
r->Assign(2, zeek::val_mgr->Count(${hdr.orig_msg_size})); r->Assign(2, ${hdr.orig_msg_size});
r->Assign(3, zeek::val_mgr->Count(${hdr.flags})); r->Assign(3, ${hdr.flags});
r->Assign(4, zeek::val_mgr->Count(${hdr.session_id})); r->Assign(4, ${hdr.session_id});
zeek::BifEvent::enqueue_smb2_transform_header(zeek_analyzer(), zeek::BifEvent::enqueue_smb2_transform_header(zeek_analyzer(),
zeek_analyzer()->Conn(), zeek_analyzer()->Conn(),

2
src/analyzer/protocol/smb/smb2-com-tree-connect.pac
View file

@ -19,7 +19,7 @@ refine connection SMB_Conn += {
if ( smb2_tree_connect_response ) if ( smb2_tree_connect_response )
{ {
auto resp = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::TreeConnectResponse); auto resp = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::TreeConnectResponse);
resp->Assign(0, zeek::val_mgr->Count(${val.share_type})); resp->Assign(0, ${val.share_type});
zeek::BifEvent::enqueue_smb2_tree_connect_response(zeek_analyzer(), zeek::BifEvent::enqueue_smb2_tree_connect_response(zeek_analyzer(),
zeek_analyzer()->Conn(), zeek_analyzer()->Conn(),

64
src/analyzer/protocol/smb/smb2-protocol.pac
View file

@ -12,15 +12,15 @@ zeek::RecordValPtr BuildSMB2ContextVal(SMB3_negotiate_context_value* ncv);
zeek::RecordValPtr BuildSMB2HeaderVal(SMB2_Header* hdr) zeek::RecordValPtr BuildSMB2HeaderVal(SMB2_Header* hdr)
{ {
auto r = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::Header); auto r = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::Header);
r->Assign(0, zeek::val_mgr->Count(${hdr.credit_charge})); r->Assign(0, ${hdr.credit_charge});
r->Assign(1, zeek::val_mgr->Count(${hdr.status})); r->Assign(1, ${hdr.status});
r->Assign(2, zeek::val_mgr->Count(${hdr.command})); r->Assign(2, ${hdr.command});
r->Assign(3, zeek::val_mgr->Count(${hdr.credits})); r->Assign(3, ${hdr.credits});
r->Assign(4, zeek::val_mgr->Count(${hdr.flags})); r->Assign(4, ${hdr.flags});
r->Assign(5, zeek::val_mgr->Count(${hdr.message_id})); r->Assign(5, ${hdr.message_id});
r->Assign(6, zeek::val_mgr->Count(${hdr.process_id})); r->Assign(6, ${hdr.process_id});
r->Assign(7, zeek::val_mgr->Count(${hdr.tree_id})); r->Assign(7, ${hdr.tree_id});
r->Assign(8, zeek::val_mgr->Count(${hdr.session_id})); r->Assign(8, ${hdr.session_id});
r->Assign(9, to_stringval(${hdr.signature})); r->Assign(9, to_stringval(${hdr.signature}));
return r; return r;
} }
@ -28,29 +28,29 @@ zeek::RecordValPtr BuildSMB2HeaderVal(SMB2_Header* hdr)
zeek::RecordValPtr BuildSMB2GUID(SMB2_guid* file_id) zeek::RecordValPtr BuildSMB2GUID(SMB2_guid* file_id)
{ {
auto r = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::GUID); auto r = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::GUID);
r->Assign(0, zeek::val_mgr->Count(${file_id.persistent})); r->Assign(0, ${file_id.persistent});
r->Assign(1, zeek::val_mgr->Count(${file_id._volatile})); r->Assign(1, ${file_id._volatile});
return r; return r;
} }
zeek::RecordValPtr smb2_file_attrs_to_zeek(SMB2_file_attributes* val) zeek::RecordValPtr smb2_file_attrs_to_zeek(SMB2_file_attributes* val)
{ {
auto r = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::FileAttrs); auto r = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::FileAttrs);
r->Assign(0, zeek::val_mgr->Bool(${val.read_only})); r->Assign(0, bool(${val.read_only}));
r->Assign(1, zeek::val_mgr->Bool(${val.hidden})); r->Assign(1, bool(${val.hidden}));
r->Assign(2, zeek::val_mgr->Bool(${val.system})); r->Assign(2, bool(${val.system}));
r->Assign(3, zeek::val_mgr->Bool(${val.directory})); r->Assign(3, bool(${val.directory}));
r->Assign(4, zeek::val_mgr->Bool(${val.archive})); r->Assign(4, bool(${val.archive}));
r->Assign(5, zeek::val_mgr->Bool(${val.normal})); r->Assign(5, bool(${val.normal}));
r->Assign(6, zeek::val_mgr->Bool(${val.temporary})); r->Assign(6, bool(${val.temporary}));
r->Assign(7, zeek::val_mgr->Bool(${val.sparse_file})); r->Assign(7, bool(${val.sparse_file}));
r->Assign(8, zeek::val_mgr->Bool(${val.reparse_point})); r->Assign(8, bool(${val.reparse_point}));
r->Assign(9, zeek::val_mgr->Bool(${val.compressed})); r->Assign(9, bool(${val.compressed}));
r->Assign(10, zeek::val_mgr->Bool(${val.offline})); r->Assign(10, bool(${val.offline}));
r->Assign(11, zeek::val_mgr->Bool(${val.not_content_indexed})); r->Assign(11, bool(${val.not_content_indexed}));
r->Assign(12, zeek::val_mgr->Bool(${val.encrypted})); r->Assign(12, bool(${val.encrypted}));
r->Assign(13, zeek::val_mgr->Bool(${val.integrity_stream})); r->Assign(13, bool(${val.integrity_stream}));
r->Assign(14, zeek::val_mgr->Bool(${val.no_scrub_data})); r->Assign(14, bool(${val.no_scrub_data}));
return r; return r;
} }
@ -58,15 +58,15 @@ zeek::RecordValPtr BuildSMB2ContextVal(SMB3_negotiate_context_value* ncv)
{ {
auto r = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::NegotiateContextValue); auto r = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::NegotiateContextValue);
r->Assign(0, zeek::val_mgr->Count(${ncv.context_type})); r->Assign(0, ${ncv.context_type});
r->Assign(1, zeek::val_mgr->Count(${ncv.data_length})); r->Assign(1, ${ncv.data_length});
switch ( ${ncv.context_type} ) { switch ( ${ncv.context_type} ) {
case SMB2_PREAUTH_INTEGRITY_CAPABILITIES: case SMB2_PREAUTH_INTEGRITY_CAPABILITIES:
{ {
auto rpreauth = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::PreAuthIntegrityCapabilities); auto rpreauth = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::PreAuthIntegrityCapabilities);
rpreauth->Assign(0, zeek::val_mgr->Count(${ncv.preauth_integrity_capabilities.hash_alg_count})); rpreauth->Assign(0, ${ncv.preauth_integrity_capabilities.hash_alg_count});
rpreauth->Assign(1, zeek::val_mgr->Count(${ncv.preauth_integrity_capabilities.salt_length})); rpreauth->Assign(1, ${ncv.preauth_integrity_capabilities.salt_length});
auto ha = zeek::make_intrusive<zeek::VectorVal>(zeek::id::index_vec); auto ha = zeek::make_intrusive<zeek::VectorVal>(zeek::id::index_vec);
@ -85,7 +85,7 @@ zeek::RecordValPtr BuildSMB2ContextVal(SMB3_negotiate_context_value* ncv)
case SMB2_ENCRYPTION_CAPABILITIES: case SMB2_ENCRYPTION_CAPABILITIES:
{ {
auto rencr = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::EncryptionCapabilities); auto rencr = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::EncryptionCapabilities);
rencr->Assign(0, zeek::val_mgr->Count(${ncv.encryption_capabilities.cipher_count})); rencr->Assign(0, ${ncv.encryption_capabilities.cipher_count});
auto c = zeek::make_intrusive<zeek::VectorVal>(zeek::id::index_vec); auto c = zeek::make_intrusive<zeek::VectorVal>(zeek::id::index_vec);
@ -103,7 +103,7 @@ zeek::RecordValPtr BuildSMB2ContextVal(SMB3_negotiate_context_value* ncv)
case SMB2_COMPRESSION_CAPABILITIES: case SMB2_COMPRESSION_CAPABILITIES:
{ {
auto rcomp = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::CompressionCapabilities); auto rcomp = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::CompressionCapabilities);
rcomp->Assign(0, zeek::val_mgr->Count(${ncv.compression_capabilities.alg_count})); rcomp->Assign(0, ${ncv.compression_capabilities.alg_count});
auto c = zeek::make_intrusive<zeek::VectorVal>(zeek::id::index_vec); auto c = zeek::make_intrusive<zeek::VectorVal>(zeek::id::index_vec);

12
src/analyzer/protocol/snmp/snmp-analyzer.pac
View file

@ -47,7 +47,7 @@ zeek::ValPtr asn1_obj_to_val(const ASN1Encoding* obj)
zeek::RecordValPtr rval = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SNMP::ObjectValue); zeek::RecordValPtr rval = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SNMP::ObjectValue);
uint8 tag = obj->meta()->tag(); uint8 tag = obj->meta()->tag();
rval->Assign(0, zeek::val_mgr->Count(tag)); rval->Assign(0, tag);
switch ( tag ) { switch ( tag ) {
case VARBIND_UNSPECIFIED_TAG: case VARBIND_UNSPECIFIED_TAG:
@ -93,7 +93,7 @@ zeek::ValPtr time_ticks_to_val(const TimeTicks* tt)
zeek::RecordValPtr build_hdr(const Header* header) zeek::RecordValPtr build_hdr(const Header* header)
{ {
auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SNMP::Header); auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SNMP::Header);
rv->Assign(0, zeek::val_mgr->Count(header->version())); rv->Assign(0, uint64_t(header->version()));
switch ( header->version() ) { switch ( header->version() ) {
case SNMPV1_TAG: case SNMPV1_TAG:
@ -132,10 +132,10 @@ zeek::RecordValPtr build_hdrV3(const Header* header)
v3->Assign(0, asn1_integer_to_val(global_data->id(), zeek::TYPE_COUNT)); v3->Assign(0, asn1_integer_to_val(global_data->id(), zeek::TYPE_COUNT));
v3->Assign(1, asn1_integer_to_val(global_data->max_size(), zeek::TYPE_COUNT)); v3->Assign(1, asn1_integer_to_val(global_data->max_size(), zeek::TYPE_COUNT));
v3->Assign(2, zeek::val_mgr->Count(flags_byte)); v3->Assign(2, flags_byte);
v3->Assign(3, zeek::val_mgr->Bool(flags_byte & 0x01)); v3->Assign(3, bool(flags_byte & 0x01));
v3->Assign(4, zeek::val_mgr->Bool(flags_byte & 0x02)); v3->Assign(4, bool(flags_byte & 0x02));
v3->Assign(5, zeek::val_mgr->Bool(flags_byte & 0x04)); v3->Assign(5, bool(flags_byte & 0x04));
v3->Assign(6, asn1_integer_to_val(global_data->security_model(), zeek::TYPE_COUNT)); v3->Assign(6, asn1_integer_to_val(global_data->security_model(), zeek::TYPE_COUNT));
v3->Assign(7, asn1_octet_string_to_val(v3hdr->security_parameters())); v3->Assign(7, asn1_octet_string_to_val(v3hdr->security_parameters()));

2
src/analyzer/protocol/ssh/ssh-analyzer.pac
View file

@ -111,7 +111,7 @@ refine flow SSH_Flow += {
} }
result->Assign(6, zeek::val_mgr->Bool(!${msg.is_orig})); result->Assign(6, bool(!${msg.is_orig}));
zeek::BifEvent::enqueue_ssh_capabilities(connection()->zeek_analyzer(), zeek::BifEvent::enqueue_ssh_capabilities(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(), to_stringval(${msg.cookie}), connection()->zeek_analyzer()->Conn(), to_stringval(${msg.cookie}),

26
src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
View file

@ -161,8 +161,8 @@ refine connection Handshake_Conn += {
for ( unsigned int i = 0; i < supported_signature_algorithms->size(); ++i ) for ( unsigned int i = 0; i < supported_signature_algorithms->size(); ++i )
{ {
auto el = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SSL::SignatureAndHashAlgorithm); auto el = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SSL::SignatureAndHashAlgorithm);
el->Assign(0, zeek::val_mgr->Count((*supported_signature_algorithms)[i]->HashAlgorithm())); el->Assign(0, (*supported_signature_algorithms)[i]->HashAlgorithm());
el->Assign(1, zeek::val_mgr->Count((*supported_signature_algorithms)[i]->SignatureAlgorithm())); el->Assign(1, (*supported_signature_algorithms)[i]->SignatureAlgorithm());
slist->Assign(i, std::move(el)); slist->Assign(i, std::move(el));
} }
} }
@ -345,14 +345,14 @@ refine connection Handshake_Conn += {
if ( ${kex.signed_params.uses_signature_and_hashalgorithm} ) if ( ${kex.signed_params.uses_signature_and_hashalgorithm} )
{ {
ha->Assign(0, zeek::val_mgr->Count(${kex.signed_params.algorithm.HashAlgorithm})); ha->Assign(0, ${kex.signed_params.algorithm.HashAlgorithm});
ha->Assign(1, zeek::val_mgr->Count(${kex.signed_params.algorithm.SignatureAlgorithm})); ha->Assign(1, ${kex.signed_params.algorithm.SignatureAlgorithm});
} }
else else
{ {
// set to impossible value // set to impossible value
ha->Assign(0, zeek::val_mgr->Count(256)); ha->Assign(0, 256);
ha->Assign(1, zeek::val_mgr->Count(256)); ha->Assign(1, 256);
} }
zeek::BifEvent::enqueue_ssl_server_signature(zeek_analyzer(), zeek::BifEvent::enqueue_ssl_server_signature(zeek_analyzer(),
@ -414,8 +414,8 @@ refine connection Handshake_Conn += {
return true; return true;
auto ha = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SSL::SignatureAndHashAlgorithm); auto ha = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SSL::SignatureAndHashAlgorithm);
ha->Assign(0, zeek::val_mgr->Count(digitally_signed_algorithms->HashAlgorithm())); ha->Assign(0, digitally_signed_algorithms->HashAlgorithm());
ha->Assign(1, zeek::val_mgr->Count(digitally_signed_algorithms->SignatureAlgorithm())); ha->Assign(1, digitally_signed_algorithms->SignatureAlgorithm());
zeek::BifEvent::enqueue_ssl_extension_signed_certificate_timestamp(zeek_analyzer(), zeek::BifEvent::enqueue_ssl_extension_signed_certificate_timestamp(zeek_analyzer(),
zeek_analyzer()->Conn(), ${rec.is_orig}, zeek_analyzer()->Conn(), ${rec.is_orig},
@ -445,14 +445,14 @@ refine connection Handshake_Conn += {
if ( ${signed_params.uses_signature_and_hashalgorithm} ) if ( ${signed_params.uses_signature_and_hashalgorithm} )
{ {
ha->Assign(0, zeek::val_mgr->Count(${signed_params.algorithm.HashAlgorithm})); ha->Assign(0, ${signed_params.algorithm.HashAlgorithm});
ha->Assign(1, zeek::val_mgr->Count(${signed_params.algorithm.SignatureAlgorithm})); ha->Assign(1, ${signed_params.algorithm.SignatureAlgorithm});
} }
else else
{ {
// set to impossible value // set to impossible value
ha->Assign(0, zeek::val_mgr->Count(256)); ha->Assign(0, 256);
ha->Assign(1, zeek::val_mgr->Count(256)); ha->Assign(1, 256);
} }
zeek::BifEvent::enqueue_ssl_server_signature(zeek_analyzer(), zeek::BifEvent::enqueue_ssl_server_signature(zeek_analyzer(),
@ -499,7 +499,7 @@ refine connection Handshake_Conn += {
{ {
auto el = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SSL::PSKIdentity); auto el = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SSL::PSKIdentity);
el->Assign(0, zeek::make_intrusive<zeek::StringVal>(identity->identity().length(), (const char*) identity->identity().data())); el->Assign(0, zeek::make_intrusive<zeek::StringVal>(identity->identity().length(), (const char*) identity->identity().data()));
el->Assign(1, zeek::val_mgr->Count(identity->obfuscated_ticket_age())); el->Assign(1, identity->obfuscated_ticket_age());
slist->Assign(slist->Size(), std::move(el)); slist->Assign(slist->Size(), std::move(el));
} }
} }

50
src/analyzer/protocol/tcp/TCP.cc
View file

@ -109,14 +109,14 @@ static RecordVal* build_syn_packet_val(bool is_orig, const IP_Hdr* ip,
static auto SYN_packet = id::find_type<RecordType>("SYN_packet"); static auto SYN_packet = id::find_type<RecordType>("SYN_packet");
auto* v = new RecordVal(SYN_packet); auto* v = new RecordVal(SYN_packet);
v->Assign(0, val_mgr->Bool(is_orig)); v->Assign(0, bool(is_orig));
v->Assign(1, val_mgr->Bool(int(ip->DF()))); v->Assign(1, bool(int(ip->DF())));
v->Assign(2, val_mgr->Count((ip->TTL()))); v->Assign(2, uint32_t(ip->TTL()));
v->Assign(3, val_mgr->Count((ip->TotalLen()))); v->Assign(3, uint32_t((ip->TotalLen())));
v->Assign(4, val_mgr->Count(ntohs(tcp->th_win))); v->Assign(4, uint32_t(ntohs(tcp->th_win)));
v->Assign(5, val_mgr->Int(winscale)); v->Assign(5, int(winscale));
v->Assign(6, val_mgr->Count(MSS)); v->Assign(6, uint32_t(MSS));
v->Assign(7, val_mgr->Bool(SACK)); v->Assign(7, bool(SACK));
return v; return v;
} }
@ -1285,10 +1285,10 @@ void TCP_Analyzer::UpdateConnVal(RecordVal *conn_val)
auto orig_endp_val = conn_val->GetFieldAs<RecordVal>("orig"); auto orig_endp_val = conn_val->GetFieldAs<RecordVal>("orig");
auto resp_endp_val = conn_val->GetFieldAs<RecordVal>("resp"); auto resp_endp_val = conn_val->GetFieldAs<RecordVal>("resp");
orig_endp_val->Assign(0, val_mgr->Count(orig->Size())); orig_endp_val->Assign(0, orig->Size());
orig_endp_val->Assign(1, val_mgr->Count(int(orig->state))); orig_endp_val->Assign(1, int(orig->state));
resp_endp_val->Assign(0, val_mgr->Count(resp->Size())); resp_endp_val->Assign(0, resp->Size());
resp_endp_val->Assign(1, val_mgr->Count(int(resp->state))); resp_endp_val->Assign(1, int(resp->state));
// Call children's UpdateConnVal // Call children's UpdateConnVal
Analyzer::UpdateConnVal(conn_val); Analyzer::UpdateConnVal(conn_val);
@ -1369,8 +1369,8 @@ int TCP_Analyzer::ParseTCPOptions(const struct tcphdr* tcp, bool is_orig)
auto length = kind < 2 ? 1 : o[1]; auto length = kind < 2 ? 1 : o[1];
auto option_record = make_intrusive<RecordVal>(BifType::Record::TCP::Option); auto option_record = make_intrusive<RecordVal>(BifType::Record::TCP::Option);
option_list->Assign(option_list->Size(), option_record); option_list->Assign(option_list->Size(), option_record);
option_record->Assign(0, val_mgr->Count(kind)); option_record->Assign(0, uint32_t(kind));
option_record->Assign(1, val_mgr->Count(length)); option_record->Assign(1, uint32_t(length));
switch ( kind ) { switch ( kind ) {
case 2: case 2:
@ -1378,7 +1378,7 @@ int TCP_Analyzer::ParseTCPOptions(const struct tcphdr* tcp, bool is_orig)
if ( length == 4 ) if ( length == 4 )
{ {
auto mss = ntohs(*reinterpret_cast<const uint16_t*>(o + 2)); auto mss = ntohs(*reinterpret_cast<const uint16_t*>(o + 2));
option_record->Assign(3, val_mgr->Count(mss)); option_record->Assign(3, uint32_t(mss));
} }
else else
{ {
@ -1392,7 +1392,7 @@ int TCP_Analyzer::ParseTCPOptions(const struct tcphdr* tcp, bool is_orig)
if ( length == 3 ) if ( length == 3 )
{ {
auto scale = o[2]; auto scale = o[2];
option_record->Assign(4, val_mgr->Count(scale)); option_record->Assign(4, uint32_t(scale));
} }
else else
{ {
@ -1438,8 +1438,8 @@ int TCP_Analyzer::ParseTCPOptions(const struct tcphdr* tcp, bool is_orig)
{ {
auto send = ntohl(*reinterpret_cast<const uint32_t*>(o + 2)); auto send = ntohl(*reinterpret_cast<const uint32_t*>(o + 2));
auto echo = ntohl(*reinterpret_cast<const uint32_t*>(o + 6)); auto echo = ntohl(*reinterpret_cast<const uint32_t*>(o + 6));
option_record->Assign(6, val_mgr->Count(send)); option_record->Assign(6, uint32_t(send));
option_record->Assign(7, val_mgr->Count(echo)); option_record->Assign(7, uint32_t(echo));
} }
else else
{ {
@ -2076,13 +2076,13 @@ RecordVal* TCPStats_Endpoint::BuildStats()
static auto endpoint_stats = id::find_type<RecordType>("endpoint_stats"); static auto endpoint_stats = id::find_type<RecordType>("endpoint_stats");
auto* stats = new RecordVal(endpoint_stats); auto* stats = new RecordVal(endpoint_stats);
stats->Assign(0, val_mgr->Count(num_pkts)); stats->Assign(0, num_pkts);
stats->Assign(1, val_mgr->Count(num_rxmit)); stats->Assign(1, num_rxmit);
stats->Assign(2, val_mgr->Count(num_rxmit_bytes)); stats->Assign(2, num_rxmit_bytes);
stats->Assign(3, val_mgr->Count(num_in_order)); stats->Assign(3, num_in_order);
stats->Assign(4, val_mgr->Count(num_OO)); stats->Assign(4, num_OO);
stats->Assign(5, val_mgr->Count(num_repl)); stats->Assign(5, num_repl);
stats->Assign(6, val_mgr->Count(endian_type)); stats->Assign(6, endian_type);
return stats; return stats;
} }

10
src/analyzer/protocol/teredo/Teredo.cc
View file

@ -109,12 +109,10 @@ RecordValPtr TeredoEncapsulation::BuildVal(const IP_Hdr* inner) const
uint8_t au_len = *((uint8_t*)(auth + 3)); uint8_t au_len = *((uint8_t*)(auth + 3));
uint64_t nonce = ntohll(*((uint64_t*)(auth + 4 + id_len + au_len))); uint64_t nonce = ntohll(*((uint64_t*)(auth + 4 + id_len + au_len)));
uint8_t conf = *((uint8_t*)(auth + 4 + id_len + au_len + 8)); uint8_t conf = *((uint8_t*)(auth + 4 + id_len + au_len + 8));
teredo_auth->Assign(0, make_intrusive<StringVal>( teredo_auth->Assign(0, new String(auth + 4, id_len, true));
new String(auth + 4, id_len, true))); teredo_auth->Assign(1, new String(auth + 4 + id_len, au_len, true));
teredo_auth->Assign(1, make_intrusive<StringVal>( teredo_auth->Assign(2, nonce);
new String(auth + 4 + id_len, au_len, true))); teredo_auth->Assign(3, conf);
teredo_auth->Assign(2, val_mgr->Count(nonce));
teredo_auth->Assign(3, val_mgr->Count(conf));
teredo_hdr->Assign(0, std::move(teredo_auth)); teredo_hdr->Assign(0, std::move(teredo_auth));
} }

8
src/analyzer/protocol/udp/UDP.cc
View file

@ -235,14 +235,14 @@ void UDP_Analyzer::UpdateEndpointVal(RecordVal* endp, bool is_orig)
bro_int_t size = is_orig ? request_len : reply_len; bro_int_t size = is_orig ? request_len : reply_len;
if ( size < 0 ) if ( size < 0 )
{ {
endp->Assign(0, val_mgr->Count(0)); endp->Assign(0, 0);
endp->Assign(1, val_mgr->Count(int(UDP_INACTIVE))); endp->Assign(1, int(UDP_INACTIVE));
} }
else else
{ {
endp->Assign(0, val_mgr->Count(size)); endp->Assign(0, uint64_t(size));
endp->Assign(1, val_mgr->Count(int(UDP_ACTIVE))); endp->Assign(1, int(UDP_ACTIVE));
} }
} }

8
src/broker/Manager.cc
View file

@ -784,7 +784,7 @@ RecordVal* Manager::MakeEvent(ValPList* args, zeek::detail::Frame* frame)
return rval; return rval;
} }
rval->Assign(0, make_intrusive<StringVal>(func->Name())); rval->Assign(0, func->Name());
continue; continue;
} }
@ -1453,20 +1453,20 @@ void Manager::ProcessStatus(broker::status_view stat)
if ( ctx ) if ( ctx )
{ {
endpoint_info->Assign(0, make_intrusive<StringVal>(to_string(ctx->node))); endpoint_info->Assign(0, to_string(ctx->node));
static auto ni = id::find_type<RecordType>("Broker::NetworkInfo"); static auto ni = id::find_type<RecordType>("Broker::NetworkInfo");
auto network_info = make_intrusive<RecordVal>(ni); auto network_info = make_intrusive<RecordVal>(ni);
if ( ctx->network ) if ( ctx->network )
{ {
network_info->Assign(0, make_intrusive<StringVal>(ctx->network->address.data())); network_info->Assign(0, ctx->network->address.data());
network_info->Assign(1, val_mgr->Port(ctx->network->port, TRANSPORT_TCP)); network_info->Assign(1, val_mgr->Port(ctx->network->port, TRANSPORT_TCP));
} }
else else
{ {
// TODO: are there any status messages where the ctx->network // TODO: are there any status messages where the ctx->network
// is not set and actually could be? // is not set and actually could be?
network_info->Assign(0, make_intrusive<StringVal>("<unknown>")); network_info->Assign(0, "<unknown>");
network_info->Assign(1, val_mgr->Port(0, TRANSPORT_TCP)); network_info->Assign(1, val_mgr->Port(0, TRANSPORT_TCP));
} }

2
src/broker/comm.bif
View file

@ -126,7 +126,7 @@ function Broker::__peers%(%): PeerInfos
network_info->Assign(1, zeek::val_mgr->Port(0, TRANSPORT_TCP)); network_info->Assign(1, zeek::val_mgr->Port(0, TRANSPORT_TCP));
} }
endpoint_info->Assign(0, zeek::make_intrusive<zeek::StringVal>(to_string(p.peer.node))); endpoint_info->Assign(0, to_string(p.peer.node));
endpoint_info->Assign(1, std::move(network_info)); endpoint_info->Assign(1, std::move(network_info));
auto ps = (BifEnum::Broker::PeerStatus)p.status; auto ps = (BifEnum::Broker::PeerStatus)p.status;

24
src/file_analysis/File.cc
View file

@ -92,12 +92,12 @@ File::File(const std::string& file_id, const std::string& source_name, Connectio
DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Creating new File object", file_id.c_str()); DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Creating new File object", file_id.c_str());
val = make_intrusive<RecordVal>(id::fa_file); val = make_intrusive<RecordVal>(id::fa_file);
val->Assign(id_idx, make_intrusive<StringVal>(file_id.c_str())); val->Assign(id_idx, file_id);
SetSource(source_name); SetSource(source_name);
if ( conn ) if ( conn )
{ {
val->Assign(is_orig_idx, val_mgr->Bool(is_orig)); val->Assign(is_orig_idx, is_orig);
UpdateConnectionFields(conn, is_orig); UpdateConnectionFields(conn, is_orig);
} }
@ -115,7 +115,7 @@ File::~File()
void File::UpdateLastActivityTime() void File::UpdateLastActivityTime()
{ {
val->Assign(last_active_idx, make_intrusive<TimeVal>(run_state::network_time)); val->AssignTime(last_active_idx, run_state::network_time);
} }
double File::GetLastActivityTime() const double File::GetLastActivityTime() const
@ -190,7 +190,7 @@ std::string File::GetSource() const
void File::SetSource(const std::string& source) void File::SetSource(const std::string& source)
{ {
val->Assign(source_idx, make_intrusive<StringVal>(source.c_str())); val->Assign(source_idx, source);
} }
double File::GetTimeoutInterval() const double File::GetTimeoutInterval() const
@ -200,7 +200,7 @@ double File::GetTimeoutInterval() const
void File::SetTimeoutInterval(double interval) void File::SetTimeoutInterval(double interval)
{ {
val->Assign(timeout_interval_idx, make_intrusive<IntervalVal>(interval)); val->AssignInterval(timeout_interval_idx, interval);
} }
bool File::SetExtractionLimit(RecordValPtr args, uint64_t bytes) bool File::SetExtractionLimit(RecordValPtr args, uint64_t bytes)
@ -223,13 +223,13 @@ bool File::SetExtractionLimit(RecordValPtr args, uint64_t bytes)
void File::IncrementByteCount(uint64_t size, int field_idx) void File::IncrementByteCount(uint64_t size, int field_idx)
{ {
uint64_t old = LookupFieldDefaultCount(field_idx); uint64_t old = LookupFieldDefaultCount(field_idx);
val->Assign(field_idx, val_mgr->Count(old + size)); val->Assign(field_idx, old + size);
} }
void File::SetTotalBytes(uint64_t size) void File::SetTotalBytes(uint64_t size)
{ {
DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Total bytes %" PRIu64, id.c_str(), size); DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Total bytes %" PRIu64, id.c_str(), size);
val->Assign(total_bytes_idx, val_mgr->Count(size)); val->Assign(total_bytes_idx, size);
} }
bool File::IsComplete() const bool File::IsComplete() const
@ -298,8 +298,8 @@ bool File::SetMime(const std::string& mime_type)
return false; return false;
auto meta = make_intrusive<RecordVal>(id::fa_metadata); auto meta = make_intrusive<RecordVal>(id::fa_metadata);
meta->Assign(meta_mime_type_idx, make_intrusive<StringVal>(mime_type)); meta->Assign(meta_mime_type_idx, mime_type);
meta->Assign(meta_inferred_idx, val_mgr->False()); meta->Assign(meta_inferred_idx, false);
FileEvent(file_sniff, {val, std::move(meta)}); FileEvent(file_sniff, {val, std::move(meta)});
return true; return true;
@ -317,7 +317,7 @@ void File::InferMetadata()
return; return;
String* bs = concatenate(bof_buffer.chunks); String* bs = concatenate(bof_buffer.chunks);
val->Assign<StringVal>(bof_buffer_idx, bs); val->Assign(bof_buffer_idx, bs);
bof_buffer_val = val->GetField(bof_buffer_idx).get(); bof_buffer_val = val->GetField(bof_buffer_idx).get();
} }
@ -334,7 +334,7 @@ void File::InferMetadata()
if ( ! matches.empty() ) if ( ! matches.empty() )
{ {
meta->Assign<StringVal>(meta_mime_type_idx, meta->Assign(meta_mime_type_idx,
*(matches.begin()->second.begin())); *(matches.begin()->second.begin()));
meta->Assign(meta_mime_types_idx, meta->Assign(meta_mime_types_idx,
file_analysis::GenMIMEMatchesVal(matches)); file_analysis::GenMIMEMatchesVal(matches));
@ -361,7 +361,7 @@ bool File::BufferBOF(const u_char* data, uint64_t len)
if ( bof_buffer.size > 0 ) if ( bof_buffer.size > 0 )
{ {
String* bs = concatenate(bof_buffer.chunks); String* bs = concatenate(bof_buffer.chunks);
val->Assign(bof_buffer_idx, make_intrusive<StringVal>(bs)); val->Assign(bof_buffer_idx, bs);
} }
return false; return false;

4
src/file_analysis/Manager.cc
View file

@ -524,8 +524,8 @@ VectorValPtr GenMIMEMatchesVal(const zeek::detail::RuleMatcher::MIME_Matches& m)
for ( set<string>::const_iterator it2 = it->second.begin(); for ( set<string>::const_iterator it2 = it->second.begin();
it2 != it->second.end(); ++it2 ) it2 != it->second.end(); ++it2 )
{ {
element->Assign(0, val_mgr->Int(it->first)); element->Assign(0, it->first);
element->Assign(1, make_intrusive<StringVal>(*it2)); element->Assign(1, *it2);
} }
rval->Assign(rval->Size(), std::move(element)); rval->Assign(rval->Size(), std::move(element));

10
src/file_analysis/analyzer/entropy/Entropy.cc
View file

@ -63,11 +63,11 @@ void Entropy::Finalize()
static auto entropy_test_result = id::find_type<RecordType>("entropy_test_result"); static auto entropy_test_result = id::find_type<RecordType>("entropy_test_result");
auto ent_result = make_intrusive<RecordVal>(entropy_test_result); auto ent_result = make_intrusive<RecordVal>(entropy_test_result);
ent_result->Assign<DoubleVal>(0, ent); ent_result->Assign(0, ent);
ent_result->Assign<DoubleVal>(1, chisq); ent_result->Assign(1, chisq);
ent_result->Assign<DoubleVal>(2, mean); ent_result->Assign(2, mean);
ent_result->Assign<DoubleVal>(3, montepi); ent_result->Assign(3, montepi);
ent_result->Assign<DoubleVal>(4, scc); ent_result->Assign(4, scc);
event_mgr.Enqueue(file_entropy, event_mgr.Enqueue(file_entropy,
GetFile()->ToVal(), GetFile()->ToVal(),

102
src/file_analysis/analyzer/pe/pe-analyzer.pac
View file

@ -49,22 +49,22 @@ refine flow File += {
{ {
auto dh = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::PE::DOSHeader); auto dh = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::PE::DOSHeader);
dh->Assign(0, zeek::make_intrusive<zeek::StringVal>(${h.signature}.length(), (const char*) ${h.signature}.data())); dh->Assign(0, zeek::make_intrusive<zeek::StringVal>(${h.signature}.length(), (const char*) ${h.signature}.data()));
dh->Assign(1, zeek::val_mgr->Count(${h.UsedBytesInTheLastPage})); dh->Assign(1, ${h.UsedBytesInTheLastPage});
dh->Assign(2, zeek::val_mgr->Count(${h.FileSizeInPages})); dh->Assign(2, ${h.FileSizeInPages});
dh->Assign(3, zeek::val_mgr->Count(${h.NumberOfRelocationItems})); dh->Assign(3, ${h.NumberOfRelocationItems});
dh->Assign(4, zeek::val_mgr->Count(${h.HeaderSizeInParagraphs})); dh->Assign(4, ${h.HeaderSizeInParagraphs});
dh->Assign(5, zeek::val_mgr->Count(${h.MinimumExtraParagraphs})); dh->Assign(5, ${h.MinimumExtraParagraphs});
dh->Assign(6, zeek::val_mgr->Count(${h.MaximumExtraParagraphs})); dh->Assign(6, ${h.MaximumExtraParagraphs});
dh->Assign(7, zeek::val_mgr->Count(${h.InitialRelativeSS})); dh->Assign(7, ${h.InitialRelativeSS});
dh->Assign(8, zeek::val_mgr->Count(${h.InitialSP})); dh->Assign(8, ${h.InitialSP});
dh->Assign(9, zeek::val_mgr->Count(${h.Checksum})); dh->Assign(9, ${h.Checksum});
dh->Assign(10, zeek::val_mgr->Count(${h.InitialIP})); dh->Assign(10, ${h.InitialIP});
dh->Assign(11, zeek::val_mgr->Count(${h.InitialRelativeCS})); dh->Assign(11, ${h.InitialRelativeCS});
dh->Assign(12, zeek::val_mgr->Count(${h.AddressOfRelocationTable})); dh->Assign(12, ${h.AddressOfRelocationTable});
dh->Assign(13, zeek::val_mgr->Count(${h.OverlayNumber})); dh->Assign(13, ${h.OverlayNumber});
dh->Assign(14, zeek::val_mgr->Count(${h.OEMid})); dh->Assign(14, ${h.OEMid});
dh->Assign(15, zeek::val_mgr->Count(${h.OEMinfo})); dh->Assign(15, ${h.OEMinfo});
dh->Assign(16, zeek::val_mgr->Count(${h.AddressOfNewExeHeader})); dh->Assign(16, ${h.AddressOfNewExeHeader});
zeek::event_mgr.Enqueue(pe_dos_header, zeek::event_mgr.Enqueue(pe_dos_header,
connection()->zeek_analyzer()->GetFile()->ToVal(), connection()->zeek_analyzer()->GetFile()->ToVal(),
@ -98,11 +98,11 @@ refine flow File += {
if ( pe_file_header ) if ( pe_file_header )
{ {
auto fh = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::PE::FileHeader); auto fh = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::PE::FileHeader);
fh->Assign(0, zeek::val_mgr->Count(${h.Machine})); fh->Assign(0, ${h.Machine});
fh->Assign(1, zeek::make_intrusive<zeek::TimeVal>(static_cast<double>(${h.TimeDateStamp}))); fh->AssignTime(1, double(${h.TimeDateStamp}));
fh->Assign(2, zeek::val_mgr->Count(${h.PointerToSymbolTable})); fh->Assign(2, ${h.PointerToSymbolTable});
fh->Assign(3, zeek::val_mgr->Count(${h.NumberOfSymbols})); fh->Assign(3, ${h.NumberOfSymbols});
fh->Assign(4, zeek::val_mgr->Count(${h.SizeOfOptionalHeader})); fh->Assign(4, ${h.SizeOfOptionalHeader});
fh->Assign(5, characteristics_to_zeek(${h.Characteristics}, 16)); fh->Assign(5, characteristics_to_zeek(${h.Characteristics}, 16));
zeek::event_mgr.Enqueue(pe_file_header, zeek::event_mgr.Enqueue(pe_file_header,
@ -127,31 +127,31 @@ refine flow File += {
{ {
auto oh = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::PE::OptionalHeader); auto oh = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::PE::OptionalHeader);
oh->Assign(0, zeek::val_mgr->Count(${h.magic})); oh->Assign(0, ${h.magic});
oh->Assign(1, zeek::val_mgr->Count(${h.major_linker_version})); oh->Assign(1, ${h.major_linker_version});
oh->Assign(2, zeek::val_mgr->Count(${h.minor_linker_version})); oh->Assign(2, ${h.minor_linker_version});
oh->Assign(3, zeek::val_mgr->Count(${h.size_of_code})); oh->Assign(3, ${h.size_of_code});
oh->Assign(4, zeek::val_mgr->Count(${h.size_of_init_data})); oh->Assign(4, ${h.size_of_init_data});
oh->Assign(5, zeek::val_mgr->Count(${h.size_of_uninit_data})); oh->Assign(5, ${h.size_of_uninit_data});
oh->Assign(6, zeek::val_mgr->Count(${h.addr_of_entry_point})); oh->Assign(6, ${h.addr_of_entry_point});
oh->Assign(7, zeek::val_mgr->Count(${h.base_of_code})); oh->Assign(7, ${h.base_of_code});
if ( ${h.pe_format} != PE32_PLUS ) if ( ${h.pe_format} != PE32_PLUS )
oh->Assign(8, zeek::val_mgr->Count(${h.base_of_data})); oh->Assign(8, ${h.base_of_data});
oh->Assign(9, zeek::val_mgr->Count(${h.image_base})); oh->Assign(9, ${h.image_base});
oh->Assign(10, zeek::val_mgr->Count(${h.section_alignment})); oh->Assign(10, ${h.section_alignment});
oh->Assign(11, zeek::val_mgr->Count(${h.file_alignment})); oh->Assign(11, ${h.file_alignment});
oh->Assign(12, zeek::val_mgr->Count(${h.os_version_major})); oh->Assign(12, ${h.os_version_major});
oh->Assign(13, zeek::val_mgr->Count(${h.os_version_minor})); oh->Assign(13, ${h.os_version_minor});
oh->Assign(14, zeek::val_mgr->Count(${h.major_image_version})); oh->Assign(14, ${h.major_image_version});
oh->Assign(15, zeek::val_mgr->Count(${h.minor_image_version})); oh->Assign(15, ${h.minor_image_version});
oh->Assign(16, zeek::val_mgr->Count(${h.major_subsys_version})); oh->Assign(16, ${h.major_subsys_version});
oh->Assign(17, zeek::val_mgr->Count(${h.minor_subsys_version})); oh->Assign(17, ${h.minor_subsys_version});
oh->Assign(18, zeek::val_mgr->Count(${h.size_of_image})); oh->Assign(18, ${h.size_of_image});
oh->Assign(19, zeek::val_mgr->Count(${h.size_of_headers})); oh->Assign(19, ${h.size_of_headers});
oh->Assign(20, zeek::val_mgr->Count(${h.checksum})); oh->Assign(20, ${h.checksum});
oh->Assign(21, zeek::val_mgr->Count(${h.subsystem})); oh->Assign(21, ${h.subsystem});
oh->Assign(22, characteristics_to_zeek(${h.dll_characteristics}, 16)); oh->Assign(22, characteristics_to_zeek(${h.dll_characteristics}, 16));
oh->Assign(23, process_rvas(${h.rvas})); oh->Assign(23, process_rvas(${h.rvas}));
@ -178,14 +178,14 @@ refine flow File += {
name_len = first_null - ${h.name}.data(); name_len = first_null - ${h.name}.data();
section_header->Assign(0, zeek::make_intrusive<zeek::StringVal>(name_len, (const char*) ${h.name}.data())); section_header->Assign(0, zeek::make_intrusive<zeek::StringVal>(name_len, (const char*) ${h.name}.data()));
section_header->Assign(1, zeek::val_mgr->Count(${h.virtual_size})); section_header->Assign(1, ${h.virtual_size});
section_header->Assign(2, zeek::val_mgr->Count(${h.virtual_addr})); section_header->Assign(2, ${h.virtual_addr});
section_header->Assign(3, zeek::val_mgr->Count(${h.size_of_raw_data})); section_header->Assign(3, ${h.size_of_raw_data});
section_header->Assign(4, zeek::val_mgr->Count(${h.ptr_to_raw_data})); section_header->Assign(4, ${h.ptr_to_raw_data});
section_header->Assign(5, zeek::val_mgr->Count(${h.non_used_ptr_to_relocs})); section_header->Assign(5, ${h.non_used_ptr_to_relocs});
section_header->Assign(6, zeek::val_mgr->Count(${h.non_used_ptr_to_line_nums})); section_header->Assign(6, ${h.non_used_ptr_to_line_nums});
section_header->Assign(7, zeek::val_mgr->Count(${h.non_used_num_of_relocs})); section_header->Assign(7, ${h.non_used_num_of_relocs});
section_header->Assign(8, zeek::val_mgr->Count(${h.non_used_num_of_line_nums})); section_header->Assign(8, ${h.non_used_num_of_line_nums});
section_header->Assign(9, characteristics_to_zeek(${h.characteristics}, 32)); section_header->Assign(9, characteristics_to_zeek(${h.characteristics}, 32));
zeek::event_mgr.Enqueue(pe_section_header, zeek::event_mgr.Enqueue(pe_section_header,

54
src/file_analysis/analyzer/unified2/unified2-analyzer.pac
View file

@ -73,19 +73,19 @@ refine flow Flow += {
if ( ::unified2_event ) if ( ::unified2_event )
{ {
auto ids_event = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::Unified2::IDSEvent); auto ids_event = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::Unified2::IDSEvent);
ids_event->Assign(0, zeek::val_mgr->Count(${ev.sensor_id})); ids_event->Assign(0, ${ev.sensor_id});
ids_event->Assign(1, zeek::val_mgr->Count(${ev.event_id})); ids_event->Assign(1, ${ev.event_id});
ids_event->Assign(2, zeek::make_intrusive<zeek::TimeVal>(ts_to_double(${ev.ts}))); ids_event->AssignTime(2, ts_to_double(${ev.ts}));
ids_event->Assign(3, zeek::val_mgr->Count(${ev.signature_id})); ids_event->Assign(3, ${ev.signature_id});
ids_event->Assign(4, zeek::val_mgr->Count(${ev.generator_id})); ids_event->Assign(4, ${ev.generator_id});
ids_event->Assign(5, zeek::val_mgr->Count(${ev.signature_revision})); ids_event->Assign(5, ${ev.signature_revision});
ids_event->Assign(6, zeek::val_mgr->Count(${ev.classification_id})); ids_event->Assign(6, ${ev.classification_id});
ids_event->Assign(7, zeek::val_mgr->Count(${ev.priority_id})); ids_event->Assign(7, ${ev.priority_id});
ids_event->Assign(8, unified2_addr_to_zeek_addr(${ev.src_ip})); ids_event->Assign(8, unified2_addr_to_zeek_addr(${ev.src_ip}));
ids_event->Assign(9, unified2_addr_to_zeek_addr(${ev.dst_ip})); ids_event->Assign(9, unified2_addr_to_zeek_addr(${ev.dst_ip}));
ids_event->Assign(10, to_port(${ev.src_p}, ${ev.protocol})); ids_event->Assign(10, to_port(${ev.src_p}, ${ev.protocol}));
ids_event->Assign(11, to_port(${ev.dst_p}, ${ev.protocol})); ids_event->Assign(11, to_port(${ev.dst_p}, ${ev.protocol}));
ids_event->Assign(17, zeek::val_mgr->Count(${ev.packet_action})); ids_event->Assign(17, ${ev.packet_action});
zeek::event_mgr.Enqueue(::unified2_event, zeek::event_mgr.Enqueue(::unified2_event,
connection()->zeek_analyzer()->GetFile()->ToVal(), connection()->zeek_analyzer()->GetFile()->ToVal(),
@ -99,23 +99,23 @@ refine flow Flow += {
if ( ::unified2_event ) if ( ::unified2_event )
{ {
auto ids_event = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::Unified2::IDSEvent); auto ids_event = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::Unified2::IDSEvent);
ids_event->Assign(0, zeek::val_mgr->Count(${ev.sensor_id})); ids_event->Assign(0, ${ev.sensor_id});
ids_event->Assign(1, zeek::val_mgr->Count(${ev.event_id})); ids_event->Assign(1, ${ev.event_id});
ids_event->Assign(2, zeek::make_intrusive<zeek::TimeVal>(ts_to_double(${ev.ts}))); ids_event->AssignTime(2, ts_to_double(${ev.ts}));
ids_event->Assign(3, zeek::val_mgr->Count(${ev.signature_id})); ids_event->Assign(3, ${ev.signature_id});
ids_event->Assign(4, zeek::val_mgr->Count(${ev.generator_id})); ids_event->Assign(4, ${ev.generator_id});
ids_event->Assign(5, zeek::val_mgr->Count(${ev.signature_revision})); ids_event->Assign(5, ${ev.signature_revision});
ids_event->Assign(6, zeek::val_mgr->Count(${ev.classification_id})); ids_event->Assign(6, ${ev.classification_id});
ids_event->Assign(7, zeek::val_mgr->Count(${ev.priority_id})); ids_event->Assign(7, ${ev.priority_id});
ids_event->Assign(8, unified2_addr_to_zeek_addr(${ev.src_ip})); ids_event->Assign(8, unified2_addr_to_zeek_addr(${ev.src_ip}));
ids_event->Assign(9, unified2_addr_to_zeek_addr(${ev.dst_ip})); ids_event->Assign(9, unified2_addr_to_zeek_addr(${ev.dst_ip}));
ids_event->Assign(10, to_port(${ev.src_p}, ${ev.protocol})); ids_event->Assign(10, to_port(${ev.src_p}, ${ev.protocol}));
ids_event->Assign(11, to_port(${ev.dst_p}, ${ev.protocol})); ids_event->Assign(11, to_port(${ev.dst_p}, ${ev.protocol}));
ids_event->Assign(12, zeek::val_mgr->Count(${ev.impact_flag})); ids_event->Assign(12, ${ev.impact_flag});
ids_event->Assign(13, zeek::val_mgr->Count(${ev.impact})); ids_event->Assign(13, ${ev.impact});
ids_event->Assign(14, zeek::val_mgr->Count(${ev.blocked})); ids_event->Assign(14, ${ev.blocked});
ids_event->Assign(15, zeek::val_mgr->Count(${ev.mpls_label})); ids_event->Assign(15, ${ev.mpls_label});
ids_event->Assign(16, zeek::val_mgr->Count(${ev.vlan_id})); ids_event->Assign(16, ${ev.vlan_id});
zeek::event_mgr.Enqueue(::unified2_event, zeek::event_mgr.Enqueue(::unified2_event,
connection()->zeek_analyzer()->GetFile()->ToVal(), connection()->zeek_analyzer()->GetFile()->ToVal(),
@ -130,11 +130,11 @@ refine flow Flow += {
if ( ::unified2_packet ) if ( ::unified2_packet )
{ {
auto packet = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::Unified2::Packet); auto packet = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::Unified2::Packet);
packet->Assign(0, zeek::val_mgr->Count(${pkt.sensor_id})); packet->Assign(0, ${pkt.sensor_id});
packet->Assign(1, zeek::val_mgr->Count(${pkt.event_id})); packet->Assign(1, ${pkt.event_id});
packet->Assign(2, zeek::val_mgr->Count(${pkt.event_second})); packet->Assign(2, ${pkt.event_second});
packet->Assign(3, zeek::make_intrusive<zeek::TimeVal>(ts_to_double(${pkt.packet_ts}))); packet->AssignTime(3, ts_to_double(${pkt.packet_ts}));
packet->Assign(4, zeek::val_mgr->Count(${pkt.link_type})); packet->Assign(4, ${pkt.link_type});
packet->Assign(5, to_stringval(${pkt.packet_data})); packet->Assign(5, to_stringval(${pkt.packet_data}));
zeek::event_mgr.Enqueue(::unified2_packet, zeek::event_mgr.Enqueue(::unified2_packet,

26
src/file_analysis/analyzer/x509/X509.cc
View file

@ -124,7 +124,7 @@ RecordValPtr X509::ParseCertificate(X509Val* cert_val,
auto pX509Cert = make_intrusive<RecordVal>(BifType::Record::X509::Certificate); auto pX509Cert = make_intrusive<RecordVal>(BifType::Record::X509::Certificate);
BIO *bio = BIO_new(BIO_s_mem()); BIO *bio = BIO_new(BIO_s_mem());
pX509Cert->Assign(0, val_mgr->Count((uint64_t) X509_get_version(ssl_cert) + 1)); pX509Cert->Assign(0, uint64_t(X509_get_version(ssl_cert) + 1));
i2a_ASN1_INTEGER(bio, X509_get_serialNumber(ssl_cert)); i2a_ASN1_INTEGER(bio, X509_get_serialNumber(ssl_cert));
int len = BIO_read(bio, buf, sizeof(buf)); int len = BIO_read(bio, buf, sizeof(buf));
pX509Cert->Assign(1, make_intrusive<StringVal>(len, buf)); pX509Cert->Assign(1, make_intrusive<StringVal>(len, buf));
@ -161,8 +161,8 @@ RecordValPtr X509::ParseCertificate(X509Val* cert_val,
pX509Cert->Assign(3, make_intrusive<StringVal>(len, buf)); pX509Cert->Assign(3, make_intrusive<StringVal>(len, buf));
BIO_free(bio); BIO_free(bio);
pX509Cert->Assign(5, make_intrusive<TimeVal>(GetTimeFromAsn1(X509_get_notBefore(ssl_cert), f, reporter))); pX509Cert->AssignTime(5, GetTimeFromAsn1(X509_get_notBefore(ssl_cert), f, reporter));
pX509Cert->Assign(6, make_intrusive<TimeVal>(GetTimeFromAsn1(X509_get_notAfter(ssl_cert), f, reporter))); pX509Cert->AssignTime(6, GetTimeFromAsn1(X509_get_notAfter(ssl_cert), f, reporter));
// we only read 255 bytes because byte 256 is always 0. // we only read 255 bytes because byte 256 is always 0.
// if the string is longer than 255, that will be our null-termination, // if the string is longer than 255, that will be our null-termination,
@ -172,7 +172,7 @@ RecordValPtr X509::ParseCertificate(X509Val* cert_val,
if ( ! i2t_ASN1_OBJECT(buf, 255, algorithm) ) if ( ! i2t_ASN1_OBJECT(buf, 255, algorithm) )
buf[0] = 0; buf[0] = 0;
pX509Cert->Assign(7, make_intrusive<StringVal>(buf)); pX509Cert->Assign(7, buf);
// Special case for RDP server certificates. For some reason some (all?) RDP server // Special case for RDP server certificates. For some reason some (all?) RDP server
// certificates like to specify their key algorithm as md5WithRSAEncryption, which // certificates like to specify their key algorithm as md5WithRSAEncryption, which
@ -194,25 +194,25 @@ RecordValPtr X509::ParseCertificate(X509Val* cert_val,
if ( ! i2t_ASN1_OBJECT(buf, 255, OBJ_nid2obj(X509_get_signature_nid(ssl_cert))) ) if ( ! i2t_ASN1_OBJECT(buf, 255, OBJ_nid2obj(X509_get_signature_nid(ssl_cert))) )
buf[0] = 0; buf[0] = 0;
pX509Cert->Assign(8, make_intrusive<StringVal>(buf)); pX509Cert->Assign(8, buf);
// Things we can do when we have the key... // Things we can do when we have the key...
EVP_PKEY *pkey = X509_extract_key(ssl_cert); EVP_PKEY *pkey = X509_extract_key(ssl_cert);
if ( pkey != NULL ) if ( pkey != NULL )
{ {
if ( EVP_PKEY_base_id(pkey) == EVP_PKEY_DSA ) if ( EVP_PKEY_base_id(pkey) == EVP_PKEY_DSA )
pX509Cert->Assign(9, make_intrusive<StringVal>("dsa")); pX509Cert->Assign(9, "dsa");
else if ( EVP_PKEY_base_id(pkey) == EVP_PKEY_RSA ) else if ( EVP_PKEY_base_id(pkey) == EVP_PKEY_RSA )
{ {
pX509Cert->Assign(9, make_intrusive<StringVal>("rsa")); pX509Cert->Assign(9, "rsa");
const BIGNUM *e; const BIGNUM *e;
RSA_get0_key(EVP_PKEY_get0_RSA(pkey), NULL, &e, NULL); RSA_get0_key(EVP_PKEY_get0_RSA(pkey), NULL, &e, NULL);
char *exponent = BN_bn2dec(e); char *exponent = BN_bn2dec(e);
if ( exponent != NULL ) if ( exponent != NULL )
{ {
pX509Cert->Assign(11, make_intrusive<StringVal>(exponent)); pX509Cert->Assign(11, exponent);
OPENSSL_free(exponent); OPENSSL_free(exponent);
exponent = NULL; exponent = NULL;
} }
@ -220,7 +220,7 @@ RecordValPtr X509::ParseCertificate(X509Val* cert_val,
#ifndef OPENSSL_NO_EC #ifndef OPENSSL_NO_EC
else if ( EVP_PKEY_base_id(pkey) == EVP_PKEY_EC ) else if ( EVP_PKEY_base_id(pkey) == EVP_PKEY_EC )
{ {
pX509Cert->Assign(9, make_intrusive<StringVal>("ecdsa")); pX509Cert->Assign(9, "ecdsa");
pX509Cert->Assign(12, KeyCurve(pkey)); pX509Cert->Assign(12, KeyCurve(pkey));
} }
#endif #endif
@ -232,7 +232,7 @@ RecordValPtr X509::ParseCertificate(X509Val* cert_val,
unsigned int length = KeyLength(pkey); unsigned int length = KeyLength(pkey);
if ( length > 0 ) if ( length > 0 )
pX509Cert->Assign(10, val_mgr->Count(length)); pX509Cert->Assign(10, length);
EVP_PKEY_free(pkey); EVP_PKEY_free(pkey);
} }
@ -292,10 +292,10 @@ void X509::ParseBasicConstraints(X509_EXTENSION* ex)
if ( x509_ext_basic_constraints ) if ( x509_ext_basic_constraints )
{ {
auto pBasicConstraint = make_intrusive<RecordVal>(BifType::Record::X509::BasicConstraints); auto pBasicConstraint = make_intrusive<RecordVal>(BifType::Record::X509::BasicConstraints);
pBasicConstraint->Assign(0, val_mgr->Bool(constr->ca)); pBasicConstraint->Assign(0, constr->ca);
if ( constr->pathlen ) if ( constr->pathlen )
pBasicConstraint->Assign(1, val_mgr->Count((int32_t) ASN1_INTEGER_get(constr->pathlen))); pBasicConstraint->Assign(1, int32_t(ASN1_INTEGER_get(constr->pathlen)));
event_mgr.Enqueue(x509_ext_basic_constraints, event_mgr.Enqueue(x509_ext_basic_constraints,
GetFile()->ToVal(), GetFile()->ToVal(),
@ -436,7 +436,7 @@ void X509::ParseSAN(X509_EXTENSION* ext)
if ( ips != nullptr ) if ( ips != nullptr )
sanExt->Assign(3, ips); sanExt->Assign(3, ips);
sanExt->Assign(4, val_mgr->Bool(otherfields)); sanExt->Assign(4, otherfields);
event_mgr.Enqueue(x509_ext_subject_alternative_name, event_mgr.Enqueue(x509_ext_subject_alternative_name,
GetFile()->ToVal(), GetFile()->ToVal(),

8
src/file_analysis/analyzer/x509/X509Common.cc
View file

@ -273,13 +273,13 @@ void X509Common::ParseExtension(X509_EXTENSION* ex, const EventHandlerPtr& h, bo
ext_val = make_intrusive<StringVal>(0, ""); ext_val = make_intrusive<StringVal>(0, "");
auto pX509Ext = make_intrusive<RecordVal>(BifType::Record::X509::Extension); auto pX509Ext = make_intrusive<RecordVal>(BifType::Record::X509::Extension);
pX509Ext->Assign(0, make_intrusive<StringVal>(name)); pX509Ext->Assign(0, name);
if ( short_name and strlen(short_name) > 0 ) if ( short_name and strlen(short_name) > 0 )
pX509Ext->Assign(1, make_intrusive<StringVal>(short_name)); pX509Ext->Assign(1, short_name);
pX509Ext->Assign(2, make_intrusive<StringVal>(oid)); pX509Ext->Assign(2, oid);
pX509Ext->Assign(3, val_mgr->Bool(critical)); pX509Ext->Assign(3, critical);
pX509Ext->Assign(4, ext_val); pX509Ext->Assign(4, ext_val);
// send off generic extension event // send off generic extension event

4
src/file_analysis/analyzer/x509/functions.bif
View file

@ -16,8 +16,8 @@ static zeek::RecordValPtr x509_result_record(uint64_t num, const char* reason, z
{ {
auto rrecord = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::X509::Result); auto rrecord = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::X509::Result);
rrecord->Assign(0, zeek::val_mgr->Int(num)); rrecord->Assign(0, num);
rrecord->Assign(1, zeek::make_intrusive<zeek::StringVal>(reason)); rrecord->Assign(1, reason);
if ( chainVector ) if ( chainVector )
rrecord->Assign(2, std::move(chainVector)); rrecord->Assign(2, std::move(chainVector));

10
src/iosource/Packet.cc
View file

@ -117,12 +117,12 @@ RecordValPtr Packet::ToRawPktHdrVal() const
l2_hdr->Assign(4, FmtEUI48(data)); // dst l2_hdr->Assign(4, FmtEUI48(data)); // dst
if ( vlan ) if ( vlan )
l2_hdr->Assign(5, val_mgr->Count(vlan)); l2_hdr->Assign(5, vlan);
if ( inner_vlan ) if ( inner_vlan )
l2_hdr->Assign(6, val_mgr->Count(inner_vlan)); l2_hdr->Assign(6, inner_vlan);
l2_hdr->Assign(7, val_mgr->Count(eth_type)); l2_hdr->Assign(7, eth_type);
if ( eth_type == ETHERTYPE_ARP || eth_type == ETHERTYPE_REVARP ) if ( eth_type == ETHERTYPE_ARP || eth_type == ETHERTYPE_REVARP )
// We also identify ARP for L3 over ethernet // We also identify ARP for L3 over ethernet
@ -131,8 +131,8 @@ RecordValPtr Packet::ToRawPktHdrVal() const
else else
l2_hdr->Assign(0, BifType::Enum::link_encap->GetEnumVal(BifEnum::LINK_UNKNOWN)); l2_hdr->Assign(0, BifType::Enum::link_encap->GetEnumVal(BifEnum::LINK_UNKNOWN));
l2_hdr->Assign(1, val_mgr->Count(len)); l2_hdr->Assign(1, len);
l2_hdr->Assign(2, val_mgr->Count(cap_len)); l2_hdr->Assign(2, cap_len);
l2_hdr->Assign(8, BifType::Enum::layer3_proto->GetEnumVal(l3)); l2_hdr->Assign(8, BifType::Enum::layer3_proto->GetEnumVal(l3));

10
src/iosource/pcap/pcap.bif
View file

@ -127,9 +127,9 @@ function findalldevs%(%): Pcap::Interfaces
{ {
auto r = make_intrusive<RecordVal>(iface_type); auto r = make_intrusive<RecordVal>(iface_type);
r->Assign(0, make_intrusive<StringVal>(d->name)); r->Assign(0, d->name);
if ( d->description ) if ( d->description )
r->Assign(1, make_intrusive<StringVal>(d->description)); r->Assign(1, d->description);
auto addrs = make_intrusive<ListVal>(TYPE_ADDR); auto addrs = make_intrusive<ListVal>(TYPE_ADDR);
for ( auto addr = d->addresses; addr != NULL; addr = addr->next ) for ( auto addr = d->addresses; addr != NULL; addr = addr->next )
@ -146,11 +146,11 @@ function findalldevs%(%): Pcap::Interfaces
} }
} }
r->Assign(2, addrs->ToSetVal()); r->Assign(2, addrs->ToSetVal());
r->Assign(3, val_mgr->Bool(d->flags & PCAP_IF_LOOPBACK)); r->Assign(3, bool(d->flags & PCAP_IF_LOOPBACK));
#ifdef PCAP_IF_UP #ifdef PCAP_IF_UP
// These didn't become available until libpcap 1.6.1 // These didn't become available until libpcap 1.6.1
r->Assign(4, val_mgr->Bool(d->flags & PCAP_IF_UP)); r->Assign(4, bool(d->flags & PCAP_IF_UP));
r->Assign(5, val_mgr->Bool(d->flags & PCAP_IF_RUNNING)); r->Assign(5, bool(d->flags & PCAP_IF_RUNNING));
#endif #endif
pcap_interfaces->Assign(std::move(r), nullptr); pcap_interfaces->Assign(std::move(r), nullptr);

16
src/logging/Manager.cc
View file

@ -1517,9 +1517,9 @@ std::string Manager::FormatRotationPath(EnumValPtr writer,
auto ri = make_intrusive<RecordVal>(BifType::Record::Log::RotationFmtInfo); auto ri = make_intrusive<RecordVal>(BifType::Record::Log::RotationFmtInfo);
ri->Assign(0, std::move(writer)); ri->Assign(0, std::move(writer));
ri->Assign<StringVal>(1, path.size(), path.data()); ri->Assign<StringVal>(1, path.size(), path.data());
ri->Assign<TimeVal>(2, open); ri->AssignTime(2, open);
ri->Assign<TimeVal>(3, close); ri->AssignTime(3, close);
ri->Assign(4, val_mgr->Bool(terminating)); ri->Assign(4, terminating);
ri->Assign<FuncVal>(5, std::move(postprocessor)); ri->Assign<FuncVal>(5, std::move(postprocessor));
std::string rval; std::string rval;
@ -1608,11 +1608,11 @@ bool Manager::FinishedRotation(WriterFrontend* writer, const char* new_name, con
auto info = make_intrusive<RecordVal>(BifType::Record::Log::RotationInfo); auto info = make_intrusive<RecordVal>(BifType::Record::Log::RotationInfo);
info->Assign(0, {NewRef{}, winfo->type}); info->Assign(0, {NewRef{}, winfo->type});
info->Assign(1, make_intrusive<StringVal>(new_name)); info->Assign(1, new_name);
info->Assign(2, make_intrusive<StringVal>(winfo->writer->Info().path)); info->Assign(2, winfo->writer->Info().path);
info->Assign(3, make_intrusive<TimeVal>(open)); info->AssignTime(3, open);
info->Assign(4, make_intrusive<TimeVal>(close)); info->AssignTime(4, close);
info->Assign(5, val_mgr->Bool(terminating)); info->Assign(5, terminating);
static auto default_ppf = id::find_func("Log::__default_rotation_postprocessor"); static auto default_ppf = id::find_func("Log::__default_rotation_postprocessor");

10
src/logging/writers/ascii/Ascii.cc
View file

@ -818,11 +818,11 @@ void Ascii::RotateLeftoverLogs()
auto rot_info = make_intrusive<RecordVal>(rot_info_type); auto rot_info = make_intrusive<RecordVal>(rot_info_type);
rot_info->Assign(0, writer_val); rot_info->Assign(0, writer_val);
rot_info->Assign<StringVal>(1, rotation_path); rot_info->Assign(1, rotation_path);
rot_info->Assign<StringVal>(2, ll.Path()); rot_info->Assign(2, ll.Path());
rot_info->Assign<TimeVal>(3, ll.open_time); rot_info->AssignTime(3, double(ll.open_time));
rot_info->Assign<TimeVal>(4, ll.close_time); rot_info->AssignTime(4, double(ll.close_time));
rot_info->Assign(5, val_mgr->False()); rot_info->Assign(5, false);
if ( rename(ll.filename.data(), rotation_path.data()) != 0 ) if ( rename(ll.filename.data(), rotation_path.data()) != 0 )
reporter->FatalError("Found leftover/unprocessed log '%s', but " reporter->FatalError("Found leftover/unprocessed log '%s', but "

124
src/stats.bif
View file

@ -57,10 +57,10 @@ function get_net_stats%(%): NetStats
auto r = zeek::make_intrusive<zeek::RecordVal>(NetStats); auto r = zeek::make_intrusive<zeek::RecordVal>(NetStats);
int n = 0; int n = 0;
r->Assign(n++, zeek::val_mgr->Count(recv)); r->Assign(n++, recv);
r->Assign(n++, zeek::val_mgr->Count(drop)); r->Assign(n++, drop);
r->Assign(n++, zeek::val_mgr->Count(link)); r->Assign(n++, link);
r->Assign(n++, zeek::val_mgr->Count(bytes_recv)); r->Assign(n++, bytes_recv);
return r; return r;
%} %}
@ -86,16 +86,16 @@ function get_conn_stats%(%): ConnStats
auto r = zeek::make_intrusive<zeek::RecordVal>(ConnStats); auto r = zeek::make_intrusive<zeek::RecordVal>(ConnStats);
int n = 0; int n = 0;
r->Assign(n++, zeek::val_mgr->Count(Connection::TotalConnections())); r->Assign(n++, Connection::TotalConnections());
r->Assign(n++, zeek::val_mgr->Count(Connection::CurrentConnections())); r->Assign(n++, Connection::CurrentConnections());
r->Assign(n++, zeek::val_mgr->Count(sessions->CurrentConnections())); r->Assign(n++, sessions->CurrentConnections());
SessionStats s; SessionStats s;
if ( sessions ) if ( sessions )
sessions->GetStats(s); sessions->GetStats(s);
#define ADD_STAT(x) \ #define ADD_STAT(x) \
r->Assign(n++, zeek::val_mgr->Count(unsigned(sessions ? x : 0))); r->Assign(n++, unsigned(sessions ? x : 0));
ADD_STAT(s.num_packets); ADD_STAT(s.num_packets);
ADD_STAT(s.num_fragments); ADD_STAT(s.num_fragments);
@ -110,7 +110,7 @@ function get_conn_stats%(%): ConnStats
ADD_STAT(s.max_ICMP_conns); ADD_STAT(s.max_ICMP_conns);
ADD_STAT(s.cumulative_ICMP_conns); ADD_STAT(s.cumulative_ICMP_conns);
r->Assign(n++, zeek::val_mgr->Count(zeek::detail::killed_by_inactivity)); r->Assign(n++, zeek::detail::killed_by_inactivity);
return r; return r;
%} %}
@ -147,27 +147,27 @@ function get_proc_stats%(%): ProcStats
double(ru.ru_stime.tv_sec) + double(ru.ru_stime.tv_usec) / 1e6; double(ru.ru_stime.tv_sec) + double(ru.ru_stime.tv_usec) / 1e6;
#ifdef DEBUG #ifdef DEBUG
r->Assign(n++, zeek::val_mgr->Count(1)); r->Assign(n++, true);
#else #else
r->Assign(n++, zeek::val_mgr->Count(0)); r->Assign(n++, false);
#endif #endif
r->Assign(n++, zeek::make_intrusive<zeek::TimeVal>(zeek::run_state::zeek_start_time)); r->AssignTime(n++, zeek::run_state::zeek_start_time);
r->Assign(n++, zeek::make_intrusive<zeek::IntervalVal>(elapsed_time, Seconds)); r->AssignInterval(n++, elapsed_time);
r->Assign(n++, zeek::make_intrusive<zeek::IntervalVal>(user_time, Seconds)); r->AssignInterval(n++, user_time);
r->Assign(n++, zeek::make_intrusive<zeek::IntervalVal>(system_time, Seconds)); r->AssignInterval(n++, system_time);
uint64_t total_mem; uint64_t total_mem;
zeek::util::get_memory_usage(&total_mem, NULL); zeek::util::get_memory_usage(&total_mem, NULL);
r->Assign(n++, zeek::val_mgr->Count(unsigned(total_mem))); r->Assign(n++, unsigned(total_mem));
r->Assign(n++, zeek::val_mgr->Count(unsigned(ru.ru_minflt))); r->Assign(n++, unsigned(ru.ru_minflt));
r->Assign(n++, zeek::val_mgr->Count(unsigned(ru.ru_majflt))); r->Assign(n++, unsigned(ru.ru_majflt));
r->Assign(n++, zeek::val_mgr->Count(unsigned(ru.ru_nswap))); r->Assign(n++, unsigned(ru.ru_nswap));
r->Assign(n++, zeek::val_mgr->Count(unsigned(ru.ru_inblock))); r->Assign(n++, unsigned(ru.ru_inblock));
r->Assign(n++, zeek::val_mgr->Count(unsigned(ru.ru_oublock))); r->Assign(n++, unsigned(ru.ru_oublock));
r->Assign(n++, zeek::val_mgr->Count(unsigned(ru.ru_nivcsw))); r->Assign(n++, unsigned(ru.ru_nivcsw));
return r; return r;
%} %}
@ -193,8 +193,8 @@ function get_event_stats%(%): EventStats
auto r = zeek::make_intrusive<zeek::RecordVal>(EventStats); auto r = zeek::make_intrusive<zeek::RecordVal>(EventStats);
int n = 0; int n = 0;
r->Assign(n++, zeek::val_mgr->Count(event_mgr.num_events_queued)); r->Assign(n++, event_mgr.num_events_queued);
r->Assign(n++, zeek::val_mgr->Count(event_mgr.num_events_dispatched)); r->Assign(n++, event_mgr.num_events_dispatched);
return r; return r;
%} %}
@ -220,10 +220,10 @@ function get_reassembler_stats%(%): ReassemblerStats
auto r = zeek::make_intrusive<zeek::RecordVal>(ReassemblerStats); auto r = zeek::make_intrusive<zeek::RecordVal>(ReassemblerStats);
int n = 0; int n = 0;
r->Assign(n++, zeek::val_mgr->Count(Reassembler::MemoryAllocation(zeek::REASSEM_FILE))); r->Assign(n++, Reassembler::MemoryAllocation(zeek::REASSEM_FILE));
r->Assign(n++, zeek::val_mgr->Count(Reassembler::MemoryAllocation(zeek::REASSEM_FRAG))); r->Assign(n++, Reassembler::MemoryAllocation(zeek::REASSEM_FRAG));
r->Assign(n++, zeek::val_mgr->Count(Reassembler::MemoryAllocation(zeek::REASSEM_TCP))); r->Assign(n++, Reassembler::MemoryAllocation(zeek::REASSEM_TCP));
r->Assign(n++, zeek::val_mgr->Count(Reassembler::MemoryAllocation(zeek::REASSEM_UNKNOWN))); r->Assign(n++, Reassembler::MemoryAllocation(zeek::REASSEM_UNKNOWN));
return r; return r;
%} %}
@ -252,12 +252,12 @@ function get_dns_stats%(%): DNSStats
zeek::detail::DNS_Mgr::Stats dstats; zeek::detail::DNS_Mgr::Stats dstats;
zeek::detail::dns_mgr->GetStats(&dstats); zeek::detail::dns_mgr->GetStats(&dstats);
r->Assign(n++, zeek::val_mgr->Count(unsigned(dstats.requests))); r->Assign(n++, unsigned(dstats.requests));
r->Assign(n++, zeek::val_mgr->Count(unsigned(dstats.successful))); r->Assign(n++, unsigned(dstats.successful));
r->Assign(n++, zeek::val_mgr->Count(unsigned(dstats.failed))); r->Assign(n++, unsigned(dstats.failed));
r->Assign(n++, zeek::val_mgr->Count(unsigned(dstats.pending))); r->Assign(n++, unsigned(dstats.pending));
r->Assign(n++, zeek::val_mgr->Count(unsigned(dstats.cached_hosts))); r->Assign(n++, unsigned(dstats.cached_hosts));
r->Assign(n++, zeek::val_mgr->Count(unsigned(dstats.cached_addresses))); r->Assign(n++, unsigned(dstats.cached_addresses));
return r; return r;
%} %}
@ -283,9 +283,9 @@ function get_timer_stats%(%): TimerStats
auto r = zeek::make_intrusive<zeek::RecordVal>(TimerStats); auto r = zeek::make_intrusive<zeek::RecordVal>(TimerStats);
int n = 0; int n = 0;
r->Assign(n++, zeek::val_mgr->Count(unsigned(zeek::detail::timer_mgr->Size()))); r->Assign(n++, unsigned(zeek::detail::timer_mgr->Size()));
r->Assign(n++, zeek::val_mgr->Count(unsigned(zeek::detail::timer_mgr->PeakSize()))); r->Assign(n++, unsigned(zeek::detail::timer_mgr->PeakSize()));
r->Assign(n++, zeek::val_mgr->Count(zeek::detail::timer_mgr->CumulativeNum())); r->Assign(n++, zeek::detail::timer_mgr->CumulativeNum());
return r; return r;
%} %}
@ -311,9 +311,9 @@ function get_file_analysis_stats%(%): FileAnalysisStats
auto r = zeek::make_intrusive<zeek::RecordVal>(FileAnalysisStats); auto r = zeek::make_intrusive<zeek::RecordVal>(FileAnalysisStats);
int n = 0; int n = 0;
r->Assign(n++, zeek::val_mgr->Count(zeek::file_mgr->CurrentFiles())); r->Assign(n++, zeek::file_mgr->CurrentFiles());
r->Assign(n++, zeek::val_mgr->Count(zeek::file_mgr->MaxFiles())); r->Assign(n++, zeek::file_mgr->MaxFiles());
r->Assign(n++, zeek::val_mgr->Count(zeek::file_mgr->CumulativeFiles())); r->Assign(n++, zeek::file_mgr->CumulativeFiles());
return r; return r;
%} %}
@ -339,7 +339,7 @@ function get_thread_stats%(%): ThreadStats
auto r = zeek::make_intrusive<zeek::RecordVal>(ThreadStats); auto r = zeek::make_intrusive<zeek::RecordVal>(ThreadStats);
int n = 0; int n = 0;
r->Assign(n++, zeek::val_mgr->Count(zeek::thread_mgr->NumThreads())); r->Assign(n++, zeek::thread_mgr->NumThreads());
return r; return r;
%} %}
@ -365,10 +365,10 @@ function get_gap_stats%(%): GapStats
auto r = zeek::make_intrusive<zeek::RecordVal>(GapStats); auto r = zeek::make_intrusive<zeek::RecordVal>(GapStats);
int n = 0; int n = 0;
r->Assign(n++, zeek::val_mgr->Count(zeek::detail::tot_ack_events)); r->Assign(n++, zeek::detail::tot_ack_events);
r->Assign(n++, zeek::val_mgr->Count(zeek::detail::tot_ack_bytes)); r->Assign(n++, zeek::detail::tot_ack_bytes);
r->Assign(n++, zeek::val_mgr->Count(zeek::detail::tot_gap_events)); r->Assign(n++, zeek::detail::tot_gap_events);
r->Assign(n++, zeek::val_mgr->Count(zeek::detail::tot_gap_bytes)); r->Assign(n++, zeek::detail::tot_gap_bytes);
return r; return r;
%} %}
@ -402,13 +402,13 @@ function get_matcher_stats%(%): MatcherStats
if ( zeek::detail::rule_matcher ) if ( zeek::detail::rule_matcher )
zeek::detail::rule_matcher->GetStats(&s); zeek::detail::rule_matcher->GetStats(&s);
r->Assign(n++, zeek::val_mgr->Count(s.matchers)); r->Assign(n++, s.matchers);
r->Assign(n++, zeek::val_mgr->Count(s.nfa_states)); r->Assign(n++, s.nfa_states);
r->Assign(n++, zeek::val_mgr->Count(s.dfa_states)); r->Assign(n++, s.dfa_states);
r->Assign(n++, zeek::val_mgr->Count(s.computed)); r->Assign(n++, s.computed);
r->Assign(n++, zeek::val_mgr->Count(s.mem)); r->Assign(n++, s.mem);
r->Assign(n++, zeek::val_mgr->Count(s.hits)); r->Assign(n++, s.hits);
r->Assign(n++, zeek::val_mgr->Count(s.misses)); r->Assign(n++, s.misses);
return r; return r;
%} %}
@ -436,15 +436,15 @@ function get_broker_stats%(%): BrokerStats
int n = 0; int n = 0;
auto cs = broker_mgr->GetStatistics(); auto cs = broker_mgr->GetStatistics();
r->Assign(n++, zeek::val_mgr->Count(static_cast<uint64_t>(cs.num_peers))); r->Assign(n++, static_cast<uint64_t>(cs.num_peers));
r->Assign(n++, zeek::val_mgr->Count(static_cast<uint64_t>(cs.num_stores))); r->Assign(n++, static_cast<uint64_t>(cs.num_stores));
r->Assign(n++, zeek::val_mgr->Count(static_cast<uint64_t>(cs.num_pending_queries))); r->Assign(n++, static_cast<uint64_t>(cs.num_pending_queries));
r->Assign(n++, zeek::val_mgr->Count(static_cast<uint64_t>(cs.num_events_incoming))); r->Assign(n++, static_cast<uint64_t>(cs.num_events_incoming));
r->Assign(n++, zeek::val_mgr->Count(static_cast<uint64_t>(cs.num_events_outgoing))); r->Assign(n++, static_cast<uint64_t>(cs.num_events_outgoing));
r->Assign(n++, zeek::val_mgr->Count(static_cast<uint64_t>(cs.num_logs_incoming))); r->Assign(n++, static_cast<uint64_t>(cs.num_logs_incoming));
r->Assign(n++, zeek::val_mgr->Count(static_cast<uint64_t>(cs.num_logs_outgoing))); r->Assign(n++, static_cast<uint64_t>(cs.num_logs_outgoing));
r->Assign(n++, zeek::val_mgr->Count(static_cast<uint64_t>(cs.num_ids_incoming))); r->Assign(n++, static_cast<uint64_t>(cs.num_ids_incoming));
r->Assign(n++, zeek::val_mgr->Count(static_cast<uint64_t>(cs.num_ids_outgoing))); r->Assign(n++, static_cast<uint64_t>(cs.num_ids_outgoing));
return r; return r;
%} %}
@ -478,7 +478,7 @@ function get_reporter_stats%(%): ReporterStats
weirds_by_type->Assign(std::move(weird), zeek::val_mgr->Count(kv.second)); weirds_by_type->Assign(std::move(weird), zeek::val_mgr->Count(kv.second));
} }
r->Assign(n++, zeek::val_mgr->Count(reporter->GetWeirdCount())); r->Assign(n++, reporter->GetWeirdCount());
r->Assign(n++, std::move(weirds_by_type)); r->Assign(n++, std::move(weirds_by_type));
return r; return r;

20
src/supervisor/Supervisor.cc
View file

@ -1348,22 +1348,22 @@ RecordValPtr Supervisor::NodeConfig::ToRecord() const
{ {
const auto& rt = BifType::Record::Supervisor::NodeConfig; const auto& rt = BifType::Record::Supervisor::NodeConfig;
auto rval = make_intrusive<RecordVal>(rt); auto rval = make_intrusive<RecordVal>(rt);
rval->Assign(rt->FieldOffset("name"), make_intrusive<StringVal>(name)); rval->Assign(rt->FieldOffset("name"), name);
if ( interface ) if ( interface )
rval->Assign(rt->FieldOffset("interface"), make_intrusive<StringVal>(*interface)); rval->Assign(rt->FieldOffset("interface"), *interface);
if ( directory ) if ( directory )
rval->Assign(rt->FieldOffset("directory"), make_intrusive<StringVal>(*directory)); rval->Assign(rt->FieldOffset("directory"), *directory);
if ( stdout_file ) if ( stdout_file )
rval->Assign(rt->FieldOffset("stdout_file"), make_intrusive<StringVal>(*stdout_file)); rval->Assign(rt->FieldOffset("stdout_file"), *stdout_file);
if ( stderr_file ) if ( stderr_file )
rval->Assign(rt->FieldOffset("stderr_file"), make_intrusive<StringVal>(*stderr_file)); rval->Assign(rt->FieldOffset("stderr_file"), *stderr_file);
if ( cpu_affinity ) if ( cpu_affinity )
rval->Assign(rt->FieldOffset("cpu_affinity"), val_mgr->Int(*cpu_affinity)); rval->Assign(rt->FieldOffset("cpu_affinity"), *cpu_affinity);
auto st = rt->GetFieldType<VectorType>("scripts"); auto st = rt->GetFieldType<VectorType>("scripts");
auto scripts_val = make_intrusive<VectorVal>(std::move(st)); auto scripts_val = make_intrusive<VectorVal>(std::move(st));
@ -1390,7 +1390,7 @@ RecordValPtr Supervisor::NodeConfig::ToRecord() const
val->Assign(ept->FieldOffset("p"), val_mgr->Port(ep.port, TRANSPORT_TCP)); val->Assign(ept->FieldOffset("p"), val_mgr->Port(ep.port, TRANSPORT_TCP));
if ( ep.interface ) if ( ep.interface )
val->Assign(ept->FieldOffset("interface"), make_intrusive<StringVal>(*ep.interface)); val->Assign(ept->FieldOffset("interface"), *ep.interface);
cluster_val->Assign(std::move(key), std::move(val)); cluster_val->Assign(std::move(key), std::move(val));
} }
@ -1406,7 +1406,7 @@ RecordValPtr SupervisorNode::ToRecord() const
rval->Assign(rt->FieldOffset("node"), config.ToRecord()); rval->Assign(rt->FieldOffset("node"), config.ToRecord());
if ( pid ) if ( pid )
rval->Assign(rt->FieldOffset("pid"), val_mgr->Int(pid)); rval->Assign(rt->FieldOffset("pid"), pid);
return rval; return rval;
} }
@ -1464,11 +1464,11 @@ bool SupervisedNode::InitCluster() const
if ( ep.interface ) if ( ep.interface )
val->Assign(cluster_node_type->FieldOffset("interface"), val->Assign(cluster_node_type->FieldOffset("interface"),
make_intrusive<StringVal>(*ep.interface)); *ep.interface);
if ( manager_name && ep.role != BifEnum::Supervisor::MANAGER ) if ( manager_name && ep.role != BifEnum::Supervisor::MANAGER )
val->Assign(cluster_node_type->FieldOffset("manager"), val->Assign(cluster_node_type->FieldOffset("manager"),
make_intrusive<StringVal>(*manager_name)); *manager_name);
cluster_nodes->Assign(std::move(key), std::move(val)); cluster_nodes->Assign(std::move(key), std::move(val));
} }

2
src/supervisor/supervisor.bif
View file

@ -86,7 +86,7 @@ function Supervisor::__node%(%): Supervisor::NodeConfig
zeek::emit_builtin_error("not a supervised process"); zeek::emit_builtin_error("not a supervised process");
const auto& rt = zeek::BifType::Record::Supervisor::NodeConfig; const auto& rt = zeek::BifType::Record::Supervisor::NodeConfig;
auto rval = zeek::make_intrusive<zeek::RecordVal>(rt); auto rval = zeek::make_intrusive<zeek::RecordVal>(rt);
rval->Assign<zeek::StringVal>(rt->FieldOffset("name"), "<invalid>"); rval->Assign(rt->FieldOffset("name"), "<invalid>");
return rval; return rval;
} }

8
src/util.cc
View file

@ -865,10 +865,10 @@ FILE* rotate_file(const char* name, RecordVal* rotate_info)
// Init rotate_info. // Init rotate_info.
if ( rotate_info ) if ( rotate_info )
{ {
rotate_info->Assign<StringVal>(0, name); rotate_info->Assign(0, name);
rotate_info->Assign<StringVal>(1, newname); rotate_info->Assign(1, newname);
rotate_info->Assign<TimeVal>(2, run_state::network_time); rotate_info->AssignTime(2, run_state::network_time);
rotate_info->Assign<TimeVal>(3, run_state::network_time); rotate_info->AssignTime(3, run_state::network_time);
} }
return newf; return newf;

88
src/zeek.bif
View file

@ -1053,11 +1053,11 @@ function find_entropy%(data: string%): entropy_test_result
static auto entropy_test_result = zeek::id::find_type<zeek::RecordType>("entropy_test_result"); static auto entropy_test_result = zeek::id::find_type<zeek::RecordType>("entropy_test_result");
auto ent_result = zeek::make_intrusive<zeek::RecordVal>(entropy_test_result); auto ent_result = zeek::make_intrusive<zeek::RecordVal>(entropy_test_result);
ent_result->Assign(0, zeek::make_intrusive<zeek::DoubleVal>(ent)); ent_result->Assign(0, ent);
ent_result->Assign(1, zeek::make_intrusive<zeek::DoubleVal>(chisq)); ent_result->Assign(1, chisq);
ent_result->Assign(2, zeek::make_intrusive<zeek::DoubleVal>(mean)); ent_result->Assign(2, mean);
ent_result->Assign(3, zeek::make_intrusive<zeek::DoubleVal>(montepi)); ent_result->Assign(3, montepi);
ent_result->Assign(4, zeek::make_intrusive<zeek::DoubleVal>(scc)); ent_result->Assign(4, scc);
return ent_result; return ent_result;
%} %}
@ -1105,11 +1105,11 @@ function entropy_test_finish%(handle: opaque of entropy%): entropy_test_result
static auto entropy_test_result = zeek::id::find_type<zeek::RecordType>("entropy_test_result"); static auto entropy_test_result = zeek::id::find_type<zeek::RecordType>("entropy_test_result");
auto ent_result = zeek::make_intrusive<zeek::RecordVal>(entropy_test_result); auto ent_result = zeek::make_intrusive<zeek::RecordVal>(entropy_test_result);
ent_result->Assign(0, zeek::make_intrusive<zeek::DoubleVal>(ent)); ent_result->Assign(0, ent);
ent_result->Assign(1, zeek::make_intrusive<zeek::DoubleVal>(chisq)); ent_result->Assign(1, chisq);
ent_result->Assign(2, zeek::make_intrusive<zeek::DoubleVal>(mean)); ent_result->Assign(2, mean);
ent_result->Assign(3, zeek::make_intrusive<zeek::DoubleVal>(montepi)); ent_result->Assign(3, montepi);
ent_result->Assign(4, zeek::make_intrusive<zeek::DoubleVal>(scc)); ent_result->Assign(4, scc);
return ent_result; return ent_result;
%} %}
@ -1926,10 +1926,10 @@ function packet_source%(%): PacketSource
if ( ps ) if ( ps )
{ {
r->Assign(0, zeek::val_mgr->Bool(ps->IsLive())); r->Assign(0, bool(ps->IsLive()));
r->Assign(1, zeek::make_intrusive<zeek::StringVal>(ps->Path())); r->Assign(1, ps->Path());
r->Assign(2, zeek::val_mgr->Int(ps->LinkType())); r->Assign(2, ps->LinkType());
r->Assign(3, zeek::val_mgr->Count(ps->Netmask())); r->Assign(3, ps->Netmask());
} }
return r; return r;
@ -1979,13 +1979,13 @@ function global_ids%(%): id_table
const auto& id = global.second; const auto& id = global.second;
static auto script_id = zeek::id::find_type<zeek::RecordType>("script_id"); static auto script_id = zeek::id::find_type<zeek::RecordType>("script_id");
auto rec = zeek::make_intrusive<zeek::RecordVal>(script_id); auto rec = zeek::make_intrusive<zeek::RecordVal>(script_id);
rec->Assign(0, zeek::make_intrusive<zeek::StringVal>(type_name(id->GetType()->Tag()))); rec->Assign(0, type_name(id->GetType()->Tag()));
rec->Assign(1, zeek::val_mgr->Bool(id->IsExport())); rec->Assign(1, bool(id->IsExport()));
rec->Assign(2, zeek::val_mgr->Bool(id->IsConst())); rec->Assign(2, bool(id->IsConst()));
rec->Assign(3, zeek::val_mgr->Bool(id->IsEnumConst())); rec->Assign(3, bool(id->IsEnumConst()));
rec->Assign(4, zeek::val_mgr->Bool(id->IsOption())); rec->Assign(4, bool(id->IsOption()));
rec->Assign(5, zeek::val_mgr->Bool(id->IsRedefinable())); rec->Assign(5, bool(id->IsRedefinable()));
rec->Assign(6, zeek::val_mgr->Bool(id->GetAttr(zeek::detail::ATTR_BACKEND) != zeek::detail::Attr::nil)); rec->Assign(6, bool(id->GetAttr(zeek::detail::ATTR_BACKEND) != zeek::detail::Attr::nil));
if ( id->HasVal() ) if ( id->HasVal() )
rec->Assign(7, id->GetVal()); rec->Assign(7, id->GetVal());
@ -2235,14 +2235,14 @@ function backtrace%(%): Backtrace
const auto& params = ci.func->GetType()->Params(); const auto& params = ci.func->GetType()->Params();
auto args = MakeCallArgumentVector(ci.args, params); auto args = MakeCallArgumentVector(ci.args, params);
elem->Assign<StringVal>(function_name_idx, ci.func->Name()); elem->Assign(function_name_idx, ci.func->Name());
elem->Assign(function_args_idx, std::move(args)); elem->Assign(function_args_idx, std::move(args));
if ( ci.call ) if ( ci.call )
{ {
auto loc = ci.call->GetLocationInfo(); auto loc = ci.call->GetLocationInfo();
elem->Assign<StringVal>(file_location_idx, loc->filename); elem->Assign(file_location_idx, loc->filename);
elem->Assign(line_location_idx, val_mgr->Count(loc->first_line)); elem->Assign(line_location_idx, loc->first_line);
} }
rval->Assign(rval->Size(), std::move(elem)); rval->Assign(rval->Size(), std::move(elem));
@ -3414,18 +3414,18 @@ function lookup_connection%(cid: conn_id%): connection
c->Assign(0, std::move(id_val)); c->Assign(0, std::move(id_val));
auto orig_endp = zeek::make_intrusive<zeek::RecordVal>(zeek::id::endpoint); auto orig_endp = zeek::make_intrusive<zeek::RecordVal>(zeek::id::endpoint);
orig_endp->Assign(0, zeek::val_mgr->Count(0)); orig_endp->Assign(0, 0);
orig_endp->Assign(1, zeek::val_mgr->Count(int(0))); orig_endp->Assign(1, 0);
auto resp_endp = zeek::make_intrusive<zeek::RecordVal>(zeek::id::endpoint); auto resp_endp = zeek::make_intrusive<zeek::RecordVal>(zeek::id::endpoint);
resp_endp->Assign(0, zeek::val_mgr->Count(0)); resp_endp->Assign(0, 0);
resp_endp->Assign(1, zeek::val_mgr->Count(int(0))); resp_endp->Assign(1, 0);
c->Assign(1, std::move(orig_endp)); c->Assign(1, std::move(orig_endp));
c->Assign(2, std::move(resp_endp)); c->Assign(2, std::move(resp_endp));
c->Assign(3, zeek::make_intrusive<zeek::TimeVal>(zeek::run_state::network_time)); c->AssignTime(3, zeek::run_state::network_time);
c->Assign(4, zeek::make_intrusive<zeek::IntervalVal>(0.0)); c->AssignInterval(4, 0.0);
c->Assign(5, zeek::make_intrusive<zeek::TableVal>(zeek::id::string_set)); // service c->Assign(5, zeek::make_intrusive<zeek::TableVal>(zeek::id::string_set)); // service
c->Assign(6, zeek::val_mgr->EmptyString()); // history c->Assign(6, zeek::val_mgr->EmptyString()); // history
@ -3494,19 +3494,19 @@ function get_current_packet%(%) : pcap_packet
if ( ! pkt_src || ! pkt_src->GetCurrentPacket(&p) ) if ( ! pkt_src || ! pkt_src->GetCurrentPacket(&p) )
{ {
pkt->Assign(0, zeek::val_mgr->Count(0)); pkt->Assign(0, 0);
pkt->Assign(1, zeek::val_mgr->Count(0)); pkt->Assign(1, 0);
pkt->Assign(2, zeek::val_mgr->Count(0)); pkt->Assign(2, 0);
pkt->Assign(3, zeek::val_mgr->Count(0)); pkt->Assign(3, 0);
pkt->Assign(4, zeek::val_mgr->EmptyString()); pkt->Assign(4, zeek::val_mgr->EmptyString());
pkt->Assign(5, zeek::BifType::Enum::link_encap->GetEnumVal(BifEnum::LINK_UNKNOWN)); pkt->Assign(5, zeek::BifType::Enum::link_encap->GetEnumVal(BifEnum::LINK_UNKNOWN));
return pkt; return pkt;
} }
pkt->Assign(0, zeek::val_mgr->Count(uint32_t(p->ts.tv_sec))); pkt->Assign(0, uint32_t(p->ts.tv_sec));
pkt->Assign(1, zeek::val_mgr->Count(uint32_t(p->ts.tv_usec))); pkt->Assign(1, uint32_t(p->ts.tv_usec));
pkt->Assign(2, zeek::val_mgr->Count(p->cap_len)); pkt->Assign(2, p->cap_len);
pkt->Assign(3, zeek::val_mgr->Count(p->len)); pkt->Assign(3, p->len);
pkt->Assign(4, zeek::make_intrusive<zeek::StringVal>(p->cap_len, (const char*)p->data)); pkt->Assign(4, zeek::make_intrusive<zeek::StringVal>(p->cap_len, (const char*)p->data));
pkt->Assign(5, zeek::BifType::Enum::link_encap->GetEnumVal(p->link_type)); pkt->Assign(5, zeek::BifType::Enum::link_encap->GetEnumVal(p->link_type));
@ -4736,8 +4736,8 @@ function rotate_file%(f: file%): rotate_info
info = zeek::make_intrusive<zeek::RecordVal>(rotate_info); info = zeek::make_intrusive<zeek::RecordVal>(rotate_info);
info->Assign(0, zeek::val_mgr->EmptyString()); info->Assign(0, zeek::val_mgr->EmptyString());
info->Assign(1, zeek::val_mgr->EmptyString()); info->Assign(1, zeek::val_mgr->EmptyString());
info->Assign(2, zeek::make_intrusive<zeek::TimeVal>(0.0)); info->AssignTime(2, 0.0);
info->Assign(3, zeek::make_intrusive<zeek::TimeVal>(0.0)); info->AssignTime(3, 0.0);
return info; return info;
%} %}
@ -4779,8 +4779,8 @@ function rotate_file_by_name%(f: string%): rotate_info
// Record indicating error. // Record indicating error.
info->Assign(0, zeek::val_mgr->EmptyString()); info->Assign(0, zeek::val_mgr->EmptyString());
info->Assign(1, zeek::val_mgr->EmptyString()); info->Assign(1, zeek::val_mgr->EmptyString());
info->Assign(2, zeek::make_intrusive<zeek::TimeVal>(0.0)); info->AssignTime(2, 0.0);
info->Assign(3, zeek::make_intrusive<zeek::TimeVal>(0.0)); info->AssignTime(3, 0.0);
return info; return info;
} }
@ -4788,12 +4788,12 @@ function rotate_file_by_name%(f: string%): rotate_info
if ( is_pkt_dumper ) if ( is_pkt_dumper )
{ {
info->Assign(2, zeek::make_intrusive<zeek::TimeVal>(zeek::run_state::detail::pkt_dumper->OpenTime())); info->AssignTime(2, zeek::run_state::detail::pkt_dumper->OpenTime());
zeek::run_state::detail::pkt_dumper->Open(); zeek::run_state::detail::pkt_dumper->Open();
} }
if ( is_addl_pkt_dumper ) if ( is_addl_pkt_dumper )
info->Assign(2, zeek::make_intrusive<zeek::TimeVal>(addl_pkt_dumper->OpenTime())); info->AssignTime(2, addl_pkt_dumper->OpenTime());
return info; return info;
%} %}