Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-03 15:18:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Move all Val classes to the zeek namespaces

Browse source
This commit is contained in:
Tim Wojtulewicz 2020-06-24 16:55:28 -04:00
parent ec9eff0bd5
commit 64332ca22c
265 changed files with 3154 additions and 3086 deletions
Download patch file Download diff file Expand all files Collapse all files

8
src/file_analysis/Analyzer.cc
View file

@ -19,7 +19,7 @@ void file_analysis::Analyzer::SetAnalyzerTag(const file_analysis::Tag& arg_tag)
}
file_analysis::Analyzer::Analyzer(file_analysis::Tag arg_tag,
RecordValPtr arg_args,
zeek::RecordValPtr arg_args,
File* arg_file)
: tag(arg_tag),
args(std::move(arg_args)),
@ -30,16 +30,16 @@ file_analysis::Analyzer::Analyzer(file_analysis::Tag arg_tag,
id = ++id_counter;
}
file_analysis::Analyzer::Analyzer(RecordValPtr arg_args, File* arg_file)
file_analysis::Analyzer::Analyzer(zeek::RecordValPtr arg_args, File* arg_file)
: Analyzer({}, std::move(arg_args), arg_file)
{}
file_analysis::Analyzer::Analyzer(file_analysis::Tag arg_tag,
RecordVal* arg_args,
zeek::RecordVal* arg_args,
File* arg_file)
: Analyzer(arg_tag, {zeek::NewRef{}, arg_args}, arg_file)
{}
file_analysis::Analyzer::Analyzer(RecordVal* arg_args, File* arg_file)
file_analysis::Analyzer::Analyzer(zeek::RecordVal* arg_args, File* arg_file)
: Analyzer({}, {zeek::NewRef{}, arg_args}, arg_file)
{}

18
src/file_analysis/Analyzer.h
View file

@ -6,8 +6,10 @@
#include <sys/types.h> // for u_char
class RecordVal;
ZEEK_FORWARD_DECLARE_NAMESPACED(RecordVal, zeek);
namespace zeek {
using RecordValPtr = zeek::IntrusivePtr<RecordVal>;
}
namespace file_analysis {
@ -96,11 +98,11 @@ public:
/**
* @return the AnalyzerArgs associated with the analyzer.
*/
const RecordValPtr& GetArgs() const
const zeek::RecordValPtr& GetArgs() const
{ return args; }
[[deprecated("Remove in v4.1. Use GetArgs().")]]
RecordVal* Args() const
zeek::RecordVal* Args() const
{ return args.get(); }
/**
@ -152,10 +154,10 @@ protected:
* tunable options, if any, related to a particular analyzer type.
* @param arg_file the file to which the the analyzer is being attached.
*/
Analyzer(file_analysis::Tag arg_tag, RecordValPtr arg_args, File* arg_file);
Analyzer(file_analysis::Tag arg_tag, zeek::RecordValPtr arg_args, File* arg_file);
[[deprecated("Remove in v4.1.. Construct using IntrusivePtr instead.")]]
Analyzer(file_analysis::Tag arg_tag, RecordVal* arg_args, File* arg_file);
Analyzer(file_analysis::Tag arg_tag, zeek::RecordVal* arg_args, File* arg_file);
/**
* Constructor. Only derived classes are meant to be instantiated.
@ -166,16 +168,16 @@ protected:
* tunable options, if any, related to a particular analyzer type.
* @param arg_file the file to which the the analyzer is being attached.
*/
Analyzer(RecordValPtr arg_args, File* arg_file);
Analyzer(zeek::RecordValPtr arg_args, File* arg_file);
[[deprecated("Remove in v4.1.. Construct using IntrusivePtr instead.")]]
Analyzer(RecordVal* arg_args, File* arg_file);
Analyzer(zeek::RecordVal* arg_args, File* arg_file);
private:
ID id; /**< Unique instance ID. */
file_analysis::Tag tag; /**< The particular type of the analyzer instance. */
RecordValPtr args; /**< \c AnalyzerArgs val gives tunable analyzer params. */
zeek::RecordValPtr args; /**< \c AnalyzerArgs val gives tunable analyzer params. */
File* file; /**< The file to which the analyzer is attached. */
bool got_stream_delivery;
bool skip;

16
src/file_analysis/AnalyzerSet.cc
View file

@ -41,14 +41,14 @@ AnalyzerSet::~AnalyzerSet()
}
Analyzer* AnalyzerSet::Find(const file_analysis::Tag& tag,
RecordValPtr args)
zeek::RecordValPtr args)
{
auto key = GetKey(tag, std::move(args));
Analyzer* rval = analyzer_map.Lookup(key.get());
return rval;
}
bool AnalyzerSet::Add(const file_analysis::Tag& tag, RecordValPtr args)
bool AnalyzerSet::Add(const file_analysis::Tag& tag, zeek::RecordValPtr args)
{
auto key = GetKey(tag, args);
@ -72,7 +72,7 @@ bool AnalyzerSet::Add(const file_analysis::Tag& tag, RecordValPtr args)
}
Analyzer* AnalyzerSet::QueueAdd(const file_analysis::Tag& tag,
RecordValPtr args)
zeek::RecordValPtr args)
{
auto key = GetKey(tag, args);
file_analysis::Analyzer* a = InstantiateAnalyzer(tag, std::move(args));
@ -108,7 +108,7 @@ void AnalyzerSet::AddMod::Abort()
}
bool AnalyzerSet::Remove(const file_analysis::Tag& tag,
RecordValPtr args)
zeek::RecordValPtr args)
{
return Remove(tag, GetKey(tag, std::move(args)));
}
@ -140,7 +140,7 @@ bool AnalyzerSet::Remove(const file_analysis::Tag& tag,
}
bool AnalyzerSet::QueueRemove(const file_analysis::Tag& tag,
RecordValPtr args)
zeek::RecordValPtr args)
{
auto key = GetKey(tag, std::move(args));
auto rval = analyzer_map.Lookup(key.get());
@ -154,9 +154,9 @@ bool AnalyzerSet::RemoveMod::Perform(AnalyzerSet* set)
}
std::unique_ptr<HashKey> AnalyzerSet::GetKey(const file_analysis::Tag& t,
RecordValPtr args) const
zeek::RecordValPtr args) const
{
auto lv = zeek::make_intrusive<ListVal>(zeek::TYPE_ANY);
auto lv = zeek::make_intrusive<zeek::ListVal>(zeek::TYPE_ANY);
lv->Append(t.AsVal());
lv->Append(std::move(args));
auto key = analyzer_hash->MakeHashKey(*lv, true);
@ -168,7 +168,7 @@ std::unique_ptr<HashKey> AnalyzerSet::GetKey(const file_analysis::Tag& t,
}
file_analysis::Analyzer* AnalyzerSet::InstantiateAnalyzer(const Tag& tag,
RecordValPtr args) const
zeek::RecordValPtr args) const
{
auto a = file_mgr->InstantiateAnalyzer(tag, std::move(args), file);

18
src/file_analysis/AnalyzerSet.h
View file

@ -10,8 +10,10 @@
class CompositeHash;
class RecordVal;
ZEEK_FORWARD_DECLARE_NAMESPACED(RecordVal, zeek);
namespace zeek {
using RecordValPtr = zeek::IntrusivePtr<RecordVal>;
}
namespace file_analysis {
@ -45,7 +47,7 @@ public:
* @param args an \c AnalyzerArgs record.
* @return pointer to an analyzer instance, or a null pointer if not found.
*/
Analyzer* Find(const file_analysis::Tag& tag, RecordValPtr args);
Analyzer* Find(const file_analysis::Tag& tag, zeek::RecordValPtr args);
/**
* Attach an analyzer to #file immediately.
@ -53,7 +55,7 @@ public:
* @param args an \c AnalyzerArgs value which specifies an analyzer.
* @return true if analyzer was instantiated/attached, else false.
*/
bool Add(const file_analysis::Tag& tag, RecordValPtr args);
bool Add(const file_analysis::Tag& tag, zeek::RecordValPtr args);
/**
* Queue the attachment of an analyzer to #file.
@ -63,7 +65,7 @@ public:
* a null pointer. The caller does *not* take ownership of the memory.
*/
file_analysis::Analyzer* QueueAdd(const file_analysis::Tag& tag,
RecordValPtr args);
zeek::RecordValPtr args);
/**
* Remove an analyzer from #file immediately.
@ -71,7 +73,7 @@ public:
* @param args an \c AnalyzerArgs value which specifies an analyzer.
* @return false if analyzer didn't exist and so wasn't removed, else true.
*/
bool Remove(const file_analysis::Tag& tag, RecordValPtr args);
bool Remove(const file_analysis::Tag& tag, zeek::RecordValPtr args);
/**
* Queue the removal of an analyzer from #file.
@ -79,7 +81,7 @@ public:
* @param args an \c AnalyzerArgs value which specifies an analyzer.
* @return true if analyzer exists at time of call, else false;
*/
bool QueueRemove(const file_analysis::Tag& tag, RecordValPtr args);
bool QueueRemove(const file_analysis::Tag& tag, zeek::RecordValPtr args);
/**
* Perform all queued modifications to the current analyzer set.
@ -113,7 +115,7 @@ protected:
* @return the hash key calculated from \a args
*/
std::unique_ptr<HashKey> GetKey(const file_analysis::Tag& tag,
RecordValPtr args) const;
zeek::RecordValPtr args) const;
/**
* Create an instance of a file analyzer.
@ -122,7 +124,7 @@ protected:
* @return a new file analyzer instance.
*/
file_analysis::Analyzer* InstantiateAnalyzer(const file_analysis::Tag& tag,
RecordValPtr args) const;
zeek::RecordValPtr args) const;
/**
* Insert an analyzer instance in to the set.

8
src/file_analysis/Component.h
View file

@ -8,8 +8,10 @@
#include "../zeek-config.h"
class RecordVal;
ZEEK_FORWARD_DECLARE_NAMESPACED(RecordVal, zeek);
namespace zeek {
using RecordValPtr = zeek::IntrusivePtr<RecordVal>;
}
namespace file_analysis {
@ -26,8 +28,8 @@ class Manager;
class Component : public zeek::plugin::Component,
public plugin::TaggedComponent<file_analysis::Tag> {
public:
typedef Analyzer* (*factory_callback)(RecordVal* args, File* file);
using factory_function = Analyzer* (*)(RecordValPtr args, File* file);
typedef Analyzer* (*factory_callback)(zeek::RecordVal* args, File* file);
using factory_function = Analyzer* (*)(zeek::RecordValPtr args, File* file);
/**
* Constructor.

50
src/file_analysis/File.cc
View file

@ -21,21 +21,21 @@
using namespace file_analysis;
static TableValPtr empty_connection_table()
static zeek::TableValPtr empty_connection_table()
{
auto tbl_index = zeek::make_intrusive<zeek::TypeList>(zeek::id::conn_id);
tbl_index->Append(zeek::id::conn_id);
auto tbl_type = zeek::make_intrusive<zeek::TableType>(std::move(tbl_index),
zeek::id::connection);
return zeek::make_intrusive<TableVal>(std::move(tbl_type));
return zeek::make_intrusive<zeek::TableVal>(std::move(tbl_type));
}
static RecordValPtr get_conn_id_val(const Connection* conn)
static zeek::RecordValPtr get_conn_id_val(const Connection* conn)
{
auto v = zeek::make_intrusive<RecordVal>(zeek::id::conn_id);
v->Assign(0, zeek::make_intrusive<AddrVal>(conn->OrigAddr()));
auto v = zeek::make_intrusive<zeek::RecordVal>(zeek::id::conn_id);
v->Assign(0, zeek::make_intrusive<zeek::AddrVal>(conn->OrigAddr()));
v->Assign(1, val_mgr->Port(ntohs(conn->OrigPort()), conn->ConnTransport()));
v->Assign(2, zeek::make_intrusive<AddrVal>(conn->RespAddr()));
v->Assign(2, zeek::make_intrusive<zeek::AddrVal>(conn->RespAddr()));
v->Assign(3, val_mgr->Port(ntohs(conn->RespPort()), conn->ConnTransport()));
return v;
}
@ -91,8 +91,8 @@ File::File(const std::string& file_id, const std::string& source_name, Connectio
DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Creating new File object", file_id.c_str());
val = zeek::make_intrusive<RecordVal>(zeek::id::fa_file);
val->Assign(id_idx, zeek::make_intrusive<StringVal>(file_id.c_str()));
val = zeek::make_intrusive<zeek::RecordVal>(zeek::id::fa_file);
val->Assign(id_idx, zeek::make_intrusive<zeek::StringVal>(file_id.c_str()));
SetSource(source_name);
if ( conn )
@ -115,7 +115,7 @@ File::~File()
void File::UpdateLastActivityTime()
{
val->Assign(last_active_idx, zeek::make_intrusive<TimeVal>(network_time));
val->Assign(last_active_idx, zeek::make_intrusive<zeek::TimeVal>(network_time));
}
double File::GetLastActivityTime() const
@ -128,7 +128,7 @@ bool File::UpdateConnectionFields(Connection* conn, bool is_orig)
if ( ! conn )
return false;
Val* conns = val->GetField(conns_idx).get();
zeek::Val* conns = val->GetField(conns_idx).get();
if ( ! conns )
{
@ -190,7 +190,7 @@ std::string File::GetSource() const
void File::SetSource(const std::string& source)
{
val->Assign(source_idx, zeek::make_intrusive<StringVal>(source.c_str()));
val->Assign(source_idx, zeek::make_intrusive<zeek::StringVal>(source.c_str()));
}
double File::GetTimeoutInterval() const
@ -200,13 +200,13 @@ double File::GetTimeoutInterval() const
void File::SetTimeoutInterval(double interval)
{
val->Assign(timeout_interval_idx, zeek::make_intrusive<IntervalVal>(interval));
val->Assign(timeout_interval_idx, zeek::make_intrusive<zeek::IntervalVal>(interval));
}
bool File::SetExtractionLimit(RecordVal* args, uint64_t bytes)
bool File::SetExtractionLimit(zeek::RecordVal* args, uint64_t bytes)
{ return SetExtractionLimit({zeek::NewRef{}, args}, bytes); }
bool File::SetExtractionLimit(RecordValPtr args, uint64_t bytes)
bool File::SetExtractionLimit(zeek::RecordValPtr args, uint64_t bytes)
{
Analyzer* a = analyzers.Find(file_mgr->GetComponentTag("EXTRACT"),
std::move(args));
@ -253,10 +253,10 @@ void File::ScheduleInactivityTimer() const
timer_mgr->Add(new FileTimer(network_time, id, GetTimeoutInterval()));
}
bool File::AddAnalyzer(file_analysis::Tag tag, RecordVal* args)
bool File::AddAnalyzer(file_analysis::Tag tag, zeek::RecordVal* args)
{ return AddAnalyzer(tag, {zeek::NewRef{}, args}); }
bool File::AddAnalyzer(file_analysis::Tag tag, RecordValPtr args)
bool File::AddAnalyzer(file_analysis::Tag tag, zeek::RecordValPtr args)
{
DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Queuing addition of %s analyzer",
id.c_str(), file_mgr->GetComponentName(tag).c_str());
@ -267,10 +267,10 @@ bool File::AddAnalyzer(file_analysis::Tag tag, RecordValPtr args)
return analyzers.QueueAdd(tag, std::move(args)) != nullptr;
}
bool File::RemoveAnalyzer(file_analysis::Tag tag, RecordVal* args)
bool File::RemoveAnalyzer(file_analysis::Tag tag, zeek::RecordVal* args)
{ return RemoveAnalyzer(tag, {zeek::NewRef{}, args}); }
bool File::RemoveAnalyzer(file_analysis::Tag tag, RecordValPtr args)
bool File::RemoveAnalyzer(file_analysis::Tag tag, zeek::RecordValPtr args)
{
DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Queuing remove of %s analyzer",
id.c_str(), file_mgr->GetComponentName(tag).c_str());
@ -306,8 +306,8 @@ bool File::SetMime(const std::string& mime_type)
if ( ! FileEventAvailable(file_sniff) )
return false;
auto meta = zeek::make_intrusive<RecordVal>(zeek::id::fa_metadata);
meta->Assign(meta_mime_type_idx, zeek::make_intrusive<StringVal>(mime_type));
auto meta = zeek::make_intrusive<zeek::RecordVal>(zeek::id::fa_metadata);
meta->Assign(meta_mime_type_idx, zeek::make_intrusive<zeek::StringVal>(mime_type));
meta->Assign(meta_inferred_idx, val_mgr->False());
FileEvent(file_sniff, {val, std::move(meta)});
@ -318,7 +318,7 @@ void File::InferMetadata()
{
did_metadata_inference = true;
Val* bof_buffer_val = val->GetField(bof_buffer_idx).get();
zeek::Val* bof_buffer_val = val->GetField(bof_buffer_idx).get();
if ( ! bof_buffer_val )
{
@ -326,7 +326,7 @@ void File::InferMetadata()
return;
BroString* bs = concatenate(bof_buffer.chunks);
val->Assign<StringVal>(bof_buffer_idx, bs);
val->Assign<zeek::StringVal>(bof_buffer_idx, bs);
bof_buffer_val = val->GetField(bof_buffer_idx).get();
}
@ -339,11 +339,11 @@ void File::InferMetadata()
len = std::min(len, LookupFieldDefaultCount(bof_buffer_size_idx));
file_mgr->DetectMIME(data, len, &matches);
auto meta = zeek::make_intrusive<RecordVal>(zeek::id::fa_metadata);
auto meta = zeek::make_intrusive<zeek::RecordVal>(zeek::id::fa_metadata);
if ( ! matches.empty() )
{
meta->Assign<StringVal>(meta_mime_type_idx,
meta->Assign<zeek::StringVal>(meta_mime_type_idx,
*(matches.begin()->second.begin()));
meta->Assign(meta_mime_types_idx,
file_analysis::GenMIMEMatchesVal(matches));
@ -370,7 +370,7 @@ bool File::BufferBOF(const u_char* data, uint64_t len)
if ( bof_buffer.size > 0 )
{
BroString* bs = concatenate(bof_buffer.chunks);
val->Assign(bof_buffer_idx, zeek::make_intrusive<StringVal>(bs));
val->Assign(bof_buffer_idx, zeek::make_intrusive<zeek::StringVal>(bs));
}
return false;

23
src/file_analysis/File.h
View file

@ -16,14 +16,13 @@
class Connection;
class EventHandlerPtr;
ZEEK_FORWARD_DECLARE_NAMESPACED(RecordVal, zeek);
ZEEK_FORWARD_DECLARE_NAMESPACED(RecordType, zeek);
namespace zeek {
using RecordValPtr = zeek::IntrusivePtr<zeek::RecordVal>;
using RecordTypePtr = zeek::IntrusivePtr<zeek::RecordType>;
}
class RecordVal;
using RecordValPtr = zeek::IntrusivePtr<RecordVal>;
namespace file_analysis {
class FileReassembler;
@ -44,11 +43,11 @@ public:
/**
* @return the wrapped \c fa_file record value, #val.
*/
const RecordValPtr& ToVal() const
const zeek::RecordValPtr& ToVal() const
{ return val; }
[[deprecated("Remove in v4.1. Use ToVal().")]]
RecordVal* GetVal() const
zeek::RecordVal* GetVal() const
{ return val.get(); }
/**
@ -80,10 +79,10 @@ public:
* @param bytes new limit.
* @return false if no extraction analyzer is active, else true.
*/
bool SetExtractionLimit(RecordValPtr args, uint64_t bytes);
bool SetExtractionLimit(zeek::RecordValPtr args, uint64_t bytes);
[[deprecated("Remove in v4.1. Pass an IntrusivePtr instead.")]]
bool SetExtractionLimit(RecordVal* args, uint64_t bytes);
bool SetExtractionLimit(zeek::RecordVal* args, uint64_t bytes);
/**
* @return value of the "id" field from #val record.
@ -128,10 +127,10 @@ public:
* @param args an \c AnalyzerArgs value representing a file analyzer.
* @return false if analyzer can't be instantiated, else true.
*/
bool AddAnalyzer(file_analysis::Tag tag, RecordValPtr args);
bool AddAnalyzer(file_analysis::Tag tag, zeek::RecordValPtr args);
[[deprecated("Remove in v4.1. Pass an IntrusivePtr instead.")]]
bool AddAnalyzer(file_analysis::Tag tag, RecordVal* args);
bool AddAnalyzer(file_analysis::Tag tag, zeek::RecordVal* args);
/**
* Queues removal of an analyzer.
@ -139,10 +138,10 @@ public:
* @param args an \c AnalyzerArgs value representing a file analyzer.
* @return true if analyzer was active at time of call, else false.
*/
bool RemoveAnalyzer(file_analysis::Tag tag, RecordValPtr args);
bool RemoveAnalyzer(file_analysis::Tag tag, zeek::RecordValPtr args);
[[deprecated("Remove in v4.1. Pass an IntrusivePtr instead.")]]
bool RemoveAnalyzer(file_analysis::Tag tag, RecordVal* args);
bool RemoveAnalyzer(file_analysis::Tag tag, zeek::RecordVal* args);
/**
* Signal that this analyzer can be deleted once it's safe to do so.
@ -353,7 +352,7 @@ protected:
protected:
std::string id; /**< A pretty hash that likely identifies file */
RecordValPtr val; /**< \c fa_file from script layer. */
zeek::RecordValPtr val; /**< \c fa_file from script layer. */
FileReassembler* file_reassembler; /**< A reassembler for the file if it's needed. */
uint64_t stream_offset; /**< The offset of the file which has been forwarded. */
uint64_t reassembly_max_buffer; /**< Maximum allowed buffer for reassembly. */

24
src/file_analysis/Manager.cc
View file

@ -258,12 +258,12 @@ bool Manager::SetReassemblyBuffer(const string& file_id, uint64_t max)
return true;
}
bool Manager::SetExtractionLimit(const string& file_id, RecordVal* args,
bool Manager::SetExtractionLimit(const string& file_id, zeek::RecordVal* args,
uint64_t n) const
{ return SetExtractionLimit(file_id, {zeek::NewRef{}, args}, n); }
bool Manager::SetExtractionLimit(const string& file_id,
RecordValPtr args, uint64_t n) const
zeek::RecordValPtr args, uint64_t n) const
{
File* file = LookupFile(file_id);
@ -274,11 +274,11 @@ bool Manager::SetExtractionLimit(const string& file_id,
}
bool Manager::AddAnalyzer(const string& file_id, const file_analysis::Tag& tag,
RecordVal* args) const
zeek::RecordVal* args) const
{ return AddAnalyzer(file_id, tag, {zeek::NewRef{}, args}); }
bool Manager::AddAnalyzer(const string& file_id, const file_analysis::Tag& tag,
RecordValPtr args) const
zeek::RecordValPtr args) const
{
File* file = LookupFile(file_id);
@ -289,11 +289,11 @@ bool Manager::AddAnalyzer(const string& file_id, const file_analysis::Tag& tag,
}
bool Manager::RemoveAnalyzer(const string& file_id, const file_analysis::Tag& tag,
RecordVal* args) const
zeek::RecordVal* args) const
{ return RemoveAnalyzer(file_id, tag, {zeek::NewRef{}, args}); }
bool Manager::RemoveAnalyzer(const string& file_id, const file_analysis::Tag& tag,
RecordValPtr args) const
zeek::RecordValPtr args) const
{
File* file = LookupFile(file_id);
@ -454,11 +454,11 @@ bool Manager::IsDisabled(const analyzer::Tag& tag)
return yield->AsBool();
}
Analyzer* Manager::InstantiateAnalyzer(const Tag& tag, RecordVal* args, File* f) const
Analyzer* Manager::InstantiateAnalyzer(const Tag& tag, zeek::RecordVal* args, File* f) const
{ return InstantiateAnalyzer(tag, {zeek::NewRef{}, args}, f); }
Analyzer* Manager::InstantiateAnalyzer(const Tag& tag,
RecordValPtr args,
zeek::RecordValPtr args,
File* f) const
{
Component* c = Lookup(tag);
@ -517,22 +517,22 @@ string Manager::DetectMIME(const u_char* data, uint64_t len) const
return *(matches.begin()->second.begin());
}
VectorValPtr file_analysis::GenMIMEMatchesVal(const RuleMatcher::MIME_Matches& m)
zeek::VectorValPtr file_analysis::GenMIMEMatchesVal(const RuleMatcher::MIME_Matches& m)
{
static auto mime_matches = zeek::id::find_type<zeek::VectorType>("mime_matches");
static auto mime_match = zeek::id::find_type<zeek::RecordType>("mime_match");
auto rval = zeek::make_intrusive<VectorVal>(mime_matches);
auto rval = zeek::make_intrusive<zeek::VectorVal>(mime_matches);
for ( RuleMatcher::MIME_Matches::const_iterator it = m.begin();
it != m.end(); ++it )
{
auto element = zeek::make_intrusive<RecordVal>(mime_match);
auto element = zeek::make_intrusive<zeek::RecordVal>(mime_match);
for ( set<string>::const_iterator it2 = it->second.begin();
it2 != it->second.end(); ++it2 )
{
element->Assign(0, val_mgr->Int(it->first));
element->Assign(1, zeek::make_intrusive<StringVal>(*it2));
element->Assign(1, zeek::make_intrusive<zeek::StringVal>(*it2));
}
rval->Assign(rval->Size(), std::move(element));

24
src/file_analysis/Manager.h
View file

@ -14,8 +14,8 @@
#include "analyzer/Tag.h"
class TableVal;
class VectorVal;
ZEEK_FORWARD_DECLARE_NAMESPACED(TableVal, zeek);
ZEEK_FORWARD_DECLARE_NAMESPACED(VectorVal, zeek);
namespace analyzer {
class Analyzer;
@ -254,10 +254,10 @@ public:
* else true.
*/
bool SetExtractionLimit(const std::string& file_id,
RecordValPtr args, uint64_t n) const;
zeek::RecordValPtr args, uint64_t n) const;
[[deprecated("Remove in v4.1. Pass IntrusivePtr args param instead.")]]
bool SetExtractionLimit(const std::string& file_id, RecordVal* args,
bool SetExtractionLimit(const std::string& file_id, zeek::RecordVal* args,
uint64_t n) const;
/**
@ -278,11 +278,11 @@ public:
* @return false if the analyzer failed to be instantiated, else true.
*/
bool AddAnalyzer(const std::string& file_id, const file_analysis::Tag& tag,
RecordValPtr args) const;
zeek::RecordValPtr args) const;
[[deprecated("Remove in v4.1. Pass IntrusivePtr args param instead.")]]
bool AddAnalyzer(const std::string& file_id, const file_analysis::Tag& tag,
RecordVal* args) const;
zeek::RecordVal* args) const;
/**
* Queue removal of an analyzer for a given file identifier.
@ -292,11 +292,11 @@ public:
* @return true if the analyzer is active at the time of call, else false.
*/
bool RemoveAnalyzer(const std::string& file_id, const file_analysis::Tag& tag,
RecordValPtr args) const;
zeek::RecordValPtr args) const;
[[deprecated("Remove in v4.1. Pass IntrusivePtr args param instead.")]]
bool RemoveAnalyzer(const std::string& file_id, const file_analysis::Tag& tag,
RecordVal* args) const;
zeek::RecordVal* args) const;
/**
* Tells whether analysis for a file is active or ignored.
@ -312,11 +312,11 @@ public:
* @param f The file analzer is to be associated with.
* @return The new analyzer instance or null if tag is invalid.
*/
Analyzer* InstantiateAnalyzer(const Tag& tag, RecordValPtr args,
Analyzer* InstantiateAnalyzer(const Tag& tag, zeek::RecordValPtr args,
File* f) const;
[[deprecated("Remove in v4.1. Pass in IntrusivePtr args instead.")]]
Analyzer* InstantiateAnalyzer(const Tag& tag, RecordVal* args, File* f) const;
Analyzer* InstantiateAnalyzer(const Tag& tag, zeek::RecordVal* args, File* f) const;
/**
* Returns a set of all matching MIME magic signatures for a given
@ -427,7 +427,7 @@ private:
RuleFileMagicState* magic_state; /**< File magic signature match state. */
MIMEMap mime_types;/**< Mapping of MIME types to analyzers. */
inline static TableVal* disabled = nullptr; /**< Table of disabled analyzers. */
inline static zeek::TableVal* disabled = nullptr; /**< Table of disabled analyzers. */
inline static zeek::TableType* tag_set_type = nullptr; /**< Type for set[tag]. */
size_t cumulative_files;
@ -438,7 +438,7 @@ private:
* Returns a script-layer value corresponding to the \c mime_matches type.
* @param m The MIME match information with which to populate the value.
*/
VectorValPtr GenMIMEMatchesVal(const RuleMatcher::MIME_Matches& m);
zeek::VectorValPtr GenMIMEMatchesVal(const RuleMatcher::MIME_Matches& m);
} // namespace file_analysis

8
src/file_analysis/Tag.cc
View file

@ -18,20 +18,20 @@ file_analysis::Tag& file_analysis::Tag::operator=(const file_analysis::Tag& othe
return *this;
}
const EnumValPtr& file_analysis::Tag::AsVal() const
const zeek::EnumValPtr& file_analysis::Tag::AsVal() const
{
return ::Tag::AsVal(file_mgr->GetTagType());
}
EnumVal* file_analysis::Tag::AsEnumVal() const
zeek::EnumVal* file_analysis::Tag::AsEnumVal() const
{
return AsVal().get();
}
file_analysis::Tag::Tag(EnumValPtr val)
file_analysis::Tag::Tag(zeek::EnumValPtr val)
: ::Tag(std::move(val))
{ }
file_analysis::Tag::Tag(EnumVal* val)
file_analysis::Tag::Tag(zeek::EnumVal* val)
: ::Tag({zeek::NewRef{}, val})
{ }

10
src/file_analysis/Tag.h
View file

@ -5,7 +5,7 @@
#include "zeek-config.h"
#include "../Tag.h"
class EnumVal;
ZEEK_FORWARD_DECLARE_NAMESPACED(EnumVal, zeek);
namespace zeek::plugin {
template <class T> class TaggedComponent;
@ -88,10 +88,10 @@ public:
*
* @param etype the script-layer enum type associated with the tag.
*/
const EnumValPtr& AsVal() const;
const zeek::EnumValPtr& AsVal() const;
[[deprecated("Remove in v4.1. Use AsVal() instead.")]]
EnumVal* AsEnumVal() const;
zeek::EnumVal* AsEnumVal() const;
static const Tag Error;
@ -116,10 +116,10 @@ protected:
*
* @param val An enum value of script type \c Files::Tag.
*/
explicit Tag(EnumValPtr val);
explicit Tag(zeek::EnumValPtr val);
[[deprecated("Remove in v4.1. Construct from IntrusivePtr instead.")]]
explicit Tag(EnumVal* val);
explicit Tag(zeek::EnumVal* val);
};
}

14
src/file_analysis/analyzer/data_event/DataEvent.cc
View file

@ -11,7 +11,7 @@
using namespace file_analysis;
DataEvent::DataEvent(RecordValPtr args, File* file,
DataEvent::DataEvent(zeek::RecordValPtr args, File* file,
EventHandlerPtr ce, EventHandlerPtr se)
: file_analysis::Analyzer(file_mgr->GetComponentTag("DATA_EVENT"),
std::move(args), file),
@ -19,7 +19,7 @@ DataEvent::DataEvent(RecordValPtr args, File* file,
{
}
file_analysis::Analyzer* DataEvent::Instantiate(RecordValPtr args,
file_analysis::Analyzer* DataEvent::Instantiate(zeek::RecordValPtr args,
File* file)
{
const auto& chunk_val = args->GetField("chunk_event");
@ -44,9 +44,9 @@ bool DataEvent::DeliverChunk(const u_char* data, uint64_t len, uint64_t offset)
if ( ! chunk_event ) return true;
mgr.Enqueue(chunk_event,
GetFile()->ToVal(),
zeek::make_intrusive<StringVal>(new BroString(data, len, false)),
val_mgr->Count(offset)
GetFile()->ToVal(),
zeek::make_intrusive<zeek::StringVal>(new BroString(data, len, false)),
val_mgr->Count(offset)
);
return true;
@ -57,8 +57,8 @@ bool DataEvent::DeliverStream(const u_char* data, uint64_t len)
if ( ! stream_event ) return true;
mgr.Enqueue(stream_event,
GetFile()->ToVal(),
zeek::make_intrusive<StringVal>(new BroString(data, len, false))
GetFile()->ToVal(),
zeek::make_intrusive<zeek::StringVal>(new BroString(data, len, false))
);
return true;

4
src/file_analysis/analyzer/data_event/DataEvent.h
View file

@ -43,7 +43,7 @@ public:
* @return the new DataEvent analyzer instance or a null pointer if
* no "chunk_event" or "stream_event" field was specfied in \a args.
*/
static file_analysis::Analyzer* Instantiate(RecordValPtr args,
static file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args,
File* file);
protected:
@ -57,7 +57,7 @@ protected:
* @param se pointer to event handler which will be called to receive
* sequential file data.
*/
DataEvent(RecordValPtr args, File* file,
DataEvent(zeek::RecordValPtr args, File* file,
EventHandlerPtr ce, EventHandlerPtr se);
private:

18
src/file_analysis/analyzer/entropy/Entropy.cc
View file

@ -9,12 +9,12 @@
using namespace file_analysis;
Entropy::Entropy(RecordValPtr args, File* file)
Entropy::Entropy(zeek::RecordValPtr args, File* file)
: file_analysis::Analyzer(file_mgr->GetComponentTag("ENTROPY"),
std::move(args), file)
{
//entropy->Init();
entropy = new EntropyVal;
entropy = new zeek::EntropyVal;
fed = false;
}
@ -23,7 +23,7 @@ Entropy::~Entropy()
Unref(entropy);
}
file_analysis::Analyzer* Entropy::Instantiate(RecordValPtr args,
file_analysis::Analyzer* Entropy::Instantiate(zeek::RecordValPtr args,
File* file)
{
return new Entropy(std::move(args), file);
@ -63,12 +63,12 @@ void Entropy::Finalize()
entropy->Get(&ent, &chisq, &mean, &montepi, &scc);
static auto entropy_test_result = zeek::id::find_type<zeek::RecordType>("entropy_test_result");
auto ent_result = zeek::make_intrusive<RecordVal>(entropy_test_result);
ent_result->Assign<DoubleVal>(0, ent);
ent_result->Assign<DoubleVal>(1, chisq);
ent_result->Assign<DoubleVal>(2, mean);
ent_result->Assign<DoubleVal>(3, montepi);
ent_result->Assign<DoubleVal>(4, scc);
auto ent_result = zeek::make_intrusive<zeek::RecordVal>(entropy_test_result);
ent_result->Assign<zeek::DoubleVal>(0, ent);
ent_result->Assign<zeek::DoubleVal>(1, chisq);
ent_result->Assign<zeek::DoubleVal>(2, mean);
ent_result->Assign<zeek::DoubleVal>(3, montepi);
ent_result->Assign<zeek::DoubleVal>(4, scc);
mgr.Enqueue(file_entropy,
GetFile()->ToVal(),

6
src/file_analysis/analyzer/entropy/Entropy.h
View file

@ -31,7 +31,7 @@ public:
* @return the new Entropy analyzer instance or a null pointer if the
* the "extraction_file" field of \a args wasn't set.
*/
static file_analysis::Analyzer* Instantiate(RecordValPtr args,
static file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args,
File* file);
/**
@ -66,7 +66,7 @@ protected:
* @param hv specific hash calculator object.
* @param kind human readable name of the hash algorithm to use.
*/
Entropy(RecordValPtr args, File* file);
Entropy(zeek::RecordValPtr args, File* file);
/**
* If some file contents have been seen, finalizes the entropy of them and
@ -75,7 +75,7 @@ protected:
void Finalize();
private:
EntropyVal* entropy;
zeek::EntropyVal* entropy;
bool fed;
};

8
src/file_analysis/analyzer/extract/Extract.cc
View file

@ -10,7 +10,7 @@
using namespace file_analysis;
Extract::Extract(RecordValPtr args, File* file,
Extract::Extract(zeek::RecordValPtr args, File* file,
const std::string& arg_filename, uint64_t arg_limit)
: file_analysis::Analyzer(file_mgr->GetComponentTag("EXTRACT"),
std::move(args), file),
@ -33,8 +33,8 @@ Extract::~Extract()
safe_close(fd);
}
static const ValPtr& get_extract_field_val(const RecordValPtr& args,
const char* name)
static const zeek::ValPtr& get_extract_field_val(const zeek::RecordValPtr& args,
const char* name)
{
const auto& rval = args->GetField(name);
@ -44,7 +44,7 @@ static const ValPtr& get_extract_field_val(const RecordValPtr& args,
return rval;
}
file_analysis::Analyzer* Extract::Instantiate(RecordValPtr args, File* file)
file_analysis::Analyzer* Extract::Instantiate(zeek::RecordValPtr args, File* file)
{
const auto& fname = get_extract_field_val(args, "extract_filename");
const auto& limit = get_extract_field_val(args, "extract_limit");

4
src/file_analysis/analyzer/extract/Extract.h
View file

@ -47,7 +47,7 @@ public:
* @return the new Extract analyzer instance or a null pointer if the
* the "extraction_file" field of \a args wasn't set.
*/
static file_analysis::Analyzer* Instantiate(RecordValPtr args,
static file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args,
File* file);
/**
@ -67,7 +67,7 @@ protected:
* to which the contents of the file will be extracted/written.
* @param arg_limit the maximum allowed file size.
*/
Extract(RecordValPtr args, File* file,
Extract(zeek::RecordValPtr args, File* file,
const std::string& arg_filename, uint64_t arg_limit);
private:

8
src/file_analysis/analyzer/hash/Hash.cc
View file

@ -9,7 +9,7 @@
using namespace file_analysis;
Hash::Hash(RecordValPtr args, File* file, HashVal* hv, const char* arg_kind)
Hash::Hash(zeek::RecordValPtr args, File* file, zeek::HashVal* hv, const char* arg_kind)
: file_analysis::Analyzer(file_mgr->GetComponentTag(to_upper(arg_kind).c_str()),
std::move(args), file),
hash(hv), fed(false), kind(arg_kind)
@ -54,8 +54,8 @@ void Hash::Finalize()
return;
mgr.Enqueue(file_hash,
GetFile()->ToVal(),
zeek::make_intrusive<StringVal>(kind),
hash->Get()
GetFile()->ToVal(),
zeek::make_intrusive<zeek::StringVal>(kind),
hash->Get()
);
}

22
src/file_analysis/analyzer/hash/Hash.h
View file

@ -56,7 +56,7 @@ protected:
* @param hv specific hash calculator object.
* @param kind human readable name of the hash algorithm to use.
*/
Hash(RecordValPtr args, File* file, HashVal* hv, const char* kind);
Hash(zeek::RecordValPtr args, File* file, zeek::HashVal* hv, const char* kind);
/**
* If some file contents have been seen, finalizes the hash of them and
@ -65,7 +65,7 @@ protected:
void Finalize();
private:
HashVal* hash;
zeek::HashVal* hash;
bool fed;
const char* kind;
};
@ -83,7 +83,7 @@ public:
* @return the new MD5 analyzer instance or a null pointer if there's no
* handler for the "file_hash" event.
*/
static file_analysis::Analyzer* Instantiate(RecordValPtr args,
static file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args,
File* file)
{ return file_hash ? new MD5(std::move(args), file) : nullptr; }
@ -94,8 +94,8 @@ protected:
* @param args the \c AnalyzerArgs value which represents the analyzer.
* @param file the file to which the analyzer will be attached.
*/
MD5(RecordValPtr args, File* file)
: Hash(std::move(args), file, new MD5Val(), "md5")
MD5(zeek::RecordValPtr args, File* file)
: Hash(std::move(args), file, new zeek::MD5Val(), "md5")
{}
};
@ -112,7 +112,7 @@ public:
* @return the new MD5 analyzer instance or a null pointer if there's no
* handler for the "file_hash" event.
*/
static file_analysis::Analyzer* Instantiate(RecordValPtr args,
static file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args,
File* file)
{ return file_hash ? new SHA1(std::move(args), file) : nullptr; }
@ -123,8 +123,8 @@ protected:
* @param args the \c AnalyzerArgs value which represents the analyzer.
* @param file the file to which the analyzer will be attached.
*/
SHA1(RecordValPtr args, File* file)
: Hash(std::move(args), file, new SHA1Val(), "sha1")
SHA1(zeek::RecordValPtr args, File* file)
: Hash(std::move(args), file, new zeek::SHA1Val(), "sha1")
{}
};
@ -141,7 +141,7 @@ public:
* @return the new MD5 analyzer instance or a null pointer if there's no
* handler for the "file_hash" event.
*/
static file_analysis::Analyzer* Instantiate(RecordValPtr args,
static file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args,
File* file)
{ return file_hash ? new SHA256(std::move(args), file) : nullptr; }
@ -152,8 +152,8 @@ protected:
* @param args the \c AnalyzerArgs value which represents the analyzer.
* @param file the file to which the analyzer will be attached.
*/
SHA256(RecordValPtr args, File* file)
: Hash(std::move(args), file, new SHA256Val(), "sha256")
SHA256(zeek::RecordValPtr args, File* file)
: Hash(std::move(args), file, new zeek::SHA256Val(), "sha256")
{}
};

2
src/file_analysis/analyzer/pe/PE.cc
View file

@ -3,7 +3,7 @@
using namespace file_analysis;
PE::PE(RecordValPtr args, File* file)
PE::PE(zeek::RecordValPtr args, File* file)
: file_analysis::Analyzer(file_mgr->GetComponentTag("PE"), std::move(args),
file)
{

4
src/file_analysis/analyzer/pe/PE.h
View file

@ -15,7 +15,7 @@ class PE : public file_analysis::Analyzer {
public:
~PE();
static file_analysis::Analyzer* Instantiate(RecordValPtr args,
static file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args,
File* file)
{ return new PE(std::move(args), file); }
@ -24,7 +24,7 @@ public:
virtual bool EndOfFile();
protected:
PE(RecordValPtr args, File* file);
PE(zeek::RecordValPtr args, File* file);
binpac::PE::File* interp;
binpac::PE::MockConnection* conn;
bool done;

28
src/file_analysis/analyzer/pe/pe-analyzer.pac
View file

@ -5,14 +5,14 @@
%}
%header{
VectorValPtr process_rvas(const RVAS* rvas);
TableValPtr characteristics_to_bro(uint32_t c, uint8_t len);
zeek::VectorValPtr process_rvas(const RVAS* rvas);
zeek::TableValPtr characteristics_to_bro(uint32_t c, uint8_t len);
%}
%code{
VectorValPtr process_rvas(const RVAS* rva_table)
zeek::VectorValPtr process_rvas(const RVAS* rva_table)
{
auto rvas = zeek::make_intrusive<VectorVal>(zeek::id::index_vec);
auto rvas = zeek::make_intrusive<zeek::VectorVal>(zeek::id::index_vec);
for ( uint16 i=0; i < rva_table->rvas()->size(); ++i )
rvas->Assign(i, val_mgr->Count((*rva_table->rvas())[i]->size()));
@ -20,10 +20,10 @@ VectorValPtr process_rvas(const RVAS* rva_table)
return rvas;
}
TableValPtr characteristics_to_bro(uint32_t c, uint8_t len)
zeek::TableValPtr characteristics_to_bro(uint32_t c, uint8_t len)
{
uint64 mask = (len==16) ? 0xFFFF : 0xFFFFFFFF;
auto char_set = zeek::make_intrusive<TableVal>(zeek::id::count_set);
auto char_set = zeek::make_intrusive<zeek::TableVal>(zeek::id::count_set);
for ( uint16 i=0; i < len; ++i )
{
@ -46,8 +46,8 @@ refine flow File += {
%{
if ( pe_dos_header )
{
auto dh = zeek::make_intrusive<RecordVal>(zeek::BifType::Record::PE::DOSHeader);
dh->Assign(0, zeek::make_intrusive<StringVal>(${h.signature}.length(), (const char*) ${h.signature}.data()));
auto dh = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::PE::DOSHeader);
dh->Assign(0, zeek::make_intrusive<zeek::StringVal>(${h.signature}.length(), (const char*) ${h.signature}.data()));
dh->Assign(1, val_mgr->Count(${h.UsedBytesInTheLastPage}));
dh->Assign(2, val_mgr->Count(${h.FileSizeInPages}));
dh->Assign(3, val_mgr->Count(${h.NumberOfRelocationItems}));
@ -77,7 +77,7 @@ refine flow File += {
if ( pe_dos_code )
mgr.Enqueue(pe_dos_code,
connection()->bro_analyzer()->GetFile()->ToVal(),
zeek::make_intrusive<StringVal>(code.length(), (const char*) code.data())
zeek::make_intrusive<zeek::StringVal>(code.length(), (const char*) code.data())
);
return true;
%}
@ -96,9 +96,9 @@ refine flow File += {
%{
if ( pe_file_header )
{
auto fh = zeek::make_intrusive<RecordVal>(zeek::BifType::Record::PE::FileHeader);
auto fh = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::PE::FileHeader);
fh->Assign(0, val_mgr->Count(${h.Machine}));
fh->Assign(1, zeek::make_intrusive<TimeVal>(static_cast<double>(${h.TimeDateStamp})));
fh->Assign(1, zeek::make_intrusive<zeek::TimeVal>(static_cast<double>(${h.TimeDateStamp})));
fh->Assign(2, val_mgr->Count(${h.PointerToSymbolTable}));
fh->Assign(3, val_mgr->Count(${h.NumberOfSymbols}));
fh->Assign(4, val_mgr->Count(${h.SizeOfOptionalHeader}));
@ -124,7 +124,7 @@ refine flow File += {
if ( pe_optional_header )
{
auto oh = zeek::make_intrusive<RecordVal>(zeek::BifType::Record::PE::OptionalHeader);
auto oh = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::PE::OptionalHeader);
oh->Assign(0, val_mgr->Count(${h.magic}));
oh->Assign(1, val_mgr->Count(${h.major_linker_version}));
@ -166,7 +166,7 @@ refine flow File += {
%{
if ( pe_section_header )
{
auto section_header = zeek::make_intrusive<RecordVal>(zeek::BifType::Record::PE::SectionHeader);
auto section_header = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::PE::SectionHeader);
// Strip null characters from the end of the section name.
u_char* first_null = (u_char*) memchr(${h.name}.data(), 0, ${h.name}.length());
@ -175,7 +175,7 @@ refine flow File += {
name_len = ${h.name}.length();
else
name_len = first_null - ${h.name}.data();
section_header->Assign(0, zeek::make_intrusive<StringVal>(name_len, (const char*) ${h.name}.data()));
section_header->Assign(0, zeek::make_intrusive<zeek::StringVal>(name_len, (const char*) ${h.name}.data()));
section_header->Assign(1, val_mgr->Count(${h.virtual_size}));
section_header->Assign(2, val_mgr->Count(${h.virtual_addr}));

5
src/file_analysis/analyzer/unified2/Unified2.cc
View file

@ -5,7 +5,7 @@
using namespace file_analysis;
Unified2::Unified2(RecordValPtr args, File* file)
Unified2::Unified2(zeek::RecordValPtr args, File* file)
: file_analysis::Analyzer(file_mgr->GetComponentTag("UNIFIED2"), std::move(args), file)
{
interp = new binpac::Unified2::Unified2_Analyzer(this);
@ -16,7 +16,7 @@ Unified2::~Unified2()
delete interp;
}
file_analysis::Analyzer* Unified2::Instantiate(RecordValPtr args, File* file)
file_analysis::Analyzer* Unified2::Instantiate(zeek::RecordValPtr args, File* file)
{
return new Unified2(std::move(args), file);
}
@ -27,7 +27,6 @@ bool Unified2::DeliverStream(const u_char* data, uint64_t len)
{
interp->NewData(true, data, data + len);
}
catch ( const binpac::Exception& e )
{
printf("Binpac exception: %s\n", e.c_msg());

4
src/file_analysis/analyzer/unified2/Unified2.h
View file

@ -20,10 +20,10 @@ public:
bool DeliverStream(const u_char* data, uint64_t len) override;
static file_analysis::Analyzer* Instantiate(RecordValPtr args, File* file);
static file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args, File* file);
protected:
Unified2(RecordValPtr args, File* file);
Unified2(zeek::RecordValPtr args, File* file);
private:
binpac::Unified2::Unified2_Analyzer* interp;

26
src/file_analysis/analyzer/unified2/unified2-analyzer.pac
View file

@ -8,25 +8,25 @@
%}
%code{
AddrValPtr binpac::Unified2::Flow::unified2_addr_to_bro_addr(std::vector<uint32_t>* a)
zeek::AddrValPtr binpac::Unified2::Flow::unified2_addr_to_bro_addr(std::vector<uint32_t>* a)
{
if ( a->size() == 1 )
{
return zeek::make_intrusive<AddrVal>(IPAddr(IPv4, &(a->at(0)), IPAddr::Host));
return zeek::make_intrusive<zeek::AddrVal>(IPAddr(IPv4, &(a->at(0)), IPAddr::Host));
}
else if ( a->size() == 4 )
{
uint32 tmp[4] = { a->at(0), a->at(1), a->at(2), a->at(3) };
return zeek::make_intrusive<AddrVal>(IPAddr(IPv6, tmp, IPAddr::Host));
return zeek::make_intrusive<zeek::AddrVal>(IPAddr(IPv6, tmp, IPAddr::Host));
}
else
{
// Should never reach here.
return zeek::make_intrusive<AddrVal>(1);
return zeek::make_intrusive<zeek::AddrVal>(1);
}
}
ValPtr binpac::Unified2::Flow::to_port(uint16_t n, uint8_t p)
zeek::ValPtr binpac::Unified2::Flow::to_port(uint16_t n, uint8_t p)
{
TransportProto proto = TRANSPORT_UNKNOWN;
switch ( p ) {
@ -42,8 +42,8 @@ ValPtr binpac::Unified2::Flow::to_port(uint16_t n, uint8_t p)
refine flow Flow += {
%member{
AddrValPtr unified2_addr_to_bro_addr(std::vector<uint32_t>* a);
ValPtr to_port(uint16_t n, uint8_t p);
zeek::AddrValPtr unified2_addr_to_bro_addr(std::vector<uint32_t>* a);
zeek::ValPtr to_port(uint16_t n, uint8_t p);
%}
%init{
@ -71,10 +71,10 @@ refine flow Flow += {
%{
if ( ::unified2_event )
{
auto ids_event = zeek::make_intrusive<RecordVal>(zeek::BifType::Record::Unified2::IDSEvent);
auto ids_event = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::Unified2::IDSEvent);
ids_event->Assign(0, val_mgr->Count(${ev.sensor_id}));
ids_event->Assign(1, val_mgr->Count(${ev.event_id}));
ids_event->Assign(2, zeek::make_intrusive<TimeVal>(ts_to_double(${ev.ts})));
ids_event->Assign(2, zeek::make_intrusive<zeek::TimeVal>(ts_to_double(${ev.ts})));
ids_event->Assign(3, val_mgr->Count(${ev.signature_id}));
ids_event->Assign(4, val_mgr->Count(${ev.generator_id}));
ids_event->Assign(5, val_mgr->Count(${ev.signature_revision}));
@ -97,10 +97,10 @@ refine flow Flow += {
%{
if ( ::unified2_event )
{
auto ids_event = zeek::make_intrusive<RecordVal>(zeek::BifType::Record::Unified2::IDSEvent);
auto ids_event = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::Unified2::IDSEvent);
ids_event->Assign(0, val_mgr->Count(${ev.sensor_id}));
ids_event->Assign(1, val_mgr->Count(${ev.event_id}));
ids_event->Assign(2, zeek::make_intrusive<TimeVal>(ts_to_double(${ev.ts})));
ids_event->Assign(2, zeek::make_intrusive<zeek::TimeVal>(ts_to_double(${ev.ts})));
ids_event->Assign(3, val_mgr->Count(${ev.signature_id}));
ids_event->Assign(4, val_mgr->Count(${ev.generator_id}));
ids_event->Assign(5, val_mgr->Count(${ev.signature_revision}));
@ -128,11 +128,11 @@ refine flow Flow += {
%{
if ( ::unified2_packet )
{
auto packet = zeek::make_intrusive<RecordVal>(zeek::BifType::Record::Unified2::Packet);
auto packet = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::Unified2::Packet);
packet->Assign(0, val_mgr->Count(${pkt.sensor_id}));
packet->Assign(1, val_mgr->Count(${pkt.event_id}));
packet->Assign(2, val_mgr->Count(${pkt.event_second}));
packet->Assign(3, zeek::make_intrusive<TimeVal>(ts_to_double(${pkt.packet_ts})));
packet->Assign(3, zeek::make_intrusive<zeek::TimeVal>(ts_to_double(${pkt.packet_ts})));
packet->Assign(4, val_mgr->Count(${pkt.link_type}));
packet->Assign(5, to_stringval(${pkt.packet_data}));

58
src/file_analysis/analyzer/x509/OCSP.cc
View file

@ -92,38 +92,38 @@ static bool ocsp_add_cert_id(const OCSP_CERTID* cert_id, zeek::Args* vl, BIO* bi
i2a_ASN1_OBJECT(bio, hash_alg);
int len = BIO_read(bio, buf, sizeof(buf));
vl->emplace_back(zeek::make_intrusive<StringVal>(len, buf));
vl->emplace_back(zeek::make_intrusive<zeek::StringVal>(len, buf));
BIO_reset(bio);
i2a_ASN1_STRING(bio, issuer_name_hash, V_ASN1_OCTET_STRING);
len = BIO_read(bio, buf, sizeof(buf));
vl->emplace_back(zeek::make_intrusive<StringVal>(len, buf));
vl->emplace_back(zeek::make_intrusive<zeek::StringVal>(len, buf));
BIO_reset(bio);
i2a_ASN1_STRING(bio, issuer_key_hash, V_ASN1_OCTET_STRING);
len = BIO_read(bio, buf, sizeof(buf));
vl->emplace_back(zeek::make_intrusive<StringVal>(len, buf));
vl->emplace_back(zeek::make_intrusive<zeek::StringVal>(len, buf));
BIO_reset(bio);
i2a_ASN1_INTEGER(bio, serial_number);
len = BIO_read(bio, buf, sizeof(buf));
vl->emplace_back(zeek::make_intrusive<StringVal>(len, buf));
vl->emplace_back(zeek::make_intrusive<zeek::StringVal>(len, buf));
BIO_reset(bio);
return true;
}
file_analysis::Analyzer* OCSP::InstantiateRequest(RecordValPtr args, File* file)
file_analysis::Analyzer* OCSP::InstantiateRequest(zeek::RecordValPtr args, File* file)
{
return new OCSP(std::move(args), file, true);
}
file_analysis::Analyzer* OCSP::InstantiateReply(RecordValPtr args, File* file)
file_analysis::Analyzer* OCSP::InstantiateReply(zeek::RecordValPtr args, File* file)
{
return new OCSP(std::move(args), file, false);
}
file_analysis::OCSP::OCSP(RecordValPtr args, file_analysis::File* file,
file_analysis::OCSP::OCSP(zeek::RecordValPtr args, file_analysis::File* file,
bool arg_request)
: file_analysis::X509Common::X509Common(file_mgr->GetComponentTag("OCSP"),
std::move(args), file),
@ -209,9 +209,9 @@ typedef struct ocsp_basic_response_st {
STACK_OF(X509) *certs;
} OCSP_BASICRESP;
*/
static StringValPtr parse_basic_resp_sig_alg(OCSP_BASICRESP* basic_resp,
BIO* bio, char* buf,
size_t buf_len)
static zeek::StringValPtr parse_basic_resp_sig_alg(OCSP_BASICRESP* basic_resp,
BIO* bio, char* buf,
size_t buf_len)
{
int der_basic_resp_len = 0;
unsigned char* der_basic_resp_dat = nullptr;
@ -276,14 +276,14 @@ static StringValPtr parse_basic_resp_sig_alg(OCSP_BASICRESP* basic_resp,
auto alg_obj = alg_obj_type->value.object;
i2a_ASN1_OBJECT(bio, alg_obj);
auto alg_len = BIO_read(bio, buf, buf_len);
auto rval = zeek::make_intrusive<StringVal>(alg_len, buf);
auto rval = zeek::make_intrusive<zeek::StringVal>(alg_len, buf);
BIO_reset(bio);
OPENSSL_free(der_basic_resp_dat);
return rval;
}
static ValPtr parse_basic_resp_data_version(OCSP_BASICRESP* basic_resp)
static zeek::ValPtr parse_basic_resp_data_version(OCSP_BASICRESP* basic_resp)
{
int der_basic_resp_len = 0;
unsigned char* der_basic_resp_dat = nullptr;
@ -451,14 +451,14 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPONSE *resp)
const STACK_OF(X509)* certs = nullptr;
int resp_count, num_ext = 0;
VectorVal *certs_vector = nullptr;
zeek::VectorVal *certs_vector = nullptr;
int len = 0;
char buf[OCSP_STRING_BUF_SIZE];
memset(buf, 0, sizeof(buf));
const char *status_str = OCSP_response_status_str(OCSP_response_status(resp));
auto status_val = zeek::make_intrusive<StringVal>(strlen(status_str), status_str);
auto status_val = zeek::make_intrusive<zeek::StringVal>(strlen(status_str), status_str);
if ( ocsp_response_status )
mgr.Enqueue(ocsp_response_status, GetFile()->ToVal(), status_val);
@ -501,7 +501,7 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPONSE *resp)
if ( OCSP_RESPID_bio(basic_resp, bio) )
{
len = BIO_read(bio, buf, sizeof(buf));
vl.emplace_back(zeek::make_intrusive<StringVal>(len, buf));
vl.emplace_back(zeek::make_intrusive<zeek::StringVal>(len, buf));
BIO_reset(bio);
}
else
@ -517,7 +517,7 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPONSE *resp)
produced_at = OCSP_resp_get0_produced_at(basic_resp);
#endif
vl.emplace_back(zeek::make_intrusive<TimeVal>(GetTimeFromAsn1(produced_at, GetFile(), reporter)));
vl.emplace_back(zeek::make_intrusive<zeek::TimeVal>(GetTimeFromAsn1(produced_at, GetFile(), reporter)));
// responses
@ -560,36 +560,36 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPONSE *resp)
reporter->Weird("OpenSSL failed to find status of OCSP response");
const char* cert_status_str = OCSP_cert_status_str(status);
rvl.emplace_back(zeek::make_intrusive<StringVal>(strlen(cert_status_str), cert_status_str));
rvl.emplace_back(zeek::make_intrusive<zeek::StringVal>(strlen(cert_status_str), cert_status_str));
// revocation time and reason if revoked
if ( status == V_OCSP_CERTSTATUS_REVOKED )
{
rvl.emplace_back(zeek::make_intrusive<TimeVal>(GetTimeFromAsn1(revoke_time, GetFile(), reporter)));
rvl.emplace_back(zeek::make_intrusive<zeek::TimeVal>(GetTimeFromAsn1(revoke_time, GetFile(), reporter)));
if ( reason != OCSP_REVOKED_STATUS_NOSTATUS )
{
const char* revoke_reason = OCSP_crl_reason_str(reason);
rvl.emplace_back(zeek::make_intrusive<StringVal>(strlen(revoke_reason), revoke_reason));
rvl.emplace_back(zeek::make_intrusive<zeek::StringVal>(strlen(revoke_reason), revoke_reason));
}
else
rvl.emplace_back(zeek::make_intrusive<StringVal>(0, ""));
rvl.emplace_back(zeek::make_intrusive<zeek::StringVal>(0, ""));
}
else
{
rvl.emplace_back(zeek::make_intrusive<TimeVal>(0.0));
rvl.emplace_back(zeek::make_intrusive<StringVal>(0, ""));
rvl.emplace_back(zeek::make_intrusive<zeek::TimeVal>(0.0));
rvl.emplace_back(zeek::make_intrusive<zeek::StringVal>(0, ""));
}
if ( this_update )
rvl.emplace_back(zeek::make_intrusive<TimeVal>(GetTimeFromAsn1(this_update, GetFile(), reporter)));
rvl.emplace_back(zeek::make_intrusive<zeek::TimeVal>(GetTimeFromAsn1(this_update, GetFile(), reporter)));
else
rvl.emplace_back(zeek::make_intrusive<TimeVal>(0.0));
rvl.emplace_back(zeek::make_intrusive<zeek::TimeVal>(0.0));
if ( next_update )
rvl.emplace_back(zeek::make_intrusive<TimeVal>(GetTimeFromAsn1(next_update, GetFile(), reporter)));
rvl.emplace_back(zeek::make_intrusive<zeek::TimeVal>(GetTimeFromAsn1(next_update, GetFile(), reporter)));
else
rvl.emplace_back(zeek::make_intrusive<TimeVal>(0.0));
rvl.emplace_back(zeek::make_intrusive<zeek::TimeVal>(0.0));
if ( ocsp_response_certificate )
mgr.Enqueue(ocsp_response_certificate, std::move(rvl));
@ -608,7 +608,7 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPONSE *resp)
#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER)
i2a_ASN1_OBJECT(bio, basic_resp->signatureAlgorithm->algorithm);
len = BIO_read(bio, buf, sizeof(buf));
vl.emplace_back(zeek::make_intrusive<StringVal>(len, buf));
vl.emplace_back(zeek::make_intrusive<zeek::StringVal>(len, buf));
BIO_reset(bio);
#else
vl.emplace_back(parse_basic_resp_sig_alg(basic_resp, bio, buf, sizeof(buf)));
@ -616,10 +616,10 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPONSE *resp)
//i2a_ASN1_OBJECT(bio, basic_resp->signature);
//len = BIO_read(bio, buf, sizeof(buf));
//ocsp_resp_record->Assign(7, zeek::make_intrusive<StringVal>(len, buf));
//ocsp_resp_record->Assign(7, zeek::make_intrusive<zeek::StringVal>(len, buf));
//BIO_reset(bio);
certs_vector = new VectorVal(zeek::id::find_type<zeek::VectorType>("x509_opaque_vector"));
certs_vector = new zeek::VectorVal(zeek::id::find_type<zeek::VectorType>("x509_opaque_vector"));
vl.emplace_back(zeek::AdoptRef{}, certs_vector);
#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER)

6
src/file_analysis/analyzer/x509/OCSP.h
View file

@ -18,13 +18,13 @@ public:
bool Undelivered(uint64_t offset, uint64_t len) override;
bool EndOfFile() override;
static file_analysis::Analyzer* InstantiateRequest(RecordValPtr args,
static file_analysis::Analyzer* InstantiateRequest(zeek::RecordValPtr args,
File* file);
static file_analysis::Analyzer* InstantiateReply(RecordValPtr args,
static file_analysis::Analyzer* InstantiateReply(zeek::RecordValPtr args,
File* file);
protected:
OCSP(RecordValPtr args, File* file, bool request);
OCSP(zeek::RecordValPtr args, File* file, bool request);
private:
void ParseResponse(OCSP_RESPONSE*);

70
src/file_analysis/analyzer/x509/X509.cc
View file

@ -23,7 +23,7 @@
using namespace file_analysis;
file_analysis::X509::X509(RecordValPtr args, file_analysis::File* file)
file_analysis::X509::X509(zeek::RecordValPtr args, file_analysis::File* file)
: file_analysis::X509Common::X509Common(file_mgr->GetComponentTag("X509"),
std::move(args), file)
{
@ -53,7 +53,7 @@ bool file_analysis::X509::EndOfFile()
hash_update(ctx, cert_char, cert_data.size());
hash_final(ctx, buf);
std::string cert_sha256 = sha256_digest_print(buf);
auto index = zeek::make_intrusive<StringVal>(cert_sha256);
auto index = zeek::make_intrusive<zeek::StringVal>(cert_sha256);
const auto& entry = certificate_cache->Find(index);
if ( entry )
@ -65,7 +65,7 @@ bool file_analysis::X509::EndOfFile()
// yup, let's call the callback.
cache_hit_callback->Invoke(GetFile()->ToVal(), entry,
zeek::make_intrusive<StringVal>(cert_sha256));
zeek::make_intrusive<zeek::StringVal>(cert_sha256));
return false;
}
}
@ -113,25 +113,25 @@ bool file_analysis::X509::EndOfFile()
return false;
}
RecordValPtr file_analysis::X509::ParseCertificate(X509Val* cert_val, File* f)
zeek::RecordValPtr file_analysis::X509::ParseCertificate(X509Val* cert_val, File* f)
{
::X509* ssl_cert = cert_val->GetCertificate();
char buf[2048]; // we need a buffer for some of the openssl functions
memset(buf, 0, sizeof(buf));
auto pX509Cert = zeek::make_intrusive<RecordVal>(zeek::BifType::Record::X509::Certificate);
auto pX509Cert = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::X509::Certificate);
BIO *bio = BIO_new(BIO_s_mem());
pX509Cert->Assign(0, val_mgr->Count((uint64_t) X509_get_version(ssl_cert) + 1));
i2a_ASN1_INTEGER(bio, X509_get_serialNumber(ssl_cert));
int len = BIO_read(bio, buf, sizeof(buf));
pX509Cert->Assign(1, zeek::make_intrusive<StringVal>(len, buf));
pX509Cert->Assign(1, zeek::make_intrusive<zeek::StringVal>(len, buf));
BIO_reset(bio);
X509_NAME_print_ex(bio, X509_get_subject_name(ssl_cert), 0, XN_FLAG_RFC2253);
len = BIO_gets(bio, buf, sizeof(buf));
pX509Cert->Assign(2, zeek::make_intrusive<StringVal>(len, buf));
pX509Cert->Assign(2, zeek::make_intrusive<zeek::StringVal>(len, buf));
BIO_reset(bio);
X509_NAME *subject_name = X509_get_subject_name(ssl_cert);
@ -151,17 +151,17 @@ RecordValPtr file_analysis::X509::ParseCertificate(X509Val* cert_val, File* f)
// we found a common name
ASN1_STRING_print(bio, X509_NAME_ENTRY_get_data(X509_NAME_get_entry(subject_name, namepos)));
len = BIO_gets(bio, buf, sizeof(buf));
pX509Cert->Assign(4, zeek::make_intrusive<StringVal>(len, buf));
pX509Cert->Assign(4, zeek::make_intrusive<zeek::StringVal>(len, buf));
BIO_reset(bio);
}
X509_NAME_print_ex(bio, X509_get_issuer_name(ssl_cert), 0, XN_FLAG_RFC2253);
len = BIO_gets(bio, buf, sizeof(buf));
pX509Cert->Assign(3, zeek::make_intrusive<StringVal>(len, buf));
pX509Cert->Assign(3, zeek::make_intrusive<zeek::StringVal>(len, buf));
BIO_free(bio);
pX509Cert->Assign(5, zeek::make_intrusive<TimeVal>(GetTimeFromAsn1(X509_get_notBefore(ssl_cert), f, reporter)));
pX509Cert->Assign(6, zeek::make_intrusive<TimeVal>(GetTimeFromAsn1(X509_get_notAfter(ssl_cert), f, reporter)));
pX509Cert->Assign(5, zeek::make_intrusive<zeek::TimeVal>(GetTimeFromAsn1(X509_get_notBefore(ssl_cert), f, reporter)));
pX509Cert->Assign(6, zeek::make_intrusive<zeek::TimeVal>(GetTimeFromAsn1(X509_get_notAfter(ssl_cert), f, reporter)));
// we only read 255 bytes because byte 256 is always 0.
// if the string is longer than 255, that will be our null-termination,
@ -171,7 +171,7 @@ RecordValPtr file_analysis::X509::ParseCertificate(X509Val* cert_val, File* f)
if ( ! i2t_ASN1_OBJECT(buf, 255, algorithm) )
buf[0] = 0;
pX509Cert->Assign(7, zeek::make_intrusive<StringVal>(buf));
pX509Cert->Assign(7, zeek::make_intrusive<zeek::StringVal>(buf));
// Special case for RDP server certificates. For some reason some (all?) RDP server
// certificates like to specify their key algorithm as md5WithRSAEncryption, which
@ -193,25 +193,25 @@ RecordValPtr file_analysis::X509::ParseCertificate(X509Val* cert_val, File* f)
if ( ! i2t_ASN1_OBJECT(buf, 255, OBJ_nid2obj(X509_get_signature_nid(ssl_cert))) )
buf[0] = 0;
pX509Cert->Assign(8, zeek::make_intrusive<StringVal>(buf));
pX509Cert->Assign(8, zeek::make_intrusive<zeek::StringVal>(buf));
// Things we can do when we have the key...
EVP_PKEY *pkey = X509_extract_key(ssl_cert);
if ( pkey != NULL )
{
if ( EVP_PKEY_base_id(pkey) == EVP_PKEY_DSA )
pX509Cert->Assign(9, zeek::make_intrusive<StringVal>("dsa"));
pX509Cert->Assign(9, zeek::make_intrusive<zeek::StringVal>("dsa"));
else if ( EVP_PKEY_base_id(pkey) == EVP_PKEY_RSA )
{
pX509Cert->Assign(9, zeek::make_intrusive<StringVal>("rsa"));
pX509Cert->Assign(9, zeek::make_intrusive<zeek::StringVal>("rsa"));
const BIGNUM *e;
RSA_get0_key(EVP_PKEY_get0_RSA(pkey), NULL, &e, NULL);
char *exponent = BN_bn2dec(e);
if ( exponent != NULL )
{
pX509Cert->Assign(11, zeek::make_intrusive<StringVal>(exponent));
pX509Cert->Assign(11, zeek::make_intrusive<zeek::StringVal>(exponent));
OPENSSL_free(exponent);
exponent = NULL;
}
@ -219,7 +219,7 @@ RecordValPtr file_analysis::X509::ParseCertificate(X509Val* cert_val, File* f)
#ifndef OPENSSL_NO_EC
else if ( EVP_PKEY_base_id(pkey) == EVP_PKEY_EC )
{
pX509Cert->Assign(9, zeek::make_intrusive<StringVal>("ecdsa"));
pX509Cert->Assign(9, zeek::make_intrusive<zeek::StringVal>("ecdsa"));
pX509Cert->Assign(12, KeyCurve(pkey));
}
#endif
@ -240,7 +240,7 @@ RecordValPtr file_analysis::X509::ParseCertificate(X509Val* cert_val, File* f)
return pX509Cert;
}
X509_STORE* file_analysis::X509::GetRootStore(TableVal* root_certs)
X509_STORE* file_analysis::X509::GetRootStore(zeek::TableVal* root_certs)
{
// If this certificate store was built previously, just reuse the old one.
if ( x509_stores.count(root_certs) > 0 )
@ -254,7 +254,7 @@ X509_STORE* file_analysis::X509::GetRootStore(TableVal* root_certs)
{
const auto& key = idxs->Idx(i);
auto val = root_certs->FindOrDefault(key);
StringVal* sv = val->AsStringVal();
zeek::StringVal* sv = val->AsStringVal();
assert(sv);
const uint8_t* data = sv->Bytes();
::X509* x = d2i_X509(NULL, &data, sv->Len());
@ -290,7 +290,7 @@ void file_analysis::X509::ParseBasicConstraints(X509_EXTENSION* ex)
{
if ( x509_ext_basic_constraints )
{
auto pBasicConstraint = zeek::make_intrusive<RecordVal>(zeek::BifType::Record::X509::BasicConstraints);
auto pBasicConstraint = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::X509::BasicConstraints);
pBasicConstraint->Assign(0, val_mgr->Bool(constr->ca));
if ( constr->pathlen )
@ -340,10 +340,10 @@ void file_analysis::X509::ParseSAN(X509_EXTENSION* ext)
return;
}
VectorValPtr names;
VectorValPtr emails;
VectorValPtr uris;
VectorValPtr ips;
zeek::VectorValPtr names;
zeek::VectorValPtr emails;
zeek::VectorValPtr uris;
zeek::VectorValPtr ips;
bool otherfields = false;
@ -365,27 +365,27 @@ void file_analysis::X509::ParseSAN(X509_EXTENSION* ext)
#else
const char* name = (const char*) ASN1_STRING_get0_data(gen->d.ia5);
#endif
auto bs = zeek::make_intrusive<StringVal>(name);
auto bs = zeek::make_intrusive<zeek::StringVal>(name);
switch ( gen->type )
{
case GEN_DNS:
if ( names == nullptr )
names = zeek::make_intrusive<VectorVal>(zeek::id::string_vec);
names = zeek::make_intrusive<zeek::VectorVal>(zeek::id::string_vec);
names->Assign(names->Size(), std::move(bs));
break;
case GEN_URI:
if ( uris == nullptr )
uris = zeek::make_intrusive<VectorVal>(zeek::id::string_vec);
uris = zeek::make_intrusive<zeek::VectorVal>(zeek::id::string_vec);
uris->Assign(uris->Size(), std::move(bs));
break;
case GEN_EMAIL:
if ( emails == nullptr )
emails = zeek::make_intrusive<VectorVal>(zeek::id::string_vec);
emails = zeek::make_intrusive<zeek::VectorVal>(zeek::id::string_vec);
emails->Assign(emails->Size(), std::move(bs));
break;
@ -395,15 +395,15 @@ void file_analysis::X509::ParseSAN(X509_EXTENSION* ext)
else if ( gen->type == GEN_IPADD )
{
if ( ips == nullptr )
ips = zeek::make_intrusive<VectorVal>(zeek::id::find_type<zeek::VectorType>("addr_vec"));
ips = zeek::make_intrusive<zeek::VectorVal>(zeek::id::find_type<zeek::VectorType>("addr_vec"));
uint32_t* addr = (uint32_t*) gen->d.ip->data;
if( gen->d.ip->length == 4 )
ips->Assign(ips->Size(), zeek::make_intrusive<AddrVal>(*addr));
ips->Assign(ips->Size(), zeek::make_intrusive<zeek::AddrVal>(*addr));
else if ( gen->d.ip->length == 16 )
ips->Assign(ips->Size(), zeek::make_intrusive<AddrVal>(addr));
ips->Assign(ips->Size(), zeek::make_intrusive<zeek::AddrVal>(addr));
else
{
@ -421,7 +421,7 @@ void file_analysis::X509::ParseSAN(X509_EXTENSION* ext)
}
}
auto sanExt = zeek::make_intrusive<RecordVal>(zeek::BifType::Record::X509::SubjectAlternativeName);
auto sanExt = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::X509::SubjectAlternativeName);
if ( names != nullptr )
sanExt->Assign(0, names);
@ -443,7 +443,7 @@ void file_analysis::X509::ParseSAN(X509_EXTENSION* ext)
GENERAL_NAMES_free(altname);
}
StringValPtr file_analysis::X509::KeyCurve(EVP_PKEY* key)
zeek::StringValPtr file_analysis::X509::KeyCurve(EVP_PKEY* key)
{
assert(key != nullptr);
@ -472,7 +472,7 @@ StringValPtr file_analysis::X509::KeyCurve(EVP_PKEY* key)
if ( curve_name == nullptr )
return nullptr;
return zeek::make_intrusive<StringVal>(curve_name);
return zeek::make_intrusive<zeek::StringVal>(curve_name);
#endif
}
@ -543,7 +543,7 @@ X509Val::~X509Val()
X509_free(certificate);
}
ValPtr X509Val::DoClone(CloneState* state)
zeek::ValPtr X509Val::DoClone(CloneState* state)
{
auto copy = zeek::make_intrusive<X509Val>();
if ( certificate )

20
src/file_analysis/analyzer/x509/X509.h
View file

@ -86,9 +86,9 @@ public:
* @param Returns the new record value and passes ownership to
* caller.
*/
static RecordValPtr ParseCertificate(X509Val* cert_val, File* file = nullptr);
static zeek::RecordValPtr ParseCertificate(X509Val* cert_val, File* file = nullptr);
static file_analysis::Analyzer* Instantiate(RecordValPtr args,
static file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args,
File* file)
{ return new X509(std::move(args), file); }
@ -102,7 +102,7 @@ public:
*
* @return OpenSSL's X509 store associated with the table value.
*/
static X509_STORE* GetRootStore(TableVal* root_certs);
static X509_STORE* GetRootStore(zeek::TableVal* root_certs);
/**
* Frees memory obtained from OpenSSL that is associated with the global
@ -117,7 +117,7 @@ public:
/**
* Sets the table[string] that used as the certificate cache inside of Zeek.
*/
static void SetCertificateCache(TableValPtr cache)
static void SetCertificateCache(zeek::TableValPtr cache)
{ certificate_cache = std::move(cache); }
/**
@ -127,7 +127,7 @@ public:
{ cache_hit_callback = std::move(func); }
protected:
X509(RecordValPtr args, File* file);
X509(zeek::RecordValPtr args, File* file);
private:
void ParseBasicConstraints(X509_EXTENSION* ex);
@ -137,11 +137,11 @@ private:
std::string cert_data;
// Helpers for ParseCertificate.
static StringValPtr KeyCurve(EVP_PKEY* key);
static zeek::StringValPtr KeyCurve(EVP_PKEY* key);
static unsigned int KeyLength(EVP_PKEY *key);
/** X509 stores associated with global script-layer values */
inline static std::map<Val*, X509_STORE*> x509_stores = std::map<Val*, X509_STORE*>();
inline static TableValPtr certificate_cache = nullptr;
inline static std::map<zeek::Val*, X509_STORE*> x509_stores = std::map<zeek::Val*, X509_STORE*>();
inline static zeek::TableValPtr certificate_cache = nullptr;
inline static FuncPtr cache_hit_callback = nullptr;
};
@ -152,7 +152,7 @@ private:
* script-land. Otherwise, we cannot verify certificates from Bro
* scriptland
*/
class X509Val : public OpaqueVal {
class X509Val : public zeek::OpaqueVal {
public:
/**
* Construct an X509Val.
@ -170,7 +170,7 @@ public:
*
* @return A cloned X509Val.
*/
ValPtr DoClone(CloneState* state) override;
zeek::ValPtr DoClone(CloneState* state) override;
/**
* Destructor.

16
src/file_analysis/analyzer/x509/X509Common.cc
View file

@ -17,7 +17,7 @@
using namespace file_analysis;
X509Common::X509Common(const file_analysis::Tag& arg_tag,
RecordValPtr arg_args, File* arg_file)
zeek::RecordValPtr arg_args, File* arg_file)
: file_analysis::Analyzer(arg_tag, std::move(arg_args), arg_file)
{
}
@ -268,15 +268,15 @@ void file_analysis::X509Common::ParseExtension(X509_EXTENSION* ex, const EventHa
}
if ( ! ext_val )
ext_val = zeek::make_intrusive<StringVal>(0, "");
ext_val = zeek::make_intrusive<zeek::StringVal>(0, "");
auto pX509Ext = zeek::make_intrusive<RecordVal>(zeek::BifType::Record::X509::Extension);
pX509Ext->Assign(0, zeek::make_intrusive<StringVal>(name));
auto pX509Ext = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::X509::Extension);
pX509Ext->Assign(0, zeek::make_intrusive<zeek::StringVal>(name));
if ( short_name and strlen(short_name) > 0 )
pX509Ext->Assign(1, zeek::make_intrusive<StringVal>(short_name));
pX509Ext->Assign(1, zeek::make_intrusive<zeek::StringVal>(short_name));
pX509Ext->Assign(2, zeek::make_intrusive<StringVal>(oid));
pX509Ext->Assign(2, zeek::make_intrusive<zeek::StringVal>(oid));
pX509Ext->Assign(3, val_mgr->Bool(critical));
pX509Ext->Assign(4, ext_val);
@ -298,7 +298,7 @@ void file_analysis::X509Common::ParseExtension(X509_EXTENSION* ex, const EventHa
ParseExtensionsSpecific(ex, global, ext_asn, oid);
}
StringValPtr file_analysis::X509Common::GetExtensionFromBIO(BIO* bio, File* f)
zeek::StringValPtr file_analysis::X509Common::GetExtensionFromBIO(BIO* bio, File* f)
{
BIO_flush(bio);
ERR_clear_error();
@ -331,7 +331,7 @@ StringValPtr file_analysis::X509Common::GetExtensionFromBIO(BIO* bio, File* f)
}
BIO_read(bio, (void*) buffer, length);
auto ext_val = zeek::make_intrusive<StringVal>(length, buffer);
auto ext_val = zeek::make_intrusive<zeek::StringVal>(length, buffer);
free(buffer);
BIO_free_all(bio);

10
src/file_analysis/analyzer/x509/X509Common.h
View file

@ -12,10 +12,12 @@
class EventHandlerPtr;
class Reporter;
template <class T> class IntrusivePtr;
class StringVal;
ZEEK_FORWARD_DECLARE_NAMESPACED(StringVal, zeek);
namespace zeek {
template <class T> class IntrusivePtr;
using StringValPtr = zeek::IntrusivePtr<StringVal>;
}
namespace file_analysis {
@ -37,13 +39,13 @@ public:
*
* @return The X509 extension value.
*/
static StringValPtr GetExtensionFromBIO(BIO* bio, File* f = nullptr);
static zeek::StringValPtr GetExtensionFromBIO(BIO* bio, File* f = nullptr);
static double GetTimeFromAsn1(const ASN1_TIME* atime, File* f, Reporter* reporter);
protected:
X509Common(const file_analysis::Tag& arg_tag,
RecordValPtr arg_args, File* arg_file);
zeek::RecordValPtr arg_args, File* arg_file);
void ParseExtension(X509_EXTENSION* ex, const EventHandlerPtr& h, bool global);
void ParseSignedCertificateTimestamps(X509_EXTENSION* ext);

22
src/file_analysis/analyzer/x509/functions.bif
View file

@ -11,12 +11,12 @@
#include <openssl/err.h>
// construct an error record
static RecordValPtr x509_result_record(uint64_t num, const char* reason, ValPtr chainVector = nullptr)
static zeek::RecordValPtr x509_result_record(uint64_t num, const char* reason, zeek::ValPtr chainVector = nullptr)
{
auto rrecord = zeek::make_intrusive<RecordVal>(zeek::BifType::Record::X509::Result);
auto rrecord = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::X509::Result);
rrecord->Assign(0, val_mgr->Int(num));
rrecord->Assign(1, zeek::make_intrusive<StringVal>(reason));
rrecord->Assign(1, zeek::make_intrusive<zeek::StringVal>(reason));
if ( chainVector )
rrecord->Assign(2, std::move(chainVector));
@ -24,7 +24,7 @@ static RecordValPtr x509_result_record(uint64_t num, const char* reason, ValPtr
}
// get all cretificates starting at the second one (assuming the first one is the host certificate)
STACK_OF(X509)* x509_get_untrusted_stack(VectorVal* certs_vec)
STACK_OF(X509)* x509_get_untrusted_stack(zeek::VectorVal* certs_vec)
{
STACK_OF(X509)* untrusted_certs = sk_X509_new_null();
if ( ! untrusted_certs )
@ -215,13 +215,13 @@ function x509_get_certificate_string%(cert: opaque of x509, pem: bool &default=F
## x509_get_certificate_string x509_verify
function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_certs: table_string_of_string, verify_time: time &default=network_time()%): X509::Result
%{
RecordValPtr rval;
zeek::RecordValPtr rval;
X509_STORE* ctx = ::file_analysis::X509::GetRootStore(root_certs->AsTableVal());
if ( ! ctx )
return x509_result_record(-1, "Problem initializing root store");
VectorVal *certs_vec = certs->AsVectorVal();
zeek::VectorVal *certs_vec = certs->AsVectorVal();
if ( certs_vec->Size() < 1 )
{
reporter->Error("No certificates given in vector");
@ -507,7 +507,7 @@ function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_str
return x509_result_record(-1, "Problem initializing root store");
VectorVal *certs_vec = certs->AsVectorVal();
zeek::VectorVal *certs_vec = certs->AsVectorVal();
if ( ! certs_vec || certs_vec->Size() < 1 )
{
reporter->Error("No certificates given in vector");
@ -542,7 +542,7 @@ function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_str
int result = X509_verify_cert(csc);
VectorValPtr chainVector;
zeek::VectorValPtr chainVector;
if ( result == 1 ) // we have a valid chain. try to get it...
{
@ -556,7 +556,7 @@ function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_str
}
int num_certs = sk_X509_num(chain);
chainVector = zeek::make_intrusive<VectorVal>(zeek::id::find_type<VectorType>("x509_opaque_vector"));
chainVector = zeek::make_intrusive<zeek::VectorVal>(zeek::id::find_type<VectorType>("x509_opaque_vector"));
for ( int i = 0; i < num_certs; i++ )
{
@ -761,7 +761,7 @@ sct_verify_err:
* 1 -> issuer name
* 2 -> pubkey
*/
StringValPtr x509_entity_hash(file_analysis::X509Val *cert_handle, unsigned int hash_alg, unsigned int type)
zeek::StringValPtr x509_entity_hash(file_analysis::X509Val *cert_handle, unsigned int hash_alg, unsigned int type)
{
assert(cert_handle);
@ -824,7 +824,7 @@ StringValPtr x509_entity_hash(file_analysis::X509Val *cert_handle, unsigned int
assert( len <= sizeof(md) );
return zeek::make_intrusive<StringVal>(len, reinterpret_cast<const char*>(md));
return zeek::make_intrusive<zeek::StringVal>(len, reinterpret_cast<const char*>(md));
}
%%}

4
src/file_analysis/analyzer/x509/x509-extension.pac
View file

@ -41,11 +41,11 @@ refine connection MockConnection += {
mgr.Enqueue(x509_ocsp_ext_signed_certificate_timestamp,
bro_analyzer()->GetFile()->ToVal(),
val_mgr->Count(version),
zeek::make_intrusive<StringVal>(logid.length(), reinterpret_cast<const char*>(logid.begin())),
zeek::make_intrusive<zeek::StringVal>(logid.length(), reinterpret_cast<const char*>(logid.begin())),
val_mgr->Count(timestamp),
val_mgr->Count(digitally_signed_algorithms->HashAlgorithm()),
val_mgr->Count(digitally_signed_algorithms->SignatureAlgorithm()),
zeek::make_intrusive<StringVal>(digitally_signed_signature.length(), reinterpret_cast<const char*>(digitally_signed_signature.begin()))
zeek::make_intrusive<zeek::StringVal>(digitally_signed_signature.length(), reinterpret_cast<const char*>(digitally_signed_signature.begin()))
);
return true;

2
src/file_analysis/file_analysis.bif
View file

@ -71,7 +71,7 @@ function Files::__stop%(file_id: string%): bool
function Files::__analyzer_name%(tag: Files::Tag%) : string
%{
const auto& n = file_mgr->GetComponentName(zeek::IntrusivePtr{zeek::NewRef{}, tag->AsEnumVal()});
return zeek::make_intrusive<StringVal>(n);
return zeek::make_intrusive<zeek::StringVal>(n);
%}
## :zeek:see:`Files::file_exists`.