Remove deprecated protocol_confirmation/violation events and methods
parent
392c2f3810
commit
644ed5d314
7 changed files with 5 additions and 96 deletions
2
doc
2
doc
|
@ -1 +1 @@
|
|||
Subproject commit f6efe0c5770bcdb36f25e915b64eaaa8ae176597
|
||||
Subproject commit 189dddc9e80cf3649672e491a5d89e200d3248f6
|
|
@ -678,50 +678,6 @@ void Analyzer::FlipRoles()
|
|||
resp_supporters = tmp;
|
||||
}
|
||||
|
||||
void Analyzer::ProtocolConfirmation(zeek::Tag arg_tag)
|
||||
{
|
||||
if ( protocol_confirmed )
|
||||
return;
|
||||
|
||||
protocol_confirmed = true;
|
||||
|
||||
const auto& tval = arg_tag ? arg_tag.AsVal() : tag.AsVal();
|
||||
// Enqueue both of these events. In the base scripts, only the analyzer version is handled.
|
||||
// The protocol remains just for handling scripts that haven't been updated. Once that event
|
||||
// is removed, this method is also removed.
|
||||
if ( analyzer_confirmation )
|
||||
event_mgr.Enqueue(analyzer_confirmation, ConnVal(), tval, val_mgr->Count(id));
|
||||
if ( protocol_confirmation )
|
||||
event_mgr.Enqueue(protocol_confirmation, ConnVal(), tval, val_mgr->Count(id));
|
||||
}
|
||||
|
||||
void Analyzer::ProtocolViolation(const char* reason, const char* data, int len)
|
||||
{
|
||||
if ( ! protocol_violation && ! analyzer_violation )
|
||||
return;
|
||||
|
||||
StringValPtr r;
|
||||
|
||||
if ( data && len )
|
||||
{
|
||||
const char* tmp = util::copy_string(reason);
|
||||
r = make_intrusive<StringVal>(util::fmt(
|
||||
"%s [%s%s]", tmp, util::fmt_bytes(data, min(40, len)), len > 40 ? "..." : ""));
|
||||
delete[] tmp;
|
||||
}
|
||||
else
|
||||
r = make_intrusive<StringVal>(reason);
|
||||
|
||||
const auto& tval = tag.AsVal();
|
||||
// Enqueue both of these events. In the base scripts, only the analyzer version is handled.
|
||||
// The protocol remains just for handling scripts that haven't been updated. Once that event
|
||||
// is removed, this method is also removed.
|
||||
if ( analyzer_confirmation )
|
||||
event_mgr.Enqueue(analyzer_violation, ConnVal(), tval, val_mgr->Count(id), std::move(r));
|
||||
if ( protocol_confirmation )
|
||||
event_mgr.Enqueue(protocol_violation, ConnVal(), tval, val_mgr->Count(id), std::move(r));
|
||||
}
|
||||
|
||||
void Analyzer::AnalyzerConfirmation(zeek::Tag arg_tag)
|
||||
{
|
||||
if ( analyzer_confirmed )
|
||||
|
|
|
@ -522,47 +522,6 @@ public:
|
|||
*/
|
||||
void RemoveSupportAnalyzer(SupportAnalyzer* analyzer);
|
||||
|
||||
/**
|
||||
* Signals Zeek's protocol detection that the analyzer has recognized
|
||||
* the input to indeed conform to the expected protocol. This should
|
||||
* be called as early as possible during a connection's life-time. It
|
||||
* may turn into \c protocol_confirmed event at the script-layer (but
|
||||
* only once per analyzer for each connection, even if the method is
|
||||
* called multiple times).
|
||||
*
|
||||
* If tag is given, it overrides the analyzer tag passed to the
|
||||
* scripting layer; the default is the one of the analyzer itself.
|
||||
*/
|
||||
[[deprecated("Remove in v5.1. Use AnalyzerConfirmation.")]] virtual void
|
||||
ProtocolConfirmation(zeek::Tag tag = zeek::Tag());
|
||||
|
||||
/**
|
||||
* Signals Zeek's protocol detection that the analyzer has found a
|
||||
* severe protocol violation that could indicate that it's not
|
||||
* parsing the expected protocol. This turns into \c
|
||||
* protocol_violation events at the script-layer (one such event is
|
||||
* raised for each call to this method so that the script-layer can
|
||||
* built up a notion of how prevalent protocol violations are; the
|
||||
* more, the less likely it's the right protocol).
|
||||
*
|
||||
* @param reason A textual description of the error encountered.
|
||||
*
|
||||
* @param data An optional pointer to the malformed data.
|
||||
*
|
||||
* @param len If \a data is given, the length of it.
|
||||
*/
|
||||
[[deprecated("Remove in v5.1. Use AnalyzerViolation.")]] virtual void
|
||||
ProtocolViolation(const char* reason, const char* data = nullptr, int len = 0);
|
||||
|
||||
/**
|
||||
* Returns true if ProtocolConfirmation() has been called at least
|
||||
* once.
|
||||
*/
|
||||
[[deprecated("Remove in v5.1. Use AnalyzerConfirmed.")]] bool ProtocolConfirmed() const
|
||||
{
|
||||
return protocol_confirmed;
|
||||
}
|
||||
|
||||
/**
|
||||
* Signals Zeek's protocol detection that the analyzer has recognized
|
||||
* the input to indeed conform to the expected protocol. This should
|
||||
|
|
|
@ -372,15 +372,12 @@ event content_gap%(c: connection, is_orig: bool, seq: count, length: count%);
|
|||
## be used to reference the analyzer when using builtin functions like
|
||||
## :zeek:id:`disable_analyzer`.
|
||||
##
|
||||
## .. zeek:see:: protocol_violation
|
||||
##
|
||||
## .. note::
|
||||
##
|
||||
## Zeek's default scripts use this event to determine the ``service`` column
|
||||
## of :zeek:type:`Conn::Info`: once confirmed, the protocol will be listed
|
||||
## there (and thus in ``conn.log``).
|
||||
event analyzer_confirmation%(c: connection, atype: Analyzer::Tag, aid: count%);
|
||||
event protocol_confirmation%(c: connection, atype: AllAnalyzers::Tag, aid: count%) &deprecated="Remove in v5.1. Use analyzer_confirmation.";
|
||||
|
||||
## Generated if a DPD signature matched but the DPD buffer is already exhausted
|
||||
## and thus the analyzer could not be attached. While this does not confirm
|
||||
|
@ -417,8 +414,6 @@ event protocol_late_match%(c: connection, atype: Analyzer::Tag%);
|
|||
##
|
||||
## reason: TODO.
|
||||
##
|
||||
## .. zeek:see:: protocol_confirmation
|
||||
##
|
||||
## .. note::
|
||||
##
|
||||
## Zeek's default scripts use this event to disable an analyzer via
|
||||
|
@ -426,7 +421,6 @@ event protocol_late_match%(c: connection, atype: Analyzer::Tag%);
|
|||
## however a script-level decision and not done automatically by the event
|
||||
## engine.
|
||||
event analyzer_violation%(c: connection, atype: Analyzer::Tag, aid: count, reason: string%);
|
||||
event protocol_violation%(c: connection, atype: AllAnalyzers::Tag, aid: count, reason: string%) &deprecated="Remove in v.5.1. Use analyzer_violation.";
|
||||
|
||||
## Generated when a TCP connection terminated, passing on statistics about the
|
||||
## two endpoints. This event is always generated when Zeek flushes the internal
|
||||
|
|
|
@ -53,7 +53,7 @@ void FOO_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
|
|||
catch ( const binpac::Exception& e )
|
||||
{
|
||||
printf("Exception: %s\n", e.c_msg());
|
||||
ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg()));
|
||||
AnalyzerViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg()));
|
||||
}
|
||||
}
|
||||
|
||||
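Review bot: The catch block still prints the binpac error with `printf("Exception: %s\n", e.c_msg());` right before the new `AnalyzerViolation(...)` call, so every stream that fails to parse writes parser text to stdout in addition to raising the violation event. The matching handler in `Foo::DeliverStream` (last file section) has no such line, which suggests this one is leftover debugging. Since the commit already touches this handler, dropping the `printf` would leave `AnalyzerViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg()));` as the single reporting path. If the output is intentional, for example because a test baseline depends on it, a short comment saying so would help. `DeliverStream`'s body starts outside the hunk.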
|
|
|
@ -41,7 +41,7 @@ refine flow FOO_Flow += {
|
|||
function proc_foo_message(msg: FOO_PDU): bool
|
||||
%{
|
||||
// printf("FOO %d %d\n", msg->hdr()->len(), msg->hdr_len());
|
||||
connection()->bro_analyzer()->ProtocolConfirmation();
|
||||
connection()->bro_analyzer()->AnalyzerConfirmation();
|
||||
zeek::BifEvent::Foo::enqueue_foo_message(
|
||||
connection()->bro_analyzer(),
|
||||
connection()->bro_analyzer()->Conn(),
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
#include "foo_pac.h"
|
||||
#include "events.bif.h"
|
||||
|
||||
#include <zeek/analyzer/protocol/tcp/TCP_Reassembler.h>
|
||||
#include "zeek/analyzer/protocol/tcp/TCP_Reassembler.h"
|
||||
|
||||
using namespace btest::plugin::Demo_Foo;
|
||||
|
||||
|
@ -45,7 +45,7 @@ void Foo::DeliverStream(int len, const u_char* data, bool orig)
|
|||
}
|
||||
catch ( const binpac::Exception& e )
|
||||
{
|
||||
ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg()));
|
||||
AnalyzerViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg()));
|
||||
}
|
||||
}
|
||||
|
||||
|
|