diff --git a/doc b/doc
index f6efe0c577..189dddc9e8 160000
--- a/doc
+++ b/doc
@@ -1 +1 @@
-Subproject commit f6efe0c5770bcdb36f25e915b64eaaa8ae176597
+Subproject commit 189dddc9e80cf3649672e491a5d89e200d3248f6
diff --git a/src/analyzer/Analyzer.cc b/src/analyzer/Analyzer.cc
index 48ade8b86f..8398aa0f2a 100644
--- a/src/analyzer/Analyzer.cc
+++ b/src/analyzer/Analyzer.cc
@@ -678,50 +678,6 @@ void Analyzer::FlipRoles() resp_supporters = tmp; } -void Analyzer::ProtocolConfirmation(zeek::Tag arg_tag) - { - if ( protocol_confirmed ) - return; - - protocol_confirmed = true; - - const auto& tval = arg_tag ? arg_tag.AsVal() : tag.AsVal(); - // Enqueue both of these events. In the base scripts, only the analyzer version is handled. - // The protocol remains just for handling scripts that haven't been updated. Once that event - // is removed, this method is also removed. - if ( analyzer_confirmation ) - event_mgr.Enqueue(analyzer_confirmation, ConnVal(), tval, val_mgr->Count(id)); - if ( protocol_confirmation ) - event_mgr.Enqueue(protocol_confirmation, ConnVal(), tval, val_mgr->Count(id)); - } - -void Analyzer::ProtocolViolation(const char* reason, const char* data, int len) - { - if ( ! protocol_violation && ! analyzer_violation ) - return; - - StringValPtr r; - - if ( data && len ) - { - const char* tmp = util::copy_string(reason); - r = make_intrusive(util::fmt( - "%s [%s%s]", tmp, util::fmt_bytes(data, min(40, len)), len > 40 ? "..." : "")); - delete[] tmp; - } - else - r = make_intrusive(reason); - - const auto& tval = tag.AsVal(); - // Enqueue both of these events. In the base scripts, only the analyzer version is handled. - // The protocol remains just for handling scripts that haven't been updated. Once that event - // is removed, this method is also removed. - if ( analyzer_confirmation ) - event_mgr.Enqueue(analyzer_violation, ConnVal(), tval, val_mgr->Count(id), std::move(r)); - if ( protocol_confirmation ) - event_mgr.Enqueue(protocol_violation, ConnVal(), tval, val_mgr->Count(id), std::move(r)); - } - void Analyzer::AnalyzerConfirmation(zeek::Tag arg_tag) { if ( analyzer_confirmed ) diff --git a/src/analyzer/Analyzer.h b/src/analyzer/Analyzer.h index 157cebd5e4..65a69d1489 100644 --- a/src/analyzer/Analyzer.h +++ b/src/analyzer/Analyzer.h 
@@ -522,47 +522,6 @@ public: */ void RemoveSupportAnalyzer(SupportAnalyzer* analyzer); - /** - * Signals Zeek's protocol detection that the analyzer has recognized - * the input to indeed conform to the expected protocol. This should - * be called as early as possible during a connection's life-time. It - * may turn into \c protocol_confirmed event at the script-layer (but - * only once per analyzer for each connection, even if the method is - * called multiple times). - * - * If tag is given, it overrides the analyzer tag passed to the - * scripting layer; the default is the one of the analyzer itself. - */ - [[deprecated("Remove in v5.1. Use AnalyzerConfirmation.")]] virtual void - ProtocolConfirmation(zeek::Tag tag = zeek::Tag()); - - /** - * Signals Zeek's protocol detection that the analyzer has found a - * severe protocol violation that could indicate that it's not - * parsing the expected protocol. This turns into \c - * protocol_violation events at the script-layer (one such event is - * raised for each call to this method so that the script-layer can - * built up a notion of how prevalent protocol violations are; the - * more, the less likely it's the right protocol). - * - * @param reason A textual description of the error encountered. - * - * @param data An optional pointer to the malformed data. - * - * @param len If \a data is given, the length of it. - */ - [[deprecated("Remove in v5.1. Use AnalyzerViolation.")]] virtual void - ProtocolViolation(const char* reason, const char* data = nullptr, int len = 0); - - /** - * Returns true if ProtocolConfirmation() has been called at least - * once. - */ - [[deprecated("Remove in v5.1. Use AnalyzerConfirmed.")]] bool ProtocolConfirmed() const - { - return protocol_confirmed; - } - /** * Signals Zeek's protocol detection that the analyzer has recognized * the input to indeed conform to the expected protocol. This should diff --git a/src/event.bif b/src/event.bif index 413be2933c..901967ae6d 100644 
--- a/src/event.bif +++ b/src/event.bif @@ -372,15 +372,12 @@ event content_gap%(c: connection, is_orig: bool, seq: count, length: count%); ## be used to reference the analyzer when using builtin functions like ## :zeek:id:`disable_analyzer`. ## -## .. zeek:see:: protocol_violation -## ## .. note:: ## ## Zeek's default scripts use this event to determine the ``service`` column ## of :zeek:type:`Conn::Info`: once confirmed, the protocol will be listed ## there (and thus in ``conn.log``). event analyzer_confirmation%(c: connection, atype: Analyzer::Tag, aid: count%); -event protocol_confirmation%(c: connection, atype: AllAnalyzers::Tag, aid: count%) &deprecated="Remove in v5.1. Use analyzer_confirmation."; ## Generated if a DPD signature matched but the DPD buffer is already exhausted ## and thus the analyzer could not be attached. While this does not confirm @@ -417,8 +414,6 @@ event protocol_late_match%(c: connection, atype: Analyzer::Tag%); ## ## reason: TODO. ## -## .. zeek:see:: protocol_confirmation -## ## .. note:: ## ## Zeek's default scripts use this event to disable an analyzer via @@ -426,7 +421,6 @@ event protocol_late_match%(c: connection, atype: Analyzer::Tag%); ## however a script-level decision and not done automatically by the event ## engine. event analyzer_violation%(c: connection, atype: Analyzer::Tag, aid: count, reason: string%); -event protocol_violation%(c: connection, atype: AllAnalyzers::Tag, aid: count, reason: string%) &deprecated="Remove in v.5.1. Use analyzer_violation."; ## Generated when a TCP connection terminated, passing on statistics about the ## two endpoints. This event is always generated when Zeek flushes the internal diff --git a/testing/btest/plugins/binpac-flowbuffer-frame-length-plugin/src/FOO.cc b/testing/btest/plugins/binpac-flowbuffer-frame-length-plugin/src/FOO.cc index 743f530665..038c813cde 100644 --- a/testing/btest/plugins/binpac-flowbuffer-frame-length-plugin/src/FOO.cc 
+++ b/testing/btest/plugins/binpac-flowbuffer-frame-length-plugin/src/FOO.cc @@ -53,7 +53,7 @@ void FOO_Analyzer::DeliverStream(int len, const u_char* data, bool orig) catch ( const binpac::Exception& e ) { printf("Exception: %s\n", e.c_msg()); - ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg())); + AnalyzerViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg())); } } diff --git a/testing/btest/plugins/binpac-flowbuffer-frame-length-plugin/src/foo.pac b/testing/btest/plugins/binpac-flowbuffer-frame-length-plugin/src/foo.pac index 9a30137d29..99adf35b4f 100644 --- a/testing/btest/plugins/binpac-flowbuffer-frame-length-plugin/src/foo.pac +++ b/testing/btest/plugins/binpac-flowbuffer-frame-length-plugin/src/foo.pac @@ -41,7 +41,7 @@ refine flow FOO_Flow += { function proc_foo_message(msg: FOO_PDU): bool %{ // printf("FOO %d %d\n", msg->hdr()->len(), msg->hdr_len()); - connection()->bro_analyzer()->ProtocolConfirmation(); + connection()->bro_analyzer()->AnalyzerConfirmation(); zeek::BifEvent::Foo::enqueue_foo_message( connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), diff --git a/testing/btest/plugins/protocol-plugin/src/Foo.cc b/testing/btest/plugins/protocol-plugin/src/Foo.cc index aef658e7ec..d5d1a8766a 100644 --- a/testing/btest/plugins/protocol-plugin/src/Foo.cc +++ b/testing/btest/plugins/protocol-plugin/src/Foo.cc @@ -3,7 +3,7 @@ #include "foo_pac.h" #include "events.bif.h" -#include +#include "zeek/analyzer/protocol/tcp/TCP_Reassembler.h" using namespace btest::plugin::Demo_Foo; @@ -45,7 +45,7 @@ void Foo::DeliverStream(int len, const u_char* data, bool orig) } catch ( const binpac::Exception& e ) { - ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg())); + AnalyzerViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg())); } }