Remove deprecated protocol_confirmation/violation events and methods

Tim Wojtulewicz 2022-06-15 15:00:49 -07:00
parent 392c2f3810
commit 644ed5d314
7 changed files with 5 additions and 96 deletions

2
doc

@ -1 +1 @@
Subproject commit f6efe0c5770bcdb36f25e915b64eaaa8ae176597
Subproject commit 189dddc9e80cf3649672e491a5d89e200d3248f6


@ -678,50 +678,6 @@ void Analyzer::FlipRoles()
resp_supporters = tmp;
}
void Analyzer::ProtocolConfirmation(zeek::Tag arg_tag)
{
if ( protocol_confirmed )
return;
protocol_confirmed = true;
const auto& tval = arg_tag ? arg_tag.AsVal() : tag.AsVal();
// Enqueue both of these events. In the base scripts, only the analyzer version is handled.
// The protocol remains just for handling scripts that haven't been updated. Once that event
// is removed, this method is also removed.
if ( analyzer_confirmation )
event_mgr.Enqueue(analyzer_confirmation, ConnVal(), tval, val_mgr->Count(id));
if ( protocol_confirmation )
event_mgr.Enqueue(protocol_confirmation, ConnVal(), tval, val_mgr->Count(id));
}
void Analyzer::ProtocolViolation(const char* reason, const char* data, int len)
{
if ( ! protocol_violation && ! analyzer_violation )
return;
StringValPtr r;
if ( data && len )
{
const char* tmp = util::copy_string(reason);
r = make_intrusive<StringVal>(util::fmt(
"%s [%s%s]", tmp, util::fmt_bytes(data, min(40, len)), len > 40 ? "..." : ""));
delete[] tmp;
}
else
r = make_intrusive<StringVal>(reason);
const auto& tval = tag.AsVal();
// Enqueue both of these events. In the base scripts, only the analyzer version is handled.
// The protocol remains just for handling scripts that haven't been updated. Once that event
// is removed, this method is also removed.
if ( analyzer_confirmation )
event_mgr.Enqueue(analyzer_violation, ConnVal(), tval, val_mgr->Count(id), std::move(r));
if ( protocol_confirmation )
event_mgr.Enqueue(protocol_violation, ConnVal(), tval, val_mgr->Count(id), std::move(r));
}
void Analyzer::AnalyzerConfirmation(zeek::Tag arg_tag)
{
if ( analyzer_confirmed )


@ -522,47 +522,6 @@ public:
*/
void RemoveSupportAnalyzer(SupportAnalyzer* analyzer);
/**
* Signals Zeek's protocol detection that the analyzer has recognized
* the input to indeed conform to the expected protocol. This should
* be called as early as possible during a connection's life-time. It
* may turn into \c protocol_confirmed event at the script-layer (but
* only once per analyzer for each connection, even if the method is
* called multiple times).
*
* If tag is given, it overrides the analyzer tag passed to the
* scripting layer; the default is the one of the analyzer itself.
*/
[[deprecated("Remove in v5.1. Use AnalyzerConfirmation.")]] virtual void
ProtocolConfirmation(zeek::Tag tag = zeek::Tag());
/**
* Signals Zeek's protocol detection that the analyzer has found a
* severe protocol violation that could indicate that it's not
* parsing the expected protocol. This turns into \c
* protocol_violation events at the script-layer (one such event is
* raised for each call to this method so that the script-layer can
* built up a notion of how prevalent protocol violations are; the
* more, the less likely it's the right protocol).
*
* @param reason A textual description of the error encountered.
*
* @param data An optional pointer to the malformed data.
*
* @param len If \a data is given, the length of it.
*/
[[deprecated("Remove in v5.1. Use AnalyzerViolation.")]] virtual void
ProtocolViolation(const char* reason, const char* data = nullptr, int len = 0);
/**
* Returns true if ProtocolConfirmation() has been called at least
* once.
*/
[[deprecated("Remove in v5.1. Use AnalyzerConfirmed.")]] bool ProtocolConfirmed() const
{
return protocol_confirmed;
}
/**
* Signals Zeek's protocol detection that the analyzer has recognized
* the input to indeed conform to the expected protocol. This should


@ -372,15 +372,12 @@ event content_gap%(c: connection, is_orig: bool, seq: count, length: count%);
## be used to reference the analyzer when using builtin functions like
## :zeek:id:`disable_analyzer`.
##
## .. zeek:see:: protocol_violation
##
## .. note::
##
## Zeek's default scripts use this event to determine the ``service`` column
## of :zeek:type:`Conn::Info`: once confirmed, the protocol will be listed
## there (and thus in ``conn.log``).
event analyzer_confirmation%(c: connection, atype: Analyzer::Tag, aid: count%);
event protocol_confirmation%(c: connection, atype: AllAnalyzers::Tag, aid: count%) &deprecated="Remove in v5.1. Use analyzer_confirmation.";
## Generated if a DPD signature matched but the DPD buffer is already exhausted
## and thus the analyzer could not be attached. While this does not confirm
@ -417,8 +414,6 @@ event protocol_late_match%(c: connection, atype: Analyzer::Tag%);
##
## reason: TODO.
##
## .. zeek:see:: protocol_confirmation
##
## .. note::
##
## Zeek's default scripts use this event to disable an analyzer via
@ -426,7 +421,6 @@ event protocol_late_match%(c: connection, atype: Analyzer::Tag%);
## however a script-level decision and not done automatically by the event
## engine.
event analyzer_violation%(c: connection, atype: Analyzer::Tag, aid: count, reason: string%);
event protocol_violation%(c: connection, atype: AllAnalyzers::Tag, aid: count, reason: string%) &deprecated="Remove in v.5.1. Use analyzer_violation.";
## Generated when a TCP connection terminated, passing on statistics about the
## two endpoints. This event is always generated when Zeek flushes the internal


@ -53,7 +53,7 @@ void FOO_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
catch ( const binpac::Exception& e )
{
printf("Exception: %s\n", e.c_msg());
ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg()));
AnalyzerViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg()));
}
}
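Review bot: The `printf("Exception: %s\n", e.c_msg());` kept as context in this catch block still writes to stdout every time binpac rejects the input, so malformed traffic on a monitored connection produces console output with no bound, duplicating the message the violation event already carries. Since the next line now reports the same reason through `AnalyzerViolation(...)`, the printf can be dropped, or routed through the project's debug logging if the trace is still wanted. DeliverStream's body starts outside the hunk, so whether anything else prints there cannot be seen from here.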


@ -41,7 +41,7 @@ refine flow FOO_Flow += {
function proc_foo_message(msg: FOO_PDU): bool
%{
// printf("FOO %d %d\n", msg->hdr()->len(), msg->hdr_len());
connection()->bro_analyzer()->ProtocolConfirmation();
connection()->bro_analyzer()->AnalyzerConfirmation();
zeek::BifEvent::Foo::enqueue_foo_message(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),


@ -3,7 +3,7 @@
#include "foo_pac.h"
#include "events.bif.h"
#include <zeek/analyzer/protocol/tcp/TCP_Reassembler.h>
#include "zeek/analyzer/protocol/tcp/TCP_Reassembler.h"
using namespace btest::plugin::Demo_Foo;
@ -45,7 +45,7 @@ void Foo::DeliverStream(int len, const u_char* data, bool orig)
}
catch ( const binpac::Exception& e )
{
ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg()));
AnalyzerViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg()));
}
}