From 70c2397f69bcfc1e368abff707a32efa05fb50aa Mon Sep 17 00:00:00 2001 From: Tim Wojtulewicz Date: Fri, 21 Aug 2020 09:45:16 -0700 Subject: [PATCH] Plugins: Clean up explicit uses of namespaces in places where they're not necessary. This commit covers all of the plugin classes. --- src/analyzer/protocol/arp/ARP.cc | 34 +- src/analyzer/protocol/arp/ARP.h | 16 +- src/analyzer/protocol/ayiya/AYIYA.cc | 6 +- src/analyzer/protocol/ayiya/AYIYA.h | 8 +- .../protocol/bittorrent/BitTorrent.cc | 18 +- src/analyzer/protocol/bittorrent/BitTorrent.h | 6 +- .../protocol/bittorrent/BitTorrentTracker.cc | 94 ++-- .../protocol/bittorrent/BitTorrentTracker.h | 16 +- src/analyzer/protocol/conn-size/ConnSize.cc | 38 +- src/analyzer/protocol/conn-size/ConnSize.h | 12 +- src/analyzer/protocol/dce-rpc/DCE_RPC.cc | 6 +- src/analyzer/protocol/dce-rpc/DCE_RPC.h | 6 +- src/analyzer/protocol/dhcp/DHCP.cc | 6 +- src/analyzer/protocol/dhcp/DHCP.h | 8 +- src/analyzer/protocol/dnp3/DNP3.cc | 26 +- src/analyzer/protocol/dnp3/DNP3.h | 18 +- src/analyzer/protocol/dns/DNS.cc | 444 +++++++++--------- src/analyzer/protocol/dns/DNS.h | 76 +-- src/analyzer/protocol/file/File.cc | 40 +- src/analyzer/protocol/file/File.h | 14 +- src/analyzer/protocol/finger/Finger.cc | 26 +- src/analyzer/protocol/finger/Finger.h | 10 +- src/analyzer/protocol/ftp/FTP.cc | 68 +-- src/analyzer/protocol/ftp/FTP.h | 14 +- src/analyzer/protocol/gnutella/Gnutella.cc | 42 +- src/analyzer/protocol/gnutella/Gnutella.h | 6 +- src/analyzer/protocol/gssapi/GSSAPI.cc | 14 +- src/analyzer/protocol/gssapi/GSSAPI.h | 8 +- src/analyzer/protocol/gtpv1/GTPv1.cc | 6 +- src/analyzer/protocol/gtpv1/GTPv1.h | 8 +- src/analyzer/protocol/http/HTTP.cc | 366 +++++++-------- src/analyzer/protocol/http/HTTP.h | 70 +-- src/analyzer/protocol/icmp/ICMP.cc | 290 ++++++------ src/analyzer/protocol/icmp/ICMP.h | 58 +-- src/analyzer/protocol/ident/Ident.cc | 78 +-- src/analyzer/protocol/ident/Ident.h | 10 +- src/analyzer/protocol/imap/IMAP.cc | 16 +- src/analyzer/protocol/imap/IMAP.h | 8 +- src/analyzer/protocol/irc/IRC.cc | 314 ++++++------- src/analyzer/protocol/irc/IRC.h | 10 +- src/analyzer/protocol/krb/KRB.cc | 36 +- src/analyzer/protocol/krb/KRB.h | 14 +- src/analyzer/protocol/krb/KRB_TCP.cc | 14 +- src/analyzer/protocol/krb/KRB_TCP.h | 16 +- src/analyzer/protocol/login/Login.cc | 114 ++--- src/analyzer/protocol/login/Login.h | 14 +- src/analyzer/protocol/login/NVT.cc | 22 +- src/analyzer/protocol/login/NVT.h | 4 +- src/analyzer/protocol/login/RSH.cc | 41 +- src/analyzer/protocol/login/RSH.h | 8 +- src/analyzer/protocol/login/Rlogin.cc | 24 +- src/analyzer/protocol/login/Rlogin.h | 8 +- src/analyzer/protocol/login/Telnet.cc | 2 +- src/analyzer/protocol/login/Telnet.h | 4 +- src/analyzer/protocol/mime/MIME.cc | 172 +++---- src/analyzer/protocol/mime/MIME.h | 104 ++-- src/analyzer/protocol/modbus/Modbus.cc | 2 +- src/analyzer/protocol/modbus/Modbus.h | 6 +- src/analyzer/protocol/mqtt/MQTT.cc | 14 +- src/analyzer/protocol/mqtt/MQTT.h | 6 +- src/analyzer/protocol/mysql/MySQL.cc | 14 +- src/analyzer/protocol/mysql/MySQL.h | 8 +- src/analyzer/protocol/ncp/NCP.cc | 38 +- src/analyzer/protocol/ncp/NCP.h | 14 +- src/analyzer/protocol/netbios/NetbiosSSN.cc | 60 +-- src/analyzer/protocol/netbios/NetbiosSSN.h | 22 +- src/analyzer/protocol/ntlm/NTLM.cc | 14 +- src/analyzer/protocol/ntlm/NTLM.h | 8 +- src/analyzer/protocol/ntp/NTP.cc | 8 +- src/analyzer/protocol/ntp/NTP.h | 8 +- src/analyzer/protocol/pia/PIA.cc | 66 +-- src/analyzer/protocol/pia/PIA.h | 56 +-- src/analyzer/protocol/pop3/POP3.cc | 48 +- src/analyzer/protocol/pop3/POP3.h | 14 +- src/analyzer/protocol/radius/RADIUS.cc | 8 +- src/analyzer/protocol/radius/RADIUS.h | 8 +- src/analyzer/protocol/rdp/RDP.cc | 20 +- src/analyzer/protocol/rdp/RDP.h | 8 +- src/analyzer/protocol/rdp/RDPEUDP.cc | 8 +- src/analyzer/protocol/rdp/RDPEUDP.h | 8 +- src/analyzer/protocol/rfb/RFB.cc | 14 +- src/analyzer/protocol/rfb/RFB.h | 8 +- src/analyzer/protocol/rpc/MOUNT.cc | 72 +-- src/analyzer/protocol/rpc/MOUNT.h | 18 +- src/analyzer/protocol/rpc/NFS.cc | 206 ++++---- src/analyzer/protocol/rpc/NFS.h | 82 ++-- src/analyzer/protocol/rpc/Portmap.cc | 68 +-- src/analyzer/protocol/rpc/Portmap.h | 14 +- src/analyzer/protocol/rpc/RPC.cc | 86 ++-- src/analyzer/protocol/rpc/RPC.h | 22 +- src/analyzer/protocol/sip/SIP.cc | 8 +- src/analyzer/protocol/sip/SIP.h | 8 +- src/analyzer/protocol/sip/SIP_TCP.cc | 14 +- src/analyzer/protocol/sip/SIP_TCP.h | 8 +- src/analyzer/protocol/smb/SMB.cc | 6 +- src/analyzer/protocol/smb/SMB.h | 6 +- src/analyzer/protocol/smtp/SMTP.cc | 62 +-- src/analyzer/protocol/smtp/SMTP.h | 14 +- src/analyzer/protocol/snmp/SNMP.cc | 6 +- src/analyzer/protocol/snmp/SNMP.h | 8 +- src/analyzer/protocol/socks/SOCKS.cc | 16 +- src/analyzer/protocol/socks/SOCKS.h | 8 +- src/analyzer/protocol/ssh/SSH.cc | 26 +- src/analyzer/protocol/ssh/SSH.h | 8 +- src/analyzer/protocol/ssl/DTLS.cc | 8 +- src/analyzer/protocol/ssl/DTLS.h | 8 +- src/analyzer/protocol/ssl/SSL.cc | 16 +- src/analyzer/protocol/ssl/SSL.h | 8 +- .../protocol/stepping-stone/SteppingStone.cc | 38 +- .../protocol/stepping-stone/SteppingStone.h | 22 +- src/analyzer/protocol/syslog/Syslog.cc | 16 +- src/analyzer/protocol/syslog/Syslog.h | 14 +- src/analyzer/protocol/tcp/ContentLine.cc | 12 +- src/analyzer/protocol/tcp/ContentLine.h | 4 +- src/analyzer/protocol/tcp/Stats.cc | 2 +- src/analyzer/protocol/tcp/Stats.h | 2 +- src/analyzer/protocol/tcp/TCP.cc | 259 +++++----- src/analyzer/protocol/tcp/TCP.h | 56 +-- src/analyzer/protocol/tcp/TCP_Endpoint.cc | 20 +- src/analyzer/protocol/tcp/TCP_Endpoint.h | 14 +- src/analyzer/protocol/tcp/TCP_Reassembler.cc | 74 +-- src/analyzer/protocol/tcp/TCP_Reassembler.h | 22 +- src/analyzer/protocol/teredo/Teredo.cc | 46 +- src/analyzer/protocol/teredo/Teredo.h | 14 +- src/analyzer/protocol/udp/UDP.cc | 58 +-- src/analyzer/protocol/udp/UDP.h | 14 +- src/analyzer/protocol/vxlan/VXLAN.cc | 30 +- src/analyzer/protocol/vxlan/VXLAN.h | 8 +- src/analyzer/protocol/xmpp/XMPP.cc | 16 +- src/analyzer/protocol/xmpp/XMPP.h | 8 +- src/analyzer/protocol/zip/ZIP.cc | 6 +- src/analyzer/protocol/zip/ZIP.h | 4 +- .../analyzer/data_event/DataEvent.cc | 32 +- .../analyzer/data_event/DataEvent.h | 14 +- src/file_analysis/analyzer/entropy/Entropy.cc | 32 +- src/file_analysis/analyzer/entropy/Entropy.h | 10 +- src/file_analysis/analyzer/extract/Extract.cc | 30 +- src/file_analysis/analyzer/extract/Extract.h | 8 +- src/file_analysis/analyzer/hash/Hash.cc | 14 +- src/file_analysis/analyzer/hash/Hash.h | 30 +- src/file_analysis/analyzer/pe/PE.cc | 8 +- src/file_analysis/analyzer/pe/PE.h | 8 +- .../analyzer/unified2/Unified2.cc | 8 +- .../analyzer/unified2/Unified2.h | 8 +- src/file_analysis/analyzer/x509/OCSP.cc | 134 +++--- src/file_analysis/analyzer/x509/OCSP.h | 12 +- src/file_analysis/analyzer/x509/X509.cc | 118 ++--- src/file_analysis/analyzer/x509/X509.h | 28 +- src/file_analysis/analyzer/x509/X509Common.cc | 50 +- src/file_analysis/analyzer/x509/X509Common.h | 20 +- src/input/readers/ascii/Ascii.cc | 58 +-- src/input/readers/ascii/Ascii.h | 16 +- src/input/readers/benchmark/Benchmark.cc | 78 +-- src/input/readers/benchmark/Benchmark.h | 10 +- src/input/readers/binary/Binary.cc | 46 +- src/input/readers/binary/Binary.h | 6 +- src/input/readers/config/Config.cc | 74 +-- src/input/readers/config/Config.h | 10 +- src/input/readers/raw/Plugin.h | 4 +- src/input/readers/raw/Raw.cc | 90 ++-- src/input/readers/raw/Raw.h | 6 +- src/input/readers/sqlite/SQLite.cc | 50 +- src/input/readers/sqlite/SQLite.h | 12 +- src/logging/writers/ascii/Ascii.cc | 170 +++---- src/logging/writers/ascii/Ascii.h | 18 +- src/logging/writers/none/None.cc | 6 +- src/logging/writers/none/None.h | 6 +- src/logging/writers/sqlite/SQLite.cc | 84 ++-- src/logging/writers/sqlite/SQLite.h | 8 +- 169 files changed, 3139 insertions(+), 3141 deletions(-) diff --git a/src/analyzer/protocol/arp/ARP.cc b/src/analyzer/protocol/arp/ARP.cc index 8896d911ba..f45e45b959 100644 --- a/src/analyzer/protocol/arp/ARP.cc +++ b/src/analyzer/protocol/arp/ARP.cc @@ -76,7 +76,7 @@ ARP_Analyzer::~ARP_Analyzer() #endif -void ARP_Analyzer::NextPacket(double t, const zeek::Packet* pkt) +void ARP_Analyzer::NextPacket(double t, const Packet* pkt) { const u_char *data = pkt->data; // Check whether the packet is OK ("inspired" in tcpdump's print-arp.c). @@ -180,7 +180,7 @@ void ARP_Analyzer::NextPacket(double t, const zeek::Packet* pkt) } } -void ARP_Analyzer::Describe(zeek::ODesc* d) const +void ARP_Analyzer::Describe(ODesc* d) const { d->Add(""); d->NL(); @@ -191,20 +191,20 @@ void ARP_Analyzer::BadARP(const struct arp_pkthdr* hdr, const char* msg) if ( ! bad_arp ) return; - zeek::event_mgr.Enqueue(bad_arp, - ToAddrVal(ar_spa(hdr)), - ToEthAddrStr((const u_char*) ar_sha(hdr)), - ToAddrVal(ar_tpa(hdr)), - ToEthAddrStr((const u_char*) ar_tha(hdr)), - zeek::make_intrusive(msg)); + event_mgr.Enqueue(bad_arp, + ToAddrVal(ar_spa(hdr)), + ToEthAddrStr((const u_char*) ar_sha(hdr)), + ToAddrVal(ar_tpa(hdr)), + ToEthAddrStr((const u_char*) ar_tha(hdr)), + make_intrusive(msg)); } void ARP_Analyzer::Corrupted(const char* msg) { - zeek::reporter->Weird(msg); + reporter->Weird(msg); } -void ARP_Analyzer::RREvent(zeek::EventHandlerPtr e, +void ARP_Analyzer::RREvent(EventHandlerPtr e, const u_char* src, const u_char *dst, const char* spa, const char* sha, const char* tpa, const char* tha) @@ -212,7 +212,7 @@ void ARP_Analyzer::RREvent(zeek::EventHandlerPtr e, if ( ! e ) return; - zeek::event_mgr.Enqueue(e, + event_mgr.Enqueue(e, ToEthAddrStr(src), ToEthAddrStr(dst), ToAddrVal(spa), @@ -221,24 +221,24 @@ void ARP_Analyzer::RREvent(zeek::EventHandlerPtr e, ToEthAddrStr((const u_char*) tha)); } -zeek::AddrVal* ARP_Analyzer::ConstructAddrVal(const void* addr) +AddrVal* ARP_Analyzer::ConstructAddrVal(const void* addr) { return ToAddrVal(addr).release(); } -zeek::AddrValPtr ARP_Analyzer::ToAddrVal(const void* addr) +AddrValPtr ARP_Analyzer::ToAddrVal(const void* addr) { // ### For now, we only handle IPv4 addresses. - return zeek::make_intrusive(*(const uint32_t*) addr); + return make_intrusive(*(const uint32_t*) addr); } -zeek::StringVal* ARP_Analyzer::EthAddrToStr(const u_char* addr) +StringVal* ARP_Analyzer::EthAddrToStr(const u_char* addr) { return ToEthAddrStr(addr).release(); } -zeek::StringValPtr ARP_Analyzer::ToEthAddrStr(const u_char* addr) +StringValPtr ARP_Analyzer::ToEthAddrStr(const u_char* addr) { char buf[1024]; snprintf(buf, sizeof(buf), "%02x:%02x:%02x:%02x:%02x:%02x", addr[0], addr[1], addr[2], addr[3], addr[4], addr[5]); - return zeek::make_intrusive(buf); + return make_intrusive(buf); } } // namespace zeek::analyzer::arp diff --git a/src/analyzer/protocol/arp/ARP.h b/src/analyzer/protocol/arp/ARP.h index 21e8b75aa9..8d2f1b5fed 100644 --- a/src/analyzer/protocol/arp/ARP.h +++ b/src/analyzer/protocol/arp/ARP.h @@ -32,27 +32,27 @@ extern "C" { namespace zeek::analyzer::arp { -class ARP_Analyzer : public zeek::Obj { +class ARP_Analyzer : public Obj { public: ARP_Analyzer(); ~ARP_Analyzer() override; - void NextPacket(double t, const zeek::Packet* pkt); + void NextPacket(double t, const Packet* pkt); - void Describe(zeek::ODesc* d) const override; - void RREvent(zeek::EventHandlerPtr e, const u_char* src, const u_char* dst, + void Describe(ODesc* d) const override; + void RREvent(EventHandlerPtr e, const u_char* src, const u_char* dst, const char* spa, const char* sha, const char* tpa, const char* tha); protected: [[deprecated("Remove in v4.1. Use ToAddrVal().")]] - zeek::AddrVal* ConstructAddrVal(const void* addr); + AddrVal* ConstructAddrVal(const void* addr); [[deprecated("Remove in v4.1. Use ToEthAddrStr().")]] - zeek::StringVal* EthAddrToStr(const u_char* addr); + StringVal* EthAddrToStr(const u_char* addr); - zeek::AddrValPtr ToAddrVal(const void* addr); - zeek::StringValPtr ToEthAddrStr(const u_char* addr); + AddrValPtr ToAddrVal(const void* addr); + StringValPtr ToEthAddrStr(const u_char* addr); void BadARP(const struct arp_pkthdr* hdr, const char* string); void Corrupted(const char* string); }; diff --git a/src/analyzer/protocol/ayiya/AYIYA.cc b/src/analyzer/protocol/ayiya/AYIYA.cc index 901b8392a6..e929607dd7 100644 --- a/src/analyzer/protocol/ayiya/AYIYA.cc +++ b/src/analyzer/protocol/ayiya/AYIYA.cc @@ -4,7 +4,7 @@ namespace zeek::analyzer::ayiya { -AYIYA_Analyzer::AYIYA_Analyzer(zeek::Connection* conn) +AYIYA_Analyzer::AYIYA_Analyzer(Connection* conn) : Analyzer("AYIYA", conn) { interp = new binpac::AYIYA::AYIYA_Conn(this); @@ -21,7 +21,7 @@ void AYIYA_Analyzer::Done() Event(udp_session_done); } -void AYIYA_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64_t seq, const zeek::IP_Hdr* ip, int caplen) +void AYIYA_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64_t seq, const IP_Hdr* ip, int caplen) { Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); @@ -31,7 +31,7 @@ void AYIYA_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint6 } catch ( const binpac::Exception& e ) { - ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg())); + ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg())); } } diff --git a/src/analyzer/protocol/ayiya/AYIYA.h b/src/analyzer/protocol/ayiya/AYIYA.h index 3d61d7ce8f..6212045f4c 100644 --- a/src/analyzer/protocol/ayiya/AYIYA.h +++ b/src/analyzer/protocol/ayiya/AYIYA.h @@ -4,16 +4,16 @@ namespace zeek::analyzer::ayiya { -class AYIYA_Analyzer final : public zeek::analyzer::Analyzer { +class AYIYA_Analyzer final : public analyzer::Analyzer { public: - explicit AYIYA_Analyzer(zeek::Connection* conn); + explicit AYIYA_Analyzer(Connection* conn); virtual ~AYIYA_Analyzer(); virtual void Done(); virtual void DeliverPacket(int len, const u_char* data, bool orig, - uint64_t seq, const zeek::IP_Hdr* ip, int caplen); + uint64_t seq, const IP_Hdr* ip, int caplen); - static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) + static analyzer::Analyzer* Instantiate(Connection* conn) { return new AYIYA_Analyzer(conn); } protected: diff --git a/src/analyzer/protocol/bittorrent/BitTorrent.cc b/src/analyzer/protocol/bittorrent/BitTorrent.cc index 789ef6913a..22ecb33835 100644 --- a/src/analyzer/protocol/bittorrent/BitTorrent.cc +++ b/src/analyzer/protocol/bittorrent/BitTorrent.cc @@ -7,8 +7,8 @@ namespace zeek::analyzer::bittorrent { -BitTorrent_Analyzer::BitTorrent_Analyzer(zeek::Connection* c) -: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("BITTORRENT", c) +BitTorrent_Analyzer::BitTorrent_Analyzer(Connection* c) +: analyzer::tcp::TCP_ApplicationAnalyzer("BITTORRENT", c) { interp = new binpac::BitTorrent::BitTorrent_Conn(this); stop_orig = stop_resp = false; @@ -22,7 +22,7 @@ BitTorrent_Analyzer::~BitTorrent_Analyzer() void BitTorrent_Analyzer::Done() { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); + analyzer::tcp::TCP_ApplicationAnalyzer::Done(); interp->FlowEOF(true); interp->FlowEOF(false); @@ -33,7 +33,7 @@ void BitTorrent_Analyzer::DeliverStream(int len, const u_char* data, bool orig) uint64_t& this_stream_len = orig ? stream_len_orig : stream_len_resp; bool& this_stop = orig ? stop_orig : stop_resp; - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); + analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); assert(TCP()); @@ -59,7 +59,7 @@ void BitTorrent_Analyzer::DeliverStream(int len, const u_char* data, bool orig) Parent()->RemoveChildAnalyzer(this); else { - DeliverWeird(zeek::util::fmt("Stopping BitTorrent analysis: protocol violation (%s)", + DeliverWeird(util::fmt("Stopping BitTorrent analysis: protocol violation (%s)", e.c_msg()), orig); this_stop = true; if ( stop_orig && stop_resp ) @@ -70,7 +70,7 @@ void BitTorrent_Analyzer::DeliverStream(int len, const u_char* data, bool orig) void BitTorrent_Analyzer::Undelivered(uint64_t seq, int len, bool orig) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); + analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); // TODO: Code commented out for now. I think that shoving data that // is definitely wrong into the parser seems like a really bad idea. @@ -112,7 +112,7 @@ void BitTorrent_Analyzer::Undelivered(uint64_t seq, int len, bool orig) void BitTorrent_Analyzer::EndpointEOF(bool is_orig) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); + analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); interp->FlowEOF(is_orig); } @@ -121,8 +121,8 @@ void BitTorrent_Analyzer::DeliverWeird(const char* msg, bool orig) if ( bittorrent_peer_weird ) EnqueueConnEvent(bittorrent_peer_weird, ConnVal(), - zeek::val_mgr->Bool(orig), - zeek::make_intrusive(msg)); + val_mgr->Bool(orig), + make_intrusive(msg)); } } // namespace zeek::analyzer::bittorrent diff --git a/src/analyzer/protocol/bittorrent/BitTorrent.h b/src/analyzer/protocol/bittorrent/BitTorrent.h index 1e3ef3610d..58a758c178 100644 --- a/src/analyzer/protocol/bittorrent/BitTorrent.h +++ b/src/analyzer/protocol/bittorrent/BitTorrent.h @@ -8,9 +8,9 @@ namespace zeek::analyzer::bittorrent { -class BitTorrent_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { +class BitTorrent_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer { public: - explicit BitTorrent_Analyzer(zeek::Connection* conn); + explicit BitTorrent_Analyzer(Connection* conn); ~BitTorrent_Analyzer() override; void Done() override; @@ -18,7 +18,7 @@ public: void Undelivered(uint64_t seq, int len, bool orig) override; void EndpointEOF(bool is_orig) override; - static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) + static analyzer::Analyzer* Instantiate(Connection* conn) { return new BitTorrent_Analyzer(conn); } protected: diff --git a/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc b/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc index 34297178d7..779dfb4539 100644 --- a/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc +++ b/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc @@ -15,27 +15,27 @@ namespace zeek::analyzer::bittorrent { -static zeek::TableTypePtr bt_tracker_headers; -static zeek::RecordTypePtr bittorrent_peer; -static zeek::TableTypePtr bittorrent_peer_set; -static zeek::RecordTypePtr bittorrent_benc_value; -static zeek::TableTypePtr bittorrent_benc_dir; +static TableTypePtr bt_tracker_headers; +static RecordTypePtr bittorrent_peer; +static TableTypePtr bittorrent_peer_set; +static RecordTypePtr bittorrent_benc_value; +static TableTypePtr bittorrent_benc_dir; -BitTorrentTracker_Analyzer::BitTorrentTracker_Analyzer(zeek::Connection* c) -: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("BITTORRENTTRACKER", c) +BitTorrentTracker_Analyzer::BitTorrentTracker_Analyzer(Connection* c) +: analyzer::tcp::TCP_ApplicationAnalyzer("BITTORRENTTRACKER", c) { if ( ! bt_tracker_headers ) { bt_tracker_headers = - zeek::id::find_type("bt_tracker_headers"); + id::find_type("bt_tracker_headers"); bittorrent_peer = - zeek::id::find_type("bittorrent_peer"); + id::find_type("bittorrent_peer"); bittorrent_peer_set = - zeek::id::find_type("bittorrent_peer_set"); + id::find_type("bittorrent_peer_set"); bittorrent_benc_value = - zeek::id::find_type("bittorrent_benc_value"); + id::find_type("bittorrent_benc_value"); bittorrent_benc_dir = - zeek::id::find_type("bittorrent_benc_dir"); + id::find_type("bittorrent_benc_dir"); } keep_alive = false; @@ -45,7 +45,7 @@ BitTorrentTracker_Analyzer::BitTorrentTracker_Analyzer(zeek::Connection* c) req_buf_pos = req_buf; req_buf_len = 0; req_val_uri = nullptr; - req_val_headers = new zeek::TableVal(bt_tracker_headers); + req_val_headers = new TableVal(bt_tracker_headers); res_state = detail::BTT_RES_STATUS; res_allow_blank_line = false; @@ -53,9 +53,9 @@ BitTorrentTracker_Analyzer::BitTorrentTracker_Analyzer(zeek::Connection* c) res_buf_pos = res_buf; res_buf_len = 0; res_status = 0; - res_val_headers = new zeek::TableVal(bt_tracker_headers); - res_val_peers = new zeek::TableVal(bittorrent_peer_set); - res_val_benc = new zeek::TableVal(bittorrent_benc_dir); + res_val_headers = new TableVal(bt_tracker_headers); + res_val_peers = new TableVal(bittorrent_peer_set); + res_val_benc = new TableVal(bittorrent_benc_dir); InitBencParser(); @@ -78,13 +78,13 @@ BitTorrentTracker_Analyzer::~BitTorrentTracker_Analyzer() void BitTorrentTracker_Analyzer::Done() { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); + analyzer::tcp::TCP_ApplicationAnalyzer::Done(); } void BitTorrentTracker_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); + analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); assert(TCP()); @@ -136,7 +136,7 @@ void BitTorrentTracker_Analyzer::ClientRequest(int len, const u_char* data) req_buf_len -= (req_buf_pos - req_buf); memmove(req_buf, req_buf_pos, req_buf_len); req_buf_pos = req_buf; - req_val_headers = new zeek::TableVal(bt_tracker_headers); + req_val_headers = new TableVal(bt_tracker_headers); } } } @@ -198,9 +198,9 @@ void BitTorrentTracker_Analyzer::ServerReply(int len, const u_char* data) res_buf_pos = res_buf; res_status = 0; - res_val_headers = new zeek::TableVal(bt_tracker_headers); - res_val_peers = new zeek::TableVal(bittorrent_peer_set); - res_val_benc = new zeek::TableVal(bittorrent_benc_dir); + res_val_headers = new TableVal(bt_tracker_headers); + res_val_peers = new TableVal(bittorrent_peer_set); + res_val_benc = new TableVal(bittorrent_benc_dir); InitBencParser(); } @@ -208,7 +208,7 @@ void BitTorrentTracker_Analyzer::ServerReply(int len, const u_char* data) void BitTorrentTracker_Analyzer::Undelivered(uint64_t seq, int len, bool orig) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); + analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); ProtocolViolation("BitTorrentTracker: cannot recover from content gap"); @@ -220,7 +220,7 @@ void BitTorrentTracker_Analyzer::Undelivered(uint64_t seq, int len, bool orig) void BitTorrentTracker_Analyzer::EndpointEOF(bool is_orig) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); + analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); } void BitTorrentTracker_Analyzer::InitBencParser(void) @@ -247,8 +247,8 @@ void BitTorrentTracker_Analyzer::DeliverWeird(const char* msg, bool orig) if ( bt_tracker_weird ) EnqueueConnEvent(bt_tracker_weird, ConnVal(), - zeek::val_mgr->Bool(orig), - zeek::make_intrusive(msg) + val_mgr->Bool(orig), + make_intrusive(msg) ); } @@ -322,7 +322,7 @@ bool BitTorrentTracker_Analyzer::ParseRequest(char* line) case detail::BTT_REQ_DONE: if ( *line ) { - auto msg = zeek::util::fmt("Got post request data: %s\n", line); + auto msg = util::fmt("Got post request data: %s\n", line); Weird("bittorrent_tracker_data_post_request", msg); DeliverWeird(msg, true); } @@ -338,7 +338,7 @@ bool BitTorrentTracker_Analyzer::ParseRequest(char* line) void BitTorrentTracker_Analyzer::RequestGet(char* uri) { - req_val_uri = new zeek::StringVal(uri); + req_val_uri = new StringVal(uri); } void BitTorrentTracker_Analyzer::EmitRequest(void) @@ -348,8 +348,8 @@ void BitTorrentTracker_Analyzer::EmitRequest(void) if ( bt_tracker_request ) EnqueueConnEvent(bt_tracker_request, ConnVal(), - zeek::IntrusivePtr{zeek::AdoptRef{}, req_val_uri}, - zeek::IntrusivePtr{zeek::AdoptRef{}, req_val_headers} + IntrusivePtr{AdoptRef{}, req_val_uri}, + IntrusivePtr{AdoptRef{}, req_val_headers} ); req_val_uri = nullptr; @@ -403,8 +403,8 @@ bool BitTorrentTracker_Analyzer::ParseResponse(char* line) EnqueueConnEvent( bt_tracker_response_not_ok, ConnVal(), - zeek::val_mgr->Count(res_status), - zeek::IntrusivePtr{zeek::AdoptRef{}, res_val_headers} + val_mgr->Count(res_status), + IntrusivePtr{AdoptRef{}, res_val_headers} ); res_val_headers = nullptr; res_buf_pos = res_buf + res_buf_len; @@ -456,8 +456,8 @@ void BitTorrentTracker_Analyzer::ParseHeader(char* name, char* value, } #ifdef BTTRACKER_STORE_HEADERS - zeek::StringVal* name_ = new zeek::StringVal(name); - zeek::StringVal* value_ = new zeek::StringVal(value); + auto* name_ = new StringVal(name); + auto* value_ = new StringVal(value); (is_request ? req_val_headers : res_val_headers)->Assign(name_, value_); Unref(name_); @@ -479,17 +479,17 @@ void BitTorrentTracker_Analyzer::ResponseBenc(int name_len, char* name, uint32_t ad = extract_uint32((u_char*) value); uint16_t pt = ntohs((value[4] << 8) | value[5]); - auto peer = zeek::make_intrusive(bittorrent_peer); - peer->Assign(0, zeek::make_intrusive(ad)); - peer->Assign(1, zeek::val_mgr->Port(pt, TRANSPORT_TCP)); + auto peer = make_intrusive(bittorrent_peer); + peer->Assign(0, make_intrusive(ad)); + peer->Assign(1, val_mgr->Port(pt, TRANSPORT_TCP)); res_val_peers->Assign(std::move(peer), nullptr); } } else { - auto name_ = zeek::make_intrusive(name_len, name); - auto benc_value = zeek::make_intrusive(bittorrent_benc_value); - benc_value->Assign(type, zeek::make_intrusive(value_len, value)); + auto name_ = make_intrusive(name_len, name); + auto benc_value = make_intrusive(bittorrent_benc_value); + benc_value->Assign(type, make_intrusive(value_len, value)); res_val_benc->Assign(std::move(name_), std::move(benc_value)); } } @@ -497,10 +497,10 @@ void BitTorrentTracker_Analyzer::ResponseBenc(int name_len, char* name, void BitTorrentTracker_Analyzer::ResponseBenc(int name_len, char* name, detail::BTT_BencTypes type, bro_int_t value) { - auto benc_value = zeek::make_intrusive(bittorrent_benc_value); - auto name_ = zeek::make_intrusive(name_len, name); + auto benc_value = make_intrusive(bittorrent_benc_value); + auto name_ = make_intrusive(name_len, name); - benc_value->Assign(type, zeek::val_mgr->Int(value)); + benc_value->Assign(type, val_mgr->Int(value)); res_val_benc->Assign(std::move(name_), std::move(benc_value)); } @@ -785,10 +785,10 @@ void BitTorrentTracker_Analyzer::EmitResponse(void) if ( bt_tracker_response ) EnqueueConnEvent(bt_tracker_response, ConnVal(), - zeek::val_mgr->Count(res_status), - zeek::IntrusivePtr{zeek::AdoptRef{}, res_val_headers}, - zeek::IntrusivePtr{zeek::AdoptRef{}, res_val_peers}, - zeek::IntrusivePtr{zeek::AdoptRef{}, res_val_benc} + val_mgr->Count(res_status), + IntrusivePtr{AdoptRef{}, res_val_headers}, + IntrusivePtr{AdoptRef{}, res_val_peers}, + IntrusivePtr{AdoptRef{}, res_val_benc} ); res_val_headers = nullptr; diff --git a/src/analyzer/protocol/bittorrent/BitTorrentTracker.h b/src/analyzer/protocol/bittorrent/BitTorrentTracker.h index bc36b88237..507375e19b 100644 --- a/src/analyzer/protocol/bittorrent/BitTorrentTracker.h +++ b/src/analyzer/protocol/bittorrent/BitTorrentTracker.h @@ -47,9 +47,9 @@ enum BTT_BencStates { } // namespace detail -class BitTorrentTracker_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { +class BitTorrentTracker_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer { public: - explicit BitTorrentTracker_Analyzer(zeek::Connection* conn); + explicit BitTorrentTracker_Analyzer(Connection* conn); ~BitTorrentTracker_Analyzer() override; void Done() override; @@ -57,7 +57,7 @@ public: void Undelivered(uint64_t seq, int len, bool orig) override; void EndpointEOF(bool is_orig) override; - static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) + static analyzer::Analyzer* Instantiate(Connection* conn) { return new BitTorrentTracker_Analyzer(conn); } protected: @@ -96,8 +96,8 @@ protected: char req_buf[BTTRACKER_BUF]; char* req_buf_pos; unsigned int req_buf_len; - zeek::StringVal* req_val_uri; - zeek::TableVal* req_val_headers; + StringVal* req_val_uri; + TableVal* req_val_headers; // Response. detail::BTT_States res_state; @@ -106,9 +106,9 @@ protected: char* res_buf_pos; unsigned int res_buf_len; bro_uint_t res_status; - zeek::TableVal* res_val_headers; - zeek::TableVal* res_val_peers; - zeek::TableVal* res_val_benc; + TableVal* res_val_headers; + TableVal* res_val_peers; + TableVal* res_val_benc; std::vector benc_stack; std::vector benc_count; diff --git a/src/analyzer/protocol/conn-size/ConnSize.cc b/src/analyzer/protocol/conn-size/ConnSize.cc index 849b9a7feb..f8f41e0131 100644 --- a/src/analyzer/protocol/conn-size/ConnSize.cc +++ b/src/analyzer/protocol/conn-size/ConnSize.cc @@ -13,7 +13,7 @@ namespace zeek::analyzer::conn_size { -ConnSize_Analyzer::ConnSize_Analyzer(zeek::Connection* c) +ConnSize_Analyzer::ConnSize_Analyzer(Connection* c) : Analyzer("CONNSIZE", c), orig_bytes(), resp_bytes(), orig_pkts(), resp_pkts(), orig_bytes_thresh(), resp_bytes_thresh(), orig_pkts_thresh(), resp_pkts_thresh(), duration_thresh() @@ -46,15 +46,15 @@ void ConnSize_Analyzer::Done() Analyzer::Done(); } -void ConnSize_Analyzer::ThresholdEvent(zeek::EventHandlerPtr f, uint64_t threshold, bool is_orig) +void ConnSize_Analyzer::ThresholdEvent(EventHandlerPtr f, uint64_t threshold, bool is_orig) { if ( ! f ) return; EnqueueConnEvent(f, ConnVal(), - zeek::val_mgr->Count(threshold), - zeek::val_mgr->Bool(is_orig) + val_mgr->Count(threshold), + val_mgr->Bool(is_orig) ); } @@ -91,19 +91,19 @@ void ConnSize_Analyzer::CheckThresholds(bool is_orig) if ( duration_thresh != 0 ) { - if ( ( zeek::run_state::network_time - start_time ) > duration_thresh && conn_duration_threshold_crossed ) + if ( ( run_state::network_time - start_time ) > duration_thresh && conn_duration_threshold_crossed ) { EnqueueConnEvent(conn_duration_threshold_crossed, ConnVal(), - zeek::make_intrusive(duration_thresh), - zeek::val_mgr->Bool(is_orig) + make_intrusive(duration_thresh), + val_mgr->Bool(is_orig) ); duration_thresh = 0; } } } -void ConnSize_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, uint64_t seq, const zeek::IP_Hdr* ip, int caplen) +void ConnSize_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, uint64_t seq, const IP_Hdr* ip, int caplen) { Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen); @@ -168,26 +168,26 @@ void ConnSize_Analyzer::SetDurationThreshold(double duration) CheckThresholds(true); } -void ConnSize_Analyzer::UpdateConnVal(zeek::RecordVal *conn_val) +void ConnSize_Analyzer::UpdateConnVal(RecordVal *conn_val) { // RecordType *connection_type is decleared in NetVar.h - zeek::RecordVal* orig_endp = conn_val->GetField("orig")->AsRecordVal(); - zeek::RecordVal* resp_endp = conn_val->GetField("resp")->AsRecordVal(); + RecordVal* orig_endp = conn_val->GetField("orig")->AsRecordVal(); + RecordVal* resp_endp = conn_val->GetField("resp")->AsRecordVal(); // endpoint is the RecordType from NetVar.h - int pktidx = zeek::id::endpoint->FieldOffset("num_pkts"); - int bytesidx = zeek::id::endpoint->FieldOffset("num_bytes_ip"); + int pktidx = id::endpoint->FieldOffset("num_pkts"); + int bytesidx = id::endpoint->FieldOffset("num_bytes_ip"); if ( pktidx < 0 ) - zeek::reporter->InternalError("'endpoint' record missing 'num_pkts' field"); + reporter->InternalError("'endpoint' record missing 'num_pkts' field"); if ( bytesidx < 0 ) - zeek::reporter->InternalError("'endpoint' record missing 'num_bytes_ip' field"); + reporter->InternalError("'endpoint' record missing 'num_bytes_ip' field"); - orig_endp->Assign(pktidx, zeek::val_mgr->Count(orig_pkts)); - orig_endp->Assign(bytesidx, zeek::val_mgr->Count(orig_bytes)); - resp_endp->Assign(pktidx, zeek::val_mgr->Count(resp_pkts)); - resp_endp->Assign(bytesidx, zeek::val_mgr->Count(resp_bytes)); + orig_endp->Assign(pktidx, val_mgr->Count(orig_pkts)); + orig_endp->Assign(bytesidx, val_mgr->Count(orig_bytes)); + resp_endp->Assign(pktidx, val_mgr->Count(resp_pkts)); + resp_endp->Assign(bytesidx, val_mgr->Count(resp_bytes)); Analyzer::UpdateConnVal(conn_val); } diff --git a/src/analyzer/protocol/conn-size/ConnSize.h b/src/analyzer/protocol/conn-size/ConnSize.h index d195ac0582..37fda7df71 100644 --- a/src/analyzer/protocol/conn-size/ConnSize.h +++ b/src/analyzer/protocol/conn-size/ConnSize.h @@ -8,16 +8,16 @@ namespace zeek::analyzer::conn_size { -class ConnSize_Analyzer : public zeek::analyzer::Analyzer { +class ConnSize_Analyzer : public analyzer::Analyzer { public: - explicit ConnSize_Analyzer(zeek::Connection* c); + explicit ConnSize_Analyzer(Connection* c); ~ConnSize_Analyzer() override; void Init() override; void Done() override; // from Analyzer.h - void UpdateConnVal(zeek::RecordVal *conn_val) override; + void UpdateConnVal(RecordVal *conn_val) override; void FlipRoles() override; void SetByteAndPacketThreshold(uint64_t threshold, bool bytes, bool orig); @@ -26,15 +26,15 @@ public: void SetDurationThreshold(double duration); double GetDurationThreshold() { return duration_thresh; }; - static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) + static analyzer::Analyzer* Instantiate(Connection* conn) { return new ConnSize_Analyzer(conn); } protected: void DeliverPacket(int len, const u_char* data, bool is_orig, - uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override; + uint64_t seq, const IP_Hdr* ip, int caplen) override; void CheckThresholds(bool is_orig); - void ThresholdEvent(zeek::EventHandlerPtr f, uint64_t threshold, bool is_orig); + void ThresholdEvent(EventHandlerPtr f, uint64_t threshold, bool is_orig); uint64_t orig_bytes; uint64_t resp_bytes; diff --git a/src/analyzer/protocol/dce-rpc/DCE_RPC.cc b/src/analyzer/protocol/dce-rpc/DCE_RPC.cc index f01983880b..a50a6e3b26 100644 --- a/src/analyzer/protocol/dce-rpc/DCE_RPC.cc +++ b/src/analyzer/protocol/dce-rpc/DCE_RPC.cc @@ -11,8 +11,8 @@ using namespace std; namespace zeek::analyzer::dce_rpc { -DCE_RPC_Analyzer::DCE_RPC_Analyzer(zeek::Connection* conn) - : zeek::analyzer::tcp::TCP_ApplicationAnalyzer("DCE_RPC", conn) +DCE_RPC_Analyzer::DCE_RPC_Analyzer(Connection* conn) + : analyzer::tcp::TCP_ApplicationAnalyzer("DCE_RPC", conn) { had_gap = false; interp = new binpac::DCE_RPC::DCE_RPC_Conn(this); @@ -61,7 +61,7 @@ void DCE_RPC_Analyzer::DeliverStream(int len, const u_char* data, bool orig) } catch ( const binpac::Exception& e ) { - ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg())); + ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg())); } } diff --git a/src/analyzer/protocol/dce-rpc/DCE_RPC.h b/src/analyzer/protocol/dce-rpc/DCE_RPC.h index e4addaf20c..0a7fec416c 100644 --- a/src/analyzer/protocol/dce-rpc/DCE_RPC.h +++ b/src/analyzer/protocol/dce-rpc/DCE_RPC.h @@ -11,9 +11,9 @@ namespace zeek::analyzer::dce_rpc { -class DCE_RPC_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { +class DCE_RPC_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer { public: - explicit DCE_RPC_Analyzer(zeek::Connection* conn); + explicit DCE_RPC_Analyzer(Connection* conn); ~DCE_RPC_Analyzer() override; void Done() override; @@ -24,7 +24,7 @@ public: bool SetFileID(uint64_t fid_in) { interp->set_file_id(fid_in); return true; } - static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) + static analyzer::Analyzer* Instantiate(Connection* conn) { return new DCE_RPC_Analyzer(conn); } protected: diff --git a/src/analyzer/protocol/dhcp/DHCP.cc b/src/analyzer/protocol/dhcp/DHCP.cc index 0371a0e4dc..f5e029a2bb 100644 --- a/src/analyzer/protocol/dhcp/DHCP.cc +++ b/src/analyzer/protocol/dhcp/DHCP.cc @@ -5,7 +5,7 @@ namespace zeek::analyzer::dhcp { -DHCP_Analyzer::DHCP_Analyzer(zeek::Connection* conn) +DHCP_Analyzer::DHCP_Analyzer(Connection* conn) : Analyzer("DHCP", conn) { interp = new binpac::DHCP::DHCP_Conn(this); @@ -22,7 +22,7 @@ void DHCP_Analyzer::Done() } void DHCP_Analyzer::DeliverPacket(int len, const u_char* data, - bool orig, uint64_t seq, const zeek::IP_Hdr* ip, int caplen) + bool orig, uint64_t seq, const IP_Hdr* ip, int caplen) { Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); @@ -32,7 +32,7 @@ void DHCP_Analyzer::DeliverPacket(int len, const u_char* data, } catch ( const binpac::Exception& e ) { - ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg())); + ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg())); } } diff --git a/src/analyzer/protocol/dhcp/DHCP.h b/src/analyzer/protocol/dhcp/DHCP.h index 32326633d3..9df8b3d469 100644 --- a/src/analyzer/protocol/dhcp/DHCP.h +++ b/src/analyzer/protocol/dhcp/DHCP.h @@ -6,16 +6,16 @@ namespace zeek::analyzer::dhcp { -class DHCP_Analyzer final : public zeek::analyzer::Analyzer { +class DHCP_Analyzer final : public analyzer::Analyzer { public: - explicit DHCP_Analyzer(zeek::Connection* conn); + explicit DHCP_Analyzer(Connection* conn); ~DHCP_Analyzer() override; void Done() override; void DeliverPacket(int len, const u_char* data, bool orig, - uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override; + uint64_t seq, const IP_Hdr* ip, int caplen) override; - static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) + static analyzer::Analyzer* Instantiate(Connection* conn) { return new DHCP_Analyzer(conn); } protected: diff --git a/src/analyzer/protocol/dnp3/DNP3.cc b/src/analyzer/protocol/dnp3/DNP3.cc index 1f11cb6406..b0eecaa58c 100644 --- a/src/analyzer/protocol/dnp3/DNP3.cc +++ b/src/analyzer/protocol/dnp3/DNP3.cc @@ -113,7 +113,7 @@ namespace detail { bool DNP3_Base::crc_table_initialized = false; unsigned int DNP3_Base::crc_table[256]; -DNP3_Base::DNP3_Base(zeek::analyzer::Analyzer* arg_analyzer) +DNP3_Base::DNP3_Base(analyzer::Analyzer* arg_analyzer) { analyzer = arg_analyzer; interp = new binpac::DNP3::DNP3_Conn(analyzer); @@ -235,14 +235,14 @@ int DNP3_Base::AddToBuffer(Endpoint* endp, int target_len, const u_char** data, if ( *len < 0 ) { - zeek::reporter->AnalyzerError(analyzer, "dnp3 negative input length: %d", *len); + reporter->AnalyzerError(analyzer, "dnp3 negative input length: %d", *len); return -1; } if ( target_len < endp->buffer_len ) { - zeek::reporter->AnalyzerError(analyzer, "dnp3 invalid target length: %d - %d", - target_len, endp->buffer_len); + reporter->AnalyzerError(analyzer, "dnp3 invalid target length: %d - %d", + target_len, endp->buffer_len); return -1; } @@ -250,8 +250,8 @@ int DNP3_Base::AddToBuffer(Endpoint* endp, int target_len, const u_char** data, if ( endp->buffer_len + to_copy > MAX_BUFFER_SIZE ) { - zeek::reporter->AnalyzerError(analyzer, "dnp3 buffer length exceeded: %d + %d", - endp->buffer_len, to_copy); + reporter->AnalyzerError(analyzer, "dnp3 buffer length exceeded: %d + %d", + endp->buffer_len, to_copy); return -1; } @@ -296,9 +296,9 @@ bool DNP3_Base::ParseAppLayer(Endpoint* endp) if ( data + n >= endp->buffer + endp->buffer_len ) { - zeek::reporter->AnalyzerError(analyzer, - "dnp3 app layer parsing overflow %d - %d", - endp->buffer_len, n); + reporter->AnalyzerError(analyzer, + "dnp3 app layer parsing overflow %d - %d", + endp->buffer_len, n); return false; } @@ -350,7 +350,7 @@ bool DNP3_Base::CheckCRC(int len, const u_char* data, const u_char* crc16, const if ( crc16[0] == (crc & 0xff) && crc16[1] == (crc & 0xff00) >> 8 ) return true; - analyzer->Weird(zeek::util::fmt("dnp3_corrupt_%s_checksum", where)); + analyzer->Weird(util::fmt("dnp3_corrupt_%s_checksum", where)); return false; } @@ -386,7 +386,7 @@ unsigned int DNP3_Base::CalcCRC(int len, const u_char* data) } } // namespace detail -DNP3_TCP_Analyzer::DNP3_TCP_Analyzer(zeek::Connection* c) +DNP3_TCP_Analyzer::DNP3_TCP_Analyzer(Connection* c) : DNP3_Base(this), TCP_ApplicationAnalyzer("DNP3_TCP", c) { } @@ -432,7 +432,7 @@ void DNP3_TCP_Analyzer::EndpointEOF(bool is_orig) Interpreter()->FlowEOF(is_orig); } -DNP3_UDP_Analyzer::DNP3_UDP_Analyzer(zeek::Connection* c) +DNP3_UDP_Analyzer::DNP3_UDP_Analyzer(Connection* c) : DNP3_Base(this), Analyzer("DNP3_UDP", c) { } @@ -441,7 +441,7 @@ DNP3_UDP_Analyzer::~DNP3_UDP_Analyzer() { } -void DNP3_UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64_t seq, const zeek::IP_Hdr* ip, int caplen) +void DNP3_UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64_t seq, const IP_Hdr* ip, int caplen) { Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); diff --git a/src/analyzer/protocol/dnp3/DNP3.h b/src/analyzer/protocol/dnp3/DNP3.h index 9c0f061ead..b840489742 100644 --- a/src/analyzer/protocol/dnp3/DNP3.h +++ b/src/analyzer/protocol/dnp3/DNP3.h @@ -12,7 +12,7 @@ namespace detail { class DNP3_Base { public: - explicit DNP3_Base(zeek::analyzer::Analyzer* analyzer); + explicit DNP3_Base(analyzer::Analyzer* analyzer); virtual ~DNP3_Base(); binpac::DNP3::DNP3_Conn* Interpreter() { return interp; } @@ -56,7 +56,7 @@ protected: static bool crc_table_initialized; static unsigned int crc_table[256]; - zeek::analyzer::Analyzer* analyzer; + analyzer::Analyzer* analyzer; binpac::DNP3::DNP3_Conn* interp; Endpoint orig_state; @@ -65,9 +65,9 @@ protected: } // namespace detail -class DNP3_TCP_Analyzer : public detail::DNP3_Base, public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { +class DNP3_TCP_Analyzer : public detail::DNP3_Base, public analyzer::tcp::TCP_ApplicationAnalyzer { public: - explicit DNP3_TCP_Analyzer(zeek::Connection* conn); + explicit DNP3_TCP_Analyzer(Connection* conn); ~DNP3_TCP_Analyzer() override; void Done() override; @@ -75,19 +75,19 @@ public: void Undelivered(uint64_t seq, int len, bool orig) override; void EndpointEOF(bool is_orig) override; - static Analyzer* Instantiate(zeek::Connection* conn) + static Analyzer* Instantiate(Connection* conn) { return new DNP3_TCP_Analyzer(conn); } }; -class DNP3_UDP_Analyzer : public detail::DNP3_Base, public zeek::analyzer::Analyzer { +class DNP3_UDP_Analyzer : public detail::DNP3_Base, public analyzer::Analyzer { public: - explicit DNP3_UDP_Analyzer(zeek::Connection* conn); + explicit DNP3_UDP_Analyzer(Connection* conn); ~DNP3_UDP_Analyzer() override; void DeliverPacket(int len, const u_char* data, bool orig, - uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override; + uint64_t seq, const IP_Hdr* ip, int caplen) override; - static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) + static analyzer::Analyzer* Instantiate(Connection* conn) { return new DNP3_UDP_Analyzer(conn); } }; diff --git a/src/analyzer/protocol/dns/DNS.cc b/src/analyzer/protocol/dns/DNS.cc index bdc40499f5..18f3f24b8c 100644 --- a/src/analyzer/protocol/dns/DNS.cc +++ b/src/analyzer/protocol/dns/DNS.cc @@ -21,7 +21,7 @@ namespace zeek::analyzer::dns { namespace detail { -DNS_Interpreter::DNS_Interpreter(zeek::analyzer::Analyzer* arg_analyzer) +DNS_Interpreter::DNS_Interpreter(analyzer::Analyzer* arg_analyzer) { analyzer = arg_analyzer; first_message = true; @@ -52,9 +52,9 @@ void DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query) if ( dns_message ) analyzer->EnqueueConnEvent(dns_message, analyzer->ConnVal(), - zeek::val_mgr->Bool(is_query), + val_mgr->Bool(is_query), msg.BuildHdrVal(), - zeek::val_mgr->Count(len) + val_mgr->Count(len) ); // There is a great deal of non-DNS traffic that runs on port 53. @@ -91,9 +91,9 @@ void DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query) int skip_addl = zeek::detail::dns_skip_all_addl; if ( msg.ancount > 0 ) { // We did an answer, so can potentially skip auth/addl. - static auto dns_skip_auth = zeek::id::find_val("dns_skip_auth"); - static auto dns_skip_addl = zeek::id::find_val("dns_skip_addl"); - auto server = zeek::make_intrusive(analyzer->Conn()->RespAddr()); + static auto dns_skip_auth = id::find_val("dns_skip_auth"); + static auto dns_skip_addl = id::find_val("dns_skip_addl"); + auto server = make_intrusive(analyzer->Conn()->RespAddr()); skip_auth = skip_auth || msg.nscount == 0 || dns_skip_auth->FindOrDefault(server); @@ -183,7 +183,7 @@ bool DNS_Interpreter::ParseQuestion(detail::DNS_MsgInfo* msg, return false; } - zeek::EventHandlerPtr dns_event = nullptr; + EventHandlerPtr dns_event = nullptr; if ( msg->QR == 0 ) dns_event = dns_request; @@ -198,14 +198,14 @@ bool DNS_Interpreter::ParseQuestion(detail::DNS_MsgInfo* msg, if ( dns_event && ! msg->skip_event ) { - zeek::String* original_name = new zeek::String(name, name_end - name, true); + String* original_name = new String(name, name_end - name, true); // Downcase the Name to normalize it for ( u_char* np = name; np < name_end; ++np ) if ( isupper(*np) ) *np = tolower(*np); - zeek::String* question_name = new zeek::String(name, name_end - name, true); + String* question_name = new String(name, name_end - name, true); SendReplyOrRejectEvent(msg, dns_event, data, len, question_name, original_name); } @@ -240,7 +240,7 @@ bool DNS_Interpreter::ParseAnswer(detail::DNS_MsgInfo* msg, // Note that the exact meaning of some of these fields will be // re-interpreted by other, more adventurous RR types. - msg->query_name = zeek::make_intrusive(new zeek::String(name, name_end - name, true)); + msg->query_name = make_intrusive(new String(name, name_end - name, true)); msg->atype = detail::RR_Type(ExtractShort(data, len)); msg->aclass = ExtractShort(data, len); msg->ttl = ExtractLong(data, len); @@ -352,7 +352,7 @@ bool DNS_Interpreter::ParseAnswer(detail::DNS_MsgInfo* msg, msg->BuildAnswerVal() ); - analyzer->Weird("DNS_RR_unknown_type", zeek::util::fmt("%d", msg->atype)); + analyzer->Weird("DNS_RR_unknown_type", util::fmt("%d", msg->atype)); data += rdlength; len -= rdlength; status = true; @@ -538,7 +538,7 @@ bool DNS_Interpreter::ParseRR_Name(detail::DNS_MsgInfo* msg, analyzer->Weird("DNS_RR_length_mismatch"); } - zeek::EventHandlerPtr reply_event; + EventHandlerPtr reply_event; switch ( msg->atype ) { case detail::TYPE_NS: reply_event = dns_NS_reply; @@ -564,7 +564,7 @@ bool DNS_Interpreter::ParseRR_Name(detail::DNS_MsgInfo* msg, analyzer->ConnVal(), msg->BuildHdrVal(), msg->BuildAnswerVal(), - zeek::make_intrusive(new zeek::String(name, name_end - name, true)) + make_intrusive(new String(name, name_end - name, true)) ); return true; @@ -604,15 +604,15 @@ bool DNS_Interpreter::ParseRR_SOA(detail::DNS_MsgInfo* msg, if ( dns_SOA_reply && ! msg->skip_event ) { - static auto dns_soa = zeek::id::find_type("dns_soa"); - auto r = zeek::make_intrusive(dns_soa); - r->Assign(0, zeek::make_intrusive(new zeek::String(mname, mname_end - mname, true))); - r->Assign(1, zeek::make_intrusive(new zeek::String(rname, rname_end - rname, true))); - r->Assign(2, zeek::val_mgr->Count(serial)); - r->Assign(3, zeek::make_intrusive(double(refresh), Seconds)); - r->Assign(4, zeek::make_intrusive(double(retry), Seconds)); - r->Assign(5, zeek::make_intrusive(double(expire), Seconds)); - r->Assign(6, zeek::make_intrusive(double(minimum), Seconds)); + static auto dns_soa = id::find_type("dns_soa"); + auto r = make_intrusive(dns_soa); + r->Assign(0, make_intrusive(new String(mname, mname_end - mname, true))); + r->Assign(1, make_intrusive(new String(rname, rname_end - rname, true))); + r->Assign(2, val_mgr->Count(serial)); + r->Assign(3, make_intrusive(double(refresh), Seconds)); + r->Assign(4, make_intrusive(double(retry), Seconds)); + r->Assign(5, make_intrusive(double(expire), Seconds)); + r->Assign(6, make_intrusive(double(minimum), Seconds)); analyzer->EnqueueConnEvent(dns_SOA_reply, analyzer->ConnVal(), @@ -648,8 +648,8 @@ bool DNS_Interpreter::ParseRR_MX(detail::DNS_MsgInfo* msg, analyzer->ConnVal(), msg->BuildHdrVal(), msg->BuildAnswerVal(), - zeek::make_intrusive(new zeek::String(name, name_end - name, true)), - zeek::val_mgr->Count(preference) + make_intrusive(new String(name, name_end - name, true)), + val_mgr->Count(preference) ); return true; @@ -689,10 +689,10 @@ bool DNS_Interpreter::ParseRR_SRV(detail::DNS_MsgInfo* msg, analyzer->ConnVal(), msg->BuildHdrVal(), msg->BuildAnswerVal(), - zeek::make_intrusive(new zeek::String(name, name_end - name, true)), - zeek::val_mgr->Count(priority), - zeek::val_mgr->Count(weight), - zeek::val_mgr->Count(port) + make_intrusive(new String(name, name_end - name, true)), + val_mgr->Count(priority), + val_mgr->Count(weight), + val_mgr->Count(port) ); return true; @@ -740,9 +740,9 @@ bool DNS_Interpreter::ParseRR_EDNS(detail::DNS_MsgInfo* msg, // IPv6 address, depending on FAMILY, which MUST be truncated to the // number of bits indicated by the SOURCE PREFIX-LENGTH field, // padding with 0 bits to pad to the end of the last octet needed. - if ( ecs_family == zeek::L3_IPV4 ) + if ( ecs_family == L3_IPV4 ) { - opt.ecs_family = zeek::make_intrusive("v4"); + opt.ecs_family = make_intrusive("v4"); uint32_t addr = 0; for (uint16_t shift_factor = 3; option_len > 0; option_len--) { @@ -751,11 +751,11 @@ bool DNS_Interpreter::ParseRR_EDNS(detail::DNS_MsgInfo* msg, shift_factor--; } addr = htonl(addr); - opt.ecs_addr = zeek::make_intrusive(addr); + opt.ecs_addr = make_intrusive(addr); } - else if ( ecs_family == zeek::L3_IPV6 ) + else if ( ecs_family == L3_IPV6 ) { - opt.ecs_family = zeek::make_intrusive("v6"); + opt.ecs_family = make_intrusive("v6"); uint32_t addr[4] = { 0 }; for (uint16_t i = 0, shift_factor = 15; option_len > 0; option_len--) { @@ -769,7 +769,7 @@ bool DNS_Interpreter::ParseRR_EDNS(detail::DNS_MsgInfo* msg, { addr[i] = htonl(addr[i]); } - opt.ecs_addr = zeek::make_intrusive(addr); + opt.ecs_addr = make_intrusive(addr); } else { @@ -784,7 +784,7 @@ bool DNS_Interpreter::ParseRR_EDNS(detail::DNS_MsgInfo* msg, msg->BuildEDNS_ECS_Val(&opt) ); break; - } // END EDNS ECS + } // END EDNS ECS case TYPE_TCP_KA: { @@ -792,43 +792,43 @@ bool DNS_Interpreter::ParseRR_EDNS(detail::DNS_MsgInfo* msg, .keepalive_timeout_omitted = true, .keepalive_timeout = 0 }; - if ( option_len == 0 || option_len == 2) - { + if ( option_len == 0 || option_len == 2) + { // 0 bytes is permitted by RFC 7828, showing that the timeout value is omitted. - if (option_len == 2) + if (option_len == 2) { edns_tcp_keepalive.keepalive_timeout = ExtractShort(data, option_len); edns_tcp_keepalive.keepalive_timeout_omitted = false; } - if (analyzer->Conn()->ConnTransport() == TRANSPORT_UDP) + if (analyzer->Conn()->ConnTransport() == TRANSPORT_UDP) { /* - * Based on RFC 7828 (3.2.1/3.2.2), clients and servers MUST NOT + * Based on RFC 7828 (3.2.1/3.2.2), clients and servers MUST NOT * negotiate TCP Keepalive timeout in DNS-over-UDP. */ analyzer->Weird("EDNS_TCP_Keepalive_In_UDP"); } - + analyzer->EnqueueConnEvent(dns_EDNS_tcp_keepalive, analyzer->ConnVal(), msg->BuildHdrVal(), msg->BuildEDNS_TCP_KA_Val(&edns_tcp_keepalive) ); - + } - else + else { // error. MUST BE 0 or 2 bytes. skip data += option_len; } break; - } // END EDNS TCP KEEPALIVE + } // END EDNS TCP KEEPALIVE case TYPE_COOKIE: { EDNS_COOKIE cookie{}; - if (option_len != 8 && ! (option_len >= 16 && option_len <= 40)) + if (option_len != 8 && ! (option_len >= 16 && option_len <= 40)) { /* * option length for DNS Cookie must be 8 bytes (with client cookie only) @@ -846,7 +846,7 @@ bool DNS_Interpreter::ParseRR_EDNS(detail::DNS_MsgInfo* msg, cookie.client_cookie = ExtractStream(data, client_cookie_len, client_cookie_len); cookie.server_cookie = nullptr; - if (server_cookie_len >= 8) + if (server_cookie_len >= 8) { cookie.server_cookie = ExtractStream(data, server_cookie_len, server_cookie_len); } @@ -872,23 +872,23 @@ bool DNS_Interpreter::ParseRR_EDNS(detail::DNS_MsgInfo* msg, } void DNS_Interpreter::ExtractOctets(const u_char*& data, int& len, - zeek::String** p) + String** p) { uint16_t dlen = ExtractShort(data, len); dlen = min(len, static_cast(dlen)); if ( p ) - *p = new zeek::String(data, dlen, false); + *p = new String(data, dlen, false); data += dlen; len -= dlen; } -zeek::String* DNS_Interpreter::ExtractStream(const u_char*& data, int& len, int l) +String* DNS_Interpreter::ExtractStream(const u_char*& data, int& len, int l) { l = max(l, 0); int dlen = min(len, l); // Len in bytes of the algorithm use - auto rval = new zeek::String(data, dlen, false); + auto rval = new String(data, dlen, false); data += dlen; len -= dlen; @@ -912,7 +912,7 @@ bool DNS_Interpreter::ParseRR_TSIG(detail::DNS_MsgInfo* msg, uint32_t sign_time_sec = ExtractLong(data, len); unsigned int sign_time_msec = ExtractShort(data, len); unsigned int fudge = ExtractShort(data, len); - zeek::String* request_MAC; + String* request_MAC; ExtractOctets(data, len, dns_TSIG_addl ? &request_MAC : nullptr); unsigned int orig_id = ExtractShort(data, len); unsigned int rr_error = ExtractShort(data, len); @@ -922,7 +922,7 @@ bool DNS_Interpreter::ParseRR_TSIG(detail::DNS_MsgInfo* msg, { detail::TSIG_DATA tsig; tsig.alg_name = - new zeek::String(alg_name, alg_name_end - alg_name, true); + new String(alg_name, alg_name_end - alg_name, true); tsig.sig = request_MAC; tsig.time_s = sign_time_sec; tsig.time_ms = sign_time_msec; @@ -976,11 +976,11 @@ bool DNS_Interpreter::ParseRR_RRSIG(detail::DNS_MsgInfo* msg, int sig_len = rdlength - ((data - data_start) + 18); detail::DNSSEC_Algo dsa = detail::DNSSEC_Algo(algo); - zeek::String* sign = ExtractStream(data, len, sig_len); + String* sign = ExtractStream(data, len, sig_len); switch ( dsa ) { case detail::RSA_MD5: - analyzer->Weird("DNSSEC_RRSIG_NotRecommended_ZoneSignAlgo", zeek::util::fmt("%d", algo)); + analyzer->Weird("DNSSEC_RRSIG_NotRecommended_ZoneSignAlgo", util::fmt("%d", algo)); break; case detail::Diffie_Hellman: break; @@ -1005,16 +1005,16 @@ bool DNS_Interpreter::ParseRR_RRSIG(detail::DNS_MsgInfo* msg, case detail::ECDSA_curveP384withSHA384: break; case detail::Indirect: - analyzer->Weird("DNSSEC_RRSIG_Indirect_ZoneSignAlgo", zeek::util::fmt("%d", algo)); + analyzer->Weird("DNSSEC_RRSIG_Indirect_ZoneSignAlgo", util::fmt("%d", algo)); break; case detail::PrivateDNS: - analyzer->Weird("DNSSEC_RRSIG_PrivateDNS_ZoneSignAlgo", zeek::util::fmt("%d", algo)); + analyzer->Weird("DNSSEC_RRSIG_PrivateDNS_ZoneSignAlgo", util::fmt("%d", algo)); break; case detail::PrivateOID: - analyzer->Weird("DNSSEC_RRSIG_PrivateOID_ZoneSignAlgo", zeek::util::fmt("%d", algo)); + analyzer->Weird("DNSSEC_RRSIG_PrivateOID_ZoneSignAlgo", util::fmt("%d", algo)); break; default: - analyzer->Weird("DNSSEC_RRSIG_unknown_ZoneSignAlgo", zeek::util::fmt("%d", algo)); + analyzer->Weird("DNSSEC_RRSIG_unknown_ZoneSignAlgo", util::fmt("%d", algo)); break; } @@ -1028,7 +1028,7 @@ bool DNS_Interpreter::ParseRR_RRSIG(detail::DNS_MsgInfo* msg, rrsig.sig_exp = sign_exp; rrsig.sig_incep = sign_incp; rrsig.key_tag = key_tag; - rrsig.signer_name = new zeek::String(name, name_end - name, true); + rrsig.signer_name = new String(name, name_end - name, true); rrsig.signature = sign; analyzer->EnqueueConnEvent(dns_RRSIG, @@ -1063,24 +1063,24 @@ bool DNS_Interpreter::ParseRR_DNSKEY(detail::DNS_MsgInfo* msg, unsigned int dalgorithm = proto_algo & 0xff; detail::DNSSEC_Algo dsa = detail::DNSSEC_Algo(dalgorithm); //Evaluating the size of remaining bytes for Public Key - zeek::String* key = ExtractStream(data, len, rdlength - 4); + String* key = ExtractStream(data, len, rdlength - 4); // flags bit 7: zone key // flags bit 8: revoked // flags bit 15: Secure Entry Point, key signing key if ( (dflags & 0xfe7e) != 0 ) - analyzer->Weird("DNSSEC_DNSKEY_Invalid_Flag", zeek::util::fmt("%d", dflags)); + analyzer->Weird("DNSSEC_DNSKEY_Invalid_Flag", util::fmt("%d", dflags)); // flags bit 7, 8, and 15 all set if ( (dflags & 0x0181) == 0x0181 ) - analyzer->Weird("DNSSEC_DNSKEY_Revoked_KSK", zeek::util::fmt("%d", dflags)); + analyzer->Weird("DNSSEC_DNSKEY_Revoked_KSK", util::fmt("%d", dflags)); if ( dprotocol != 3 ) - analyzer->Weird("DNSSEC_DNSKEY_Invalid_Protocol", zeek::util::fmt("%d", dprotocol)); + analyzer->Weird("DNSSEC_DNSKEY_Invalid_Protocol", util::fmt("%d", dprotocol)); switch ( dsa ) { case detail::RSA_MD5: - analyzer->Weird("DNSSEC_DNSKEY_NotRecommended_ZoneSignAlgo", zeek::util::fmt("%d", dalgorithm)); + analyzer->Weird("DNSSEC_DNSKEY_NotRecommended_ZoneSignAlgo", util::fmt("%d", dalgorithm)); break; case detail::Diffie_Hellman: break; @@ -1105,16 +1105,16 @@ bool DNS_Interpreter::ParseRR_DNSKEY(detail::DNS_MsgInfo* msg, case detail::ECDSA_curveP384withSHA384: break; case detail::Indirect: - analyzer->Weird("DNSSEC_DNSKEY_Indirect_ZoneSignAlgo", zeek::util::fmt("%d", dalgorithm)); + analyzer->Weird("DNSSEC_DNSKEY_Indirect_ZoneSignAlgo", util::fmt("%d", dalgorithm)); break; case detail::PrivateDNS: - analyzer->Weird("DNSSEC_DNSKEY_PrivateDNS_ZoneSignAlgo", zeek::util::fmt("%d", dalgorithm)); + analyzer->Weird("DNSSEC_DNSKEY_PrivateDNS_ZoneSignAlgo", util::fmt("%d", dalgorithm)); break; case detail::PrivateOID: - analyzer->Weird("DNSSEC_DNSKEY_PrivateOID_ZoneSignAlgo", zeek::util::fmt("%d", dalgorithm)); + analyzer->Weird("DNSSEC_DNSKEY_PrivateOID_ZoneSignAlgo", util::fmt("%d", dalgorithm)); break; default: - analyzer->Weird("DNSSEC_DNSKEY_unknown_ZoneSignAlgo", zeek::util::fmt("%d", dalgorithm)); + analyzer->Weird("DNSSEC_DNSKEY_unknown_ZoneSignAlgo", util::fmt("%d", dalgorithm)); break; } @@ -1158,7 +1158,7 @@ bool DNS_Interpreter::ParseRR_NSEC(detail::DNS_MsgInfo* msg, int typebitmaps_len = rdlength - (data - data_start); - auto char_strings = zeek::make_intrusive(zeek::id::string_vec); + auto char_strings = make_intrusive(id::string_vec); while ( typebitmaps_len > 0 && len > 0 ) { @@ -1168,12 +1168,12 @@ bool DNS_Interpreter::ParseRR_NSEC(detail::DNS_MsgInfo* msg, if ( bmlen == 0 ) { - analyzer->Weird("DNSSEC_NSEC_bitmapLen0", zeek::util::fmt("%d", win_blck)); + analyzer->Weird("DNSSEC_NSEC_bitmapLen0", util::fmt("%d", win_blck)); break; } - zeek::String* bitmap = ExtractStream(data, len, bmlen); - char_strings->Assign(char_strings->Size(), zeek::make_intrusive(bitmap)); + String* bitmap = ExtractStream(data, len, bmlen); + char_strings->Assign(char_strings->Size(), make_intrusive(bitmap)); typebitmaps_len = typebitmaps_len - (2 + bmlen); } @@ -1182,7 +1182,7 @@ bool DNS_Interpreter::ParseRR_NSEC(detail::DNS_MsgInfo* msg, analyzer->ConnVal(), msg->BuildHdrVal(), msg->BuildAnswerVal(), - zeek::make_intrusive(new zeek::String(name, name_end - name, true)), + make_intrusive(new String(name, name_end - name, true)), std::move(char_strings) ); @@ -1233,7 +1233,7 @@ bool DNS_Interpreter::ParseRR_NSEC3(detail::DNS_MsgInfo* msg, int typebitmaps_len = rdlength - (data - data_start); - auto char_strings = zeek::make_intrusive(zeek::id::string_vec); + auto char_strings = make_intrusive(id::string_vec); while ( typebitmaps_len > 0 && len > 0 ) { @@ -1243,12 +1243,12 @@ bool DNS_Interpreter::ParseRR_NSEC3(detail::DNS_MsgInfo* msg, if ( bmlen == 0 ) { - analyzer->Weird("DNSSEC_NSEC3_bitmapLen0", zeek::util::fmt("%d", win_blck)); + analyzer->Weird("DNSSEC_NSEC3_bitmapLen0", util::fmt("%d", win_blck)); break; } - zeek::String* bitmap = ExtractStream(data, len, bmlen); - char_strings->Assign(char_strings->Size(), zeek::make_intrusive(bitmap)); + String* bitmap = ExtractStream(data, len, bmlen); + char_strings->Assign(char_strings->Size(), make_intrusive(bitmap)); typebitmaps_len = typebitmaps_len - (2 + bmlen); } @@ -1295,7 +1295,7 @@ bool DNS_Interpreter::ParseRR_DS(detail::DNS_MsgInfo* msg, unsigned int ds_algo = (ds_algo_dtype >> 8) & 0xff; unsigned int ds_dtype = ds_algo_dtype & 0xff; detail::DNSSEC_Digest ds_digest_type = detail::DNSSEC_Digest(ds_dtype); - zeek::String* ds_digest = ExtractStream(data, len, rdlength - 4); + String* ds_digest = ExtractStream(data, len, rdlength - 4); switch ( ds_digest_type ) { case detail::SHA1: @@ -1307,10 +1307,10 @@ bool DNS_Interpreter::ParseRR_DS(detail::DNS_MsgInfo* msg, case detail::SHA384: break; case detail::reserved: - analyzer->Weird("DNSSEC_DS_ResrevedDigestType", zeek::util::fmt("%d", ds_dtype)); + analyzer->Weird("DNSSEC_DS_ResrevedDigestType", util::fmt("%d", ds_dtype)); break; default: - analyzer->Weird("DNSSEC_DS_unknown_DigestType", zeek::util::fmt("%d", ds_dtype)); + analyzer->Weird("DNSSEC_DS_unknown_DigestType", util::fmt("%d", ds_dtype)); break; } @@ -1349,7 +1349,7 @@ bool DNS_Interpreter::ParseRR_A(detail::DNS_MsgInfo* msg, analyzer->ConnVal(), msg->BuildHdrVal(), msg->BuildAnswerVal(), - zeek::make_intrusive(htonl(addr)) + make_intrusive(htonl(addr)) ); return true; @@ -1374,7 +1374,7 @@ bool DNS_Interpreter::ParseRR_AAAA(detail::DNS_MsgInfo* msg, } } - zeek::EventHandlerPtr event; + EventHandlerPtr event; if ( msg->atype == detail::TYPE_AAAA ) event = dns_AAAA_reply; else @@ -1385,7 +1385,7 @@ bool DNS_Interpreter::ParseRR_AAAA(detail::DNS_MsgInfo* msg, analyzer->ConnVal(), msg->BuildHdrVal(), msg->BuildAnswerVal(), - zeek::make_intrusive(addr) + make_intrusive(addr) ); return true; @@ -1409,8 +1409,8 @@ bool DNS_Interpreter::ParseRR_HINFO(detail::DNS_MsgInfo* msg, return true; } -static zeek::StringValPtr -extract_char_string(zeek::analyzer::Analyzer* analyzer, +static StringValPtr +extract_char_string(analyzer::Analyzer* analyzer, const u_char*& data, int& len, int& rdlen) { if ( rdlen <= 0 ) @@ -1428,7 +1428,7 @@ extract_char_string(zeek::analyzer::Analyzer* analyzer, return nullptr; } - auto rval = zeek::make_intrusive(str_size, reinterpret_cast(data)); + auto rval = make_intrusive(str_size, reinterpret_cast(data)); rdlen -= str_size; len -= str_size; @@ -1448,8 +1448,8 @@ bool DNS_Interpreter::ParseRR_TXT(detail::DNS_MsgInfo* msg, return true; } - auto char_strings = zeek::make_intrusive(zeek::id::string_vec); - zeek::StringValPtr char_string; + auto char_strings = make_intrusive(id::string_vec); + StringValPtr char_string; while ( (char_string = extract_char_string(analyzer, data, len, rdlength)) ) char_strings->Assign(char_strings->Size(), std::move(char_string)); @@ -1476,8 +1476,8 @@ bool DNS_Interpreter::ParseRR_SPF(detail::DNS_MsgInfo* msg, return true; } - auto char_strings = zeek::make_intrusive(zeek::id::string_vec); - zeek::StringValPtr char_string; + auto char_strings = make_intrusive(id::string_vec); + StringValPtr char_string; while ( (char_string = extract_char_string(analyzer, data, len, rdlength)) ) char_strings->Assign(char_strings->Size(), std::move(char_string)); @@ -1513,11 +1513,11 @@ bool DNS_Interpreter::ParseRR_CAA(detail::DNS_MsgInfo* msg, analyzer->Weird("DNS_CAA_char_str_past_rdlen"); return false; } - zeek::String* tag = new zeek::String(data, tagLen, true); + String* tag = new String(data, tagLen, true); len -= tagLen; data += tagLen; rdlength -= tagLen; - zeek::String* value = new zeek::String(data, rdlength, false); + String* value = new String(data, rdlength, false); len -= value->Len(); data += value->Len(); @@ -1528,9 +1528,9 @@ bool DNS_Interpreter::ParseRR_CAA(detail::DNS_MsgInfo* msg, analyzer->ConnVal(), msg->BuildHdrVal(), msg->BuildAnswerVal(), - zeek::val_mgr->Count(flags), - zeek::make_intrusive(tag), - zeek::make_intrusive(value) + val_mgr->Count(flags), + make_intrusive(tag), + make_intrusive(value) ); else { @@ -1543,10 +1543,10 @@ bool DNS_Interpreter::ParseRR_CAA(detail::DNS_MsgInfo* msg, void DNS_Interpreter::SendReplyOrRejectEvent(detail::DNS_MsgInfo* msg, - zeek::EventHandlerPtr event, + EventHandlerPtr event, const u_char*& data, int& len, - zeek::String* question_name, - zeek::String* original_name) + String* question_name, + String* original_name) { detail::RR_Type qtype = detail::RR_Type(ExtractShort(data, len)); int qclass = ExtractShort(data, len); @@ -1556,10 +1556,10 @@ void DNS_Interpreter::SendReplyOrRejectEvent(detail::DNS_MsgInfo* msg, analyzer->EnqueueConnEvent(event, analyzer->ConnVal(), msg->BuildHdrVal(), - zeek::make_intrusive(question_name), - zeek::val_mgr->Count(qtype), - zeek::val_mgr->Count(qclass), - zeek::make_intrusive(original_name) + make_intrusive(question_name), + val_mgr->Count(qtype), + val_mgr->Count(qclass), + make_intrusive(original_name) ); } @@ -1594,57 +1594,57 @@ DNS_MsgInfo::DNS_MsgInfo(DNS_RawMsgHdr* hdr, int arg_is_query) skip_event = 0; } -zeek::RecordValPtr DNS_MsgInfo::BuildHdrVal() +RecordValPtr DNS_MsgInfo::BuildHdrVal() { - static auto dns_msg = zeek::id::find_type("dns_msg"); - auto r = zeek::make_intrusive(dns_msg); + static auto dns_msg = id::find_type("dns_msg"); + auto r = make_intrusive(dns_msg); - r->Assign(0, zeek::val_mgr->Count(id)); - r->Assign(1, zeek::val_mgr->Count(opcode)); - r->Assign(2, zeek::val_mgr->Count(rcode)); - r->Assign(3, zeek::val_mgr->Bool(QR)); - r->Assign(4, zeek::val_mgr->Bool(AA)); - r->Assign(5, zeek::val_mgr->Bool(TC)); - r->Assign(6, zeek::val_mgr->Bool(RD)); - r->Assign(7, zeek::val_mgr->Bool(RA)); - r->Assign(8, zeek::val_mgr->Count(Z)); - r->Assign(9, zeek::val_mgr->Count(qdcount)); - r->Assign(10, zeek::val_mgr->Count(ancount)); - r->Assign(11, zeek::val_mgr->Count(nscount)); - r->Assign(12, zeek::val_mgr->Count(arcount)); + r->Assign(0, val_mgr->Count(id)); + r->Assign(1, val_mgr->Count(opcode)); + r->Assign(2, val_mgr->Count(rcode)); + r->Assign(3, val_mgr->Bool(QR)); + r->Assign(4, val_mgr->Bool(AA)); + r->Assign(5, val_mgr->Bool(TC)); + r->Assign(6, val_mgr->Bool(RD)); + r->Assign(7, val_mgr->Bool(RA)); + r->Assign(8, val_mgr->Count(Z)); + r->Assign(9, val_mgr->Count(qdcount)); + r->Assign(10, val_mgr->Count(ancount)); + r->Assign(11, val_mgr->Count(nscount)); + r->Assign(12, val_mgr->Count(arcount)); return r; } -zeek::RecordValPtr DNS_MsgInfo::BuildAnswerVal() +RecordValPtr DNS_MsgInfo::BuildAnswerVal() { - static auto dns_answer = zeek::id::find_type("dns_answer"); - auto r = zeek::make_intrusive(dns_answer); + static auto dns_answer = id::find_type("dns_answer"); + auto r = make_intrusive(dns_answer); - r->Assign(0, zeek::val_mgr->Count(int(answer_type))); + r->Assign(0, val_mgr->Count(int(answer_type))); r->Assign(1, query_name); - r->Assign(2, zeek::val_mgr->Count(atype)); - r->Assign(3, zeek::val_mgr->Count(aclass)); - r->Assign(4, zeek::make_intrusive(double(ttl), Seconds)); + r->Assign(2, val_mgr->Count(atype)); + r->Assign(3, val_mgr->Count(aclass)); + r->Assign(4, make_intrusive(double(ttl), Seconds)); return r; } -zeek::RecordValPtr DNS_MsgInfo::BuildEDNS_Val() +RecordValPtr DNS_MsgInfo::BuildEDNS_Val() { // We have to treat the additional record type in EDNS differently // than a regular resource record. - static auto dns_edns_additional = zeek::id::find_type("dns_edns_additional"); - auto r = zeek::make_intrusive(dns_edns_additional); + static auto dns_edns_additional = id::find_type("dns_edns_additional"); + auto r = make_intrusive(dns_edns_additional); - r->Assign(0, zeek::val_mgr->Count(int(answer_type))); + r->Assign(0, val_mgr->Count(int(answer_type))); r->Assign(1, query_name); // type = 0x29 or 41 = EDNS - r->Assign(2, zeek::val_mgr->Count(atype)); + r->Assign(2, val_mgr->Count(atype)); // sender's UDP payload size, per RFC 2671 4.3 - r->Assign(3, zeek::val_mgr->Count(aclass)); + r->Assign(3, val_mgr->Count(aclass)); // Need to break the TTL field into three components: // initial: [------------- ttl (32) ---------------------] @@ -1657,150 +1657,150 @@ zeek::RecordValPtr DNS_MsgInfo::BuildEDNS_Val() unsigned int return_error = (ercode << 8) | rcode; - r->Assign(4, zeek::val_mgr->Count(return_error)); - r->Assign(5, zeek::val_mgr->Count(version)); - r->Assign(6, zeek::val_mgr->Count(z)); - r->Assign(7, zeek::make_intrusive(double(ttl), Seconds)); - r->Assign(8, zeek::val_mgr->Count(is_query)); + r->Assign(4, val_mgr->Count(return_error)); + r->Assign(5, val_mgr->Count(version)); + r->Assign(6, val_mgr->Count(z)); + r->Assign(7, make_intrusive(double(ttl), Seconds)); + r->Assign(8, val_mgr->Count(is_query)); return r; } -zeek::RecordValPtr DNS_MsgInfo::BuildEDNS_ECS_Val(struct EDNS_ECS* opt) +RecordValPtr DNS_MsgInfo::BuildEDNS_ECS_Val(struct EDNS_ECS* opt) { - static auto dns_edns_ecs = zeek::id::find_type("dns_edns_ecs"); - auto r = zeek::make_intrusive(dns_edns_ecs); + static auto dns_edns_ecs = id::find_type("dns_edns_ecs"); + auto r = make_intrusive(dns_edns_ecs); r->Assign(0, opt->ecs_family); - r->Assign(1, zeek::val_mgr->Count(opt->ecs_src_pfx_len)); - r->Assign(2, zeek::val_mgr->Count(opt->ecs_scp_pfx_len)); + r->Assign(1, val_mgr->Count(opt->ecs_src_pfx_len)); + r->Assign(2, val_mgr->Count(opt->ecs_scp_pfx_len)); r->Assign(3, opt->ecs_addr); return r; } -zeek::RecordValPtr DNS_MsgInfo::BuildEDNS_TCP_KA_Val(struct EDNS_TCP_KEEPALIVE* opt) +RecordValPtr DNS_MsgInfo::BuildEDNS_TCP_KA_Val(struct EDNS_TCP_KEEPALIVE* opt) { - static auto dns_edns_tcp_keepalive = zeek::id::find_type("dns_edns_tcp_keepalive"); - auto r = zeek::make_intrusive(dns_edns_tcp_keepalive); + static auto dns_edns_tcp_keepalive = id::find_type("dns_edns_tcp_keepalive"); + auto r = make_intrusive(dns_edns_tcp_keepalive); - r->Assign(0, zeek::val_mgr->Bool(opt->keepalive_timeout_omitted)); - r->Assign(1, zeek::val_mgr->Count(opt->keepalive_timeout)); + r->Assign(0, val_mgr->Bool(opt->keepalive_timeout_omitted)); + r->Assign(1, val_mgr->Count(opt->keepalive_timeout)); return r; } -zeek::RecordValPtr DNS_MsgInfo::BuildEDNS_COOKIE_Val(struct EDNS_COOKIE* opt) +RecordValPtr DNS_MsgInfo::BuildEDNS_COOKIE_Val(struct EDNS_COOKIE* opt) { - static auto dns_edns_cookie = zeek::id::find_type("dns_edns_cookie"); - auto r = zeek::make_intrusive(dns_edns_cookie); + static auto dns_edns_cookie = id::find_type("dns_edns_cookie"); + auto r = make_intrusive(dns_edns_cookie); - r->Assign(0, zeek::make_intrusive(opt->client_cookie)); + r->Assign(0, make_intrusive(opt->client_cookie)); if (opt->server_cookie != nullptr) { - r->Assign(1, zeek::make_intrusive(opt->server_cookie)); + r->Assign(1, make_intrusive(opt->server_cookie)); } return r; } -zeek::RecordValPtr DNS_MsgInfo::BuildTSIG_Val(struct TSIG_DATA* tsig) +RecordValPtr DNS_MsgInfo::BuildTSIG_Val(struct TSIG_DATA* tsig) { - static auto dns_tsig_additional = zeek::id::find_type("dns_tsig_additional"); - auto r = zeek::make_intrusive(dns_tsig_additional); + static auto dns_tsig_additional = id::find_type("dns_tsig_additional"); + auto r = make_intrusive(dns_tsig_additional); double rtime = tsig->time_s + tsig->time_ms / 1000.0; - // r->Assign(0, zeek::val_mgr->Count(int(answer_type))); + // r->Assign(0, val_mgr->Count(int(answer_type))); r->Assign(0, query_name); - r->Assign(1, zeek::val_mgr->Count(int(answer_type))); - r->Assign(2, zeek::make_intrusive(tsig->alg_name)); - r->Assign(3, zeek::make_intrusive(tsig->sig)); - r->Assign(4, zeek::make_intrusive(rtime)); - r->Assign(5, zeek::make_intrusive(double(tsig->fudge))); - r->Assign(6, zeek::val_mgr->Count(tsig->orig_id)); - r->Assign(7, zeek::val_mgr->Count(tsig->rr_error)); - r->Assign(8, zeek::val_mgr->Count(is_query)); + r->Assign(1, val_mgr->Count(int(answer_type))); + r->Assign(2, make_intrusive(tsig->alg_name)); + r->Assign(3, make_intrusive(tsig->sig)); + r->Assign(4, make_intrusive(rtime)); + r->Assign(5, make_intrusive(double(tsig->fudge))); + r->Assign(6, val_mgr->Count(tsig->orig_id)); + r->Assign(7, val_mgr->Count(tsig->rr_error)); + r->Assign(8, val_mgr->Count(is_query)); return r; } -zeek::RecordValPtr DNS_MsgInfo::BuildRRSIG_Val(RRSIG_DATA* rrsig) +RecordValPtr DNS_MsgInfo::BuildRRSIG_Val(RRSIG_DATA* rrsig) { - static auto dns_rrsig_rr = zeek::id::find_type("dns_rrsig_rr"); - auto r = zeek::make_intrusive(dns_rrsig_rr); + static auto dns_rrsig_rr = id::find_type("dns_rrsig_rr"); + auto r = make_intrusive(dns_rrsig_rr); r->Assign(0, query_name); - r->Assign(1, zeek::val_mgr->Count(int(answer_type))); - r->Assign(2, zeek::val_mgr->Count(rrsig->type_covered)); - r->Assign(3, zeek::val_mgr->Count(rrsig->algorithm)); - r->Assign(4, zeek::val_mgr->Count(rrsig->labels)); - r->Assign(5, zeek::make_intrusive(double(rrsig->orig_ttl), Seconds)); - r->Assign(6, zeek::make_intrusive(double(rrsig->sig_exp))); - r->Assign(7, zeek::make_intrusive(double(rrsig->sig_incep))); - r->Assign(8, zeek::val_mgr->Count(rrsig->key_tag)); - r->Assign(9, zeek::make_intrusive(rrsig->signer_name)); - r->Assign(10, zeek::make_intrusive(rrsig->signature)); - r->Assign(11, zeek::val_mgr->Count(is_query)); + r->Assign(1, val_mgr->Count(int(answer_type))); + r->Assign(2, val_mgr->Count(rrsig->type_covered)); + r->Assign(3, val_mgr->Count(rrsig->algorithm)); + r->Assign(4, val_mgr->Count(rrsig->labels)); + r->Assign(5, make_intrusive(double(rrsig->orig_ttl), Seconds)); + r->Assign(6, make_intrusive(double(rrsig->sig_exp))); + r->Assign(7, make_intrusive(double(rrsig->sig_incep))); + r->Assign(8, val_mgr->Count(rrsig->key_tag)); + r->Assign(9, make_intrusive(rrsig->signer_name)); + r->Assign(10, make_intrusive(rrsig->signature)); + r->Assign(11, val_mgr->Count(is_query)); return r; } -zeek::RecordValPtr DNS_MsgInfo::BuildDNSKEY_Val(DNSKEY_DATA* dnskey) +RecordValPtr DNS_MsgInfo::BuildDNSKEY_Val(DNSKEY_DATA* dnskey) { - static auto dns_dnskey_rr = zeek::id::find_type("dns_dnskey_rr"); - auto r = zeek::make_intrusive(dns_dnskey_rr); + static auto dns_dnskey_rr = id::find_type("dns_dnskey_rr"); + auto r = make_intrusive(dns_dnskey_rr); r->Assign(0, query_name); - r->Assign(1, zeek::val_mgr->Count(int(answer_type))); - r->Assign(2, zeek::val_mgr->Count(dnskey->dflags)); - r->Assign(3, zeek::val_mgr->Count(dnskey->dprotocol)); - r->Assign(4, zeek::val_mgr->Count(dnskey->dalgorithm)); - r->Assign(5, zeek::make_intrusive(dnskey->public_key)); - r->Assign(6, zeek::val_mgr->Count(is_query)); + r->Assign(1, val_mgr->Count(int(answer_type))); + r->Assign(2, val_mgr->Count(dnskey->dflags)); + r->Assign(3, val_mgr->Count(dnskey->dprotocol)); + r->Assign(4, val_mgr->Count(dnskey->dalgorithm)); + r->Assign(5, make_intrusive(dnskey->public_key)); + r->Assign(6, val_mgr->Count(is_query)); return r; } -zeek::RecordValPtr DNS_MsgInfo::BuildNSEC3_Val(NSEC3_DATA* nsec3) +RecordValPtr DNS_MsgInfo::BuildNSEC3_Val(NSEC3_DATA* nsec3) { - static auto dns_nsec3_rr = zeek::id::find_type("dns_nsec3_rr"); - auto r = zeek::make_intrusive(dns_nsec3_rr); + static auto dns_nsec3_rr = id::find_type("dns_nsec3_rr"); + auto r = make_intrusive(dns_nsec3_rr); r->Assign(0, query_name); - r->Assign(1, zeek::val_mgr->Count(int(answer_type))); - r->Assign(2, zeek::val_mgr->Count(nsec3->nsec_flags)); - r->Assign(3, zeek::val_mgr->Count(nsec3->nsec_hash_algo)); - r->Assign(4, zeek::val_mgr->Count(nsec3->nsec_iter)); - r->Assign(5, zeek::val_mgr->Count(nsec3->nsec_salt_len)); - r->Assign(6, zeek::make_intrusive(nsec3->nsec_salt)); - r->Assign(7, zeek::val_mgr->Count(nsec3->nsec_hlen)); - r->Assign(8, zeek::make_intrusive(nsec3->nsec_hash)); + r->Assign(1, val_mgr->Count(int(answer_type))); + r->Assign(2, val_mgr->Count(nsec3->nsec_flags)); + r->Assign(3, val_mgr->Count(nsec3->nsec_hash_algo)); + r->Assign(4, val_mgr->Count(nsec3->nsec_iter)); + r->Assign(5, val_mgr->Count(nsec3->nsec_salt_len)); + r->Assign(6, make_intrusive(nsec3->nsec_salt)); + r->Assign(7, val_mgr->Count(nsec3->nsec_hlen)); + r->Assign(8, make_intrusive(nsec3->nsec_hash)); r->Assign(9, std::move(nsec3->bitmaps)); - r->Assign(10, zeek::val_mgr->Count(is_query)); + r->Assign(10, val_mgr->Count(is_query)); return r; } -zeek::RecordValPtr DNS_MsgInfo::BuildDS_Val(DS_DATA* ds) +RecordValPtr DNS_MsgInfo::BuildDS_Val(DS_DATA* ds) { - static auto dns_ds_rr = zeek::id::find_type("dns_ds_rr"); - auto r = zeek::make_intrusive(dns_ds_rr); + static auto dns_ds_rr = id::find_type("dns_ds_rr"); + auto r = make_intrusive(dns_ds_rr); r->Assign(0, query_name); - r->Assign(1, zeek::val_mgr->Count(int(answer_type))); - r->Assign(2, zeek::val_mgr->Count(ds->key_tag)); - r->Assign(3, zeek::val_mgr->Count(ds->algorithm)); - r->Assign(4, zeek::val_mgr->Count(ds->digest_type)); - r->Assign(5, zeek::make_intrusive(ds->digest_val)); - r->Assign(6, zeek::val_mgr->Count(is_query)); + r->Assign(1, val_mgr->Count(int(answer_type))); + r->Assign(2, val_mgr->Count(ds->key_tag)); + r->Assign(3, val_mgr->Count(ds->algorithm)); + r->Assign(4, val_mgr->Count(ds->digest_type)); + r->Assign(5, make_intrusive(ds->digest_val)); + r->Assign(6, val_mgr->Count(is_query)); return r; } } // namespace detail -Contents_DNS::Contents_DNS(zeek::Connection* conn, bool orig, +Contents_DNS::Contents_DNS(Connection* conn, bool orig, detail::DNS_Interpreter* arg_interp) -: zeek::analyzer::tcp::TCP_SupportAnalyzer("CONTENTS_DNS", conn, orig) +: analyzer::tcp::TCP_SupportAnalyzer("CONTENTS_DNS", conn, orig) { interp = arg_interp; @@ -1856,13 +1856,13 @@ void Contents_DNS::ProcessChunk(int& len, const u_char*& data, bool orig) if ( buf_len < msg_size ) { buf_len = msg_size; - msg_buf = (u_char*) zeek::util::safe_realloc((void*) msg_buf, buf_len); + msg_buf = (u_char*) util::safe_realloc((void*) msg_buf, buf_len); } } else { buf_len = msg_size; - msg_buf = (u_char*) zeek::util::safe_malloc(buf_len); + msg_buf = (u_char*) util::safe_malloc(buf_len); } ++data; @@ -1892,8 +1892,8 @@ void Contents_DNS::ProcessChunk(int& len, const u_char*& data, bool orig) state = detail::DNS_LEN_HI; } -DNS_Analyzer::DNS_Analyzer(zeek::Connection* conn) -: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("DNS", conn) +DNS_Analyzer::DNS_Analyzer(Connection* conn) +: analyzer::tcp::TCP_ApplicationAnalyzer("DNS", conn) { interp = new detail::DNS_Interpreter(this); contents_dns_orig = contents_dns_resp = nullptr; @@ -1908,7 +1908,7 @@ DNS_Analyzer::DNS_Analyzer(zeek::Connection* conn) else { ADD_ANALYZER_TIMER(&DNS_Analyzer::ExpireTimer, - zeek::run_state::network_time + zeek::detail::dns_session_timeout, true, + run_state::network_time + zeek::detail::dns_session_timeout, true, zeek::detail::TIMER_DNS_EXPIRE); } } @@ -1924,7 +1924,7 @@ void DNS_Analyzer::Init() void DNS_Analyzer::Done() { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); + analyzer::tcp::TCP_ApplicationAnalyzer::Done(); if ( Conn()->ConnTransport() == TRANSPORT_UDP ) Event(udp_session_done); @@ -1933,18 +1933,18 @@ void DNS_Analyzer::Done() } void DNS_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, - uint64_t seq, const zeek::IP_Hdr* ip, int caplen) + uint64_t seq, const IP_Hdr* ip, int caplen) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen); + analyzer::tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen); interp->ParseMessage(data, len, orig ? 1 : 0); } -void DNS_Analyzer::ConnectionClosed(zeek::analyzer::tcp::TCP_Endpoint* endpoint, - zeek::analyzer::tcp::TCP_Endpoint* peer, +void DNS_Analyzer::ConnectionClosed(analyzer::tcp::TCP_Endpoint* endpoint, + analyzer::tcp::TCP_Endpoint* peer, bool gen_event) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::ConnectionClosed(endpoint, peer, gen_event); + analyzer::tcp::TCP_ApplicationAnalyzer::ConnectionClosed(endpoint, peer, gen_event); assert(contents_dns_orig && contents_dns_resp); contents_dns_orig->Flush(); @@ -1956,10 +1956,10 @@ void DNS_Analyzer::ExpireTimer(double t) // The - 1.0 in the following is to allow 1 second for the // common case of a single request followed by a single reply, // so we don't needlessly set the timer twice in that case. - if ( t - Conn()->LastTime() >= zeek::detail::dns_session_timeout - 1.0 || zeek::run_state::terminating ) + if ( t - Conn()->LastTime() >= zeek::detail::dns_session_timeout - 1.0 || run_state::terminating ) { Event(connection_timeout); - zeek::sessions->Remove(Conn()); + sessions->Remove(Conn()); } else ADD_ANALYZER_TIMER(&DNS_Analyzer::ExpireTimer, diff --git a/src/analyzer/protocol/dns/DNS.h b/src/analyzer/protocol/dns/DNS.h index ec33e72d04..5e4c9f16bb 100644 --- a/src/analyzer/protocol/dns/DNS.h +++ b/src/analyzer/protocol/dns/DNS.h @@ -152,10 +152,10 @@ struct EDNS_ADDITIONAL { // size }; struct EDNS_ECS { - zeek::StringValPtr ecs_family; ///< EDNS client subnet address family + StringValPtr ecs_family; ///< EDNS client subnet address family uint16_t ecs_src_pfx_len; ///< EDNS client subnet source prefix length uint16_t ecs_scp_pfx_len; ///< EDNS client subnet scope prefix length - zeek::IntrusivePtr ecs_addr; ///< EDNS client subnet address + IntrusivePtr ecs_addr; ///< EDNS client subnet address }; struct EDNS_TCP_KEEPALIVE { @@ -169,10 +169,10 @@ struct EDNS_COOKIE { }; struct TSIG_DATA { - zeek::String* alg_name; + String* alg_name; unsigned long time_s; unsigned short time_ms; - zeek::String* sig; + String* sig; unsigned short fudge; unsigned short orig_id; unsigned short rr_error; @@ -186,15 +186,15 @@ struct RRSIG_DATA { unsigned long sig_exp; // 32 unsigned long sig_incep; // 32 unsigned short key_tag; //16 - zeek::String* signer_name; - zeek::String* signature; + String* signer_name; + String* signature; }; struct DNSKEY_DATA { unsigned short dflags; // 16 : ExtractShort(data, len) unsigned short dalgorithm; // 8 unsigned short dprotocol; // 8 - zeek::String* public_key; // Variable lenght Public Key + String* public_key; // Variable lenght Public Key }; struct NSEC3_DATA { @@ -202,34 +202,34 @@ struct NSEC3_DATA { unsigned short nsec_hash_algo; unsigned short nsec_iter; unsigned short nsec_salt_len; - zeek::String* nsec_salt; + String* nsec_salt; unsigned short nsec_hlen; - zeek::String* nsec_hash; - zeek::VectorValPtr bitmaps; + String* nsec_hash; + VectorValPtr bitmaps; }; struct DS_DATA { unsigned short key_tag; // 16 : ExtractShort(data, len) unsigned short algorithm; // 8 unsigned short digest_type; // 8 - zeek::String* digest_val; // Variable lenght Digest of DNSKEY RR + String* digest_val; // Variable lenght Digest of DNSKEY RR }; class DNS_MsgInfo { public: DNS_MsgInfo(DNS_RawMsgHdr* hdr, int is_query); - zeek::RecordValPtr BuildHdrVal(); - zeek::RecordValPtr BuildAnswerVal(); - zeek::RecordValPtr BuildEDNS_Val(); - zeek::RecordValPtr BuildEDNS_ECS_Val(struct EDNS_ECS*); - zeek::RecordValPtr BuildEDNS_TCP_KA_Val(struct EDNS_TCP_KEEPALIVE*); - zeek::RecordValPtr BuildEDNS_COOKIE_Val(struct EDNS_COOKIE*); - zeek::RecordValPtr BuildTSIG_Val(struct TSIG_DATA*); - zeek::RecordValPtr BuildRRSIG_Val(struct RRSIG_DATA*); - zeek::RecordValPtr BuildDNSKEY_Val(struct DNSKEY_DATA*); - zeek::RecordValPtr BuildNSEC3_Val(struct NSEC3_DATA*); - zeek::RecordValPtr BuildDS_Val(struct DS_DATA*); + RecordValPtr BuildHdrVal(); + RecordValPtr BuildAnswerVal(); + RecordValPtr BuildEDNS_Val(); + RecordValPtr BuildEDNS_ECS_Val(struct EDNS_ECS*); + RecordValPtr BuildEDNS_TCP_KA_Val(struct EDNS_TCP_KEEPALIVE*); + RecordValPtr BuildEDNS_COOKIE_Val(struct EDNS_COOKIE*); + RecordValPtr BuildTSIG_Val(struct TSIG_DATA*); + RecordValPtr BuildRRSIG_Val(struct RRSIG_DATA*); + RecordValPtr BuildDNSKEY_Val(struct DNSKEY_DATA*); + RecordValPtr BuildNSEC3_Val(struct NSEC3_DATA*); + RecordValPtr BuildDS_Val(struct DS_DATA*); int id; int opcode; ///< query type, see DNS_Opcode @@ -246,7 +246,7 @@ public: int arcount; ///< number of additional RRs int is_query; ///< whether it came from the session initiator - zeek::StringValPtr query_name; + StringValPtr query_name; RR_Type atype; int aclass; ///< normally = 1, inet uint32_t ttl; @@ -261,7 +261,7 @@ public: class DNS_Interpreter { public: - explicit DNS_Interpreter(zeek::analyzer::Analyzer* analyzer); + explicit DNS_Interpreter(analyzer::Analyzer* analyzer); void ParseMessage(const u_char* data, int len, int is_query); @@ -292,9 +292,9 @@ protected: uint16_t ExtractShort(const u_char*& data, int& len); uint32_t ExtractLong(const u_char*& data, int& len); - void ExtractOctets(const u_char*& data, int& len, zeek::String** p); + void ExtractOctets(const u_char*& data, int& len, String** p); - zeek::String* ExtractStream(const u_char*& data, int& len, int sig_len); + String* ExtractStream(const u_char*& data, int& len, int sig_len); bool ParseRR_Name(detail::DNS_MsgInfo* msg, const u_char*& data, int& len, int rdlength, @@ -352,12 +352,12 @@ protected: bool ParseRR_DS(detail::DNS_MsgInfo* msg, const u_char*& data, int& len, int rdlength, const u_char* msg_start); - void SendReplyOrRejectEvent(detail::DNS_MsgInfo* msg, zeek::EventHandlerPtr event, + void SendReplyOrRejectEvent(detail::DNS_MsgInfo* msg, EventHandlerPtr event, const u_char*& data, int& len, - zeek::String* question_name, - zeek::String* original_name); + String* question_name, + String* original_name); - zeek::analyzer::Analyzer* analyzer; + analyzer::Analyzer* analyzer; bool first_message; }; @@ -371,9 +371,9 @@ enum TCP_DNS_state { // Support analyzer which chunks the TCP stream into "packets". // ### This should be merged with TCP_Contents_RPC. -class Contents_DNS final : public zeek::analyzer::tcp::TCP_SupportAnalyzer { +class Contents_DNS final : public analyzer::tcp::TCP_SupportAnalyzer { public: - Contents_DNS(zeek::Connection* c, bool orig, detail::DNS_Interpreter* interp); + Contents_DNS(Connection* c, bool orig, detail::DNS_Interpreter* interp); ~Contents_DNS() override; void Flush(); ///< process any partially-received data @@ -394,21 +394,21 @@ protected: }; // Works for both TCP and UDP. -class DNS_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { +class DNS_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer { public: - explicit DNS_Analyzer(zeek::Connection* conn); + explicit DNS_Analyzer(Connection* conn); ~DNS_Analyzer() override; void DeliverPacket(int len, const u_char* data, bool orig, - uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override; + uint64_t seq, const IP_Hdr* ip, int caplen) override; void Init() override; void Done() override; - void ConnectionClosed(zeek::analyzer::tcp::TCP_Endpoint* endpoint, - zeek::analyzer::tcp::TCP_Endpoint* peer, bool gen_event) override; + void ConnectionClosed(analyzer::tcp::TCP_Endpoint* endpoint, + analyzer::tcp::TCP_Endpoint* peer, bool gen_event) override; void ExpireTimer(double t); - static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) + static analyzer::Analyzer* Instantiate(Connection* conn) { return new DNS_Analyzer(conn); } protected: diff --git a/src/analyzer/protocol/file/File.cc b/src/analyzer/protocol/file/File.cc index ed23402667..7353adb7be 100644 --- a/src/analyzer/protocol/file/File.cc +++ b/src/analyzer/protocol/file/File.cc @@ -11,7 +11,7 @@ namespace zeek::analyzer::file { -File_Analyzer::File_Analyzer(const char* name, zeek::Connection* conn) +File_Analyzer::File_Analyzer(const char* name, Connection* conn) : TCP_ApplicationAnalyzer(name, conn) { buffer_len = 0; @@ -19,7 +19,7 @@ File_Analyzer::File_Analyzer(const char* name, zeek::Connection* conn) void File_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); + analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); int n = std::min(len, BUFFER_SIZE - buffer_len); @@ -33,11 +33,11 @@ void File_Analyzer::DeliverStream(int len, const u_char* data, bool orig) } if ( orig ) - file_id_orig = zeek::file_mgr->DataIn(data, len, GetAnalyzerTag(), Conn(), - orig, file_id_orig); + file_id_orig = file_mgr->DataIn(data, len, GetAnalyzerTag(), Conn(), + orig, file_id_orig); else - file_id_resp = zeek::file_mgr->DataIn(data, len, GetAnalyzerTag(), Conn(), - orig, file_id_resp); + file_id_resp = file_mgr->DataIn(data, len, GetAnalyzerTag(), Conn(), + orig, file_id_resp); } void File_Analyzer::Undelivered(uint64_t seq, int len, bool orig) @@ -45,35 +45,35 @@ void File_Analyzer::Undelivered(uint64_t seq, int len, bool orig) TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); if ( orig ) - file_id_orig = zeek::file_mgr->Gap(seq, len, GetAnalyzerTag(), Conn(), orig, - file_id_orig); + file_id_orig = file_mgr->Gap(seq, len, GetAnalyzerTag(), Conn(), orig, + file_id_orig); else - file_id_resp = zeek::file_mgr->Gap(seq, len, GetAnalyzerTag(), Conn(), orig, - file_id_resp); + file_id_resp = file_mgr->Gap(seq, len, GetAnalyzerTag(), Conn(), orig, + file_id_resp); } void File_Analyzer::Done() { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); + analyzer::tcp::TCP_ApplicationAnalyzer::Done(); if ( buffer_len && buffer_len != BUFFER_SIZE ) Identify(); if ( ! file_id_orig.empty() ) - zeek::file_mgr->EndOfFile(file_id_orig); + file_mgr->EndOfFile(file_id_orig); else - zeek::file_mgr->EndOfFile(GetAnalyzerTag(), Conn(), true); + file_mgr->EndOfFile(GetAnalyzerTag(), Conn(), true); if ( ! file_id_resp.empty() ) - zeek::file_mgr->EndOfFile(file_id_resp); + file_mgr->EndOfFile(file_id_resp); else - zeek::file_mgr->EndOfFile(GetAnalyzerTag(), Conn(), false); + file_mgr->EndOfFile(GetAnalyzerTag(), Conn(), false); } void File_Analyzer::Identify() { - zeek::detail::RuleMatcher::MIME_Matches matches; - zeek::file_mgr->DetectMIME(reinterpret_cast(buffer), buffer_len, + detail::RuleMatcher::MIME_Matches matches; + file_mgr->DetectMIME(reinterpret_cast(buffer), buffer_len, &matches); std::string match = matches.empty() ? "" : *(matches.begin()->second.begin()); @@ -82,9 +82,9 @@ void File_Analyzer::Identify() EnqueueConnEvent( file_transferred, ConnVal(), - zeek::make_intrusive(buffer_len, buffer), - zeek::make_intrusive(""), - zeek::make_intrusive(match) + make_intrusive(buffer_len, buffer), + make_intrusive(""), + make_intrusive(match) ); } diff --git a/src/analyzer/protocol/file/File.h b/src/analyzer/protocol/file/File.h index bacdc6819c..fcf1883ece 100644 --- a/src/analyzer/protocol/file/File.h +++ b/src/analyzer/protocol/file/File.h @@ -8,9 +8,9 @@ namespace zeek::analyzer::file { -class File_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { +class File_Analyzer : public analyzer::tcp::TCP_ApplicationAnalyzer { public: - File_Analyzer(const char* name, zeek::Connection* conn); + File_Analyzer(const char* name, Connection* conn); void Done() override; @@ -18,7 +18,7 @@ public: void Undelivered(uint64_t seq, int len, bool orig) override; -// static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) +// static analyzer::Analyzer* Instantiate(Connection* conn) // { return new File_Analyzer(conn); } protected: @@ -33,21 +33,21 @@ protected: class IRC_Data : public File_Analyzer { public: - explicit IRC_Data(zeek::Connection* conn) + explicit IRC_Data(Connection* conn) : File_Analyzer("IRC_Data", conn) { } - static Analyzer* Instantiate(zeek::Connection* conn) + static Analyzer* Instantiate(Connection* conn) { return new IRC_Data(conn); } }; class FTP_Data : public File_Analyzer { public: - explicit FTP_Data(zeek::Connection* conn) + explicit FTP_Data(Connection* conn) : File_Analyzer("FTP_Data", conn) { } - static Analyzer* Instantiate(zeek::Connection* conn) + static Analyzer* Instantiate(Connection* conn) { return new FTP_Data(conn); } }; diff --git a/src/analyzer/protocol/finger/Finger.cc b/src/analyzer/protocol/finger/Finger.cc index 86ff1e4060..8868cfc914 100644 --- a/src/analyzer/protocol/finger/Finger.cc +++ b/src/analyzer/protocol/finger/Finger.cc @@ -13,25 +13,25 @@ namespace zeek::analyzer::finger { -Finger_Analyzer::Finger_Analyzer(zeek::Connection* conn) -: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("FINGER", conn) +Finger_Analyzer::Finger_Analyzer(Connection* conn) +: analyzer::tcp::TCP_ApplicationAnalyzer("FINGER", conn) { did_deliver = 0; - content_line_orig = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, true, 1000); + content_line_orig = new analyzer::tcp::ContentLine_Analyzer(conn, true, 1000); content_line_orig->SetIsNULSensitive(true); - content_line_resp = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, false, 1000); + content_line_resp = new analyzer::tcp::ContentLine_Analyzer(conn, false, 1000); AddSupportAnalyzer(content_line_orig); AddSupportAnalyzer(content_line_resp); } void Finger_Analyzer::Done() { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); + analyzer::tcp::TCP_ApplicationAnalyzer::Done(); if ( TCP() ) if ( (! did_deliver || content_line_orig->HasPartialLine()) && - (TCP()->OrigState() == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED || - TCP()->OrigPrevState() == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED) ) + (TCP()->OrigState() == analyzer::tcp::TCP_ENDPOINT_CLOSED || + TCP()->OrigPrevState() == analyzer::tcp::TCP_ENDPOINT_CLOSED) ) // ### should include the partial text Weird("partial_finger_request"); } @@ -50,12 +50,12 @@ void Finger_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig if ( ! finger_request ) return; - line = zeek::util::skip_whitespace(line, end_of_line); + line = util::skip_whitespace(line, end_of_line); // Check for /W. int long_cnt = (line + 2 <= end_of_line && line[0] == '/' && toupper(line[1]) == 'W'); if ( long_cnt ) - line = zeek::util::skip_whitespace(line+2, end_of_line); + line = util::skip_whitespace(line+2, end_of_line); assert(line <= end_of_line); size_t n = end_of_line >= line ? end_of_line - line : 0; // just to be sure if assertions aren't on. @@ -69,9 +69,9 @@ void Finger_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig if ( finger_request ) EnqueueConnEvent(finger_request, ConnVal(), - zeek::val_mgr->Bool(long_cnt), - zeek::make_intrusive(at - line, line), - zeek::make_intrusive(end_of_line - host, host) + val_mgr->Bool(long_cnt), + make_intrusive(at - line, line), + make_intrusive(end_of_line - host, host) ); Conn()->Match(zeek::detail::Rule::FINGER, (const u_char *) line, @@ -87,7 +87,7 @@ void Finger_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig EnqueueConnEvent(finger_reply, ConnVal(), - zeek::make_intrusive(end_of_line - line, line) + make_intrusive(end_of_line - line, line) ); } } diff --git a/src/analyzer/protocol/finger/Finger.h b/src/analyzer/protocol/finger/Finger.h index b6a3b072ef..c2546e9027 100644 --- a/src/analyzer/protocol/finger/Finger.h +++ b/src/analyzer/protocol/finger/Finger.h @@ -7,21 +7,21 @@ namespace zeek::analyzer::finger { -class Finger_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { +class Finger_Analyzer : public analyzer::tcp::TCP_ApplicationAnalyzer { public: - explicit Finger_Analyzer(zeek::Connection* conn); + explicit Finger_Analyzer(Connection* conn); ~Finger_Analyzer() override {} void Done() override; // Line-based input. void DeliverStream(int len, const u_char* data, bool orig) override; - static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) + static analyzer::Analyzer* Instantiate(Connection* conn) { return new Finger_Analyzer(conn); } protected: - zeek::analyzer::tcp::ContentLine_Analyzer* content_line_orig; - zeek::analyzer::tcp::ContentLine_Analyzer* content_line_resp; + analyzer::tcp::ContentLine_Analyzer* content_line_orig; + analyzer::tcp::ContentLine_Analyzer* content_line_resp; int did_deliver; }; diff --git a/src/analyzer/protocol/ftp/FTP.cc b/src/analyzer/protocol/ftp/FTP.cc index d64108bd93..bb9b730323 100644 --- a/src/analyzer/protocol/ftp/FTP.cc +++ b/src/analyzer/protocol/ftp/FTP.cc @@ -17,18 +17,18 @@ namespace zeek::analyzer::ftp { -FTP_Analyzer::FTP_Analyzer(zeek::Connection* conn) -: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("FTP", conn) +FTP_Analyzer::FTP_Analyzer(Connection* conn) +: analyzer::tcp::TCP_ApplicationAnalyzer("FTP", conn) { pending_reply = 0; - nvt_orig = new zeek::analyzer::login::NVT_Analyzer(conn, true); + nvt_orig = new analyzer::login::NVT_Analyzer(conn, true); nvt_orig->SetIsNULSensitive(true); nvt_orig->SetIsNULSensitive(true); nvt_orig->SetCRLFAsEOL(LF_as_EOL); nvt_orig->SetIsNULSensitive(LF_as_EOL); - nvt_resp = new zeek::analyzer::login::NVT_Analyzer(conn, false); + nvt_resp = new analyzer::login::NVT_Analyzer(conn, false); nvt_resp->SetIsNULSensitive(true); nvt_resp->SetIsNULSensitive(true); nvt_resp->SetCRLFAsEOL(LF_as_EOL); @@ -43,11 +43,11 @@ FTP_Analyzer::FTP_Analyzer(zeek::Connection* conn) void FTP_Analyzer::Done() { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); + analyzer::tcp::TCP_ApplicationAnalyzer::Done(); if ( nvt_orig->HasPartialLine() && - (TCP()->OrigState() == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED || - TCP()->OrigPrevState() == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED) ) + (TCP()->OrigState() == analyzer::tcp::TCP_ENDPOINT_CLOSED || + TCP()->OrigPrevState() == analyzer::tcp::TCP_ENDPOINT_CLOSED) ) // ### should include the partial text Weird("partial_ftp_request"); } @@ -62,7 +62,7 @@ static uint32_t get_reply_code(int len, const char* line) void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(length, data, orig); + analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(length, data, orig); if ( (orig && ! ftp_request) || (! orig && ! ftp_reply) ) return; @@ -75,31 +75,31 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig) // Could emit "ftp empty request/reply" weird, but maybe not worth it. return; - zeek::Args vl; + Args vl; - zeek::EventHandlerPtr f; + EventHandlerPtr f; if ( orig ) { int cmd_len; const char* cmd; - zeek::StringVal* cmd_str; + StringVal* cmd_str; - line = zeek::util::skip_whitespace(line, end_of_line); - zeek::util::get_word(end_of_line - line, line, cmd_len, cmd); - line = zeek::util::skip_whitespace(line + cmd_len, end_of_line); + line = util::skip_whitespace(line, end_of_line); + util::get_word(end_of_line - line, line, cmd_len, cmd); + line = util::skip_whitespace(line + cmd_len, end_of_line); if ( cmd_len == 0 ) { // Weird("FTP command missing", end_of_line - orig_line, orig_line); - cmd_str = new zeek::StringVal(""); + cmd_str = new StringVal(""); } else - cmd_str = (new zeek::StringVal(cmd_len, cmd))->ToUpper(); + cmd_str = (new StringVal(cmd_len, cmd))->ToUpper(); vl = { ConnVal(), - zeek::IntrusivePtr{zeek::AdoptRef{}, cmd_str}, - zeek::make_intrusive(end_of_line - line, line), + IntrusivePtr{AdoptRef{}, cmd_str}, + make_intrusive(end_of_line - line, line), }; f = ftp_request; @@ -109,7 +109,7 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig) "AUTH", cmd_len) == 0 ) auth_requested = std::string(line, end_of_line - line); - if ( zeek::detail::rule_matcher ) + if ( detail::rule_matcher ) Conn()->Match(zeek::detail::Rule::FTP, (const u_char *) cmd, end_of_line - cmd, true, true, true, true); } @@ -125,7 +125,7 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig) length > 3 && line[3] == ' ' ) { // This is the end of the reply. - line = zeek::util::skip_whitespace(line + 3, end_of_line); + line = util::skip_whitespace(line + 3, end_of_line); pending_reply = 0; cont_resp = 0; } @@ -140,7 +140,7 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig) if ( reply_code > 0 && length > 3 && line[3] == '-' ) { // a continued reply pending_reply = reply_code; - line = zeek::util::skip_whitespace(line + 4, end_of_line); + line = util::skip_whitespace(line + 4, end_of_line); cont_resp = 1; } else @@ -152,7 +152,7 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig) (const char*) data, length); if ( line < end_of_line ) - line = zeek::util::skip_whitespace(line, end_of_line); + line = util::skip_whitespace(line, end_of_line); else line = end_of_line; @@ -166,7 +166,7 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig) // Server wants to proceed with an ADAT exchange and we // know how to analyze the GSI mechanism, so attach analyzer // to look for that. - Analyzer* ssl = zeek::analyzer_mgr->InstantiateAnalyzer("SSL", Conn()); + Analyzer* ssl = analyzer_mgr->InstantiateAnalyzer("SSL", Conn()); if ( ssl ) { ssl->AddSupportAnalyzer(new FTP_ADAT_Analyzer(Conn(), true)); @@ -177,9 +177,9 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig) vl = { ConnVal(), - zeek::val_mgr->Count(reply_code), - zeek::make_intrusive(end_of_line - line, line), - zeek::val_mgr->Bool(cont_resp) + val_mgr->Count(reply_code), + make_intrusive(end_of_line - line, line), + val_mgr->Bool(cont_resp) }; f = ftp_reply; @@ -204,20 +204,20 @@ void FTP_ADAT_Analyzer::DeliverStream(int len, const u_char* data, bool orig) const char* line = (const char*) data; const char* end_of_line = line + len; - zeek::String* decoded_adat = nullptr; + String* decoded_adat = nullptr; if ( orig ) { int cmd_len; const char* cmd; - line = zeek::util::skip_whitespace(line, end_of_line); - zeek::util::get_word(len, line, cmd_len, cmd); + line = util::skip_whitespace(line, end_of_line); + util::get_word(len, line, cmd_len, cmd); if ( strncmp(cmd, "ADAT", cmd_len) == 0 ) { - line = zeek::util::skip_whitespace(line + cmd_len, end_of_line); - zeek::StringVal encoded(end_of_line - line, line); - decoded_adat = zeek::detail::decode_base64(encoded.AsString(), nullptr, Conn()); + line = util::skip_whitespace(line + cmd_len, end_of_line); + StringVal encoded(end_of_line - line, line); + decoded_adat = detail::decode_base64(encoded.AsString(), nullptr, Conn()); if ( first_token ) { @@ -286,12 +286,12 @@ void FTP_ADAT_Analyzer::DeliverStream(int len, const u_char* data, bool orig) if ( len > 3 && line[0] == '-' ) line++; - line = zeek::util::skip_whitespace(line, end_of_line); + line = util::skip_whitespace(line, end_of_line); if ( end_of_line - line >= 5 && strncmp(line, "ADAT=", 5) == 0 ) { line += 5; - zeek::StringVal encoded(end_of_line - line, line); + StringVal encoded(end_of_line - line, line); decoded_adat = zeek::detail::decode_base64(encoded.AsString(), nullptr, Conn()); } diff --git a/src/analyzer/protocol/ftp/FTP.h b/src/analyzer/protocol/ftp/FTP.h index d0eed1fe83..cd5ff8d6ad 100644 --- a/src/analyzer/protocol/ftp/FTP.h +++ b/src/analyzer/protocol/ftp/FTP.h @@ -8,21 +8,21 @@ ZEEK_FORWARD_DECLARE_NAMESPACED(NVT_Analyzer, zeek, analyzer::login); namespace zeek::analyzer::ftp { -class FTP_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { +class FTP_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer { public: - explicit FTP_Analyzer(zeek::Connection* conn); + explicit FTP_Analyzer(Connection* conn); void Done() override; void DeliverStream(int len, const u_char* data, bool orig) override; - static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) + static analyzer::Analyzer* Instantiate(Connection* conn) { return new FTP_Analyzer(conn); } protected: - zeek::analyzer::login::NVT_Analyzer* nvt_orig; - zeek::analyzer::login::NVT_Analyzer* nvt_resp; + analyzer::login::NVT_Analyzer* nvt_orig; + analyzer::login::NVT_Analyzer* nvt_resp; uint32_t pending_reply; // code associated with multi-line reply, or 0 std::string auth_requested; // AUTH method requested }; @@ -34,9 +34,9 @@ protected: * analyzer just decodes the tokens and passes them on to the parent, which must * be an SSL analyzer instance. */ -class FTP_ADAT_Analyzer final : public zeek::analyzer::SupportAnalyzer { +class FTP_ADAT_Analyzer final : public analyzer::SupportAnalyzer { public: - FTP_ADAT_Analyzer(zeek::Connection* conn, bool arg_orig) + FTP_ADAT_Analyzer(Connection* conn, bool arg_orig) : SupportAnalyzer("FTP_ADAT", conn, arg_orig), first_token(true) { } diff --git a/src/analyzer/protocol/gnutella/Gnutella.cc b/src/analyzer/protocol/gnutella/Gnutella.cc index 26c8ec67c6..4d3d81aea6 100644 --- a/src/analyzer/protocol/gnutella/Gnutella.cc +++ b/src/analyzer/protocol/gnutella/Gnutella.cc @@ -36,8 +36,8 @@ GnutellaMsgState::GnutellaMsgState() } // namespace detail -Gnutella_Analyzer::Gnutella_Analyzer(zeek::Connection* conn) -: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("GNUTELLA", conn) +Gnutella_Analyzer::Gnutella_Analyzer(Connection* conn) +: analyzer::tcp::TCP_ApplicationAnalyzer("GNUTELLA", conn) { state = 0; new_state = 0; @@ -57,7 +57,7 @@ Gnutella_Analyzer::~Gnutella_Analyzer() void Gnutella_Analyzer::Done() { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); + analyzer::tcp::TCP_ApplicationAnalyzer::Done(); if ( ! sent_establish && (gnutella_establish || gnutella_not_establish) ) { @@ -76,9 +76,9 @@ void Gnutella_Analyzer::Done() if ( ! p->msg_sent && p->msg_pos ) EnqueueConnEvent(gnutella_partial_binary_msg, ConnVal(), - zeek::make_intrusive(p->msg), - zeek::val_mgr->Bool((i == 0)), - zeek::val_mgr->Count(p->msg_pos)); + make_intrusive(p->msg), + val_mgr->Bool((i == 0)), + val_mgr->Count(p->msg_pos)); else if ( ! p->msg_sent && p->payload_left ) SendEvents(p, (i == 0)); @@ -122,16 +122,16 @@ bool Gnutella_Analyzer::IsHTTP(std::string header) if ( gnutella_http_notify ) EnqueueConnEvent(gnutella_http_notify, ConnVal()); - zeek::analyzer::Analyzer* a = zeek::analyzer_mgr->InstantiateAnalyzer("HTTP", Conn()); + analyzer::Analyzer* a = analyzer_mgr->InstantiateAnalyzer("HTTP", Conn()); if ( a && Parent()->AddChildAnalyzer(a) ) { if ( Parent()->IsAnalyzer("TCP") ) { // Replay buffered data. - zeek::analyzer::pia::PIA* pia = static_cast(Parent())->GetPIA(); + analyzer::pia::PIA* pia = static_cast(Parent())->GetPIA(); if ( pia ) - static_cast(pia)->ReplayStreamBuffer(a); + static_cast(pia)->ReplayStreamBuffer(a); } Parent()->RemoveChildAnalyzer(this); @@ -180,8 +180,8 @@ void Gnutella_Analyzer::DeliverLines(int len, const u_char* data, bool orig) if ( gnutella_text_msg ) EnqueueConnEvent(gnutella_text_msg, ConnVal(), - zeek::val_mgr->Bool(orig), - zeek::make_intrusive(ms->headers.data())); + val_mgr->Bool(orig), + make_intrusive(ms->headers.data())); ms->headers = ""; state |= new_state; @@ -217,15 +217,15 @@ void Gnutella_Analyzer::SendEvents(detail::GnutellaMsgState* p, bool is_orig) if ( gnutella_binary_msg ) EnqueueConnEvent(gnutella_binary_msg, ConnVal(), - zeek::val_mgr->Bool(is_orig), - zeek::val_mgr->Count(p->msg_type), - zeek::val_mgr->Count(p->msg_ttl), - zeek::val_mgr->Count(p->msg_hops), - zeek::val_mgr->Count(p->msg_len), - zeek::make_intrusive(p->payload), - zeek::val_mgr->Count(p->payload_len), - zeek::val_mgr->Bool((p->payload_len < std::min(p->msg_len, (unsigned int)GNUTELLA_MAX_PAYLOAD))), - zeek::val_mgr->Bool((p->payload_left == 0))); + val_mgr->Bool(is_orig), + val_mgr->Count(p->msg_type), + val_mgr->Count(p->msg_ttl), + val_mgr->Count(p->msg_hops), + val_mgr->Count(p->msg_len), + make_intrusive(p->payload), + val_mgr->Count(p->payload_len), + val_mgr->Bool((p->payload_len < std::min(p->msg_len, (unsigned int)GNUTELLA_MAX_PAYLOAD))), + val_mgr->Bool((p->payload_left == 0))); } @@ -304,7 +304,7 @@ void Gnutella_Analyzer::DeliverMessages(int len, const u_char* data, bool orig) void Gnutella_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); + analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); ms = orig ? orig_msg_state : resp_msg_state; ms->current_offset = 0; diff --git a/src/analyzer/protocol/gnutella/Gnutella.h b/src/analyzer/protocol/gnutella/Gnutella.h index c33a3b5a99..649c15a9ce 100644 --- a/src/analyzer/protocol/gnutella/Gnutella.h +++ b/src/analyzer/protocol/gnutella/Gnutella.h @@ -36,15 +36,15 @@ public: } // namespace detail -class Gnutella_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { +class Gnutella_Analyzer : public analyzer::tcp::TCP_ApplicationAnalyzer { public: - explicit Gnutella_Analyzer(zeek::Connection* conn); + explicit Gnutella_Analyzer(Connection* conn); ~Gnutella_Analyzer() override; void Done () override; void DeliverStream(int len, const u_char* data, bool orig) override; - static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) + static analyzer::Analyzer* Instantiate(Connection* conn) { return new Gnutella_Analyzer(conn); } private: diff --git a/src/analyzer/protocol/gssapi/GSSAPI.cc b/src/analyzer/protocol/gssapi/GSSAPI.cc index e9dc7a7b0a..991c7ab34a 100644 --- a/src/analyzer/protocol/gssapi/GSSAPI.cc +++ b/src/analyzer/protocol/gssapi/GSSAPI.cc @@ -7,8 +7,8 @@ namespace zeek::analyzer::gssapi { -GSSAPI_Analyzer::GSSAPI_Analyzer(zeek::Connection* c) - : zeek::analyzer::tcp::TCP_ApplicationAnalyzer("GSSAPI", c) +GSSAPI_Analyzer::GSSAPI_Analyzer(Connection* c) + : analyzer::tcp::TCP_ApplicationAnalyzer("GSSAPI", c) { interp = new binpac::GSSAPI::GSSAPI_Conn(this); } @@ -20,7 +20,7 @@ GSSAPI_Analyzer::~GSSAPI_Analyzer() void GSSAPI_Analyzer::Done() { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); + analyzer::tcp::TCP_ApplicationAnalyzer::Done(); interp->FlowEOF(true); interp->FlowEOF(false); @@ -28,13 +28,13 @@ void GSSAPI_Analyzer::Done() void GSSAPI_Analyzer::EndpointEOF(bool is_orig) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); + analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); interp->FlowEOF(is_orig); } void GSSAPI_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); + analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); assert(TCP()); @@ -45,13 +45,13 @@ void GSSAPI_Analyzer::DeliverStream(int len, const u_char* data, bool orig) } catch ( const binpac::Exception& e ) { - ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg())); + ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg())); } } void GSSAPI_Analyzer::Undelivered(uint64_t seq, int len, bool orig) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); + analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); interp->NewGap(orig, len); } diff --git a/src/analyzer/protocol/gssapi/GSSAPI.h b/src/analyzer/protocol/gssapi/GSSAPI.h index e7a1909489..e7e30f5aa1 100644 --- a/src/analyzer/protocol/gssapi/GSSAPI.h +++ b/src/analyzer/protocol/gssapi/GSSAPI.h @@ -9,10 +9,10 @@ namespace zeek::analyzer::gssapi { -class GSSAPI_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { +class GSSAPI_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer { public: - explicit GSSAPI_Analyzer(zeek::Connection* conn); + explicit GSSAPI_Analyzer(Connection* conn); ~GSSAPI_Analyzer() override; // Overriden from Analyzer. @@ -21,10 +21,10 @@ public: void DeliverStream(int len, const u_char* data, bool orig) override; void Undelivered(uint64_t seq, int len, bool orig) override; - // Overriden from zeek::analyzer::tcp::TCP_ApplicationAnalyzer. + // Overriden from analyzer::tcp::TCP_ApplicationAnalyzer. void EndpointEOF(bool is_orig) override; - static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) + static analyzer::Analyzer* Instantiate(Connection* conn) { return new GSSAPI_Analyzer(conn); } protected: diff --git a/src/analyzer/protocol/gtpv1/GTPv1.cc b/src/analyzer/protocol/gtpv1/GTPv1.cc index c5aa6e89bc..2cf261cc99 100644 --- a/src/analyzer/protocol/gtpv1/GTPv1.cc +++ b/src/analyzer/protocol/gtpv1/GTPv1.cc @@ -6,7 +6,7 @@ namespace zeek::analyzer::gtpv1 { -GTPv1_Analyzer::GTPv1_Analyzer(zeek::Connection* conn) +GTPv1_Analyzer::GTPv1_Analyzer(Connection* conn) : Analyzer("GTPV1", conn) { interp = new binpac::GTPv1::GTPv1_Conn(this); @@ -23,7 +23,7 @@ void GTPv1_Analyzer::Done() Event(udp_session_done); } -void GTPv1_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64_t seq, const zeek::IP_Hdr* ip, int caplen) +void GTPv1_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64_t seq, const IP_Hdr* ip, int caplen) { Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); try @@ -32,7 +32,7 @@ void GTPv1_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint6 } catch ( const binpac::Exception& e ) { - ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg())); + ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg())); } } diff --git a/src/analyzer/protocol/gtpv1/GTPv1.h b/src/analyzer/protocol/gtpv1/GTPv1.h index f80798aded..257de6e0c7 100644 --- a/src/analyzer/protocol/gtpv1/GTPv1.h +++ b/src/analyzer/protocol/gtpv1/GTPv1.h @@ -4,16 +4,16 @@ namespace zeek::analyzer::gtpv1 { -class GTPv1_Analyzer final : public zeek::analyzer::Analyzer { +class GTPv1_Analyzer final : public analyzer::Analyzer { public: - explicit GTPv1_Analyzer(zeek::Connection* conn); + explicit GTPv1_Analyzer(Connection* conn); virtual ~GTPv1_Analyzer(); virtual void Done(); virtual void DeliverPacket(int len, const u_char* data, bool orig, - uint64_t seq, const zeek::IP_Hdr* ip, int caplen); + uint64_t seq, const IP_Hdr* ip, int caplen); - static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) + static analyzer::Analyzer* Instantiate(Connection* conn) { return new GTPv1_Analyzer(conn); } protected: diff --git a/src/analyzer/protocol/http/HTTP.cc b/src/analyzer/protocol/http/HTTP.cc index d5066ae9c8..5c661e72b3 100644 --- a/src/analyzer/protocol/http/HTTP.cc +++ b/src/analyzer/protocol/http/HTTP.cc @@ -36,9 +36,9 @@ enum HTTP_ExpectReply { EXPECT_REPLY_NOTHING, }; -HTTP_Entity::HTTP_Entity(HTTP_Message* arg_message, zeek::analyzer::mime::MIME_Entity* parent_entity, +HTTP_Entity::HTTP_Entity(HTTP_Message* arg_message, analyzer::mime::MIME_Entity* parent_entity, int arg_expect_body) - : zeek::analyzer::mime::MIME_Entity(arg_message, parent_entity) + : analyzer::mime::MIME_Entity(arg_message, parent_entity) { http_message = arg_message; expect_body = arg_expect_body; @@ -62,7 +62,7 @@ HTTP_Entity::HTTP_Entity(HTTP_Message* arg_message, zeek::analyzer::mime::MIME_E void HTTP_Entity::EndOfData() { if ( DEBUG_http ) - DEBUG_MSG("%.6f: end of data\n", zeek::run_state::network_time); + DEBUG_MSG("%.6f: end of data\n", run_state::network_time); if ( zip ) { @@ -76,7 +76,7 @@ void HTTP_Entity::EndOfData() http_message->MyHTTP_Analyzer()-> ForwardEndOfData(http_message->IsOrig()); - zeek::analyzer::mime::MIME_Entity::EndOfData(); + analyzer::mime::MIME_Entity::EndOfData(); } void HTTP_Entity::Deliver(int len, const char* data, bool trailing_CRLF) @@ -84,13 +84,13 @@ void HTTP_Entity::Deliver(int len, const char* data, bool trailing_CRLF) if ( DEBUG_http ) { DEBUG_MSG("%.6f HTTP_Entity::Deliver len=%d, in_header=%d\n", - zeek::run_state::network_time, len, in_header); + run_state::network_time, len, in_header); } if ( end_of_data ) { // Multipart entities may have trailers - if ( content_type != zeek::analyzer::mime::CONTENT_TYPE_MULTIPART ) + if ( content_type != analyzer::mime::CONTENT_TYPE_MULTIPART ) IllegalFormat("data trailing the end of entity"); return; } @@ -101,13 +101,13 @@ void HTTP_Entity::Deliver(int len, const char* data, bool trailing_CRLF) http_message->MyHTTP_Analyzer()->Weird("http_no_crlf_in_header_list"); header_length += len; - zeek::analyzer::mime::MIME_Entity::Deliver(len, data, trailing_CRLF); + analyzer::mime::MIME_Entity::Deliver(len, data, trailing_CRLF); return; } // Entity body. - if ( content_type == zeek::analyzer::mime::CONTENT_TYPE_MULTIPART || - content_type == zeek::analyzer::mime::CONTENT_TYPE_MESSAGE ) + if ( content_type == analyzer::mime::CONTENT_TYPE_MULTIPART || + content_type == analyzer::mime::CONTENT_TYPE_MESSAGE ) DeliverBody(len, data, trailing_CRLF); else if ( chunked_transfer_state != NON_CHUNKED_TRANSFER ) @@ -115,7 +115,7 @@ void HTTP_Entity::Deliver(int len, const char* data, bool trailing_CRLF) switch ( chunked_transfer_state ) { case EXPECT_CHUNK_SIZE: ASSERT(trailing_CRLF); - if ( ! zeek::util::atoi_n(len, data, nullptr, 16, expect_data_length) ) + if ( ! util::atoi_n(len, data, nullptr, 16, expect_data_length) ) { http_message->Weird("HTTP_bad_chunk_size"); expect_data_length = 0; @@ -174,7 +174,7 @@ void HTTP_Entity::Deliver(int len, const char* data, bool trailing_CRLF) DeliverBody(len, data, trailing_CRLF); } -class HTTP_Entity::UncompressedOutput : public zeek::analyzer::OutputHandler { +class HTTP_Entity::UncompressedOutput : public analyzer::OutputHandler { public: UncompressedOutput(HTTP_Entity* e) { entity = e; } void DeliverStream(int len, const u_char* data, bool orig) override @@ -189,14 +189,14 @@ void HTTP_Entity::DeliverBody(int len, const char* data, bool trailing_CRLF) { if ( encoding == GZIP || encoding == DEFLATE ) { - zeek::analyzer::zip::ZIP_Analyzer::Method method = + analyzer::zip::ZIP_Analyzer::Method method = encoding == GZIP ? - zeek::analyzer::zip::ZIP_Analyzer::GZIP : zeek::analyzer::zip::ZIP_Analyzer::DEFLATE; + analyzer::zip::ZIP_Analyzer::GZIP : analyzer::zip::ZIP_Analyzer::DEFLATE; if ( ! zip ) { // We don't care about the direction here. - zip = new zeek::analyzer::zip::ZIP_Analyzer( + zip = new analyzer::zip::ZIP_Analyzer( http_message->MyHTTP_Analyzer()->Conn(), false, method); zip->SetOutputHandler(new UncompressedOutput(this)); @@ -217,7 +217,7 @@ void HTTP_Entity::DeliverBodyClear(int len, const char* data, bool trailing_CRLF body_length += 2; if ( deliver_body ) - zeek::analyzer::mime::MIME_Entity::Deliver(len, data, trailing_CRLF); + analyzer::mime::MIME_Entity::Deliver(len, data, trailing_CRLF); zeek::detail::Rule::PatternType rule = http_message->IsOrig() ? @@ -249,7 +249,7 @@ bool HTTP_Entity::Undelivered(int64_t len) if ( is_partial_content ) { - precomputed_file_id = zeek::file_mgr->Gap( + precomputed_file_id = file_mgr->Gap( body_length, len, http_message->MyHTTP_Analyzer()->GetAnalyzerTag(), http_message->MyHTTP_Analyzer()->Conn(), @@ -258,7 +258,7 @@ bool HTTP_Entity::Undelivered(int64_t len) offset += len; } else - precomputed_file_id = zeek::file_mgr->Gap( + precomputed_file_id = file_mgr->Gap( body_length, len, http_message->MyHTTP_Analyzer()->GetAnalyzerTag(), http_message->MyHTTP_Analyzer()->Conn(), @@ -308,7 +308,7 @@ bool HTTP_Entity::Undelivered(int64_t len) void HTTP_Entity::SubmitData(int len, const char* buf) { if ( deliver_body ) - zeek::analyzer::mime::MIME_Entity::SubmitData(len, buf); + analyzer::mime::MIME_Entity::SubmitData(len, buf); if ( send_size && ( encoding == GZIP || encoding == DEFLATE ) ) // Auto-decompress in DeliverBody invalidates sizes derived from headers @@ -317,13 +317,13 @@ void HTTP_Entity::SubmitData(int len, const char* buf) if ( is_partial_content ) { if ( send_size && instance_length > 0 ) - precomputed_file_id = zeek::file_mgr->SetSize( + precomputed_file_id = file_mgr->SetSize( instance_length, http_message->MyHTTP_Analyzer()->GetAnalyzerTag(), http_message->MyHTTP_Analyzer()->Conn(), http_message->IsOrig(), precomputed_file_id); - precomputed_file_id = zeek::file_mgr->DataIn( + precomputed_file_id = file_mgr->DataIn( reinterpret_cast(buf), len, offset, http_message->MyHTTP_Analyzer()->GetAnalyzerTag(), http_message->MyHTTP_Analyzer()->Conn(), @@ -334,14 +334,14 @@ void HTTP_Entity::SubmitData(int len, const char* buf) else { if ( send_size && content_length > 0 ) - precomputed_file_id = zeek::file_mgr->SetSize( + precomputed_file_id = file_mgr->SetSize( content_length, http_message->MyHTTP_Analyzer()->GetAnalyzerTag(), http_message->MyHTTP_Analyzer()->Conn(), http_message->IsOrig(), precomputed_file_id); - precomputed_file_id = zeek::file_mgr->DataIn( + precomputed_file_id = file_mgr->DataIn( reinterpret_cast(buf), len, http_message->MyHTTP_Analyzer()->GetAnalyzerTag(), @@ -365,15 +365,15 @@ void HTTP_Entity::SetPlainDelivery(int64_t length) // expect_data_length. } -void HTTP_Entity::SubmitHeader(zeek::analyzer::mime::MIME_Header* h) +void HTTP_Entity::SubmitHeader(analyzer::mime::MIME_Header* h) { - if ( zeek::analyzer::mime::istrequal(h->get_name(), "content-length") ) + if ( analyzer::mime::istrequal(h->get_name(), "content-length") ) { - zeek::data_chunk_t vt = h->get_value_token(); - if ( ! zeek::analyzer::mime::is_null_data_chunk(vt) ) + data_chunk_t vt = h->get_value_token(); + if ( ! analyzer::mime::is_null_data_chunk(vt) ) { int64_t n; - if ( zeek::util::atoi_n(vt.length, vt.data, nullptr, 10, n) ) + if ( util::atoi_n(vt.length, vt.data, nullptr, 10, n) ) { content_length = n; @@ -393,10 +393,10 @@ void HTTP_Entity::SubmitHeader(zeek::analyzer::mime::MIME_Header* h) } // Figure out content-length for HTTP 206 Partial Content response - else if ( zeek::analyzer::mime::istrequal(h->get_name(), "content-range") && + else if ( analyzer::mime::istrequal(h->get_name(), "content-range") && http_message->MyHTTP_Analyzer()->HTTP_ReplyCode() == 206 ) { - zeek::data_chunk_t vt = h->get_value_token(); + data_chunk_t vt = h->get_value_token(); string byte_unit(vt.data, vt.length); vt = h->get_value_after_token(); string byte_range(vt.data, vt.length); @@ -435,8 +435,8 @@ void HTTP_Entity::SubmitHeader(zeek::analyzer::mime::MIME_Header* h) instance_length_str.c_str()); int64_t f, l; - zeek::util::atoi_n(first_byte_pos.size(), first_byte_pos.c_str(), nullptr, 10, f); - zeek::util::atoi_n(last_byte_pos.size(), last_byte_pos.c_str(), nullptr, 10, l); + util::atoi_n(first_byte_pos.size(), first_byte_pos.c_str(), nullptr, 10, f); + util::atoi_n(last_byte_pos.size(), last_byte_pos.c_str(), nullptr, 10, l); int64_t len = l - f + 1; if ( DEBUG_http ) @@ -446,7 +446,7 @@ void HTTP_Entity::SubmitHeader(zeek::analyzer::mime::MIME_Header* h) { if ( instance_length_str != "*" ) { - if ( ! zeek::util::atoi_n(instance_length_str.size(), + if ( ! util::atoi_n(instance_length_str.size(), instance_length_str.c_str(), nullptr, 10, instance_length) ) instance_length = 0; @@ -478,7 +478,7 @@ void HTTP_Entity::SubmitHeader(zeek::analyzer::mime::MIME_Header* h) } } - else if ( zeek::analyzer::mime::istrequal(h->get_name(), "transfer-encoding") ) + else if ( analyzer::mime::istrequal(h->get_name(), "transfer-encoding") ) { HTTP_Analyzer::HTTP_VersionNumber http_version; @@ -487,22 +487,22 @@ void HTTP_Entity::SubmitHeader(zeek::analyzer::mime::MIME_Header* h) else // reply_ongoing http_version = http_message->analyzer->GetReplyVersionNumber(); - zeek::data_chunk_t vt = h->get_value_token(); - if ( zeek::analyzer::mime::istrequal(vt, "chunked") && + data_chunk_t vt = h->get_value_token(); + if ( analyzer::mime::istrequal(vt, "chunked") && http_version == HTTP_Analyzer::HTTP_VersionNumber{1, 1} ) chunked_transfer_state = BEFORE_CHUNK; } - else if ( zeek::analyzer::mime::istrequal(h->get_name(), "content-encoding") ) + else if ( analyzer::mime::istrequal(h->get_name(), "content-encoding") ) { - zeek::data_chunk_t vt = h->get_value_token(); - if ( zeek::analyzer::mime::istrequal(vt, "gzip") || zeek::analyzer::mime::istrequal(vt, "x-gzip") ) + data_chunk_t vt = h->get_value_token(); + if ( analyzer::mime::istrequal(vt, "gzip") || analyzer::mime::istrequal(vt, "x-gzip") ) encoding = GZIP; - if ( zeek::analyzer::mime::istrequal(vt, "deflate") ) + if ( analyzer::mime::istrequal(vt, "deflate") ) encoding = DEFLATE; } - zeek::analyzer::mime::MIME_Entity::SubmitHeader(h); + analyzer::mime::MIME_Entity::SubmitHeader(h); } void HTTP_Entity::SubmitAllHeaders() @@ -511,10 +511,10 @@ void HTTP_Entity::SubmitAllHeaders() ASSERT(! in_header); if ( DEBUG_http ) - DEBUG_MSG("%.6f end of headers\n", zeek::run_state::network_time); + DEBUG_MSG("%.6f end of headers\n", run_state::network_time); if ( Parent() && - Parent()->MIMEContentType() == zeek::analyzer::mime::CONTENT_TYPE_MULTIPART ) + Parent()->MIMEContentType() == analyzer::mime::CONTENT_TYPE_MULTIPART ) { // Don't treat single \r or \n characters in the multipart body content // as lines because the MIME_Entity code will implicitly add back a @@ -538,7 +538,7 @@ void HTTP_Entity::SubmitAllHeaders() return; } - zeek::analyzer::mime::MIME_Entity::SubmitAllHeaders(); + analyzer::mime::MIME_Entity::SubmitAllHeaders(); if ( expect_body == HTTP_BODY_NOT_EXPECTED ) { @@ -546,8 +546,8 @@ void HTTP_Entity::SubmitAllHeaders() return; } - if ( content_type == zeek::analyzer::mime::CONTENT_TYPE_MULTIPART || - content_type == zeek::analyzer::mime::CONTENT_TYPE_MESSAGE ) + if ( content_type == analyzer::mime::CONTENT_TYPE_MULTIPART || + content_type == analyzer::mime::CONTENT_TYPE_MESSAGE ) { // Do nothing. // Make sure that we check for multiple/message contents first, @@ -596,9 +596,9 @@ void HTTP_Entity::SubmitAllHeaders() } HTTP_Message::HTTP_Message(HTTP_Analyzer* arg_analyzer, - zeek::analyzer::tcp::ContentLine_Analyzer* arg_cl, bool arg_is_orig, + analyzer::tcp::ContentLine_Analyzer* arg_cl, bool arg_is_orig, int expect_body, int64_t init_header_length) -: zeek::analyzer::mime::MIME_Message (arg_analyzer) +: analyzer::mime::MIME_Message (arg_analyzer) { analyzer = arg_analyzer; content_line = arg_cl; @@ -609,7 +609,7 @@ HTTP_Message::HTTP_Message(HTTP_Analyzer* arg_analyzer, entity_data_buffer = nullptr; BeginEntity(top_level); - start_time = zeek::run_state::network_time; + start_time = run_state::network_time; body_length = 0; content_gap_length = 0; header_length = init_header_length; @@ -621,17 +621,17 @@ HTTP_Message::~HTTP_Message() delete [] entity_data_buffer; } -zeek::RecordValPtr HTTP_Message::BuildMessageStat(bool interrupted, const char* msg) +RecordValPtr HTTP_Message::BuildMessageStat(bool interrupted, const char* msg) { - static auto http_message_stat = zeek::id::find_type("http_message_stat"); - auto stat = zeek::make_intrusive(http_message_stat); + static auto http_message_stat = id::find_type("http_message_stat"); + auto stat = make_intrusive(http_message_stat); int field = 0; - stat->Assign(field++, zeek::make_intrusive(start_time)); - stat->Assign(field++, zeek::val_mgr->Bool(interrupted)); - stat->Assign(field++, zeek::make_intrusive(msg)); - stat->Assign(field++, zeek::val_mgr->Count(body_length)); - stat->Assign(field++, zeek::val_mgr->Count(content_gap_length)); - stat->Assign(field++, zeek::val_mgr->Count(header_length)); + stat->Assign(field++, make_intrusive(start_time)); + stat->Assign(field++, val_mgr->Bool(interrupted)); + stat->Assign(field++, make_intrusive(msg)); + stat->Assign(field++, val_mgr->Count(body_length)); + stat->Assign(field++, val_mgr->Count(content_gap_length)); + stat->Assign(field++, val_mgr->Count(header_length)); return stat; } @@ -640,9 +640,9 @@ void HTTP_Message::Done(bool interrupted, const char* detail) if ( finished ) return; - zeek::analyzer::mime::MIME_Message::Done(); + analyzer::mime::MIME_Message::Done(); - // DEBUG_MSG("%.6f HTTP message done.\n", zeek::run_state::network_time); + // DEBUG_MSG("%.6f HTTP message done.\n", run_state::network_time); top_level->EndOfData(); if ( is_orig || MyHTTP_Analyzer()->HTTP_ReplyCode() != 206 ) @@ -651,16 +651,16 @@ void HTTP_Message::Done(bool interrupted, const char* detail) HTTP_Entity* he = dynamic_cast(top_level); if ( he && ! he->FileID().empty() ) - zeek::file_mgr->EndOfFile(he->FileID()); + file_mgr->EndOfFile(he->FileID()); else - zeek::file_mgr->EndOfFile(MyHTTP_Analyzer()->GetAnalyzerTag(), + file_mgr->EndOfFile(MyHTTP_Analyzer()->GetAnalyzerTag(), MyHTTP_Analyzer()->Conn(), is_orig); } if ( http_message_done ) GetAnalyzer()->EnqueueConnEvent(http_message_done, analyzer->ConnVal(), - zeek::val_mgr->Bool(is_orig), + val_mgr->Bool(is_orig), BuildMessageStat(interrupted, detail) ); @@ -681,24 +681,24 @@ bool HTTP_Message::Undelivered(int64_t len) return false; } -void HTTP_Message::BeginEntity(zeek::analyzer::mime::MIME_Entity* entity) +void HTTP_Message::BeginEntity(analyzer::mime::MIME_Entity* entity) { if ( DEBUG_http ) - DEBUG_MSG("%.6f: begin entity (%d)\n", zeek::run_state::network_time, is_orig); + DEBUG_MSG("%.6f: begin entity (%d)\n", run_state::network_time, is_orig); current_entity = (HTTP_Entity*) entity; if ( http_begin_entity ) analyzer->EnqueueConnEvent(http_begin_entity, analyzer->ConnVal(), - zeek::val_mgr->Bool(is_orig) + val_mgr->Bool(is_orig) ); } -void HTTP_Message::EndEntity(zeek::analyzer::mime::MIME_Entity* entity) +void HTTP_Message::EndEntity(analyzer::mime::MIME_Entity* entity) { if ( DEBUG_http ) - DEBUG_MSG("%.6f: end entity (%d)\n", zeek::run_state::network_time, is_orig); + DEBUG_MSG("%.6f: end entity (%d)\n", run_state::network_time, is_orig); if ( entity == top_level ) { @@ -709,13 +709,13 @@ void HTTP_Message::EndEntity(zeek::analyzer::mime::MIME_Entity* entity) if ( http_end_entity ) analyzer->EnqueueConnEvent(http_end_entity, analyzer->ConnVal(), - zeek::val_mgr->Bool(is_orig) + val_mgr->Bool(is_orig) ); current_entity = (HTTP_Entity*) entity->Parent(); if ( entity->Parent() && - entity->Parent()->MIMEContentType() == zeek::analyzer::mime::CONTENT_TYPE_MULTIPART ) + entity->Parent()->MIMEContentType() == analyzer::mime::CONTENT_TYPE_MULTIPART ) { content_line->SupressWeirds(false); content_line->SetCRLFAsEOL(); @@ -731,37 +731,37 @@ void HTTP_Message::EndEntity(zeek::analyzer::mime::MIME_Entity* entity) HTTP_Entity* he = dynamic_cast(entity); if ( he && ! he->FileID().empty() ) - zeek::file_mgr->EndOfFile(he->FileID()); + file_mgr->EndOfFile(he->FileID()); else - zeek::file_mgr->EndOfFile(MyHTTP_Analyzer()->GetAnalyzerTag(), + file_mgr->EndOfFile(MyHTTP_Analyzer()->GetAnalyzerTag(), MyHTTP_Analyzer()->Conn(), is_orig); } } -void HTTP_Message::SubmitHeader(zeek::analyzer::mime::MIME_Header* h) +void HTTP_Message::SubmitHeader(analyzer::mime::MIME_Header* h) { MyHTTP_Analyzer()->HTTP_Header(is_orig, h); } -void HTTP_Message::SubmitAllHeaders(zeek::analyzer::mime::MIME_HeaderList& hlist) +void HTTP_Message::SubmitAllHeaders(analyzer::mime::MIME_HeaderList& hlist) { if ( http_all_headers ) analyzer->EnqueueConnEvent(http_all_headers, analyzer->ConnVal(), - zeek::val_mgr->Bool(is_orig), + val_mgr->Bool(is_orig), ToHeaderTable(hlist) ); if ( http_content_type ) analyzer->EnqueueConnEvent(http_content_type, analyzer->ConnVal(), - zeek::val_mgr->Bool(is_orig), + val_mgr->Bool(is_orig), current_entity->GetContentType(), current_entity->GetContentSubType() ); } -void HTTP_Message::SubmitTrailingHeaders(zeek::analyzer::mime::MIME_HeaderList& /* hlist */) +void HTTP_Message::SubmitTrailingHeaders(analyzer::mime::MIME_HeaderList& /* hlist */) { // Do nothing for now. Note that if this ever changes do something // which relies on the header list argument, that's currently not @@ -773,7 +773,7 @@ void HTTP_Message::SubmitData(int len, const char* buf) { if ( http_entity_data ) MyHTTP_Analyzer()->HTTP_EntityData(is_orig, - new zeek::String(reinterpret_cast(buf), len, false)); + new String(reinterpret_cast(buf), len, false)); } bool HTTP_Message::RequestBuffer(int* plen, char** pbuf) @@ -796,20 +796,20 @@ void HTTP_Message::SubmitEvent(int event_type, const char* detail) const char* category = ""; switch ( event_type ) { - case zeek::analyzer::mime::MIME_EVENT_ILLEGAL_FORMAT: + case analyzer::mime::MIME_EVENT_ILLEGAL_FORMAT: category = "illegal format"; break; - case zeek::analyzer::mime::MIME_EVENT_ILLEGAL_ENCODING: + case analyzer::mime::MIME_EVENT_ILLEGAL_ENCODING: category = "illegal encoding"; break; - case zeek::analyzer::mime::MIME_EVENT_CONTENT_GAP: + case analyzer::mime::MIME_EVENT_CONTENT_GAP: category = "content gap"; break; default: - zeek::reporter->AnalyzerError(MyHTTP_Analyzer(), + reporter->AnalyzerError(MyHTTP_Analyzer(), "unrecognized HTTP message event"); return; } @@ -821,7 +821,7 @@ void HTTP_Message::SetPlainDelivery(int64_t length) { content_line->SetPlainDelivery(length); - if ( length > 0 && zeek::BifConst::skip_http_data ) + if ( length > 0 && BifConst::skip_http_data ) content_line->SkipBytesAfterThisLine(length); } @@ -836,8 +836,8 @@ void HTTP_Message::Weird(const char* msg) analyzer->Weird(msg); } -HTTP_Analyzer::HTTP_Analyzer(zeek::Connection* conn) -: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("HTTP", conn) +HTTP_Analyzer::HTTP_Analyzer(Connection* conn) +: analyzer::tcp::TCP_ApplicationAnalyzer("HTTP", conn) { num_requests = num_replies = 0; num_request_lines = num_reply_lines = 0; @@ -859,10 +859,10 @@ HTTP_Analyzer::HTTP_Analyzer(zeek::Connection* conn) upgrade_connection = false; upgrade_protocol.clear(); - content_line_orig = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, true); + content_line_orig = new analyzer::tcp::ContentLine_Analyzer(conn, true); AddSupportAnalyzer(content_line_orig); - content_line_resp = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, false); + content_line_resp = new analyzer::tcp::ContentLine_Analyzer(conn, false); content_line_resp->SetSkipPartial(true); AddSupportAnalyzer(content_line_resp); } @@ -872,7 +872,7 @@ void HTTP_Analyzer::Done() if ( IsFinished() ) return; - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); + analyzer::tcp::TCP_ApplicationAnalyzer::Done(); RequestMade(true, "message interrupted when connection done"); ReplyMade(true, "message interrupted when connection done"); @@ -887,18 +887,18 @@ void HTTP_Analyzer::Done() unanswered_requests = {}; - zeek::file_mgr->EndOfFile(GetAnalyzerTag(), Conn(), true); + file_mgr->EndOfFile(GetAnalyzerTag(), Conn(), true); /* TODO: this might be nice to have, but reply code is cleared by now. if ( HTTP_ReplyCode() != 206 ) // multipart/byteranges may span multiple connections - zeek::file_mgr->EndOfFile(GetAnalyzerTag(), Conn(), false); + file_mgr->EndOfFile(GetAnalyzerTag(), Conn(), false); */ } void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig); + analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig); if ( TCP() && TCP()->IsPartial() ) return; @@ -917,7 +917,7 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig) const char* line = reinterpret_cast(data); const char* end_of_line = line + len; - zeek::analyzer::tcp::ContentLine_Analyzer* content_line = + analyzer::tcp::ContentLine_Analyzer* content_line = is_orig ? content_line_orig : content_line_resp; if ( content_line->IsPlainDelivery() ) @@ -972,7 +972,7 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig) { if ( ! RequestExpected() ) HTTP_Event("crud_trailing_HTTP_request", - zeek::analyzer::mime::to_string_val(line, end_of_line)); + analyzer::mime::to_string_val(line, end_of_line)); else { // We do see HTTP requests with a @@ -1049,7 +1049,7 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig) { // End of message header reached, set up // tunnel decapsulation. - pia = new zeek::analyzer::pia::PIA_TCP(Conn()); + pia = new analyzer::pia::PIA_TCP(Conn()); if ( AddChildAnalyzer(pia) ) { @@ -1081,21 +1081,21 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig) void HTTP_Analyzer::Undelivered(uint64_t seq, int len, bool is_orig) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig); + analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig); // DEBUG_MSG("Undelivered from %"PRIu64": %d bytes\n", seq, length); HTTP_Message* msg = is_orig ? request_message : reply_message; - zeek::analyzer::tcp::ContentLine_Analyzer* content_line = + analyzer::tcp::ContentLine_Analyzer* content_line = is_orig ? content_line_orig : content_line_resp; if ( ! content_line->IsSkippedContents(seq, len) ) { if ( msg ) - msg->SubmitEvent(zeek::analyzer::mime::MIME_EVENT_CONTENT_GAP, - zeek::util::fmt("seq=%" PRIu64", len=%d", seq, len)); + msg->SubmitEvent(analyzer::mime::MIME_EVENT_CONTENT_GAP, + util::fmt("seq=%" PRIu64", len=%d", seq, len)); } // Check if the content gap falls completely within a message body @@ -1124,9 +1124,9 @@ void HTTP_Analyzer::Undelivered(uint64_t seq, int len, bool is_orig) void HTTP_Analyzer::EndpointEOF(bool is_orig) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); + analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); - // DEBUG_MSG("%.6f eof\n", zeek::run_state::network_time); + // DEBUG_MSG("%.6f eof\n", run_state::network_time); if ( is_orig ) RequestMade(false, "message ends as connection contents are completely delivered"); @@ -1136,16 +1136,16 @@ void HTTP_Analyzer::EndpointEOF(bool is_orig) void HTTP_Analyzer::ConnectionFinished(bool half_finished) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::ConnectionFinished(half_finished); + analyzer::tcp::TCP_ApplicationAnalyzer::ConnectionFinished(half_finished); - // DEBUG_MSG("%.6f connection finished\n", zeek::run_state::network_time); + // DEBUG_MSG("%.6f connection finished\n", run_state::network_time); RequestMade(true, "message ends as connection is finished"); ReplyMade(true, "message ends as connection is finished"); } void HTTP_Analyzer::ConnectionReset() { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::ConnectionReset(); + analyzer::tcp::TCP_ApplicationAnalyzer::ConnectionReset(); RequestMade(true, "message interrupted by RST"); ReplyMade(true, "message interrupted by RST"); @@ -1153,7 +1153,7 @@ void HTTP_Analyzer::ConnectionReset() void HTTP_Analyzer::PacketWithRST() { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::PacketWithRST(); + analyzer::tcp::TCP_ApplicationAnalyzer::PacketWithRST(); RequestMade(true, "message interrupted by RST"); ReplyMade(true, "message interrupted by RST"); @@ -1163,14 +1163,14 @@ void HTTP_Analyzer::GenStats() { if ( http_stats ) { - static auto http_stats_rec = zeek::id::find_type("http_stats_rec"); - auto r = zeek::make_intrusive(http_stats_rec); - r->Assign(0, zeek::val_mgr->Count(num_requests)); - r->Assign(1, zeek::val_mgr->Count(num_replies)); - r->Assign(2, zeek::make_intrusive(request_version.ToDouble())); - r->Assign(3, zeek::make_intrusive(reply_version.ToDouble())); + static auto http_stats_rec = id::find_type("http_stats_rec"); + auto r = make_intrusive(http_stats_rec); + r->Assign(0, val_mgr->Count(num_requests)); + r->Assign(1, val_mgr->Count(num_replies)); + r->Assign(2, make_intrusive(request_version.ToDouble())); + r->Assign(3, make_intrusive(reply_version.ToDouble())); - // DEBUG_MSG("%.6f http_stats\n", zeek::run_state::network_time); + // DEBUG_MSG("%.6f http_stats\n", run_state::network_time); EnqueueConnEvent(http_stats, ConnVal(), std::move(r)); } } @@ -1198,7 +1198,7 @@ const char* HTTP_Analyzer::PrefixWordMatch(const char* line, return nullptr; const char* orig_line = line; - line = zeek::util::skip_whitespace(line, end_of_line); + line = util::skip_whitespace(line, end_of_line); if ( line == orig_line ) // Word didn't end at prefix. @@ -1242,18 +1242,18 @@ int HTTP_Analyzer::HTTP_RequestLine(const char* line, const char* end_of_line) goto error; } - rest = zeek::util::skip_whitespace(end_of_method, end_of_line); + rest = util::skip_whitespace(end_of_method, end_of_line); if ( rest == end_of_method ) goto error; if ( ! ParseRequest(rest, end_of_line) ) { - zeek::reporter->AnalyzerError(this, "HTTP ParseRequest failed"); + reporter->AnalyzerError(this, "HTTP ParseRequest failed"); return -1; } - request_method = zeek::make_intrusive(end_of_method - line, line); + request_method = make_intrusive(end_of_method - line, line); Conn()->Match(zeek::detail::Rule::HTTP_REQUEST, (const u_char*) unescaped_URI->AsString()->Bytes(), @@ -1262,11 +1262,11 @@ int HTTP_Analyzer::HTTP_RequestLine(const char* line, const char* end_of_line) return 1; bad_http_request_with_version: - zeek::reporter->Weird(Conn(), "bad_HTTP_request_with_version"); + reporter->Weird(Conn(), "bad_HTTP_request_with_version"); return 0; error: - zeek::reporter->Weird(Conn(), "bad_HTTP_request"); + reporter->Weird(Conn(), "bad_HTTP_request"); return 0; } @@ -1293,7 +1293,7 @@ bool HTTP_Analyzer::ParseRequest(const char* line, const char* end_of_line) for ( version_start = end_of_uri; version_start < end_of_line; ++version_start ) { end_of_uri = version_start; - version_start = zeek::util::skip_whitespace(version_start, end_of_line); + version_start = util::skip_whitespace(version_start, end_of_line); if ( PrefixMatch(version_start, end_of_line, "HTTP/") ) break; } @@ -1313,18 +1313,18 @@ bool HTTP_Analyzer::ParseRequest(const char* line, const char* end_of_line) version_start)); version_end = version_start + 3; - if ( zeek::util::skip_whitespace(version_end, end_of_line) != end_of_line ) + if ( util::skip_whitespace(version_end, end_of_line) != end_of_line ) HTTP_Event("crud after HTTP version is ignored", - zeek::analyzer::mime::to_string_val(line, end_of_line)); + analyzer::mime::to_string_val(line, end_of_line)); } else - HTTP_Event("bad_HTTP_version", zeek::analyzer::mime::to_string_val(line, end_of_line)); + HTTP_Event("bad_HTTP_version", analyzer::mime::to_string_val(line, end_of_line)); } // NormalizeURI(line, end_of_uri); - request_URI = zeek::make_intrusive(end_of_uri - line, line); - unescaped_URI = zeek::make_intrusive( + request_URI = make_intrusive(end_of_uri - line, line); + unescaped_URI = make_intrusive( unescape_URI((const u_char*) line, (const u_char*) end_of_uri, this)); return true; @@ -1344,7 +1344,7 @@ HTTP_Analyzer::HTTP_VersionNumber HTTP_Analyzer::HTTP_Version(int len, const cha } else { - HTTP_Event("bad_HTTP_version", zeek::analyzer::mime::to_string_val(len, data)); + HTTP_Event("bad_HTTP_version", analyzer::mime::to_string_val(len, data)); return {}; } } @@ -1363,23 +1363,23 @@ void HTTP_Analyzer::SetVersion(HTTP_VersionNumber* version, HTTP_VersionNumber n void HTTP_Analyzer::HTTP_Event(const char* category, const char* detail) { - HTTP_Event(category, zeek::make_intrusive(detail)); + HTTP_Event(category, make_intrusive(detail)); } -void HTTP_Analyzer::HTTP_Event(const char* category, zeek::StringValPtr detail) +void HTTP_Analyzer::HTTP_Event(const char* category, StringValPtr detail) { if ( http_event ) - // DEBUG_MSG("%.6f http_event\n", zeek::run_state::network_time); + // DEBUG_MSG("%.6f http_event\n", run_state::network_time); EnqueueConnEvent(http_event, ConnVal(), - zeek::make_intrusive(category), + make_intrusive(category), std::move(detail)); } -zeek::StringValPtr -HTTP_Analyzer::TruncateURI(const zeek::StringValPtr& uri) +StringValPtr +HTTP_Analyzer::TruncateURI(const StringValPtr& uri) { - const zeek::String* str = uri->AsString(); + const String* str = uri->AsString(); if ( zeek::detail::truncate_http_URI >= 0 && str->Len() > zeek::detail::truncate_http_URI ) { @@ -1403,13 +1403,13 @@ void HTTP_Analyzer::HTTP_Request() connect_request = true; if ( http_request ) - // DEBUG_MSG("%.6f http_request\n", zeek::run_state::network_time); + // DEBUG_MSG("%.6f http_request\n", run_state::network_time); EnqueueConnEvent(http_request, ConnVal(), request_method, TruncateURI(request_URI), TruncateURI(unescaped_URI), - zeek::make_intrusive(zeek::util::fmt("%.1f", request_version.ToDouble())) + make_intrusive(util::fmt("%.1f", request_version.ToDouble())) ); } @@ -1418,11 +1418,11 @@ void HTTP_Analyzer::HTTP_Reply() if ( http_reply ) EnqueueConnEvent(http_reply, ConnVal(), - zeek::make_intrusive(zeek::util::fmt("%.1f", reply_version.ToDouble())), - zeek::val_mgr->Count(reply_code), + make_intrusive(util::fmt("%.1f", reply_version.ToDouble())), + val_mgr->Count(reply_code), reply_reason_phrase ? reply_reason_phrase : - zeek::make_intrusive("") + make_intrusive("") ); else reply_reason_phrase = nullptr; @@ -1438,7 +1438,7 @@ void HTTP_Analyzer::RequestMade(bool interrupted, const char* msg) if ( request_message ) request_message->Done(interrupted, msg); - // DEBUG_MSG("%.6f request made\n", zeek::run_state::network_time); + // DEBUG_MSG("%.6f request made\n", run_state::network_time); request_method = nullptr; unescaped_URI = nullptr; @@ -1459,7 +1459,7 @@ void HTTP_Analyzer::ReplyMade(bool interrupted, const char* msg) reply_ongoing = 0; - // DEBUG_MSG("%.6f reply made\n", zeek::run_state::network_time); + // DEBUG_MSG("%.6f reply made\n", run_state::network_time); if ( reply_message ) reply_message->Done(interrupted, msg); @@ -1484,7 +1484,7 @@ void HTTP_Analyzer::ReplyMade(bool interrupted, const char* msg) if ( http_connection_upgrade ) EnqueueConnEvent(http_connection_upgrade, ConnVal(), - zeek::make_intrusive(upgrade_protocol) + make_intrusive(upgrade_protocol) ); } @@ -1498,7 +1498,7 @@ void HTTP_Analyzer::ReplyMade(bool interrupted, const char* msg) reply_state = EXPECT_REPLY_LINE; } -void HTTP_Analyzer::RequestClash(zeek::Val* /* clash_val */) +void HTTP_Analyzer::RequestClash(Val* /* clash_val */) { Weird("multiple_HTTP_request_elements"); @@ -1506,7 +1506,7 @@ void HTTP_Analyzer::RequestClash(zeek::Val* /* clash_val */) RequestMade(true, "request clash"); } -const zeek::String* HTTP_Analyzer::UnansweredRequestMethod() +const String* HTTP_Analyzer::UnansweredRequestMethod() { return unanswered_requests.empty() ? nullptr : unanswered_requests.front()->AsString(); } @@ -1520,49 +1520,49 @@ int HTTP_Analyzer::HTTP_ReplyLine(const char* line, const char* end_of_line) // ##TODO: some server replies with an HTML document // without a status line and a MIME header, when the // request is malformed. - HTTP_Event("bad_HTTP_reply", zeek::analyzer::mime::to_string_val(line, end_of_line)); + HTTP_Event("bad_HTTP_reply", analyzer::mime::to_string_val(line, end_of_line)); return 0; } SetVersion(&reply_version, HTTP_Version(end_of_line - rest, rest)); for ( ; rest < end_of_line; ++rest ) - if ( zeek::analyzer::mime::is_lws(*rest) ) + if ( analyzer::mime::is_lws(*rest) ) break; if ( rest >= end_of_line ) { HTTP_Event("HTTP_reply_code_missing", - zeek::analyzer::mime::to_string_val(line, end_of_line)); + analyzer::mime::to_string_val(line, end_of_line)); return 0; } - rest = zeek::util::skip_whitespace(rest, end_of_line); + rest = util::skip_whitespace(rest, end_of_line); if ( rest + 3 > end_of_line ) { HTTP_Event("HTTP_reply_code_missing", - zeek::analyzer::mime::to_string_val(line, end_of_line)); + analyzer::mime::to_string_val(line, end_of_line)); return 0; } reply_code = HTTP_ReplyCode(rest); for ( rest += 3; rest < end_of_line; ++rest ) - if ( zeek::analyzer::mime::is_lws(*rest) ) + if ( analyzer::mime::is_lws(*rest) ) break; if ( rest >= end_of_line ) { HTTP_Event("HTTP_reply_reason_phrase_missing", - zeek::analyzer::mime::to_string_val(line, end_of_line)); + analyzer::mime::to_string_val(line, end_of_line)); // Tolerate missing reason phrase? return 1; } - rest = zeek::util::skip_whitespace(rest, end_of_line); + rest = util::skip_whitespace(rest, end_of_line); reply_reason_phrase = - zeek::make_intrusive(end_of_line - rest, (const char *) rest); + make_intrusive(end_of_line - rest, (const char *) rest); return 1; } @@ -1590,7 +1590,7 @@ int HTTP_Analyzer::ExpectReplyMessageBody() // MUST NOT include a message-body. All other responses do include a // message-body, although it MAY be of zero length. - const zeek::String* method = UnansweredRequestMethod(); + const String* method = UnansweredRequestMethod(); if ( method && strncasecmp((const char*) (method->Bytes()), "HEAD", method->Len()) == 0 ) return HTTP_BODY_NOT_EXPECTED; @@ -1602,29 +1602,29 @@ int HTTP_Analyzer::ExpectReplyMessageBody() return HTTP_BODY_EXPECTED; } -void HTTP_Analyzer::HTTP_Header(bool is_orig, zeek::analyzer::mime::MIME_Header* h) +void HTTP_Analyzer::HTTP_Header(bool is_orig, analyzer::mime::MIME_Header* h) { // To be "liberal", we only look at "keep-alive" on the client // side, and if seen assume the connection to be persistent. // This seems fairly safe - at worst, the client does indeed // send additional requests, and the server ignores them. - if ( is_orig && zeek::analyzer::mime::istrequal(h->get_name(), "connection") ) + if ( is_orig && analyzer::mime::istrequal(h->get_name(), "connection") ) { - if ( zeek::analyzer::mime::istrequal(h->get_value_token(), "keep-alive") ) + if ( analyzer::mime::istrequal(h->get_value_token(), "keep-alive") ) keep_alive = 1; } if ( ! is_orig && - zeek::analyzer::mime::istrequal(h->get_name(), "connection") ) + analyzer::mime::istrequal(h->get_name(), "connection") ) { - if ( zeek::analyzer::mime::istrequal(h->get_value_token(), "close") ) + if ( analyzer::mime::istrequal(h->get_value_token(), "close") ) connection_close = 1; - else if ( zeek::analyzer::mime::istrequal(h->get_value_token(), "upgrade") ) + else if ( analyzer::mime::istrequal(h->get_value_token(), "upgrade") ) upgrade_connection = true; } if ( ! is_orig && - zeek::analyzer::mime::istrequal(h->get_name(), "upgrade") ) + analyzer::mime::istrequal(h->get_name(), "upgrade") ) upgrade_protocol.assign(h->get_value_token().data, h->get_value_token().length); if ( http_header ) @@ -1633,8 +1633,8 @@ void HTTP_Analyzer::HTTP_Header(bool is_orig, zeek::analyzer::mime::MIME_Header* is_orig ? zeek::detail::Rule::HTTP_REQUEST_HEADER : zeek::detail::Rule::HTTP_REPLY_HEADER; - zeek::data_chunk_t hd_name = h->get_name(); - zeek::data_chunk_t hd_value = h->get_value(); + data_chunk_t hd_name = h->get_name(); + data_chunk_t hd_value = h->get_value(); Conn()->Match(rule, (const u_char*) hd_name.data, hd_name.length, is_orig, true, false, true); @@ -1644,29 +1644,29 @@ void HTTP_Analyzer::HTTP_Header(bool is_orig, zeek::analyzer::mime::MIME_Header* is_orig, false, true, false); if ( DEBUG_http ) - DEBUG_MSG("%.6f http_header\n", zeek::run_state::network_time); + DEBUG_MSG("%.6f http_header\n", run_state::network_time); - auto upper_hn = zeek::analyzer::mime::to_string_val(h->get_name()); + auto upper_hn = analyzer::mime::to_string_val(h->get_name()); upper_hn->ToUpper(); EnqueueConnEvent(http_header, ConnVal(), - zeek::val_mgr->Bool(is_orig), - zeek::analyzer::mime::to_string_val(h->get_name()), + val_mgr->Bool(is_orig), + analyzer::mime::to_string_val(h->get_name()), std::move(upper_hn), - zeek::analyzer::mime::to_string_val(h->get_value()) + analyzer::mime::to_string_val(h->get_value()) ); } } -void HTTP_Analyzer::HTTP_EntityData(bool is_orig, zeek::String* entity_data) +void HTTP_Analyzer::HTTP_EntityData(bool is_orig, String* entity_data) { if ( http_entity_data ) EnqueueConnEvent(http_entity_data, ConnVal(), - zeek::val_mgr->Bool(is_orig), - zeek::val_mgr->Count(entity_data->Len()), - zeek::make_intrusive(entity_data) + val_mgr->Bool(is_orig), + val_mgr->Count(entity_data->Len()), + make_intrusive(entity_data) ); else delete entity_data; @@ -1681,7 +1681,7 @@ void HTTP_Analyzer::HTTP_MessageDone(bool is_orig, HTTP_Message* /* message */) ReplyMade(false, "message ends normally"); } -void HTTP_Analyzer::InitHTTPMessage(zeek::analyzer::tcp::ContentLine_Analyzer* cl, HTTP_Message*& message, +void HTTP_Analyzer::InitHTTPMessage(analyzer::tcp::ContentLine_Analyzer* cl, HTTP_Message*& message, bool is_orig, int expect_body, int64_t init_header_length) { if ( message ) @@ -1692,7 +1692,7 @@ void HTTP_Analyzer::InitHTTPMessage(zeek::analyzer::tcp::ContentLine_Analyzer* c delete message; } - // DEBUG_MSG("%.6f init http message\n", zeek::run_state::network_time); + // DEBUG_MSG("%.6f init http message\n", run_state::network_time); message = new HTTP_Message(this, cl, is_orig, expect_body, init_header_length); } @@ -1718,15 +1718,15 @@ bool is_unreserved_URI_char(unsigned char ch) void escape_URI_char(unsigned char ch, unsigned char*& p) { *p++ = '%'; - *p++ = zeek::util::encode_hex((ch >> 4) & 0xf); - *p++ = zeek::util::encode_hex(ch & 0xf); + *p++ = util::encode_hex((ch >> 4) & 0xf); + *p++ = util::encode_hex(ch & 0xf); } -zeek::String* unescape_URI(const u_char* line, const u_char* line_end, - zeek::analyzer::Analyzer* analyzer) +String* unescape_URI(const u_char* line, const u_char* line_end, + analyzer::Analyzer* analyzer) { - zeek::byte_vec decoded_URI = new u_char[line_end - line + 1]; - zeek::byte_vec URI_p = decoded_URI; + byte_vec decoded_URI = new u_char[line_end - line + 1]; + byte_vec URI_p = decoded_URI; while ( line < line_end ) { @@ -1766,8 +1766,8 @@ zeek::String* unescape_URI(const u_char* line, const u_char* line_end, else if ( isxdigit(line[0]) && isxdigit(line[1]) ) { - *URI_p++ = (zeek::util::decode_hex(line[0]) << 4) + - zeek::util::decode_hex(line[1]); + *URI_p++ = (util::decode_hex(line[0]) << 4) + + util::decode_hex(line[1]); ++line; // place line at the last hex digit } @@ -1792,11 +1792,11 @@ zeek::String* unescape_URI(const u_char* line, const u_char* line_end, // It could just be ASCII encoded into this // unicode escaping structure. if ( ! (line[1] == '0' && line[2] == '0' ) ) - *URI_p++ = (zeek::util::decode_hex(line[1]) << 4) + - zeek::util::decode_hex(line[2]); + *URI_p++ = (util::decode_hex(line[1]) << 4) + + util::decode_hex(line[2]); - *URI_p++ = (zeek::util::decode_hex(line[3]) << 4) + - zeek::util::decode_hex(line[4]); + *URI_p++ = (util::decode_hex(line[3]) << 4) + + util::decode_hex(line[4]); line += 4; } @@ -1818,7 +1818,7 @@ zeek::String* unescape_URI(const u_char* line, const u_char* line_end, URI_p[0] = 0; - return new zeek::String(true, decoded_URI, URI_p - decoded_URI); + return new String(true, decoded_URI, URI_p - decoded_URI); } } // namespace zeek::analyzer::http diff --git a/src/analyzer/protocol/http/HTTP.h b/src/analyzer/protocol/http/HTTP.h index 70af9187fd..d9a5a6812d 100644 --- a/src/analyzer/protocol/http/HTTP.h +++ b/src/analyzer/protocol/http/HTTP.h @@ -27,9 +27,9 @@ class HTTP_Entity; class HTTP_Message; class HTTP_Analyzer; -class HTTP_Entity final : public zeek::analyzer::mime::MIME_Entity { +class HTTP_Entity final : public analyzer::mime::MIME_Entity { public: - HTTP_Entity(HTTP_Message* msg, zeek::analyzer::mime::MIME_Entity* parent_entity, + HTTP_Entity(HTTP_Message* msg, analyzer::mime::MIME_Entity* parent_entity, int expect_body); ~HTTP_Entity() override { @@ -58,7 +58,7 @@ protected: int64_t body_length; int64_t header_length; enum { IDENTITY, GZIP, COMPRESS, DEFLATE } encoding; - zeek::analyzer::zip::ZIP_Analyzer* zip; + analyzer::zip::ZIP_Analyzer* zip; bool deliver_body; bool is_partial_content; uint64_t offset; @@ -66,7 +66,7 @@ protected: bool send_size; // whether to send size indication to FAF std::string precomputed_file_id; - zeek::analyzer::mime::MIME_Entity* NewChildEntity() override { return new HTTP_Entity(http_message, this, 1); } + analyzer::mime::MIME_Entity* NewChildEntity() override { return new HTTP_Entity(http_message, this, 1); } void DeliverBody(int len, const char* data, bool trailing_CRLF); void DeliverBodyClear(int len, const char* data, bool trailing_CRLF); @@ -75,7 +75,7 @@ protected: void SetPlainDelivery(int64_t length); - void SubmitHeader(zeek::analyzer::mime::MIME_Header* h) override; + void SubmitHeader(analyzer::mime::MIME_Header* h) override; void SubmitAllHeaders() override; }; @@ -96,11 +96,11 @@ enum { // HTTP_Message::EndEntity -> Message::Done // HTTP_MessageDone -> {Request,Reply}Made -class HTTP_Message final : public zeek::analyzer::mime::MIME_Message { +class HTTP_Message final : public analyzer::mime::MIME_Message { friend class HTTP_Entity; public: - HTTP_Message(HTTP_Analyzer* analyzer, zeek::analyzer::tcp::ContentLine_Analyzer* cl, + HTTP_Message(HTTP_Analyzer* analyzer, analyzer::tcp::ContentLine_Analyzer* cl, bool is_orig, int expect_body, int64_t init_header_length); ~HTTP_Message() override; void Done(bool interrupted, const char* msg); @@ -108,16 +108,16 @@ public: bool Undelivered(int64_t len); - void BeginEntity(zeek::analyzer::mime::MIME_Entity* /* entity */) override; - void EndEntity(zeek::analyzer::mime::MIME_Entity* entity) override; - void SubmitHeader(zeek::analyzer::mime::MIME_Header* h) override; - void SubmitAllHeaders(zeek::analyzer::mime::MIME_HeaderList& /* hlist */) override; + void BeginEntity(analyzer::mime::MIME_Entity* /* entity */) override; + void EndEntity(analyzer::mime::MIME_Entity* entity) override; + void SubmitHeader(analyzer::mime::MIME_Header* h) override; + void SubmitAllHeaders(analyzer::mime::MIME_HeaderList& /* hlist */) override; void SubmitData(int len, const char* buf) override; bool RequestBuffer(int* plen, char** pbuf) override; void SubmitAllData(); void SubmitEvent(int event_type, const char* detail) override; - void SubmitTrailingHeaders(zeek::analyzer::mime::MIME_HeaderList& /* hlist */); + void SubmitTrailingHeaders(analyzer::mime::MIME_HeaderList& /* hlist */); void SetPlainDelivery(int64_t length); void SkipEntityData(); @@ -129,7 +129,7 @@ public: protected: HTTP_Analyzer* analyzer; - zeek::analyzer::tcp::ContentLine_Analyzer* content_line; + analyzer::tcp::ContentLine_Analyzer* content_line; bool is_orig; char* entity_data_buffer; @@ -145,18 +145,18 @@ protected: HTTP_Entity* current_entity; - zeek::RecordValPtr BuildMessageStat(bool interrupted, const char* msg); + RecordValPtr BuildMessageStat(bool interrupted, const char* msg); }; -class HTTP_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { +class HTTP_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer { public: - HTTP_Analyzer(zeek::Connection* conn); + HTTP_Analyzer(Connection* conn); - void HTTP_Header(bool is_orig, zeek::analyzer::mime::MIME_Header* h); - void HTTP_EntityData(bool is_orig, zeek::String* entity_data); + void HTTP_Header(bool is_orig, analyzer::mime::MIME_Header* h); + void HTTP_EntityData(bool is_orig, String* entity_data); void HTTP_MessageDone(bool is_orig, HTTP_Message* message); void HTTP_Event(const char* category, const char* detail); - void HTTP_Event(const char* category, zeek::StringValPtr detail); + void HTTP_Event(const char* category, StringValPtr detail); void SkipEntityData(bool is_orig); @@ -168,7 +168,7 @@ public: void DeliverStream(int len, const u_char* data, bool orig) override; void Undelivered(uint64_t seq, int len, bool orig) override; - // Overriden from zeek::analyzer::tcp::TCP_ApplicationAnalyzer + // Overriden from analyzer::tcp::TCP_ApplicationAnalyzer void EndpointEOF(bool is_orig) override; void ConnectionFinished(bool half_finished) override; void ConnectionReset() override; @@ -195,7 +195,7 @@ public: int GetRequestOngoing() { return request_ongoing; }; int GetReplyOngoing() { return reply_ongoing; }; - static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) + static analyzer::Analyzer* Instantiate(Connection* conn) { return new HTTP_Analyzer(conn); } static bool Available() @@ -210,7 +210,7 @@ protected: int HTTP_RequestLine(const char* line, const char* end_of_line); int HTTP_ReplyLine(const char* line, const char* end_of_line); - void InitHTTPMessage(zeek::analyzer::tcp::ContentLine_Analyzer* cl, HTTP_Message*& message, bool is_orig, + void InitHTTPMessage(analyzer::tcp::ContentLine_Analyzer* cl, HTTP_Message*& message, bool is_orig, int expect_body, int64_t init_header_length); const char* PrefixMatch(const char* line, const char* end_of_line, @@ -230,14 +230,14 @@ protected: void RequestMade(bool interrupted, const char* msg); void ReplyMade(bool interrupted, const char* msg); - void RequestClash(zeek::Val* clash_val); + void RequestClash(Val* clash_val); - const zeek::String* UnansweredRequestMethod(); + const String* UnansweredRequestMethod(); int HTTP_ReplyCode(const char* code_str); int ExpectReplyMessageBody(); - zeek::StringValPtr TruncateURI(const zeek::StringValPtr& uri); + StringValPtr TruncateURI(const StringValPtr& uri); int request_state, reply_state; int num_requests, num_replies; @@ -248,7 +248,7 @@ protected: int request_ongoing, reply_ongoing; bool connect_request; - zeek::analyzer::pia::PIA_TCP *pia; + analyzer::pia::PIA_TCP *pia; // set to true after a connection was upgraded bool upgraded; // set to true when encountering an "connection" header in a reply. @@ -257,22 +257,22 @@ protected: // in a reply. std::string upgrade_protocol; - zeek::StringValPtr request_method; + StringValPtr request_method; // request_URI is in the original form (may contain '%' // sequences). - zeek::StringValPtr request_URI; + StringValPtr request_URI; // unescaped_URI does not contain escaped sequences. - zeek::StringValPtr unescaped_URI; + StringValPtr unescaped_URI; - std::queue unanswered_requests; + std::queue unanswered_requests; int reply_code; - zeek::StringValPtr reply_reason_phrase; + StringValPtr reply_reason_phrase; - zeek::analyzer::tcp::ContentLine_Analyzer* content_line_orig; - zeek::analyzer::tcp::ContentLine_Analyzer* content_line_resp; + analyzer::tcp::ContentLine_Analyzer* content_line_orig; + analyzer::tcp::ContentLine_Analyzer* content_line_resp; HTTP_Message* request_message; HTTP_Message* reply_message; @@ -281,8 +281,8 @@ protected: extern bool is_reserved_URI_char(unsigned char ch); extern bool is_unreserved_URI_char(unsigned char ch); extern void escape_URI_char(unsigned char ch, unsigned char*& p); -extern zeek::String* unescape_URI(const u_char* line, const u_char* line_end, - zeek::analyzer::Analyzer* analyzer); +extern String* unescape_URI(const u_char* line, const u_char* line_end, + analyzer::Analyzer* analyzer); } // namespace zeek::analyzer::http diff --git a/src/analyzer/protocol/icmp/ICMP.cc b/src/analyzer/protocol/icmp/ICMP.cc index 3684e57741..ea3ce1f046 100644 --- a/src/analyzer/protocol/icmp/ICMP.cc +++ b/src/analyzer/protocol/icmp/ICMP.cc @@ -20,7 +20,7 @@ namespace zeek::analyzer::icmp { -ICMP_Analyzer::ICMP_Analyzer(zeek::Connection* c) +ICMP_Analyzer::ICMP_Analyzer(Connection* c) : TransportLayerAnalyzer("ICMP", c), icmp_conn_val(), type(), code(), request_len(-1), reply_len(-1) { @@ -35,7 +35,7 @@ void ICMP_Analyzer::Done() } void ICMP_Analyzer::DeliverPacket(int len, const u_char* data, - bool is_orig, uint64_t seq, const zeek::IP_Hdr* ip, int caplen) + bool is_orig, uint64_t seq, const IP_Hdr* ip, int caplen) { assert(ip); @@ -64,7 +64,7 @@ void ICMP_Analyzer::DeliverPacket(int len, const u_char* data, break; default: - zeek::reporter->AnalyzerError( + reporter->AnalyzerError( this, "unexpected IP proto in ICMP analyzer: %d", ip->NextProto()); return; } @@ -76,7 +76,7 @@ void ICMP_Analyzer::DeliverPacket(int len, const u_char* data, } } - Conn()->SetLastTime(zeek::run_state::current_timestamp); + Conn()->SetLastTime(run_state::current_timestamp); if ( zeek::detail::rule_matcher ) { @@ -99,12 +99,12 @@ void ICMP_Analyzer::DeliverPacket(int len, const u_char* data, len_stat += len; if ( ip->NextProto() == IPPROTO_ICMP ) - NextICMP4(zeek::run_state::current_timestamp, icmpp, len, caplen, data, ip); + NextICMP4(run_state::current_timestamp, icmpp, len, caplen, data, ip); else if ( ip->NextProto() == IPPROTO_ICMPV6 ) - NextICMP6(zeek::run_state::current_timestamp, icmpp, len, caplen, data, ip); + NextICMP6(run_state::current_timestamp, icmpp, len, caplen, data, ip); else { - zeek::reporter->AnalyzerError( + reporter->AnalyzerError( this, "expected ICMP as IP packet's protocol, got %d", ip->NextProto()); return; } @@ -119,7 +119,7 @@ void ICMP_Analyzer::DeliverPacket(int len, const u_char* data, } void ICMP_Analyzer::NextICMP4(double t, const struct icmp* icmpp, int len, int caplen, - const u_char*& data, const zeek::IP_Hdr* ip_hdr ) + const u_char*& data, const IP_Hdr* ip_hdr ) { switch ( icmpp->icmp_type ) { @@ -140,7 +140,7 @@ void ICMP_Analyzer::NextICMP4(double t, const struct icmp* icmpp, int len, int c } void ICMP_Analyzer::NextICMP6(double t, const struct icmp* icmpp, int len, int caplen, - const u_char*& data, const zeek::IP_Hdr* ip_hdr ) + const u_char*& data, const IP_Hdr* ip_hdr ) { switch ( icmpp->icmp_type ) { @@ -199,7 +199,7 @@ void ICMP_Analyzer::NextICMP6(double t, const struct icmp* icmpp, int len, int c void ICMP_Analyzer::ICMP_Sent(const struct icmp* icmpp, int len, int caplen, int icmpv6, const u_char* data, - const zeek::IP_Hdr* ip_hdr) + const IP_Hdr* ip_hdr) { if ( icmp_sent ) EnqueueConnEvent(icmp_sent, @@ -210,51 +210,51 @@ void ICMP_Analyzer::ICMP_Sent(const struct icmp* icmpp, int len, int caplen, if ( icmp_sent_payload ) { - zeek::String* payload = new zeek::String(data, std::min(len, caplen), false); + String* payload = new String(data, std::min(len, caplen), false); EnqueueConnEvent(icmp_sent_payload, ConnVal(), BuildICMPVal(icmpp, len, icmpv6, ip_hdr), BuildInfo(icmpp, len, icmpv6, ip_hdr), - zeek::make_intrusive(payload) + make_intrusive(payload) ); } } -zeek::RecordValPtr ICMP_Analyzer::BuildICMPVal(const struct icmp* icmpp, int len, - int icmpv6, const zeek::IP_Hdr* ip_hdr) +RecordValPtr ICMP_Analyzer::BuildICMPVal(const struct icmp* icmpp, int len, + int icmpv6, const IP_Hdr* ip_hdr) { if ( ! icmp_conn_val ) { - static auto icmp_conn = zeek::id::find_type("icmp_conn"); - icmp_conn_val = zeek::make_intrusive(icmp_conn); + static auto icmp_conn = id::find_type("icmp_conn"); + icmp_conn_val = make_intrusive(icmp_conn); - icmp_conn_val->Assign(0, zeek::make_intrusive(Conn()->OrigAddr())); - icmp_conn_val->Assign(1, zeek::make_intrusive(Conn()->RespAddr())); - icmp_conn_val->Assign(2, zeek::val_mgr->Count(icmpp->icmp_type)); - icmp_conn_val->Assign(3, zeek::val_mgr->Count(icmpp->icmp_code)); - icmp_conn_val->Assign(4, zeek::val_mgr->Count(len)); - icmp_conn_val->Assign(5, zeek::val_mgr->Count(ip_hdr->TTL())); - icmp_conn_val->Assign(6, zeek::val_mgr->Bool(icmpv6)); + icmp_conn_val->Assign(0, make_intrusive(Conn()->OrigAddr())); + icmp_conn_val->Assign(1, make_intrusive(Conn()->RespAddr())); + icmp_conn_val->Assign(2, val_mgr->Count(icmpp->icmp_type)); + icmp_conn_val->Assign(3, val_mgr->Count(icmpp->icmp_code)); + icmp_conn_val->Assign(4, val_mgr->Count(len)); + icmp_conn_val->Assign(5, val_mgr->Count(ip_hdr->TTL())); + icmp_conn_val->Assign(6, val_mgr->Bool(icmpv6)); } return icmp_conn_val; } -zeek::RecordValPtr ICMP_Analyzer::BuildInfo(const struct icmp* icmpp, int len, - bool icmpv6, const zeek::IP_Hdr* ip_hdr) +RecordValPtr ICMP_Analyzer::BuildInfo(const struct icmp* icmpp, int len, + bool icmpv6, const IP_Hdr* ip_hdr) { - static auto icmp_info = zeek::id::find_type("icmp_info"); - auto rval = zeek::make_intrusive(icmp_info); - rval->Assign(0, zeek::val_mgr->Bool(icmpv6)); - rval->Assign(1, zeek::val_mgr->Count(icmpp->icmp_type)); - rval->Assign(2, zeek::val_mgr->Count(icmpp->icmp_code)); - rval->Assign(3, zeek::val_mgr->Count(len)); - rval->Assign(4, zeek::val_mgr->Count(ip_hdr->TTL())); + static auto icmp_info = id::find_type("icmp_info"); + auto rval = make_intrusive(icmp_info); + rval->Assign(0, val_mgr->Bool(icmpv6)); + rval->Assign(1, val_mgr->Count(icmpp->icmp_type)); + rval->Assign(2, val_mgr->Count(icmpp->icmp_code)); + rval->Assign(3, val_mgr->Count(len)); + rval->Assign(4, val_mgr->Count(ip_hdr->TTL())); return rval; } -TransportProto ICMP_Analyzer::GetContextProtocol(const zeek::IP_Hdr* ip_hdr, uint32_t* src_port, uint32_t* dst_port) +TransportProto ICMP_Analyzer::GetContextProtocol(const IP_Hdr* ip_hdr, uint32_t* src_port, uint32_t* dst_port) { const u_char* transport_hdr; uint32_t ip_hdr_len = ip_hdr->HdrLen(); @@ -319,17 +319,17 @@ TransportProto ICMP_Analyzer::GetContextProtocol(const zeek::IP_Hdr* ip_hdr, uin return proto; } -zeek::RecordValPtr ICMP_Analyzer::ExtractICMP4Context(int len, const u_char*& data) +RecordValPtr ICMP_Analyzer::ExtractICMP4Context(int len, const u_char*& data) { - const zeek::IP_Hdr ip_hdr_data((const struct ip*) data, false); - const zeek::IP_Hdr* ip_hdr = &ip_hdr_data; + const IP_Hdr ip_hdr_data((const struct ip*) data, false); + const IP_Hdr* ip_hdr = &ip_hdr_data; uint32_t ip_hdr_len = ip_hdr->HdrLen(); uint32_t ip_len, frag_offset; TransportProto proto = TRANSPORT_UNKNOWN; int DF, MF, bad_hdr_len, bad_checksum; - zeek::IPAddr src_addr, dst_addr; + IPAddr src_addr, dst_addr; uint32_t src_port, dst_port; if ( len < (int)sizeof(struct ip) || ip_hdr_len > uint32_t(len) ) @@ -345,7 +345,7 @@ zeek::RecordValPtr ICMP_Analyzer::ExtractICMP4Context(int len, const u_char*& da { bad_hdr_len = 0; ip_len = ip_hdr->TotalLen(); - bad_checksum = ! zeek::run_state::current_pkt->l3_checksummed && + bad_checksum = ! run_state::current_pkt->l3_checksummed && (ones_complement_checksum((void*) ip_hdr->IP4_Hdr(), ip_hdr_len, 0) != 0xffff); src_addr = ip_hdr->SrcAddr(); @@ -366,34 +366,34 @@ zeek::RecordValPtr ICMP_Analyzer::ExtractICMP4Context(int len, const u_char*& da } } - static auto icmp_context = zeek::id::find_type("icmp_context"); - auto iprec = zeek::make_intrusive(icmp_context); - auto id_val = zeek::make_intrusive(zeek::id::conn_id); + static auto icmp_context = id::find_type("icmp_context"); + auto iprec = make_intrusive(icmp_context); + auto id_val = make_intrusive(id::conn_id); - id_val->Assign(0, zeek::make_intrusive(src_addr)); - id_val->Assign(1, zeek::val_mgr->Port(src_port, proto)); - id_val->Assign(2, zeek::make_intrusive(dst_addr)); - id_val->Assign(3, zeek::val_mgr->Port(dst_port, proto)); + id_val->Assign(0, make_intrusive(src_addr)); + id_val->Assign(1, val_mgr->Port(src_port, proto)); + id_val->Assign(2, make_intrusive(dst_addr)); + id_val->Assign(3, val_mgr->Port(dst_port, proto)); iprec->Assign(0, std::move(id_val)); - iprec->Assign(1, zeek::val_mgr->Count(ip_len)); - iprec->Assign(2, zeek::val_mgr->Count(proto)); - iprec->Assign(3, zeek::val_mgr->Count(frag_offset)); - iprec->Assign(4, zeek::val_mgr->Bool(bad_hdr_len)); - iprec->Assign(5, zeek::val_mgr->Bool(bad_checksum)); - iprec->Assign(6, zeek::val_mgr->Bool(MF)); - iprec->Assign(7, zeek::val_mgr->Bool(DF)); + iprec->Assign(1, val_mgr->Count(ip_len)); + iprec->Assign(2, val_mgr->Count(proto)); + iprec->Assign(3, val_mgr->Count(frag_offset)); + iprec->Assign(4, val_mgr->Bool(bad_hdr_len)); + iprec->Assign(5, val_mgr->Bool(bad_checksum)); + iprec->Assign(6, val_mgr->Bool(MF)); + iprec->Assign(7, val_mgr->Bool(DF)); return iprec; } -zeek::RecordValPtr ICMP_Analyzer::ExtractICMP6Context(int len, const u_char*& data) +RecordValPtr ICMP_Analyzer::ExtractICMP6Context(int len, const u_char*& data) { int DF = 0, MF = 0, bad_hdr_len = 0; TransportProto proto = TRANSPORT_UNKNOWN; - zeek::IPAddr src_addr; - zeek::IPAddr dst_addr; + IPAddr src_addr; + IPAddr dst_addr; uint32_t ip_len, frag_offset = 0; uint32_t src_port, dst_port; @@ -405,8 +405,8 @@ zeek::RecordValPtr ICMP_Analyzer::ExtractICMP6Context(int len, const u_char*& da } else { - const zeek::IP_Hdr ip_hdr_data((const struct ip6_hdr*) data, false, len); - const zeek::IP_Hdr* ip_hdr = &ip_hdr_data; + const IP_Hdr ip_hdr_data((const struct ip6_hdr*) data, false, len); + const IP_Hdr* ip_hdr = &ip_hdr_data; ip_len = ip_hdr->TotalLen(); src_addr = ip_hdr->SrcAddr(); @@ -426,24 +426,24 @@ zeek::RecordValPtr ICMP_Analyzer::ExtractICMP6Context(int len, const u_char*& da } } - static auto icmp_context = zeek::id::find_type("icmp_context"); - auto iprec = zeek::make_intrusive(icmp_context); - auto id_val = zeek::make_intrusive(zeek::id::conn_id); + static auto icmp_context = id::find_type("icmp_context"); + auto iprec = make_intrusive(icmp_context); + auto id_val = make_intrusive(id::conn_id); - id_val->Assign(0, zeek::make_intrusive(src_addr)); - id_val->Assign(1, zeek::val_mgr->Port(src_port, proto)); - id_val->Assign(2, zeek::make_intrusive(dst_addr)); - id_val->Assign(3, zeek::val_mgr->Port(dst_port, proto)); + id_val->Assign(0, make_intrusive(src_addr)); + id_val->Assign(1, val_mgr->Port(src_port, proto)); + id_val->Assign(2, make_intrusive(dst_addr)); + id_val->Assign(3, val_mgr->Port(dst_port, proto)); iprec->Assign(0, std::move(id_val)); - iprec->Assign(1, zeek::val_mgr->Count(ip_len)); - iprec->Assign(2, zeek::val_mgr->Count(proto)); - iprec->Assign(3, zeek::val_mgr->Count(frag_offset)); - iprec->Assign(4, zeek::val_mgr->Bool(bad_hdr_len)); + iprec->Assign(1, val_mgr->Count(ip_len)); + iprec->Assign(2, val_mgr->Count(proto)); + iprec->Assign(3, val_mgr->Count(frag_offset)); + iprec->Assign(4, val_mgr->Bool(bad_hdr_len)); // bad_checksum is always false since IPv6 layer doesn't have a checksum. - iprec->Assign(5, zeek::val_mgr->False()); - iprec->Assign(6, zeek::val_mgr->Bool(MF)); - iprec->Assign(7, zeek::val_mgr->Bool(DF)); + iprec->Assign(5, val_mgr->False()); + iprec->Assign(6, val_mgr->Bool(MF)); + iprec->Assign(7, val_mgr->Bool(DF)); return iprec; } @@ -453,7 +453,7 @@ bool ICMP_Analyzer::IsReuse(double /* t */, const u_char* /* pkt */) return false; } -void ICMP_Analyzer::Describe(zeek::ODesc* d) const +void ICMP_Analyzer::Describe(ODesc* d) const { d->Add(Conn()->StartTime()); d->Add("("); @@ -472,7 +472,7 @@ void ICMP_Analyzer::Describe(zeek::ODesc* d) const d->Add(Conn()->RespAddr()); } -void ICMP_Analyzer::UpdateConnVal(zeek::RecordVal *conn_val) +void ICMP_Analyzer::UpdateConnVal(RecordVal *conn_val) { const auto& orig_endp = conn_val->GetField("orig"); const auto& resp_endp = conn_val->GetField("resp"); @@ -484,7 +484,7 @@ void ICMP_Analyzer::UpdateConnVal(zeek::RecordVal *conn_val) Analyzer::UpdateConnVal(conn_val); } -void ICMP_Analyzer::UpdateEndpointVal(const zeek::ValPtr& endp_arg, bool is_orig) +void ICMP_Analyzer::UpdateEndpointVal(const ValPtr& endp_arg, bool is_orig) { Conn()->EnableStatusUpdateTimer(); @@ -493,30 +493,30 @@ void ICMP_Analyzer::UpdateEndpointVal(const zeek::ValPtr& endp_arg, bool is_orig if ( size < 0 ) { - endp->Assign(0, zeek::val_mgr->Count(0)); - endp->Assign(1, zeek::val_mgr->Count(int(ICMP_INACTIVE))); + endp->Assign(0, val_mgr->Count(0)); + endp->Assign(1, val_mgr->Count(int(ICMP_INACTIVE))); } else { - endp->Assign(0, zeek::val_mgr->Count(size)); - endp->Assign(1, zeek::val_mgr->Count(int(ICMP_ACTIVE))); + endp->Assign(0, val_mgr->Count(size)); + endp->Assign(1, val_mgr->Count(int(ICMP_ACTIVE))); } } unsigned int ICMP_Analyzer::MemoryAllocation() const { return Analyzer::MemoryAllocation() - + padded_sizeof(*this) - padded_sizeof(zeek::Connection) + + padded_sizeof(*this) - padded_sizeof(Connection) + (icmp_conn_val ? icmp_conn_val->MemoryAllocation() : 0); } void ICMP_Analyzer::Echo(double t, const struct icmp* icmpp, int len, - int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr) + int caplen, const u_char*& data, const IP_Hdr* ip_hdr) { // For handling all Echo related ICMP messages - zeek::EventHandlerPtr f = nullptr; + EventHandlerPtr f = nullptr; if ( ip_hdr->NextProto() == IPPROTO_ICMPV6 ) f = (icmpp->icmp_type == ICMP6_ECHO_REQUEST) @@ -531,23 +531,23 @@ void ICMP_Analyzer::Echo(double t, const struct icmp* icmpp, int len, int iid = ntohs(icmpp->icmp_hun.ih_idseq.icd_id); int iseq = ntohs(icmpp->icmp_hun.ih_idseq.icd_seq); - zeek::String* payload = new zeek::String(data, caplen, false); + String* payload = new String(data, caplen, false); EnqueueConnEvent(f, ConnVal(), BuildICMPVal(icmpp, len, ip_hdr->NextProto() != IPPROTO_ICMP, ip_hdr), BuildInfo(icmpp, len, ip_hdr->NextProto() != IPPROTO_ICMP, ip_hdr), - zeek::val_mgr->Count(iid), - zeek::val_mgr->Count(iseq), - zeek::make_intrusive(payload) + val_mgr->Count(iid), + val_mgr->Count(iseq), + make_intrusive(payload) ); } void ICMP_Analyzer::RouterAdvert(double t, const struct icmp* icmpp, int len, - int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr) + int caplen, const u_char*& data, const IP_Hdr* ip_hdr) { - zeek::EventHandlerPtr f = icmp_router_advertisement; + EventHandlerPtr f = icmp_router_advertisement; if ( ! f ) return; @@ -566,33 +566,33 @@ void ICMP_Analyzer::RouterAdvert(double t, const struct icmp* icmpp, int len, ConnVal(), BuildICMPVal(icmpp, len, 1, ip_hdr), BuildInfo(icmpp, len, 1, ip_hdr), - zeek::val_mgr->Count(icmpp->icmp_num_addrs), // Cur Hop Limit - zeek::val_mgr->Bool(icmpp->icmp_wpa & 0x80), // Managed - zeek::val_mgr->Bool(icmpp->icmp_wpa & 0x40), // Other - zeek::val_mgr->Bool(icmpp->icmp_wpa & 0x20), // Home Agent - zeek::val_mgr->Count((icmpp->icmp_wpa & 0x18)>>3), // Pref - zeek::val_mgr->Bool(icmpp->icmp_wpa & 0x04), // Proxy - zeek::val_mgr->Count(icmpp->icmp_wpa & 0x02), // Reserved - zeek::make_intrusive((double)ntohs(icmpp->icmp_lifetime), Seconds), - zeek::make_intrusive((double)ntohl(reachable), Milliseconds), - zeek::make_intrusive((double)ntohl(retrans), Milliseconds), + val_mgr->Count(icmpp->icmp_num_addrs), // Cur Hop Limit + val_mgr->Bool(icmpp->icmp_wpa & 0x80), // Managed + val_mgr->Bool(icmpp->icmp_wpa & 0x40), // Other + val_mgr->Bool(icmpp->icmp_wpa & 0x20), // Home Agent + val_mgr->Count((icmpp->icmp_wpa & 0x18)>>3), // Pref + val_mgr->Bool(icmpp->icmp_wpa & 0x04), // Proxy + val_mgr->Count(icmpp->icmp_wpa & 0x02), // Reserved + make_intrusive((double)ntohs(icmpp->icmp_lifetime), Seconds), + make_intrusive((double)ntohl(reachable), Milliseconds), + make_intrusive((double)ntohl(retrans), Milliseconds), BuildNDOptionsVal(caplen - opt_offset, data + opt_offset) ); } void ICMP_Analyzer::NeighborAdvert(double t, const struct icmp* icmpp, int len, - int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr) + int caplen, const u_char*& data, const IP_Hdr* ip_hdr) { - zeek::EventHandlerPtr f = icmp_neighbor_advertisement; + EventHandlerPtr f = icmp_neighbor_advertisement; if ( ! f ) return; - zeek::IPAddr tgtaddr; + IPAddr tgtaddr; if ( caplen >= (int)sizeof(in6_addr) ) - tgtaddr = zeek::IPAddr(*((const in6_addr*)data)); + tgtaddr = IPAddr(*((const in6_addr*)data)); int opt_offset = sizeof(in6_addr); @@ -600,27 +600,27 @@ void ICMP_Analyzer::NeighborAdvert(double t, const struct icmp* icmpp, int len, ConnVal(), BuildICMPVal(icmpp, len, 1, ip_hdr), BuildInfo(icmpp, len, 1, ip_hdr), - zeek::val_mgr->Bool(icmpp->icmp_num_addrs & 0x80), // Router - zeek::val_mgr->Bool(icmpp->icmp_num_addrs & 0x40), // Solicited - zeek::val_mgr->Bool(icmpp->icmp_num_addrs & 0x20), // Override - zeek::make_intrusive(tgtaddr), + val_mgr->Bool(icmpp->icmp_num_addrs & 0x80), // Router + val_mgr->Bool(icmpp->icmp_num_addrs & 0x40), // Solicited + val_mgr->Bool(icmpp->icmp_num_addrs & 0x20), // Override + make_intrusive(tgtaddr), BuildNDOptionsVal(caplen - opt_offset, data + opt_offset) ); } void ICMP_Analyzer::NeighborSolicit(double t, const struct icmp* icmpp, int len, - int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr) + int caplen, const u_char*& data, const IP_Hdr* ip_hdr) { - zeek::EventHandlerPtr f = icmp_neighbor_solicitation; + EventHandlerPtr f = icmp_neighbor_solicitation; if ( ! f ) return; - zeek::IPAddr tgtaddr; + IPAddr tgtaddr; if ( caplen >= (int)sizeof(in6_addr) ) - tgtaddr = zeek::IPAddr(*((const in6_addr*)data)); + tgtaddr = IPAddr(*((const in6_addr*)data)); int opt_offset = sizeof(in6_addr); @@ -628,27 +628,27 @@ void ICMP_Analyzer::NeighborSolicit(double t, const struct icmp* icmpp, int len, ConnVal(), BuildICMPVal(icmpp, len, 1, ip_hdr), BuildInfo(icmpp, len, 1, ip_hdr), - zeek::make_intrusive(tgtaddr), + make_intrusive(tgtaddr), BuildNDOptionsVal(caplen - opt_offset, data + opt_offset) ); } void ICMP_Analyzer::Redirect(double t, const struct icmp* icmpp, int len, - int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr) + int caplen, const u_char*& data, const IP_Hdr* ip_hdr) { - zeek::EventHandlerPtr f = icmp_redirect; + EventHandlerPtr f = icmp_redirect; if ( ! f ) return; - zeek::IPAddr tgtaddr, dstaddr; + IPAddr tgtaddr, dstaddr; if ( caplen >= (int)sizeof(in6_addr) ) - tgtaddr = zeek::IPAddr(*((const in6_addr*)data)); + tgtaddr = IPAddr(*((const in6_addr*)data)); if ( caplen >= 2 * (int)sizeof(in6_addr) ) - dstaddr = zeek::IPAddr(*((const in6_addr*)(data + sizeof(in6_addr)))); + dstaddr = IPAddr(*((const in6_addr*)(data + sizeof(in6_addr)))); int opt_offset = 2 * sizeof(in6_addr); @@ -656,17 +656,17 @@ void ICMP_Analyzer::Redirect(double t, const struct icmp* icmpp, int len, ConnVal(), BuildICMPVal(icmpp, len, 1, ip_hdr), BuildInfo(icmpp, len, 1, ip_hdr), - zeek::make_intrusive(tgtaddr), - zeek::make_intrusive(dstaddr), + make_intrusive(tgtaddr), + make_intrusive(dstaddr), BuildNDOptionsVal(caplen - opt_offset, data + opt_offset) ); } void ICMP_Analyzer::RouterSolicit(double t, const struct icmp* icmpp, int len, - int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr) + int caplen, const u_char*& data, const IP_Hdr* ip_hdr) { - zeek::EventHandlerPtr f = icmp_router_solicitation; + EventHandlerPtr f = icmp_router_solicitation; if ( ! f ) return; @@ -681,9 +681,9 @@ void ICMP_Analyzer::RouterSolicit(double t, const struct icmp* icmpp, int len, void ICMP_Analyzer::Context4(double t, const struct icmp* icmpp, - int len, int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr) + int len, int caplen, const u_char*& data, const IP_Hdr* ip_hdr) { - zeek::EventHandlerPtr f = nullptr; + EventHandlerPtr f = nullptr; switch ( icmpp->icmp_type ) { @@ -701,16 +701,16 @@ void ICMP_Analyzer::Context4(double t, const struct icmp* icmpp, ConnVal(), BuildICMPVal(icmpp, len, 0, ip_hdr), BuildInfo(icmpp, len, 0, ip_hdr), - zeek::val_mgr->Count(icmpp->icmp_code), + val_mgr->Count(icmpp->icmp_code), ExtractICMP4Context(caplen, data) ); } void ICMP_Analyzer::Context6(double t, const struct icmp* icmpp, - int len, int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr) + int len, int caplen, const u_char*& data, const IP_Hdr* ip_hdr) { - zeek::EventHandlerPtr f = nullptr; + EventHandlerPtr f = nullptr; switch ( icmpp->icmp_type ) { @@ -740,18 +740,18 @@ void ICMP_Analyzer::Context6(double t, const struct icmp* icmpp, ConnVal(), BuildICMPVal(icmpp, len, 1, ip_hdr), BuildInfo(icmpp, len, 1, ip_hdr), - zeek::val_mgr->Count(icmpp->icmp_code), + val_mgr->Count(icmpp->icmp_code), ExtractICMP6Context(caplen, data) ); } -zeek::VectorValPtr ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* data) +VectorValPtr ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* data) { - static auto icmp6_nd_option_type = zeek::id::find_type("icmp6_nd_option"); - static auto icmp6_nd_prefix_info_type = zeek::id::find_type("icmp6_nd_prefix_info"); + static auto icmp6_nd_option_type = id::find_type("icmp6_nd_option"); + static auto icmp6_nd_prefix_info_type = id::find_type("icmp6_nd_prefix_info"); - auto vv = zeek::make_intrusive( - zeek::id::find_type("icmp6_nd_options")); + auto vv = make_intrusive( + id::find_type("icmp6_nd_options")); while ( caplen > 0 ) { @@ -771,9 +771,9 @@ zeek::VectorValPtr ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* da break; } - auto rv = zeek::make_intrusive(icmp6_nd_option_type); - rv->Assign(0, zeek::val_mgr->Count(type)); - rv->Assign(1, zeek::val_mgr->Count(length)); + auto rv = make_intrusive(icmp6_nd_option_type); + rv->Assign(0, val_mgr->Count(type)); + rv->Assign(1, val_mgr->Count(length)); // Adjust length to be in units of bytes, exclude type/length fields. length = length * 8 - 2; @@ -791,8 +791,8 @@ zeek::VectorValPtr ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* da { if ( caplen >= length ) { - zeek::String* link_addr = new zeek::String(data, length, false); - rv->Assign(2, zeek::make_intrusive(link_addr)); + String* link_addr = new String(data, length, false); + rv->Assign(2, make_intrusive(link_addr)); } else set_payload_field = true; @@ -805,19 +805,19 @@ zeek::VectorValPtr ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* da { if ( caplen >= 30 ) { - auto info = zeek::make_intrusive(icmp6_nd_prefix_info_type); + auto info = make_intrusive(icmp6_nd_prefix_info_type); uint8_t prefix_len = *((const uint8_t*)(data)); bool L_flag = (*((const uint8_t*)(data + 1)) & 0x80) != 0; bool A_flag = (*((const uint8_t*)(data + 1)) & 0x40) != 0; uint32_t valid_life = *((const uint32_t*)(data + 2)); uint32_t prefer_life = *((const uint32_t*)(data + 6)); in6_addr prefix = *((const in6_addr*)(data + 14)); - info->Assign(0, zeek::val_mgr->Count(prefix_len)); - info->Assign(1, zeek::val_mgr->Bool(L_flag)); - info->Assign(2, zeek::val_mgr->Bool(A_flag)); - info->Assign(3, zeek::make_intrusive((double)ntohl(valid_life), Seconds)); - info->Assign(4, zeek::make_intrusive((double)ntohl(prefer_life), Seconds)); - info->Assign(5, zeek::make_intrusive(zeek::IPAddr(prefix))); + info->Assign(0, val_mgr->Count(prefix_len)); + info->Assign(1, val_mgr->Bool(L_flag)); + info->Assign(2, val_mgr->Bool(A_flag)); + info->Assign(3, make_intrusive((double)ntohl(valid_life), Seconds)); + info->Assign(4, make_intrusive((double)ntohl(prefer_life), Seconds)); + info->Assign(5, make_intrusive(IPAddr(prefix))); rv->Assign(3, std::move(info)); } @@ -845,7 +845,7 @@ zeek::VectorValPtr ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* da // MTU option { if ( caplen >= 6 ) - rv->Assign(5, zeek::val_mgr->Count(ntohl(*((const uint32_t*)(data + 2))))); + rv->Assign(5, val_mgr->Count(ntohl(*((const uint32_t*)(data + 2))))); else set_payload_field = true; @@ -861,8 +861,8 @@ zeek::VectorValPtr ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* da if ( set_payload_field ) { - zeek::String* payload = new zeek::String(data, std::min((int)length, caplen), false); - rv->Assign(6, zeek::make_intrusive(payload)); + String* payload = new String(data, std::min((int)length, caplen), false); + rv->Assign(6, make_intrusive(payload)); } data += length; diff --git a/src/analyzer/protocol/icmp/ICMP.h b/src/analyzer/protocol/icmp/ICMP.h index 8cf6c8572a..b2f20df694 100644 --- a/src/analyzer/protocol/icmp/ICMP.h +++ b/src/analyzer/protocol/icmp/ICMP.h @@ -8,7 +8,7 @@ ZEEK_FORWARD_DECLARE_NAMESPACED(VectorVal, zeek); namespace zeek { -using VectorValPtr = zeek::IntrusivePtr; +using VectorValPtr = IntrusivePtr; } namespace zeek::analyzer::icmp { @@ -20,77 +20,77 @@ enum ICMP_EndpointState { // We do not have an PIA for ICMP (yet) and therefore derive from // RuleMatcherState to perform our own matching. -class ICMP_Analyzer final : public zeek::analyzer::TransportLayerAnalyzer { +class ICMP_Analyzer final : public analyzer::TransportLayerAnalyzer { public: - explicit ICMP_Analyzer(zeek::Connection* conn); + explicit ICMP_Analyzer(Connection* conn); - void UpdateConnVal(zeek::RecordVal *conn_val) override; + void UpdateConnVal(RecordVal *conn_val) override; - static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) + static analyzer::Analyzer* Instantiate(Connection* conn) { return new ICMP_Analyzer(conn); } protected: void Done() override; void DeliverPacket(int len, const u_char* data, bool orig, - uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override; + uint64_t seq, const IP_Hdr* ip, int caplen) override; bool IsReuse(double t, const u_char* pkt) override; unsigned int MemoryAllocation() const override; void ICMP_Sent(const struct icmp* icmpp, int len, int caplen, int icmpv6, - const u_char* data, const zeek::IP_Hdr* ip_hdr); + const u_char* data, const IP_Hdr* ip_hdr); void Echo(double t, const struct icmp* icmpp, int len, - int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr); + int caplen, const u_char*& data, const IP_Hdr* ip_hdr); void Redirect(double t, const struct icmp* icmpp, int len, - int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr); + int caplen, const u_char*& data, const IP_Hdr* ip_hdr); void RouterAdvert(double t, const struct icmp* icmpp, int len, - int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr); + int caplen, const u_char*& data, const IP_Hdr* ip_hdr); void NeighborAdvert(double t, const struct icmp* icmpp, int len, - int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr); + int caplen, const u_char*& data, const IP_Hdr* ip_hdr); void NeighborSolicit(double t, const struct icmp* icmpp, int len, - int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr); + int caplen, const u_char*& data, const IP_Hdr* ip_hdr); void RouterSolicit(double t, const struct icmp* icmpp, int len, - int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr); + int caplen, const u_char*& data, const IP_Hdr* ip_hdr); - void Describe(zeek::ODesc* d) const; + void Describe(ODesc* d) const; - zeek::RecordValPtr BuildICMPVal(const struct icmp* icmpp, int len, - int icmpv6, const zeek::IP_Hdr* ip_hdr); + RecordValPtr BuildICMPVal(const struct icmp* icmpp, int len, + int icmpv6, const IP_Hdr* ip_hdr); - zeek::RecordValPtr BuildInfo(const struct icmp* icmpp, int len, - bool icmpv6, const zeek::IP_Hdr* ip_hdr); + RecordValPtr BuildInfo(const struct icmp* icmpp, int len, + bool icmpv6, const IP_Hdr* ip_hdr); void NextICMP4(double t, const struct icmp* icmpp, int len, int caplen, - const u_char*& data, const zeek::IP_Hdr* ip_hdr ); + const u_char*& data, const IP_Hdr* ip_hdr ); - zeek::RecordValPtr ExtractICMP4Context(int len, const u_char*& data); + RecordValPtr ExtractICMP4Context(int len, const u_char*& data); void Context4(double t, const struct icmp* icmpp, int len, int caplen, - const u_char*& data, const zeek::IP_Hdr* ip_hdr); + const u_char*& data, const IP_Hdr* ip_hdr); - TransportProto GetContextProtocol(const zeek::IP_Hdr* ip_hdr, uint32_t* src_port, + TransportProto GetContextProtocol(const IP_Hdr* ip_hdr, uint32_t* src_port, uint32_t* dst_port); void NextICMP6(double t, const struct icmp* icmpp, int len, int caplen, - const u_char*& data, const zeek::IP_Hdr* ip_hdr ); + const u_char*& data, const IP_Hdr* ip_hdr ); - zeek::RecordValPtr ExtractICMP6Context(int len, const u_char*& data); + RecordValPtr ExtractICMP6Context(int len, const u_char*& data); void Context6(double t, const struct icmp* icmpp, int len, int caplen, - const u_char*& data, const zeek::IP_Hdr* ip_hdr); + const u_char*& data, const IP_Hdr* ip_hdr); // RFC 4861 Neighbor Discover message options - zeek::VectorValPtr BuildNDOptionsVal(int caplen, const u_char* data); + VectorValPtr BuildNDOptionsVal(int caplen, const u_char* data); - zeek::RecordValPtr icmp_conn_val; + RecordValPtr icmp_conn_val; int type; int code; int request_len, reply_len; - zeek::detail::RuleMatcherState matcher_state; + detail::RuleMatcherState matcher_state; private: - void UpdateEndpointVal(const zeek::ValPtr& endp, bool is_orig); + void UpdateEndpointVal(const ValPtr& endp, bool is_orig); }; // Returns the counterpart type to the given type (e.g., the counterpart diff --git a/src/analyzer/protocol/ident/Ident.cc b/src/analyzer/protocol/ident/Ident.cc index 9207ea8517..4a4bdd1b4a 100644 --- a/src/analyzer/protocol/ident/Ident.cc +++ b/src/analyzer/protocol/ident/Ident.cc @@ -13,13 +13,13 @@ namespace zeek::analyzer::ident { -Ident_Analyzer::Ident_Analyzer(zeek::Connection* conn) -: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("IDENT", conn) +Ident_Analyzer::Ident_Analyzer(Connection* conn) +: analyzer::tcp::TCP_ApplicationAnalyzer("IDENT", conn) { did_bad_reply = did_deliver = false; - orig_ident = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, true, 1000); - resp_ident = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, false, 1000); + orig_ident = new analyzer::tcp::ContentLine_Analyzer(conn, true, 1000); + resp_ident = new analyzer::tcp::ContentLine_Analyzer(conn, false, 1000); orig_ident->SetIsNULSensitive(true); resp_ident->SetIsNULSensitive(true); @@ -30,29 +30,29 @@ Ident_Analyzer::Ident_Analyzer(zeek::Connection* conn) void Ident_Analyzer::Done() { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); + analyzer::tcp::TCP_ApplicationAnalyzer::Done(); if ( TCP() ) if ( (! did_deliver || orig_ident->HasPartialLine()) && - (TCP()->OrigState() == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED || - TCP()->OrigPrevState() == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED) && - TCP()->OrigPrevState() != zeek::analyzer::tcp::TCP_ENDPOINT_PARTIAL && - TCP()->RespPrevState() != zeek::analyzer::tcp::TCP_ENDPOINT_PARTIAL && - TCP()->OrigPrevState() != zeek::analyzer::tcp::TCP_ENDPOINT_INACTIVE && - TCP()->RespPrevState() != zeek::analyzer::tcp::TCP_ENDPOINT_INACTIVE ) + (TCP()->OrigState() == analyzer::tcp::TCP_ENDPOINT_CLOSED || + TCP()->OrigPrevState() == analyzer::tcp::TCP_ENDPOINT_CLOSED) && + TCP()->OrigPrevState() != analyzer::tcp::TCP_ENDPOINT_PARTIAL && + TCP()->RespPrevState() != analyzer::tcp::TCP_ENDPOINT_PARTIAL && + TCP()->OrigPrevState() != analyzer::tcp::TCP_ENDPOINT_INACTIVE && + TCP()->RespPrevState() != analyzer::tcp::TCP_ENDPOINT_INACTIVE ) Weird("partial_ident_request"); } void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(length, data, is_orig); + analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(length, data, is_orig); int remote_port, local_port; const char* line = (const char*) data; const char* orig_line = line; const char* end_of_line = line + length; - zeek::analyzer::tcp::TCP_Endpoint* s = nullptr; + analyzer::tcp::TCP_Endpoint* s = nullptr; if ( TCP() ) s = is_orig ? TCP()->Orig() : TCP()->Resp(); @@ -68,9 +68,9 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig) line = ParsePair(line, end_of_line, remote_port, local_port); if ( ! line ) { - if ( s && s->state == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED && - (s->prev_state == zeek::analyzer::tcp::TCP_ENDPOINT_INACTIVE || - s->prev_state == zeek::analyzer::tcp::TCP_ENDPOINT_PARTIAL) ) + if ( s && s->state == analyzer::tcp::TCP_ENDPOINT_CLOSED && + (s->prev_state == analyzer::tcp::TCP_ENDPOINT_INACTIVE || + s->prev_state == analyzer::tcp::TCP_ENDPOINT_PARTIAL) ) // not surprising the request is mangled. return; @@ -80,14 +80,14 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig) if ( line != end_of_line ) { - zeek::String s((const u_char*)orig_line, length, true); + String s((const u_char*)orig_line, length, true); Weird("ident_request_addendum", s.CheckString()); } EnqueueConnEvent(ident_request, ConnVal(), - zeek::val_mgr->Port(local_port, TRANSPORT_TCP), - zeek::val_mgr->Port(remote_port, TRANSPORT_TCP) + val_mgr->Port(local_port, TRANSPORT_TCP), + val_mgr->Port(remote_port, TRANSPORT_TCP) ); did_deliver = true; @@ -102,9 +102,9 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig) if ( ! line || line == end_of_line || line[0] != ':' ) { - if ( s && s->state == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED && - (s->prev_state == zeek::analyzer::tcp::TCP_ENDPOINT_INACTIVE || - s->prev_state == zeek::analyzer::tcp::TCP_ENDPOINT_PARTIAL) ) + if ( s && s->state == analyzer::tcp::TCP_ENDPOINT_CLOSED && + (s->prev_state == analyzer::tcp::TCP_ENDPOINT_INACTIVE || + s->prev_state == analyzer::tcp::TCP_ENDPOINT_PARTIAL) ) // not surprising the request is mangled. return; @@ -112,7 +112,7 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig) return; } - line = zeek::util::skip_whitespace(line + 1, end_of_line); + line = util::skip_whitespace(line + 1, end_of_line); int restlen = end_of_line - line; int is_error; @@ -132,7 +132,7 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig) return; } - line = zeek::util::skip_whitespace(line, end_of_line); + line = util::skip_whitespace(line, end_of_line); if ( line >= end_of_line || line[0] != ':' ) { @@ -140,16 +140,16 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig) return; } - line = zeek::util::skip_whitespace(line + 1, end_of_line); + line = util::skip_whitespace(line + 1, end_of_line); if ( is_error ) { if ( ident_error ) EnqueueConnEvent(ident_error, ConnVal(), - zeek::val_mgr->Port(local_port, TRANSPORT_TCP), - zeek::val_mgr->Port(remote_port, TRANSPORT_TCP), - zeek::make_intrusive(end_of_line - line, line) + val_mgr->Port(local_port, TRANSPORT_TCP), + val_mgr->Port(remote_port, TRANSPORT_TCP), + make_intrusive(end_of_line - line, line) ); } @@ -172,18 +172,18 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig) while ( --sys_end > sys_type && isspace(*sys_end) ) ; - zeek::String* sys_type_s = - new zeek::String((const u_char*) sys_type, + String* sys_type_s = + new String((const u_char*) sys_type, sys_end - sys_type + 1, true); - line = zeek::util::skip_whitespace(colon + 1, end_of_line); + line = util::skip_whitespace(colon + 1, end_of_line); EnqueueConnEvent(ident_reply, ConnVal(), - zeek::val_mgr->Port(local_port, TRANSPORT_TCP), - zeek::val_mgr->Port(remote_port, TRANSPORT_TCP), - zeek::make_intrusive(end_of_line - line, line), - zeek::make_intrusive(sys_type_s) + val_mgr->Port(local_port, TRANSPORT_TCP), + val_mgr->Port(remote_port, TRANSPORT_TCP), + make_intrusive(end_of_line - line, line), + make_intrusive(sys_type_s) ); } } @@ -214,7 +214,7 @@ const char* Ident_Analyzer::ParsePort(const char* line, const char* end_of_line, { int n = 0; - line = zeek::util::skip_whitespace(line, end_of_line); + line = util::skip_whitespace(line, end_of_line); if ( line >= end_of_line || ! isdigit(*line) ) return nullptr; @@ -227,7 +227,7 @@ const char* Ident_Analyzer::ParsePort(const char* line, const char* end_of_line, } while ( line < end_of_line && isdigit(*line) ); - line = zeek::util::skip_whitespace(line, end_of_line); + line = util::skip_whitespace(line, end_of_line); if ( n < 0 || n > 65535 ) { @@ -242,7 +242,7 @@ const char* Ident_Analyzer::ParsePort(const char* line, const char* end_of_line, void Ident_Analyzer::BadRequest(int length, const char* line) { - zeek::String s((const u_char*)line, length, true); + String s((const u_char*)line, length, true); Weird("bad_ident_request", s.CheckString()); } @@ -250,7 +250,7 @@ void Ident_Analyzer::BadReply(int length, const char* line) { if ( ! did_bad_reply ) { - zeek::String s((const u_char*)line, length, true); + String s((const u_char*)line, length, true); Weird("bad_ident_reply", s.CheckString()); did_bad_reply = true; } diff --git a/src/analyzer/protocol/ident/Ident.h b/src/analyzer/protocol/ident/Ident.h index c5ffb00494..a57849e011 100644 --- a/src/analyzer/protocol/ident/Ident.h +++ b/src/analyzer/protocol/ident/Ident.h @@ -7,14 +7,14 @@ namespace zeek::analyzer::ident { -class Ident_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { +class Ident_Analyzer : public analyzer::tcp::TCP_ApplicationAnalyzer { public: - explicit Ident_Analyzer(zeek::Connection* conn); + explicit Ident_Analyzer(Connection* conn); void Done() override; void DeliverStream(int length, const u_char* data, bool is_orig) override; - static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) + static analyzer::Analyzer* Instantiate(Connection* conn) { return new Ident_Analyzer(conn); } protected: @@ -26,8 +26,8 @@ protected: void BadRequest(int length, const char* line); void BadReply(int length, const char* line); - zeek::analyzer::tcp::ContentLine_Analyzer* orig_ident; - zeek::analyzer::tcp::ContentLine_Analyzer* resp_ident; + analyzer::tcp::ContentLine_Analyzer* orig_ident; + analyzer::tcp::ContentLine_Analyzer* resp_ident; bool did_deliver; bool did_bad_reply; diff --git a/src/analyzer/protocol/imap/IMAP.cc b/src/analyzer/protocol/imap/IMAP.cc index 3ed2fb4712..2bd4ff2bd4 100644 --- a/src/analyzer/protocol/imap/IMAP.cc +++ b/src/analyzer/protocol/imap/IMAP.cc @@ -6,8 +6,8 @@ namespace zeek::analyzer::imap { -IMAP_Analyzer::IMAP_Analyzer(zeek::Connection* conn) - : zeek::analyzer::tcp::TCP_ApplicationAnalyzer("IMAP", conn) +IMAP_Analyzer::IMAP_Analyzer(Connection* conn) + : analyzer::tcp::TCP_ApplicationAnalyzer("IMAP", conn) { interp = new binpac::IMAP::IMAP_Conn(this); had_gap = false; @@ -21,7 +21,7 @@ IMAP_Analyzer::~IMAP_Analyzer() void IMAP_Analyzer::Done() { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); + analyzer::tcp::TCP_ApplicationAnalyzer::Done(); interp->FlowEOF(true); interp->FlowEOF(false); @@ -29,13 +29,13 @@ void IMAP_Analyzer::Done() void IMAP_Analyzer::EndpointEOF(bool is_orig) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); + analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); interp->FlowEOF(is_orig); } void IMAP_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); + analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); if ( tls_active ) { @@ -61,13 +61,13 @@ void IMAP_Analyzer::DeliverStream(int len, const u_char* data, bool orig) } catch ( const binpac::Exception& e ) { - ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg())); + ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg())); } } void IMAP_Analyzer::Undelivered(uint64_t seq, int len, bool orig) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); + analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); had_gap = true; interp->NewGap(orig, len); } @@ -79,7 +79,7 @@ void IMAP_Analyzer::StartTLS() // TLS datastream. tls_active = true; - Analyzer* ssl = zeek::analyzer_mgr->InstantiateAnalyzer("SSL", Conn()); + Analyzer* ssl = analyzer_mgr->InstantiateAnalyzer("SSL", Conn()); if ( ssl ) AddChildAnalyzer(ssl); } diff --git a/src/analyzer/protocol/imap/IMAP.h b/src/analyzer/protocol/imap/IMAP.h index e39560ac9f..e287bbc055 100644 --- a/src/analyzer/protocol/imap/IMAP.h +++ b/src/analyzer/protocol/imap/IMAP.h @@ -10,21 +10,21 @@ namespace zeek::analyzer::imap { -class IMAP_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { +class IMAP_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer { public: - explicit IMAP_Analyzer(zeek::Connection* conn); + explicit IMAP_Analyzer(Connection* conn); ~IMAP_Analyzer() override; void Done() override; void DeliverStream(int len, const u_char* data, bool orig) override; void Undelivered(uint64_t seq, int len, bool orig) override; - // Overriden from zeek::analyzer::tcp::TCP_ApplicationAnalyzer. + // Overriden from analyzer::tcp::TCP_ApplicationAnalyzer. void EndpointEOF(bool is_orig) override; void StartTLS(); - static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) + static analyzer::Analyzer* Instantiate(Connection* conn) { return new IMAP_Analyzer(conn); } protected: diff --git a/src/analyzer/protocol/irc/IRC.cc b/src/analyzer/protocol/irc/IRC.cc index 162959f016..f52f51bb60 100644 --- a/src/analyzer/protocol/irc/IRC.cc +++ b/src/analyzer/protocol/irc/IRC.cc @@ -13,8 +13,8 @@ using namespace std; namespace zeek::analyzer::irc { -IRC_Analyzer::IRC_Analyzer(zeek::Connection* conn) -: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("IRC", conn) +IRC_Analyzer::IRC_Analyzer(Connection* conn) +: analyzer::tcp::TCP_ApplicationAnalyzer("IRC", conn) { invalid_msg_count = 0; invalid_msg_max_count = 20; @@ -23,15 +23,15 @@ IRC_Analyzer::IRC_Analyzer(zeek::Connection* conn) orig_zip_status = NO_ZIP; resp_zip_status = NO_ZIP; starttls = false; - cl_orig = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, true, 1000); + cl_orig = new analyzer::tcp::ContentLine_Analyzer(conn, true, 1000); AddSupportAnalyzer(cl_orig); - cl_resp = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, false, 1000); + cl_resp = new analyzer::tcp::ContentLine_Analyzer(conn, false, 1000); AddSupportAnalyzer(cl_resp); } void IRC_Analyzer::Done() { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); + analyzer::tcp::TCP_ApplicationAnalyzer::Done(); } inline void IRC_Analyzer::SkipLeadingWhitespace(string& str) @@ -45,9 +45,9 @@ inline void IRC_Analyzer::SkipLeadingWhitespace(string& str) void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) { - static auto irc_join_list = zeek::id::find_type("irc_join_list"); - static auto irc_join_info = zeek::id::find_type("irc_join_info"); - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(length, line, orig); + static auto irc_join_list = id::find_type("irc_join_list"); + static auto irc_join_info = id::find_type("irc_join_info"); + analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(length, line, orig); if ( starttls ) { @@ -239,10 +239,10 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) EnqueueConnEvent(irc_network_info, ConnVal(), - zeek::val_mgr->Bool(orig), - zeek::val_mgr->Int(users), - zeek::val_mgr->Int(services), - zeek::val_mgr->Int(servers)); + val_mgr->Bool(orig), + val_mgr->Int(users), + val_mgr->Int(services), + val_mgr->Int(servers)); } break; @@ -273,21 +273,21 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) if ( parts.size() > 0 && parts[0][0] == ':' ) parts[0] = parts[0].substr(1); - auto set = zeek::make_intrusive(zeek::id::string_set); + auto set = make_intrusive(id::string_set); for ( auto& part : parts ) { if ( part[0] == '@' ) part = part.substr(1); - auto idx = zeek::make_intrusive(part); + auto idx = make_intrusive(part); set->Assign(std::move(idx), nullptr); } EnqueueConnEvent(irc_names_info, ConnVal(), - zeek::val_mgr->Bool(orig), - zeek::make_intrusive(type.c_str()), - zeek::make_intrusive(channel.c_str()), + val_mgr->Bool(orig), + make_intrusive(type.c_str()), + make_intrusive(channel.c_str()), std::move(set)); } break; @@ -318,10 +318,10 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) EnqueueConnEvent(irc_server_info, ConnVal(), - zeek::val_mgr->Bool(orig), - zeek::val_mgr->Int(users), - zeek::val_mgr->Int(services), - zeek::val_mgr->Int(servers)); + val_mgr->Bool(orig), + val_mgr->Int(users), + val_mgr->Int(services), + val_mgr->Int(servers)); } break; @@ -339,8 +339,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) EnqueueConnEvent(irc_channel_info, ConnVal(), - zeek::val_mgr->Bool(orig), - zeek::val_mgr->Int(channels)); + val_mgr->Bool(orig), + val_mgr->Int(channels)); } break; @@ -370,9 +370,9 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) EnqueueConnEvent(irc_global_users, ConnVal(), - zeek::val_mgr->Bool(orig), - zeek::make_intrusive(eop - prefix, prefix), - zeek::make_intrusive(++msg)); + val_mgr->Bool(orig), + make_intrusive(eop - prefix, prefix), + make_intrusive(++msg)); break; } @@ -392,13 +392,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) return; } - zeek::Args vl; + Args vl; vl.reserve(6); vl.emplace_back(ConnVal()); - vl.emplace_back(zeek::val_mgr->Bool(orig)); - vl.emplace_back(zeek::make_intrusive(parts[0].c_str())); - vl.emplace_back(zeek::make_intrusive(parts[1].c_str())); - vl.emplace_back(zeek::make_intrusive(parts[2].c_str())); + vl.emplace_back(val_mgr->Bool(orig)); + vl.emplace_back(make_intrusive(parts[0].c_str())); + vl.emplace_back(make_intrusive(parts[1].c_str())); + vl.emplace_back(make_intrusive(parts[2].c_str())); parts.erase(parts.begin(), parts.begin() + 4); @@ -409,7 +409,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) if ( real_name[0] == ':' ) real_name = real_name.substr(1); - vl.emplace_back(zeek::make_intrusive(real_name.c_str())); + vl.emplace_back(make_intrusive(real_name.c_str())); EnqueueConnEvent(irc_whois_user_line, std::move(vl)); } @@ -434,8 +434,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) EnqueueConnEvent(irc_whois_operator_line, ConnVal(), - zeek::val_mgr->Bool(orig), - zeek::make_intrusive(parts[0].c_str())); + val_mgr->Bool(orig), + make_intrusive(parts[0].c_str())); } break; @@ -461,18 +461,18 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) if ( parts.size() > 0 && parts[0][0] == ':' ) parts[0] = parts[0].substr(1); - auto set = zeek::make_intrusive(zeek::id::string_set); + auto set = make_intrusive(id::string_set); for ( const auto& part : parts ) { - auto idx = zeek::make_intrusive(part); + auto idx = make_intrusive(part); set->Assign(std::move(idx), nullptr); } EnqueueConnEvent(irc_whois_channel_line, ConnVal(), - zeek::val_mgr->Bool(orig), - zeek::make_intrusive(nick.c_str()), + val_mgr->Bool(orig), + make_intrusive(nick.c_str()), std::move(set)); } break; @@ -501,9 +501,9 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) EnqueueConnEvent(irc_channel_topic, ConnVal(), - zeek::val_mgr->Bool(orig), - zeek::make_intrusive(parts[1].c_str()), - zeek::make_intrusive(t)); + val_mgr->Bool(orig), + make_intrusive(parts[1].c_str()), + make_intrusive(t)); } else { @@ -534,16 +534,16 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) EnqueueConnEvent(irc_who_line, ConnVal(), - zeek::val_mgr->Bool(orig), - zeek::make_intrusive(parts[0].c_str()), - zeek::make_intrusive(parts[1].c_str()), - zeek::make_intrusive(parts[2].c_str()), - zeek::make_intrusive(parts[3].c_str()), - zeek::make_intrusive(parts[4].c_str()), - zeek::make_intrusive(parts[5].c_str()), - zeek::make_intrusive(parts[6].c_str()), - zeek::val_mgr->Int(atoi(parts[7].c_str())), - zeek::make_intrusive(parts[8].c_str())); + val_mgr->Bool(orig), + make_intrusive(parts[0].c_str()), + make_intrusive(parts[1].c_str()), + make_intrusive(parts[2].c_str()), + make_intrusive(parts[3].c_str()), + make_intrusive(parts[4].c_str()), + make_intrusive(parts[5].c_str()), + make_intrusive(parts[6].c_str()), + val_mgr->Int(atoi(parts[7].c_str())), + make_intrusive(parts[8].c_str())); } break; @@ -555,7 +555,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) if ( irc_invalid_nick ) EnqueueConnEvent(irc_invalid_nick, ConnVal(), - zeek::val_mgr->Bool(orig)); + val_mgr->Bool(orig)); break; // Operator responses. @@ -564,8 +564,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) if ( irc_oper_response ) EnqueueConnEvent(irc_oper_response, ConnVal(), - zeek::val_mgr->Bool(orig), - zeek::val_mgr->Bool(code == 381)); + val_mgr->Bool(orig), + val_mgr->Bool(code == 381)); break; case 670: @@ -578,10 +578,10 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) if ( irc_reply ) EnqueueConnEvent(irc_reply, ConnVal(), - zeek::val_mgr->Bool(orig), - zeek::make_intrusive(prefix.c_str()), - zeek::val_mgr->Count(code), - zeek::make_intrusive(params.c_str())); + val_mgr->Bool(orig), + make_intrusive(prefix.c_str()), + val_mgr->Count(code), + make_intrusive(params.c_str())); break; } return; @@ -648,14 +648,14 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) if ( irc_dcc_message ) EnqueueConnEvent(irc_dcc_message, ConnVal(), - zeek::val_mgr->Bool(orig), - zeek::make_intrusive(prefix.c_str()), - zeek::make_intrusive(target.c_str()), - zeek::make_intrusive(parts[1].c_str()), - zeek::make_intrusive(parts[2].c_str()), - zeek::make_intrusive(htonl(raw_ip)), - zeek::val_mgr->Count(atoi(parts[4].c_str())), - parts.size() >= 6 ? zeek::val_mgr->Count(atoi(parts[5].c_str())) : zeek::val_mgr->Count(0) + val_mgr->Bool(orig), + make_intrusive(prefix.c_str()), + make_intrusive(target.c_str()), + make_intrusive(parts[1].c_str()), + make_intrusive(parts[2].c_str()), + make_intrusive(htonl(raw_ip)), + val_mgr->Count(atoi(parts[4].c_str())), + parts.size() >= 6 ? val_mgr->Count(atoi(parts[5].c_str())) : val_mgr->Count(0) ); } @@ -664,10 +664,10 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) if ( irc_privmsg_message ) EnqueueConnEvent(irc_privmsg_message, ConnVal(), - zeek::val_mgr->Bool(orig), - zeek::make_intrusive(prefix.c_str()), - zeek::make_intrusive(target.c_str()), - zeek::make_intrusive(message.c_str()) + val_mgr->Bool(orig), + make_intrusive(prefix.c_str()), + make_intrusive(target.c_str()), + make_intrusive(message.c_str()) ); } } @@ -689,10 +689,10 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) EnqueueConnEvent(irc_notice_message, ConnVal(), - zeek::val_mgr->Bool(orig), - zeek::make_intrusive(prefix.c_str()), - zeek::make_intrusive(target.c_str()), - zeek::make_intrusive(message.c_str()) + val_mgr->Bool(orig), + make_intrusive(prefix.c_str()), + make_intrusive(target.c_str()), + make_intrusive(message.c_str()) ); } @@ -713,10 +713,10 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) EnqueueConnEvent(irc_squery_message, ConnVal(), - zeek::val_mgr->Bool(orig), - zeek::make_intrusive(prefix.c_str()), - zeek::make_intrusive(target.c_str()), - zeek::make_intrusive(message.c_str()) + val_mgr->Bool(orig), + make_intrusive(prefix.c_str()), + make_intrusive(target.c_str()), + make_intrusive(message.c_str()) ); } @@ -724,22 +724,22 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) { // extract username and real name vector parts = SplitWords(params, ' '); - zeek::Args vl; + Args vl; vl.reserve(6); vl.emplace_back(ConnVal()); - vl.emplace_back(zeek::val_mgr->Bool(orig)); + vl.emplace_back(val_mgr->Bool(orig)); if ( parts.size() > 0 ) - vl.emplace_back(zeek::make_intrusive(parts[0].c_str())); - else vl.emplace_back(zeek::val_mgr->EmptyString()); + vl.emplace_back(make_intrusive(parts[0].c_str())); + else vl.emplace_back(val_mgr->EmptyString()); if ( parts.size() > 1 ) - vl.emplace_back(zeek::make_intrusive(parts[1].c_str())); - else vl.emplace_back(zeek::val_mgr->EmptyString()); + vl.emplace_back(make_intrusive(parts[1].c_str())); + else vl.emplace_back(val_mgr->EmptyString()); if ( parts.size() > 2 ) - vl.emplace_back(zeek::make_intrusive(parts[2].c_str())); - else vl.emplace_back(zeek::val_mgr->EmptyString()); + vl.emplace_back(make_intrusive(parts[2].c_str())); + else vl.emplace_back(val_mgr->EmptyString()); string realname; for ( size_t i = 3; i < parts.size(); i++ ) @@ -750,7 +750,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) } const char* name = realname.c_str(); - vl.emplace_back(zeek::make_intrusive(*name == ':' ? name + 1 : name)); + vl.emplace_back(make_intrusive(*name == ':' ? name + 1 : name)); EnqueueConnEvent(irc_user_message, std::move(vl)); } @@ -762,9 +762,9 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) if ( parts.size() == 2 ) EnqueueConnEvent(irc_oper_message, ConnVal(), - zeek::val_mgr->Bool(orig), - zeek::make_intrusive(parts[0].c_str()), - zeek::make_intrusive(parts[1].c_str()) + val_mgr->Bool(orig), + make_intrusive(parts[0].c_str()), + make_intrusive(parts[1].c_str()) ); else @@ -781,13 +781,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) return; } - zeek::Args vl; + Args vl; vl.reserve(6); vl.emplace_back(ConnVal()); - vl.emplace_back(zeek::val_mgr->Bool(orig)); - vl.emplace_back(zeek::make_intrusive(prefix.c_str())); - vl.emplace_back(zeek::make_intrusive(parts[0].c_str())); - vl.emplace_back(zeek::make_intrusive(parts[1].c_str())); + vl.emplace_back(val_mgr->Bool(orig)); + vl.emplace_back(make_intrusive(prefix.c_str())); + vl.emplace_back(make_intrusive(parts[0].c_str())); + vl.emplace_back(make_intrusive(parts[1].c_str())); if ( parts.size() > 2 ) { @@ -798,10 +798,10 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) if ( comment[0] == ':' ) comment = comment.substr(1); - vl.emplace_back(zeek::make_intrusive(comment.c_str())); + vl.emplace_back(make_intrusive(comment.c_str())); } else - vl.emplace_back(zeek::val_mgr->EmptyString()); + vl.emplace_back(val_mgr->EmptyString()); EnqueueConnEvent(irc_kick_message, std::move(vl)); } @@ -827,7 +827,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) nickname = prefix.substr(0, pos); } - auto list = zeek::make_intrusive(irc_join_list); + auto list = make_intrusive(irc_join_list); vector channels = SplitWords(parts[0], ','); vector passwords; @@ -838,21 +838,21 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) string empty_string = ""; for ( size_t i = 0; i < channels.size(); ++i ) { - auto info = zeek::make_intrusive(irc_join_info); - info->Assign(0, zeek::make_intrusive(nickname.c_str())); - info->Assign(1, zeek::make_intrusive(channels[i].c_str())); + auto info = make_intrusive(irc_join_info); + info->Assign(0, make_intrusive(nickname.c_str())); + info->Assign(1, make_intrusive(channels[i].c_str())); if ( i < passwords.size() ) - info->Assign(2, zeek::make_intrusive(passwords[i].c_str())); + info->Assign(2, make_intrusive(passwords[i].c_str())); else - info->Assign(2, zeek::make_intrusive(empty_string.c_str())); + info->Assign(2, make_intrusive(empty_string.c_str())); // User mode. - info->Assign(3, zeek::make_intrusive(empty_string.c_str())); + info->Assign(3, make_intrusive(empty_string.c_str())); list->Assign(std::move(info), nullptr); } EnqueueConnEvent(irc_join_message, ConnVal(), - zeek::val_mgr->Bool(orig), + val_mgr->Bool(orig), std::move(list) ); } @@ -871,13 +871,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) parts[1] = parts[1].substr(1); vector users = SplitWords(parts[1], ','); - auto list = zeek::make_intrusive(irc_join_list); + auto list = make_intrusive(irc_join_list); string empty_string = ""; for ( unsigned int i = 0; i < users.size(); ++i ) { - auto info = zeek::make_intrusive(irc_join_info); + auto info = make_intrusive(irc_join_info); string nick = users[i]; string mode = "none"; @@ -901,18 +901,18 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) mode = "voice"; } - info->Assign(0, zeek::make_intrusive(nick.c_str())); - info->Assign(1, zeek::make_intrusive(channel.c_str())); + info->Assign(0, make_intrusive(nick.c_str())); + info->Assign(1, make_intrusive(channel.c_str())); // Password: - info->Assign(2, zeek::make_intrusive(empty_string.c_str())); + info->Assign(2, make_intrusive(empty_string.c_str())); // User mode: - info->Assign(3, zeek::make_intrusive(mode.c_str())); + info->Assign(3, make_intrusive(mode.c_str())); list->Assign(std::move(info), nullptr); } EnqueueConnEvent(irc_join_message, ConnVal(), - zeek::val_mgr->Bool(orig), + val_mgr->Bool(orig), std::move(list) ); } @@ -941,20 +941,20 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) nick = nick.substr(0, pos); vector channelList = SplitWords(channels, ','); - auto set = zeek::make_intrusive(zeek::id::string_set); + auto set = make_intrusive(id::string_set); for ( const auto& channel : channelList ) { - auto idx = zeek::make_intrusive(channel); + auto idx = make_intrusive(channel); set->Assign(std::move(idx), nullptr); } EnqueueConnEvent(irc_part_message, ConnVal(), - zeek::val_mgr->Bool(orig), - zeek::make_intrusive(nick.c_str()), + val_mgr->Bool(orig), + make_intrusive(nick.c_str()), std::move(set), - zeek::make_intrusive(message.c_str()) + make_intrusive(message.c_str()) ); } @@ -974,9 +974,9 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) EnqueueConnEvent(irc_quit_message, ConnVal(), - zeek::val_mgr->Bool(orig), - zeek::make_intrusive(nickname.c_str()), - zeek::make_intrusive(message.c_str()) + val_mgr->Bool(orig), + make_intrusive(nickname.c_str()), + make_intrusive(message.c_str()) ); } @@ -988,9 +988,9 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) EnqueueConnEvent(irc_nick_message, ConnVal(), - zeek::val_mgr->Bool(orig), - zeek::make_intrusive(prefix.c_str()), - zeek::make_intrusive(nick.c_str()) + val_mgr->Bool(orig), + make_intrusive(prefix.c_str()), + make_intrusive(nick.c_str()) ); } @@ -1013,11 +1013,11 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) EnqueueConnEvent(irc_who_message, ConnVal(), - zeek::val_mgr->Bool(orig), + val_mgr->Bool(orig), parts.size() > 0 ? - zeek::make_intrusive(parts[0].c_str()) : - zeek::val_mgr->EmptyString(), - zeek::val_mgr->Bool(oper) + make_intrusive(parts[0].c_str()) : + val_mgr->EmptyString(), + val_mgr->Bool(oper) ); } @@ -1043,9 +1043,9 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) EnqueueConnEvent(irc_whois_message, ConnVal(), - zeek::val_mgr->Bool(orig), - zeek::make_intrusive(server.c_str()), - zeek::make_intrusive(users.c_str()) + val_mgr->Bool(orig), + make_intrusive(server.c_str()), + make_intrusive(users.c_str()) ); } @@ -1056,9 +1056,9 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) EnqueueConnEvent(irc_error_message, ConnVal(), - zeek::val_mgr->Bool(orig), - zeek::make_intrusive(prefix.c_str()), - zeek::make_intrusive(params.c_str()) + val_mgr->Bool(orig), + make_intrusive(prefix.c_str()), + make_intrusive(params.c_str()) ); } @@ -1072,10 +1072,10 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) EnqueueConnEvent(irc_invite_message, ConnVal(), - zeek::val_mgr->Bool(orig), - zeek::make_intrusive(prefix.c_str()), - zeek::make_intrusive(parts[0].c_str()), - zeek::make_intrusive(parts[1].c_str()) + val_mgr->Bool(orig), + make_intrusive(prefix.c_str()), + make_intrusive(parts[0].c_str()), + make_intrusive(parts[1].c_str()) ); } else @@ -1087,9 +1087,9 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) if ( params.size() > 0 ) EnqueueConnEvent(irc_mode_message, ConnVal(), - zeek::val_mgr->Bool(orig), - zeek::make_intrusive(prefix.c_str()), - zeek::make_intrusive(params.c_str()) + val_mgr->Bool(orig), + make_intrusive(prefix.c_str()), + make_intrusive(params.c_str()) ); else @@ -1100,8 +1100,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) { EnqueueConnEvent(irc_password_message, ConnVal(), - zeek::val_mgr->Bool(orig), - zeek::make_intrusive(params.c_str()) + val_mgr->Bool(orig), + make_intrusive(params.c_str()) ); } @@ -1122,10 +1122,10 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) EnqueueConnEvent(irc_squit_message, ConnVal(), - zeek::val_mgr->Bool(orig), - zeek::make_intrusive(prefix.c_str()), - zeek::make_intrusive(server.c_str()), - zeek::make_intrusive(message.c_str()) + val_mgr->Bool(orig), + make_intrusive(prefix.c_str()), + make_intrusive(server.c_str()), + make_intrusive(message.c_str()) ); } @@ -1136,10 +1136,10 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) { EnqueueConnEvent(irc_request, ConnVal(), - zeek::val_mgr->Bool(orig), - zeek::make_intrusive(prefix.c_str()), - zeek::make_intrusive(command.c_str()), - zeek::make_intrusive(params.c_str()) + val_mgr->Bool(orig), + make_intrusive(prefix.c_str()), + make_intrusive(command.c_str()), + make_intrusive(params.c_str()) ); } } @@ -1150,10 +1150,10 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) { EnqueueConnEvent(irc_message, ConnVal(), - zeek::val_mgr->Bool(orig), - zeek::make_intrusive(prefix.c_str()), - zeek::make_intrusive(command.c_str()), - zeek::make_intrusive(params.c_str()) + val_mgr->Bool(orig), + make_intrusive(prefix.c_str()), + make_intrusive(command.c_str()), + make_intrusive(params.c_str()) ); } } @@ -1163,8 +1163,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) { orig_zip_status = ZIP_LOADED; resp_zip_status = ZIP_LOADED; - AddSupportAnalyzer(new zeek::analyzer::zip::ZIP_Analyzer(Conn(), true)); - AddSupportAnalyzer(new zeek::analyzer::zip::ZIP_Analyzer(Conn(), false)); + AddSupportAnalyzer(new analyzer::zip::ZIP_Analyzer(Conn(), true)); + AddSupportAnalyzer(new analyzer::zip::ZIP_Analyzer(Conn(), false)); } return; @@ -1179,7 +1179,7 @@ void IRC_Analyzer::StartTLS() RemoveSupportAnalyzer(cl_orig); RemoveSupportAnalyzer(cl_resp); - Analyzer* ssl = zeek::analyzer_mgr->InstantiateAnalyzer("SSL", Conn()); + Analyzer* ssl = analyzer_mgr->InstantiateAnalyzer("SSL", Conn()); if ( ssl ) AddChildAnalyzer(ssl); diff --git a/src/analyzer/protocol/irc/IRC.h b/src/analyzer/protocol/irc/IRC.h index 5f7b6bdfc0..03edb411bf 100644 --- a/src/analyzer/protocol/irc/IRC.h +++ b/src/analyzer/protocol/irc/IRC.h @@ -9,14 +9,14 @@ namespace zeek::analyzer::irc { /** * \brief Main class for analyzing IRC traffic. */ -class IRC_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { +class IRC_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer { enum { WAIT_FOR_REGISTRATION, REGISTERED, }; enum { NO_ZIP, ACCEPT_ZIP, ZIP_LOADED, }; public: /** * \brief Constructor, builds a new analyzer object. */ - explicit IRC_Analyzer(zeek::Connection* conn); + explicit IRC_Analyzer(Connection* conn); /** * \brief Called when connection is closed. @@ -32,7 +32,7 @@ public: */ void DeliverStream(int len, const u_char* data, bool orig) override; - static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) + static analyzer::Analyzer* Instantiate(Connection* conn) { return new IRC_Analyzer(conn); } @@ -64,8 +64,8 @@ private: */ std::vector SplitWords(const std::string& input, char split); - zeek::analyzer::tcp::ContentLine_Analyzer* cl_orig; - zeek::analyzer::tcp::ContentLine_Analyzer* cl_resp; + analyzer::tcp::ContentLine_Analyzer* cl_orig; + analyzer::tcp::ContentLine_Analyzer* cl_resp; bool starttls; // if true, connection has been upgraded to tls }; diff --git a/src/analyzer/protocol/krb/KRB.cc b/src/analyzer/protocol/krb/KRB.cc index 95251efb39..d45f8c472c 100644 --- a/src/analyzer/protocol/krb/KRB.cc +++ b/src/analyzer/protocol/krb/KRB.cc @@ -16,7 +16,7 @@ krb5_keytab KRB_Analyzer::krb_keytab = nullptr; std::once_flag KRB_Analyzer::krb_initialized; #endif -KRB_Analyzer::KRB_Analyzer(zeek::Connection* conn) +KRB_Analyzer::KRB_Analyzer(Connection* conn) : Analyzer("KRB", conn) { interp = new binpac::KRB::KRB_Conn(this); @@ -29,19 +29,19 @@ KRB_Analyzer::KRB_Analyzer(zeek::Connection* conn) static void warn_krb(const char* msg, krb5_context ctx, krb5_error_code code) { auto err = krb5_get_error_message(ctx, code); - zeek::reporter->Warning("%s (%s)", msg, err); + reporter->Warning("%s (%s)", msg, err); krb5_free_error_message(ctx, err); } void KRB_Analyzer::Initialize_Krb() { - if ( zeek::BifConst::KRB::keytab->Len() == 0 ) + if ( BifConst::KRB::keytab->Len() == 0 ) return; // no keytab set - const char* keytab_filename = zeek::BifConst::KRB::keytab->CheckString(); + const char* keytab_filename = BifConst::KRB::keytab->CheckString(); if ( access(keytab_filename, R_OK) != 0 ) { - zeek::reporter->Warning("KRB: Can't access keytab (%s)", keytab_filename); + reporter->Warning("KRB: Can't access keytab (%s)", keytab_filename); return; } @@ -73,7 +73,7 @@ void KRB_Analyzer::Done() } void KRB_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, - uint64_t seq, const zeek::IP_Hdr* ip, int caplen) + uint64_t seq, const IP_Hdr* ip, int caplen) { Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); @@ -83,30 +83,30 @@ void KRB_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, } catch ( const binpac::Exception& e ) { - ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg())); + ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg())); } } -zeek::StringValPtr KRB_Analyzer::GetAuthenticationInfo(const zeek::String* principal, - const zeek::String* ciphertext, - const bro_uint_t enctype) +StringValPtr KRB_Analyzer::GetAuthenticationInfo(const String* principal, + const String* ciphertext, + const bro_uint_t enctype) { #ifdef USE_KRB5 if ( !krb_available ) return nullptr; - zeek::String delim("/"); + String delim("/"); int pos = principal->FindSubstring(&delim); if ( pos == -1 ) { - zeek::reporter->Warning("KRB: Couldn't parse principal (%s)", principal->CheckString()); + reporter->Warning("KRB: Couldn't parse principal (%s)", principal->CheckString()); return nullptr; } - std::unique_ptr service = unique_ptr(principal->GetSubstring(0, pos)); - std::unique_ptr hostname = unique_ptr(principal->GetSubstring(pos + 1, -1)); + std::unique_ptr service = unique_ptr(principal->GetSubstring(0, pos)); + std::unique_ptr hostname = unique_ptr(principal->GetSubstring(pos + 1, -1)); if ( !service || !hostname ) { - zeek::reporter->Warning("KRB: Couldn't parse principal (%s)", principal->CheckString()); + reporter->Warning("KRB: Couldn't parse principal (%s)", principal->CheckString()); return nullptr; } krb5_principal sprinc; @@ -117,13 +117,13 @@ zeek::StringValPtr KRB_Analyzer::GetAuthenticationInfo(const zeek::String* princ return nullptr; } - auto tkt = static_cast(zeek::util::safe_malloc(sizeof(krb5_ticket))); + auto tkt = static_cast(util::safe_malloc(sizeof(krb5_ticket))); memset(tkt, 0, sizeof(krb5_ticket)); tkt->server = sprinc; tkt->enc_part.enctype = enctype; - auto ctd = static_cast(zeek::util::safe_malloc(ciphertext->Len())); + auto ctd = static_cast(util::safe_malloc(ciphertext->Len())); memcpy(ctd, ciphertext->Bytes(), ciphertext->Len()); tkt->enc_part.ciphertext.data = ctd; tkt->enc_part.ciphertext.length = ciphertext->Len(); @@ -147,7 +147,7 @@ zeek::StringValPtr KRB_Analyzer::GetAuthenticationInfo(const zeek::String* princ return nullptr; } - auto ret = zeek::make_intrusive(cp); + auto ret = make_intrusive(cp); krb5_free_unparsed_name(krb_context, cp); krb5_free_ticket(krb_context, tkt); diff --git a/src/analyzer/protocol/krb/KRB.h b/src/analyzer/protocol/krb/KRB.h index 7e72946de1..27cc7faa37 100644 --- a/src/analyzer/protocol/krb/KRB.h +++ b/src/analyzer/protocol/krb/KRB.h @@ -12,22 +12,22 @@ namespace zeek::analyzer::krb { -class KRB_Analyzer final : public zeek::analyzer::Analyzer { +class KRB_Analyzer final : public analyzer::Analyzer { public: - explicit KRB_Analyzer(zeek::Connection* conn); + explicit KRB_Analyzer(Connection* conn); virtual ~KRB_Analyzer(); virtual void Done(); virtual void DeliverPacket(int len, const u_char* data, bool orig, - uint64_t seq, const zeek::IP_Hdr* ip, int caplen); + uint64_t seq, const IP_Hdr* ip, int caplen); - static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) + static analyzer::Analyzer* Instantiate(Connection* conn) { return new KRB_Analyzer(conn); } - zeek::StringValPtr GetAuthenticationInfo(const zeek::String* principal, - const zeek::String* ciphertext, - const bro_uint_t enctype); + StringValPtr GetAuthenticationInfo(const String* principal, + const String* ciphertext, + const bro_uint_t enctype); protected: diff --git a/src/analyzer/protocol/krb/KRB_TCP.cc b/src/analyzer/protocol/krb/KRB_TCP.cc index eafe39f342..1e39eb340b 100644 --- a/src/analyzer/protocol/krb/KRB_TCP.cc +++ b/src/analyzer/protocol/krb/KRB_TCP.cc @@ -7,8 +7,8 @@ namespace zeek::analyzer::krb_tcp { -KRB_Analyzer::KRB_Analyzer(zeek::Connection* conn) - : zeek::analyzer::tcp::TCP_ApplicationAnalyzer("KRB_TCP", conn) +KRB_Analyzer::KRB_Analyzer(Connection* conn) + : analyzer::tcp::TCP_ApplicationAnalyzer("KRB_TCP", conn) { interp = new binpac::KRB_TCP::KRB_Conn(this); had_gap = false; @@ -21,7 +21,7 @@ KRB_Analyzer::~KRB_Analyzer() void KRB_Analyzer::Done() { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); + analyzer::tcp::TCP_ApplicationAnalyzer::Done(); interp->FlowEOF(true); interp->FlowEOF(false); @@ -29,13 +29,13 @@ void KRB_Analyzer::Done() void KRB_Analyzer::EndpointEOF(bool is_orig) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); + analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); interp->FlowEOF(is_orig); } void KRB_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); + analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); assert(TCP()); if ( TCP()->IsPartial() ) @@ -53,13 +53,13 @@ void KRB_Analyzer::DeliverStream(int len, const u_char* data, bool orig) } catch ( const binpac::Exception& e ) { - ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg())); + ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg())); } } void KRB_Analyzer::Undelivered(uint64_t seq, int len, bool orig) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); + analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); had_gap = true; interp->NewGap(orig, len); } diff --git a/src/analyzer/protocol/krb/KRB_TCP.h b/src/analyzer/protocol/krb/KRB_TCP.h index d8e85a6d77..7d4cdceefd 100644 --- a/src/analyzer/protocol/krb/KRB_TCP.h +++ b/src/analyzer/protocol/krb/KRB_TCP.h @@ -8,25 +8,25 @@ namespace zeek::analyzer::krb_tcp { -class KRB_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { +class KRB_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer { public: - explicit KRB_Analyzer(zeek::Connection* conn); + explicit KRB_Analyzer(Connection* conn); ~KRB_Analyzer() override; void Done() override; void DeliverStream(int len, const u_char* data, bool orig) override; void Undelivered(uint64_t seq, int len, bool orig) override; - // Overriden from zeek::analyzer::tcp::TCP_ApplicationAnalyzer. + // Overriden from analyzer::tcp::TCP_ApplicationAnalyzer. void EndpointEOF(bool is_orig) override; - zeek::StringValPtr GetAuthenticationInfo(const zeek::String* principal, - const zeek::String* ciphertext, - const bro_uint_t enctype) - { return zeek::val_mgr->EmptyString(); } + StringValPtr GetAuthenticationInfo(const String* principal, + const String* ciphertext, + const bro_uint_t enctype) + { return val_mgr->EmptyString(); } - static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) + static analyzer::Analyzer* Instantiate(Connection* conn) { return new KRB_Analyzer(conn); } protected: diff --git a/src/analyzer/protocol/login/Login.cc b/src/analyzer/protocol/login/Login.cc index 0f734eb897..2c3eb02f5c 100644 --- a/src/analyzer/protocol/login/Login.cc +++ b/src/analyzer/protocol/login/Login.cc @@ -17,18 +17,18 @@ namespace zeek::analyzer::login { -static zeek::RE_Matcher* re_skip_authentication = nullptr; -static zeek::RE_Matcher* re_direct_login_prompts; -static zeek::RE_Matcher* re_login_prompts; -static zeek::RE_Matcher* re_login_non_failure_msgs; -static zeek::RE_Matcher* re_login_failure_msgs; -static zeek::RE_Matcher* re_login_success_msgs; -static zeek::RE_Matcher* re_login_timeouts; +static RE_Matcher* re_skip_authentication = nullptr; +static RE_Matcher* re_direct_login_prompts; +static RE_Matcher* re_login_prompts; +static RE_Matcher* re_login_non_failure_msgs; +static RE_Matcher* re_login_failure_msgs; +static RE_Matcher* re_login_success_msgs; +static RE_Matcher* re_login_timeouts; -static zeek::RE_Matcher* init_RE(zeek::ListVal* l); +static RE_Matcher* init_RE(ListVal* l); -Login_Analyzer::Login_Analyzer(const char* name, zeek::Connection* conn) - : zeek::analyzer::tcp::TCP_ApplicationAnalyzer(name, conn), user_text() +Login_Analyzer::Login_Analyzer(const char* name, Connection* conn) + : analyzer::tcp::TCP_ApplicationAnalyzer(name, conn), user_text() { state = LOGIN_STATE_AUTHENTICATE; num_user_lines_seen = lines_scanned = 0; @@ -45,13 +45,13 @@ Login_Analyzer::Login_Analyzer(const char* name, zeek::Connection* conn) if ( ! re_skip_authentication ) { - zeek::ListValPtr skip_authentication = zeek::id::find_val("skip_authentication")->AsTableVal()->ToPureListVal(); - zeek::ListValPtr direct_login_prompts = zeek::id::find_val("direct_login_prompts")->AsTableVal()->ToPureListVal(); - zeek::ListValPtr login_prompts = zeek::id::find_val("login_prompts")->AsTableVal()->ToPureListVal(); - zeek::ListValPtr login_non_failure_msgs = zeek::id::find_val("login_non_failure_msgs")->AsTableVal()->ToPureListVal(); - zeek::ListValPtr login_failure_msgs = zeek::id::find_val("login_failure_msgs")->AsTableVal()->ToPureListVal(); - zeek::ListValPtr login_success_msgs = zeek::id::find_val("login_success_msgs")->AsTableVal()->ToPureListVal(); - zeek::ListValPtr login_timeouts = zeek::id::find_val("login_timeouts")->AsTableVal()->ToPureListVal(); + ListValPtr skip_authentication = id::find_val("skip_authentication")->AsTableVal()->ToPureListVal(); + ListValPtr direct_login_prompts = id::find_val("direct_login_prompts")->AsTableVal()->ToPureListVal(); + ListValPtr login_prompts = id::find_val("login_prompts")->AsTableVal()->ToPureListVal(); + ListValPtr login_non_failure_msgs = id::find_val("login_non_failure_msgs")->AsTableVal()->ToPureListVal(); + ListValPtr login_failure_msgs = id::find_val("login_failure_msgs")->AsTableVal()->ToPureListVal(); + ListValPtr login_success_msgs = id::find_val("login_success_msgs")->AsTableVal()->ToPureListVal(); + ListValPtr login_timeouts = id::find_val("login_timeouts")->AsTableVal()->ToPureListVal(); #ifdef USE_PERFTOOLS_DEBUG HeapLeakChecker::Disabler disabler; @@ -80,7 +80,7 @@ Login_Analyzer::~Login_Analyzer() void Login_Analyzer::DeliverStream(int length, const u_char* line, bool orig) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(length, line, orig); + analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(length, line, orig); char* str = new char[length+1]; @@ -91,7 +91,7 @@ void Login_Analyzer::DeliverStream(int length, const u_char* line, bool orig) str[j++] = line[i]; else { - if ( Conn()->FlagEvent(zeek::NUL_IN_LINE) ) + if ( Conn()->FlagEvent(NUL_IN_LINE) ) Weird("NUL_in_line"); } @@ -117,8 +117,8 @@ void Login_Analyzer::NewLine(bool orig, char* line) if ( state == LOGIN_STATE_AUTHENTICATE ) { - if ( TCP()->OrigState() == zeek::analyzer::tcp::TCP_ENDPOINT_PARTIAL || - TCP()->RespState() == zeek::analyzer::tcp::TCP_ENDPOINT_PARTIAL ) + if ( TCP()->OrigState() == analyzer::tcp::TCP_ENDPOINT_PARTIAL || + TCP()->RespState() == analyzer::tcp::TCP_ENDPOINT_PARTIAL ) state = LOGIN_STATE_CONFUSED; // unknown login state else { @@ -129,7 +129,7 @@ void Login_Analyzer::NewLine(bool orig, char* line) if ( state != LOGIN_STATE_CONFUSED ) { - zeek::reporter->AnalyzerError( + reporter->AnalyzerError( this, "bad state in Login_Analyzer::NewLine"); return; } @@ -323,38 +323,38 @@ void Login_Analyzer::SetEnv(bool orig, char* name, char* val) else { - if ( zeek::util::streq(name, "USER") ) + if ( util::streq(name, "USER") ) { if ( username ) { - const zeek::String* u = username->AsString(); - const zeek::byte_vec ub = u->Bytes(); + const String* u = username->AsString(); + const byte_vec ub = u->Bytes(); const char* us = (const char*) ub; - if ( ! zeek::util::streq(val, us) ) + if ( ! util::streq(val, us) ) Confused("multiple_USERs", val); Unref(username); } // "val" gets copied here. - username = new zeek::StringVal(val); + username = new StringVal(val); } - else if ( login_terminal && zeek::util::streq(name, "TERM") ) + else if ( login_terminal && util::streq(name, "TERM") ) EnqueueConnEvent(login_terminal, ConnVal(), - zeek::make_intrusive(val) + make_intrusive(val) ); - else if ( login_display && zeek::util::streq(name, "DISPLAY") ) + else if ( login_display && util::streq(name, "DISPLAY") ) EnqueueConnEvent(login_display, ConnVal(), - zeek::make_intrusive(val) + make_intrusive(val) ); - else if ( login_prompt && zeek::util::streq(name, "TTYPROMPT") ) + else if ( login_prompt && util::streq(name, "TTYPROMPT") ) EnqueueConnEvent(login_prompt, ConnVal(), - zeek::make_intrusive(val) + make_intrusive(val) ); } @@ -364,7 +364,7 @@ void Login_Analyzer::SetEnv(bool orig, char* name, char* val) void Login_Analyzer::EndpointEOF(bool orig) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(orig); + analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(orig); if ( state == LOGIN_STATE_AUTHENTICATE && HaveTypeahead() ) { @@ -373,7 +373,7 @@ void Login_Analyzer::EndpointEOF(bool orig) } } -void Login_Analyzer::LoginEvent(zeek::EventHandlerPtr f, const char* line, +void Login_Analyzer::LoginEvent(EventHandlerPtr f, const char* line, bool no_user_okay) { if ( ! f ) @@ -389,7 +389,7 @@ void Login_Analyzer::LoginEvent(zeek::EventHandlerPtr f, const char* line, if ( no_user_okay ) { Unref(username); - username = new zeek::StringVal(""); + username = new StringVal(""); } else @@ -414,7 +414,7 @@ void Login_Analyzer::LoginEvent(zeek::EventHandlerPtr f, const char* line, if ( no_user_okay ) { Unref(username); - username = new zeek::StringVal(""); + username = new StringVal(""); } else @@ -425,16 +425,16 @@ void Login_Analyzer::LoginEvent(zeek::EventHandlerPtr f, const char* line, } } - zeek::Val* password = HaveTypeahead() ? - PopUserTextVal() : new zeek::StringVal(""); + Val* password = HaveTypeahead() ? + PopUserTextVal() : new StringVal(""); EnqueueConnEvent(f, ConnVal(), - zeek::IntrusivePtr{zeek::NewRef{}, username}, - client_name ? zeek::IntrusivePtr{zeek::NewRef{}, client_name} - : zeek::val_mgr->EmptyString(), - zeek::IntrusivePtr{zeek::AdoptRef{}, password}, - zeek::make_intrusive(line) + IntrusivePtr{NewRef{}, username}, + client_name ? IntrusivePtr{NewRef{}, client_name} + : val_mgr->EmptyString(), + IntrusivePtr{AdoptRef{}, password}, + make_intrusive(line) ); } @@ -446,14 +446,14 @@ const char* Login_Analyzer::GetUsername(const char* line) const return line; } -void Login_Analyzer::LineEvent(zeek::EventHandlerPtr f, const char* line) +void Login_Analyzer::LineEvent(EventHandlerPtr f, const char* line) { if ( ! f ) return; EnqueueConnEvent(f, ConnVal(), - zeek::make_intrusive(line) + make_intrusive(line) ); } @@ -465,8 +465,8 @@ void Login_Analyzer::Confused(const char* msg, const char* line) if ( login_confused ) EnqueueConnEvent(login_confused, ConnVal(), - zeek::make_intrusive(msg), - zeek::make_intrusive(line) + make_intrusive(msg), + make_intrusive(line) ); if ( login_confused_text ) @@ -489,7 +489,7 @@ void Login_Analyzer::ConfusionText(const char* line) if ( login_confused_text ) EnqueueConnEvent(login_confused_text, ConnVal(), - zeek::make_intrusive(line) + make_intrusive(line) ); } @@ -562,7 +562,7 @@ void Login_Analyzer::AddUserText(const char* line) if ( ++user_text_last == MAX_USER_TEXT ) user_text_last = 0; - user_text[user_text_last] = zeek::util::copy_string(line); + user_text[user_text_last] = util::copy_string(line); ++num_user_text; } @@ -572,7 +572,7 @@ char* Login_Analyzer::PeekUserText() { if ( num_user_text <= 0 ) { - zeek::reporter->AnalyzerError( + reporter->AnalyzerError( this, "underflow in Login_Analyzer::PeekUserText()"); return nullptr; } @@ -595,14 +595,14 @@ char* Login_Analyzer::PopUserText() return s; } -zeek::Val* Login_Analyzer::PopUserTextVal() +Val* Login_Analyzer::PopUserTextVal() { char* s = PopUserText(); if ( s ) - return new zeek::StringVal(new zeek::String(true, zeek::byte_vec(s), strlen(s))); + return new StringVal(new String(true, byte_vec(s), strlen(s))); else - return zeek::val_mgr->EmptyString()->Ref(); + return val_mgr->EmptyString()->Ref(); } bool Login_Analyzer::MatchesTypeahead(const char* line) const @@ -612,7 +612,7 @@ bool Login_Analyzer::MatchesTypeahead(const char* line) const if ( i == MAX_USER_TEXT ) i = 0; - if ( zeek::util::streq(user_text[i], line) ) + if ( util::streq(user_text[i], line) ) return true; } @@ -625,9 +625,9 @@ void Login_Analyzer::FlushEmptyTypeahead() delete [] PopUserText(); } -zeek::RE_Matcher* init_RE(zeek::ListVal* l) +RE_Matcher* init_RE(ListVal* l) { - zeek::RE_Matcher* re = l->BuildRE(); + RE_Matcher* re = l->BuildRE(); if ( re ) re->Compile(); diff --git a/src/analyzer/protocol/login/Login.h b/src/analyzer/protocol/login/Login.h index 26cc414e77..07527efde1 100644 --- a/src/analyzer/protocol/login/Login.h +++ b/src/analyzer/protocol/login/Login.h @@ -19,9 +19,9 @@ enum login_state { // Maximum # lines look after login for failure. #define MAX_LOGIN_LOOKAHEAD 10 -class Login_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { +class Login_Analyzer : public analyzer::tcp::TCP_ApplicationAnalyzer { public: - Login_Analyzer(const char* name, zeek::Connection* conn); + Login_Analyzer(const char* name, Connection* conn); ~Login_Analyzer() override; void DeliverStream(int len, const u_char* data, bool orig) override; @@ -37,9 +37,9 @@ protected: void NewLine(bool orig, char* line); void AuthenticationDialog(bool orig, char* line); - void LoginEvent(zeek::EventHandlerPtr f, const char* line, bool no_user_okay=false); + void LoginEvent(EventHandlerPtr f, const char* line, bool no_user_okay=false); const char* GetUsername(const char* line) const; - void LineEvent(zeek::EventHandlerPtr f, const char* line); + void LineEvent(EventHandlerPtr f, const char* line); void Confused(const char* msg, const char* addl); void ConfusionText(const char* line); @@ -55,7 +55,7 @@ protected: void AddUserText(const char* line); // complains on overflow char* PeekUserText(); // internal warning on underflow char* PopUserText(); // internal warning on underflow - zeek::Val* PopUserTextVal(); + Val* PopUserTextVal(); bool MatchesTypeahead(const char* line) const; bool HaveTypeahead() const { return num_user_text > 0; } @@ -68,8 +68,8 @@ protected: int user_text_first, user_text_last; // indices into user_text int num_user_text; // number of entries in user_text - zeek::Val* username; // last username reported - zeek::Val* client_name; // rlogin client name (or nil if none) + Val* username; // last username reported + Val* client_name; // rlogin client name (or nil if none) login_state state; int lines_scanned; diff --git a/src/analyzer/protocol/login/NVT.cc b/src/analyzer/protocol/login/NVT.cc index 22f8d3e957..a540026b3f 100644 --- a/src/analyzer/protocol/login/NVT.cc +++ b/src/analyzer/protocol/login/NVT.cc @@ -44,7 +44,7 @@ void TelnetOption::RecvOption(unsigned int type) if ( ! peer ) { - zeek::reporter->AnalyzerError( + reporter->AnalyzerError( endp, "option peer missing in TelnetOption::RecvOption"); return; } @@ -92,7 +92,7 @@ void TelnetOption::RecvOption(unsigned int type) break; default: - zeek::reporter->AnalyzerError( + reporter->AnalyzerError( endp, "bad option type in TelnetOption::RecvOption"); return; } @@ -176,7 +176,7 @@ void TelnetEncryptOption::RecvSubOption(u_char* data, int len) if ( ! peer ) { - zeek::reporter->AnalyzerError( + reporter->AnalyzerError( endp, "option peer missing in TelnetEncryptOption::RecvSubOption"); return; } @@ -216,7 +216,7 @@ void TelnetAuthenticateOption::RecvSubOption(u_char* data, int len) if ( ! peer ) { - zeek::reporter->AnalyzerError( + reporter->AnalyzerError( endp, "option peer missing in TelnetAuthenticateOption::RecvSubOption"); return; } @@ -251,7 +251,7 @@ void TelnetAuthenticateOption::RecvSubOption(u_char* data, int len) case AUTHENTICATION_NAME: { char* auth_name = new char[len]; - zeek::util::safe_strncpy(auth_name, (char*) data + 1, len); + util::safe_strncpy(auth_name, (char*) data + 1, len); endp->SetAuthName(auth_name); } break; @@ -309,7 +309,7 @@ void TelnetEnvironmentOption::RecvSubOption(u_char* data, int len) break; } - static_cast + static_cast (endp->Parent())->SetEnv(endp->IsOrig(), var_name, var_val); } @@ -382,8 +382,8 @@ void TelnetBinaryOption::InconsistentOption(unsigned int /* type */) } // namespace detail -NVT_Analyzer::NVT_Analyzer(zeek::Connection* conn, bool orig) - : zeek::analyzer::tcp::ContentLine_Analyzer("NVT", conn, orig), options() +NVT_Analyzer::NVT_Analyzer(Connection* conn, bool orig) + : analyzer::tcp::ContentLine_Analyzer("NVT", conn, orig), options() { } @@ -463,7 +463,7 @@ void NVT_Analyzer::SetTerminal(const u_char* terminal, int len) if ( login_terminal ) EnqueueConnEvent(login_terminal, ConnVal(), - zeek::make_intrusive(new zeek::String(terminal, len, false)) + make_intrusive(new String(terminal, len, false)) ); } @@ -538,7 +538,7 @@ void NVT_Analyzer::DeliverChunk(int& len, const u_char*& data) else { - if ( Conn()->FlagEvent(zeek::SINGULAR_LF) ) + if ( Conn()->FlagEvent(SINGULAR_LF) ) Conn()->Weird("line_terminated_with_single_LF"); buf[offset++] = c; } @@ -576,7 +576,7 @@ void NVT_Analyzer::DeliverChunk(int& len, const u_char*& data) if ( ! (CRLFAsEOL() & CR_as_EOL) && last_char == '\r' && c != '\n' && c != '\0' ) { - if ( Conn()->FlagEvent(zeek::SINGULAR_CR) ) + if ( Conn()->FlagEvent(SINGULAR_CR) ) Weird("line_terminated_with_single_CR"); } diff --git a/src/analyzer/protocol/login/NVT.h b/src/analyzer/protocol/login/NVT.h index f8349d3bbf..c0503f4d09 100644 --- a/src/analyzer/protocol/login/NVT.h +++ b/src/analyzer/protocol/login/NVT.h @@ -126,9 +126,9 @@ protected: } // namespace detail -class NVT_Analyzer final : public zeek::analyzer::tcp::ContentLine_Analyzer { +class NVT_Analyzer final : public analyzer::tcp::ContentLine_Analyzer { public: - NVT_Analyzer(zeek::Connection* conn, bool orig); + NVT_Analyzer(Connection* conn, bool orig); ~NVT_Analyzer() override; TelnetOption* FindOption(unsigned int code); diff --git a/src/analyzer/protocol/login/RSH.cc b/src/analyzer/protocol/login/RSH.cc index 6a852fc4ff..b3ceec949d 100644 --- a/src/analyzer/protocol/login/RSH.cc +++ b/src/analyzer/protocol/login/RSH.cc @@ -13,9 +13,9 @@ namespace zeek::analyzer::login { // FIXME: this code should probably be merged with Rlogin.cc. -Contents_Rsh_Analyzer::Contents_Rsh_Analyzer(zeek::Connection* conn, bool orig, +Contents_Rsh_Analyzer::Contents_Rsh_Analyzer(Connection* conn, bool orig, Rsh_Analyzer* arg_analyzer) - : zeek::analyzer::tcp::ContentLine_Analyzer("CONTENTS_RSH", conn, orig) + : analyzer::tcp::ContentLine_Analyzer("CONTENTS_RSH", conn, orig) { num_bytes_to_scan = 0; analyzer = arg_analyzer; @@ -35,7 +35,7 @@ Contents_Rsh_Analyzer::~Contents_Rsh_Analyzer() void Contents_Rsh_Analyzer::DoDeliver(int len, const u_char* data) { - zeek::analyzer::tcp::TCP_Analyzer* tcp = static_cast(Parent())->TCP(); + analyzer::tcp::TCP_Analyzer* tcp = static_cast(Parent())->TCP(); assert(tcp); int endp_state = IsOrig() ? tcp->OrigState() : tcp->RespState(); @@ -49,10 +49,10 @@ void Contents_Rsh_Analyzer::DoDeliver(int len, const u_char* data) switch ( state ) { case RSH_FIRST_NULL: - if ( endp_state == zeek::analyzer::tcp::TCP_ENDPOINT_PARTIAL || + if ( endp_state == analyzer::tcp::TCP_ENDPOINT_PARTIAL || // We can be in closed if the data's due to // a dataful FIN being the first thing we see. - endp_state == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED ) + endp_state == analyzer::tcp::TCP_ENDPOINT_CLOSED ) { state = RSH_UNKNOWN; ++len, --data; // put back c and reprocess @@ -131,7 +131,7 @@ void Contents_Rsh_Analyzer::DoDeliver(int len, const u_char* data) break; default: - zeek::reporter->AnalyzerError( + reporter->AnalyzerError( this, "bad state in Contents_Rsh_Analyzer::DoDeliver"); break; } @@ -144,7 +144,7 @@ void Contents_Rsh_Analyzer::BadProlog() state = RSH_UNKNOWN; } -Rsh_Analyzer::Rsh_Analyzer(zeek::Connection* conn) +Rsh_Analyzer::Rsh_Analyzer(Connection* conn) : Login_Analyzer("RSH", conn) { contents_orig = new Contents_Rsh_Analyzer(conn, true, this); @@ -168,31 +168,31 @@ void Rsh_Analyzer::DeliverStream(int len, const u_char* data, bool orig) return; } - zeek::Args vl; + Args vl; vl.reserve(4 + orig); const char* line = (const char*) data; - line = zeek::util::skip_whitespace(line); + line = util::skip_whitespace(line); vl.emplace_back(ConnVal()); if ( client_name ) - vl.emplace_back(zeek::NewRef{}, client_name); + vl.emplace_back(NewRef{}, client_name); else - vl.emplace_back(zeek::make_intrusive("")); + vl.emplace_back(make_intrusive("")); if ( username ) - vl.emplace_back(zeek::NewRef{}, username); + vl.emplace_back(NewRef{}, username); else - vl.emplace_back(zeek::make_intrusive("")); + vl.emplace_back(make_intrusive("")); - vl.emplace_back(zeek::make_intrusive(line)); + vl.emplace_back(make_intrusive(line)); if ( orig ) { if ( contents_orig->RshSaveState() == RSH_SERVER_USER_NAME ) // First input - vl.emplace_back(zeek::val_mgr->True()); + vl.emplace_back(val_mgr->True()); else - vl.emplace_back(zeek::val_mgr->False()); + vl.emplace_back(val_mgr->False()); EnqueueConnEvent(rsh_request, std::move(vl)); } @@ -205,23 +205,22 @@ void Rsh_Analyzer::ClientUserName(const char* s) { if ( client_name ) { - zeek::reporter->AnalyzerError(this, "multiple rsh client names"); + reporter->AnalyzerError(this, "multiple rsh client names"); return; } - client_name = new zeek::StringVal(s); + client_name = new StringVal(s); } void Rsh_Analyzer::ServerUserName(const char* s) { if ( username ) { - zeek::reporter->AnalyzerError(this, - "multiple rsh initial client names"); + reporter->AnalyzerError(this, "multiple rsh initial client names"); return; } - username = new zeek::StringVal(s); + username = new StringVal(s); } } // namespace zeek::analyzer::login diff --git a/src/analyzer/protocol/login/RSH.h b/src/analyzer/protocol/login/RSH.h index 6792c72510..8eb2a1b5a8 100644 --- a/src/analyzer/protocol/login/RSH.h +++ b/src/analyzer/protocol/login/RSH.h @@ -22,9 +22,9 @@ enum rsh_state { RSH_UNKNOWN, // we don't know what state we're in }; -class Contents_Rsh_Analyzer final : public zeek::analyzer::tcp::ContentLine_Analyzer { +class Contents_Rsh_Analyzer final : public analyzer::tcp::ContentLine_Analyzer { public: - Contents_Rsh_Analyzer(zeek::Connection* conn, bool orig, Rsh_Analyzer* analyzer); + Contents_Rsh_Analyzer(Connection* conn, bool orig, Rsh_Analyzer* analyzer); ~Contents_Rsh_Analyzer() override; rsh_state RshSaveState() const { return save_state; } @@ -41,14 +41,14 @@ protected: class Rsh_Analyzer final : public Login_Analyzer { public: - explicit Rsh_Analyzer(zeek::Connection* conn); + explicit Rsh_Analyzer(Connection* conn); void DeliverStream(int len, const u_char* data, bool orig) override; void ClientUserName(const char* s); void ServerUserName(const char* s); - static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) + static analyzer::Analyzer* Instantiate(Connection* conn) { return new Rsh_Analyzer(conn); } Contents_Rsh_Analyzer* contents_orig; diff --git a/src/analyzer/protocol/login/Rlogin.cc b/src/analyzer/protocol/login/Rlogin.cc index d91d685a94..8f29c0709b 100644 --- a/src/analyzer/protocol/login/Rlogin.cc +++ b/src/analyzer/protocol/login/Rlogin.cc @@ -11,8 +11,8 @@ namespace zeek::analyzer::login { -Contents_Rlogin_Analyzer::Contents_Rlogin_Analyzer(zeek::Connection* conn, bool orig, Rlogin_Analyzer* arg_analyzer) - : zeek::analyzer::tcp::ContentLine_Analyzer("CONTENTLINE", conn, orig) +Contents_Rlogin_Analyzer::Contents_Rlogin_Analyzer(Connection* conn, bool orig, Rlogin_Analyzer* arg_analyzer) + : analyzer::tcp::ContentLine_Analyzer("CONTENTLINE", conn, orig) { num_bytes_to_scan = 0; analyzer = arg_analyzer; @@ -30,7 +30,7 @@ Contents_Rlogin_Analyzer::~Contents_Rlogin_Analyzer() void Contents_Rlogin_Analyzer::DoDeliver(int len, const u_char* data) { - auto* tcp = static_cast(Parent())->TCP(); + auto* tcp = static_cast(Parent())->TCP(); assert(tcp); int endp_state = IsOrig() ? tcp->OrigState() : tcp->RespState(); @@ -44,10 +44,10 @@ void Contents_Rlogin_Analyzer::DoDeliver(int len, const u_char* data) switch ( state ) { case RLOGIN_FIRST_NULL: - if ( endp_state == zeek::analyzer::tcp::TCP_ENDPOINT_PARTIAL || + if ( endp_state == analyzer::tcp::TCP_ENDPOINT_PARTIAL || // We can be in closed if the data's due to // a dataful FIN being the first thing we see. - endp_state == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED ) + endp_state == analyzer::tcp::TCP_ENDPOINT_CLOSED ) { state = RLOGIN_UNKNOWN; ++len, --data; // put back c and reprocess @@ -89,10 +89,10 @@ void Contents_Rlogin_Analyzer::DoDeliver(int len, const u_char* data) break; case RLOGIN_SERVER_ACK: - if ( endp_state == zeek::analyzer::tcp::TCP_ENDPOINT_PARTIAL || + if ( endp_state == analyzer::tcp::TCP_ENDPOINT_PARTIAL || // We can be in closed if the data's due to // a dataful FIN being the first thing we see. - endp_state == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED ) + endp_state == analyzer::tcp::TCP_ENDPOINT_CLOSED ) { state = RLOGIN_UNKNOWN; ++len, --data; // put back c and reprocess @@ -194,7 +194,7 @@ void Contents_Rlogin_Analyzer::DoDeliver(int len, const u_char* data) break; default: - zeek::reporter->AnalyzerError( + reporter->AnalyzerError( this, "bad state in Contents_Rlogin_Analyzer::DoDeliver"); break; } @@ -208,7 +208,7 @@ void Contents_Rlogin_Analyzer::BadProlog() } -Rlogin_Analyzer::Rlogin_Analyzer(zeek::Connection* conn) +Rlogin_Analyzer::Rlogin_Analyzer(Connection* conn) : Login_Analyzer("RLOGIN", conn) { Contents_Rlogin_Analyzer* orig = @@ -227,11 +227,11 @@ void Rlogin_Analyzer::ClientUserName(const char* s) { if ( client_name ) { - zeek::reporter->AnalyzerError(this, "multiple rlogin client names"); + reporter->AnalyzerError(this, "multiple rlogin client names"); return; } - client_name = new zeek::StringVal(s); + client_name = new StringVal(s); } void Rlogin_Analyzer::ServerUserName(const char* s) @@ -246,7 +246,7 @@ void Rlogin_Analyzer::TerminalType(const char* s) if ( login_terminal ) EnqueueConnEvent(login_terminal, ConnVal(), - zeek::make_intrusive(s) + make_intrusive(s) ); } diff --git a/src/analyzer/protocol/login/Rlogin.h b/src/analyzer/protocol/login/Rlogin.h index d10739c75e..7e10dab87a 100644 --- a/src/analyzer/protocol/login/Rlogin.h +++ b/src/analyzer/protocol/login/Rlogin.h @@ -30,9 +30,9 @@ enum rlogin_state { RLOGIN_UNKNOWN, // we don't know what state we're in }; -class Contents_Rlogin_Analyzer final : public zeek::analyzer::tcp::ContentLine_Analyzer { +class Contents_Rlogin_Analyzer final : public analyzer::tcp::ContentLine_Analyzer { public: - Contents_Rlogin_Analyzer(zeek::Connection* conn, bool orig, + Contents_Rlogin_Analyzer(Connection* conn, bool orig, Rlogin_Analyzer* analyzer); ~Contents_Rlogin_Analyzer() override; @@ -55,13 +55,13 @@ protected: class Rlogin_Analyzer final : public Login_Analyzer { public: - explicit Rlogin_Analyzer(zeek::Connection* conn); + explicit Rlogin_Analyzer(Connection* conn); void ClientUserName(const char* s); void ServerUserName(const char* s); void TerminalType(const char* s); - static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) + static analyzer::Analyzer* Instantiate(Connection* conn) { return new Rlogin_Analyzer(conn); } }; diff --git a/src/analyzer/protocol/login/Telnet.cc b/src/analyzer/protocol/login/Telnet.cc index 6ca61a0766..c6ca1a00d7 100644 --- a/src/analyzer/protocol/login/Telnet.cc +++ b/src/analyzer/protocol/login/Telnet.cc @@ -9,7 +9,7 @@ namespace zeek::analyzer::login { -Telnet_Analyzer::Telnet_Analyzer(zeek::Connection* conn) +Telnet_Analyzer::Telnet_Analyzer(Connection* conn) : Login_Analyzer("TELNET", conn) { NVT_Analyzer* nvt_orig = new NVT_Analyzer(conn, true); diff --git a/src/analyzer/protocol/login/Telnet.h b/src/analyzer/protocol/login/Telnet.h index 1c992c009a..0d6ebbe4df 100644 --- a/src/analyzer/protocol/login/Telnet.h +++ b/src/analyzer/protocol/login/Telnet.h @@ -8,10 +8,10 @@ namespace zeek::analyzer::login { class Telnet_Analyzer : public Login_Analyzer { public: - explicit Telnet_Analyzer(zeek::Connection* conn); + explicit Telnet_Analyzer(Connection* conn); ~Telnet_Analyzer() override {} - static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) + static analyzer::Analyzer* Instantiate(Connection* conn) { return new Telnet_Analyzer(conn); } }; diff --git a/src/analyzer/protocol/mime/MIME.cc b/src/analyzer/protocol/mime/MIME.cc index e415b061b9..573766b4de 100644 --- a/src/analyzer/protocol/mime/MIME.cc +++ b/src/analyzer/protocol/mime/MIME.cc @@ -21,7 +21,7 @@ namespace zeek::analyzer::mime { -static const zeek::data_chunk_t null_data_chunk = { 0, nullptr }; +static const data_chunk_t null_data_chunk = { 0, nullptr }; int mime_header_only = 0; int mime_decode_data = 1; @@ -98,7 +98,7 @@ static const char* MIMEContentEncodingName[] = { nullptr, }; -bool is_null_data_chunk(zeek::data_chunk_t b) +bool is_null_data_chunk(data_chunk_t b) { return b.data == nullptr; } @@ -108,39 +108,39 @@ bool is_lws(char ch) return ch == 9 || ch == 32; } -zeek::StringVal* new_string_val(int length, const char* data) +StringVal* new_string_val(int length, const char* data) { return to_string_val(length, data).release(); } -zeek::StringVal* new_string_val(const char* data, const char* end_of_data) +StringVal* new_string_val(const char* data, const char* end_of_data) { return to_string_val(data, end_of_data).release(); } -zeek::StringVal* new_string_val(const zeek::data_chunk_t buf) +StringVal* new_string_val(const data_chunk_t buf) { return to_string_val(buf).release(); } -zeek::StringValPtr to_string_val(int length, const char* data) +StringValPtr to_string_val(int length, const char* data) { - return zeek::make_intrusive(length, data); + return make_intrusive(length, data); } -zeek::StringValPtr to_string_val(const char* data, const char* end_of_data) +StringValPtr to_string_val(const char* data, const char* end_of_data) { - return zeek::make_intrusive(end_of_data - data, data); + return make_intrusive(end_of_data - data, data); } -zeek::StringValPtr to_string_val(const zeek::data_chunk_t buf) +StringValPtr to_string_val(const data_chunk_t buf) { return to_string_val(buf.length, buf.data); } -static zeek::data_chunk_t get_data_chunk(zeek::String* s) +static data_chunk_t get_data_chunk(String* s) { - zeek::data_chunk_t b; + data_chunk_t b; b.length = s->Len(); b.data = (const char*) s->Bytes(); return b; } -int fputs(zeek::data_chunk_t b, FILE* fp) +int fputs(data_chunk_t b, FILE* fp) { for ( int i = 0; i < b.length; ++i ) if ( fputc(b.data[i], fp) == EOF ) @@ -150,12 +150,12 @@ int fputs(zeek::data_chunk_t b, FILE* fp) void MIME_Mail::Undelivered(int len) { - cur_entity_id = zeek::file_mgr->Gap(cur_entity_len, len, + cur_entity_id = file_mgr->Gap(cur_entity_len, len, analyzer->GetAnalyzerTag(), analyzer->Conn(), is_orig, cur_entity_id); } -bool istrequal(zeek::data_chunk_t s, const char* t) +bool istrequal(data_chunk_t s, const char* t) { int len = strlen(t); @@ -233,7 +233,7 @@ int MIME_skip_lws_comments(int len, const char* data) return len; } -int MIME_get_field_name(int len, const char* data, zeek::data_chunk_t* name) +int MIME_get_field_name(int len, const char* data, data_chunk_t* name) { int i = MIME_skip_lws_comments(len, data); while ( i < len ) @@ -281,7 +281,7 @@ static bool MIME_is_token_char (char ch, bool is_boundary = false) // See RFC 2045, page 12. // A token is composed of characters that are not SPACE, CTLs or tspecials -int MIME_get_token(int len, const char* data, zeek::data_chunk_t* token, +int MIME_get_token(int len, const char* data, data_chunk_t* token, bool is_boundary) { int i = 0; @@ -313,7 +313,7 @@ int MIME_get_token(int len, const char* data, zeek::data_chunk_t* token, return -1; } -int MIME_get_slash_token_pair(int len, const char* data, zeek::data_chunk_t* first, zeek::data_chunk_t* second) +int MIME_get_slash_token_pair(int len, const char* data, data_chunk_t* first, data_chunk_t* second) { int offset; const char* data_start = data; @@ -353,7 +353,7 @@ int MIME_get_slash_token_pair(int len, const char* data, zeek::data_chunk_t* fir } // See RFC 2822, page 13. -int MIME_get_quoted_string(int len, const char* data, zeek::data_chunk_t* str) +int MIME_get_quoted_string(int len, const char* data, data_chunk_t* str) { int offset = MIME_skip_lws_comments(len, data); @@ -380,7 +380,7 @@ int MIME_get_quoted_string(int len, const char* data, zeek::data_chunk_t* str) return -1; } -int MIME_get_value(int len, const char* data, zeek::String*& buf, bool is_boundary) +int MIME_get_value(int len, const char* data, String*& buf, bool is_boundary) { int offset = 0; @@ -392,7 +392,7 @@ int MIME_get_value(int len, const char* data, zeek::String*& buf, bool is_bounda if ( len > 0 && *data == '"' ) { - zeek::data_chunk_t str; + data_chunk_t str; int end = MIME_get_quoted_string(len, data, &str); if ( end < 0 ) return -1; @@ -403,12 +403,12 @@ int MIME_get_value(int len, const char* data, zeek::String*& buf, bool is_bounda else { - zeek::data_chunk_t str; + data_chunk_t str; int end = MIME_get_token(len, data, &str, is_boundary); if ( end < 0 ) return -1; - buf = new zeek::String((const u_char*)str.data, str.length, true); + buf = new String((const u_char*)str.data, str.length, true); return offset + end; } } @@ -416,7 +416,7 @@ int MIME_get_value(int len, const char* data, zeek::String*& buf, bool is_bounda // Decode each quoted-pair: a '\' followed by a character by the // quoted character. The decoded string is returned. -zeek::String* MIME_decode_quoted_pairs(zeek::data_chunk_t buf) +String* MIME_decode_quoted_pairs(data_chunk_t buf) { const char* data = buf.data; char* dest = new char[buf.length+1]; @@ -436,7 +436,7 @@ zeek::String* MIME_decode_quoted_pairs(zeek::data_chunk_t buf) dest[j++] = data[i]; dest[j] = 0; - return new zeek::String(true, (zeek::byte_vec) dest, j); + return new String(true, (byte_vec) dest, j); } MIME_Multiline::MIME_Multiline() @@ -452,10 +452,10 @@ MIME_Multiline::~MIME_Multiline() void MIME_Multiline::append(int len, const char* data) { - buffer.push_back(new zeek::String((const u_char*) data, len, true)); + buffer.push_back(new String((const u_char*) data, len, true)); } -zeek::String* MIME_Multiline::get_concatenated_line() +String* MIME_Multiline::get_concatenated_line() { if ( buffer.empty() ) return nullptr; @@ -472,7 +472,7 @@ MIME_Header::MIME_Header(MIME_Multiline* hl) lines = hl; name = value = value_token = rest_value = null_data_chunk; - zeek::String* s = hl->get_concatenated_line(); + String* s = hl->get_concatenated_line(); int len = s->Len(); const char* data = (const char*) s->Bytes(); @@ -518,7 +518,7 @@ int MIME_Header::get_first_token() } } -zeek::data_chunk_t MIME_Header::get_value_token() +data_chunk_t MIME_Header::get_value_token() { if ( ! is_null_data_chunk(value_token) ) return value_token; @@ -526,7 +526,7 @@ zeek::data_chunk_t MIME_Header::get_value_token() return value_token; } -zeek::data_chunk_t MIME_Header::get_value_after_token() +data_chunk_t MIME_Header::get_value_after_token() { if ( ! is_null_data_chunk(rest_value) ) return rest_value; @@ -555,8 +555,8 @@ void MIME_Entity::init() need_to_parse_parameters = 0; - content_type_str = zeek::make_intrusive("TEXT"); - content_subtype_str = zeek::make_intrusive("PLAIN"); + content_type_str = make_intrusive("TEXT"); + content_subtype_str = make_intrusive("PLAIN"); content_encoding_str = nullptr; multipart_boundary = nullptr; @@ -581,7 +581,7 @@ void MIME_Entity::init() MIME_Entity::~MIME_Entity() { if ( ! end_of_data ) - zeek::reporter->AnalyzerError(message ? message->GetAnalyzer() : nullptr, + reporter->AnalyzerError(message ? message->GetAnalyzer() : nullptr, "missing MIME_Entity::EndOfData() before ~MIME_Entity"); delete current_header_line; @@ -759,7 +759,7 @@ void MIME_Entity::FinishHeader() delete h; } -int MIME_Entity::LookupMIMEHeaderName(zeek::data_chunk_t name) +int MIME_Entity::LookupMIMEHeaderName(data_chunk_t name) { // A linear lookup should be fine for now. // header names are case-insensitive (RFC 822, 2822, 2045). @@ -790,11 +790,11 @@ void MIME_Entity::ParseMIMEHeader(MIME_Header* h) bool MIME_Entity::ParseContentTypeField(MIME_Header* h) { - zeek::data_chunk_t val = h->get_value(); + data_chunk_t val = h->get_value(); int len = val.length; const char* data = val.data; - zeek::data_chunk_t ty, subty; + data_chunk_t ty, subty; int offset; offset = MIME_get_slash_token_pair(len, data, &ty, &subty); @@ -806,9 +806,9 @@ bool MIME_Entity::ParseContentTypeField(MIME_Header* h) data += offset; len -= offset; - content_type_str = zeek::make_intrusive(ty.length, ty.data); + content_type_str = make_intrusive(ty.length, ty.data); content_type_str->ToUpper(); - content_subtype_str = zeek::make_intrusive(subty.length, subty.data); + content_subtype_str = make_intrusive(subty.length, subty.data); content_subtype_str->ToUpper(); ParseContentType(ty, subty); @@ -829,7 +829,7 @@ bool MIME_Entity::ParseContentTypeField(MIME_Header* h) bool MIME_Entity::ParseContentEncodingField(MIME_Header* h) { - zeek::data_chunk_t enc; + data_chunk_t enc; enc = h->get_value_token(); if ( is_null_data_chunk(enc) ) @@ -839,12 +839,12 @@ bool MIME_Entity::ParseContentEncodingField(MIME_Header* h) } delete content_encoding_str; - content_encoding_str = new zeek::String((const u_char*)enc.data, enc.length, true); + content_encoding_str = new String((const u_char*)enc.data, enc.length, true); ParseContentEncoding(enc); if ( need_to_parse_parameters ) { - zeek::data_chunk_t val = h->get_value_after_token(); + data_chunk_t val = h->get_value_after_token(); if ( ! is_null_data_chunk(val) ) ParseFieldParameters(val.length, val.data); } @@ -854,7 +854,7 @@ bool MIME_Entity::ParseContentEncodingField(MIME_Header* h) bool MIME_Entity::ParseFieldParameters(int len, const char* data) { - zeek::data_chunk_t attr; + data_chunk_t attr; while ( true ) { @@ -887,7 +887,7 @@ bool MIME_Entity::ParseFieldParameters(int len, const char* data) data += offset; len -= offset; - zeek::String* val = nullptr; + String* val = nullptr; if ( current_field_type == MIME_CONTENT_TYPE && content_type == CONTENT_TYPE_MULTIPART && @@ -903,9 +903,9 @@ bool MIME_Entity::ParseFieldParameters(int len, const char* data) continue; } - zeek::data_chunk_t vd = get_data_chunk(val); + data_chunk_t vd = get_data_chunk(val); delete multipart_boundary; - multipart_boundary = new zeek::String((const u_char*)vd.data, + multipart_boundary = new String((const u_char*)vd.data, vd.length, true); } else @@ -927,7 +927,7 @@ bool MIME_Entity::ParseFieldParameters(int len, const char* data) return true; } -void MIME_Entity::ParseContentType(zeek::data_chunk_t type, zeek::data_chunk_t sub_type) +void MIME_Entity::ParseContentType(data_chunk_t type, data_chunk_t sub_type) { int i; for ( i = 0; MIMEContentTypeName[i]; ++i ) @@ -954,7 +954,7 @@ void MIME_Entity::ParseContentType(zeek::data_chunk_t type, zeek::data_chunk_t s } } -void MIME_Entity::ParseContentEncoding(zeek::data_chunk_t encoding_mechanism) +void MIME_Entity::ParseContentEncoding(data_chunk_t encoding_mechanism) { int i; for ( i = 0; MIMEContentEncodingName[i]; ++i ) @@ -968,7 +968,7 @@ int MIME_Entity::CheckBoundaryDelimiter(int len, const char* data) { if ( ! multipart_boundary ) { - zeek::reporter->Warning("boundary delimiter was not specified for a multipart message\n"); + reporter->Warning("boundary delimiter was not specified for a multipart message\n"); DEBUG_MSG("headers of the MIME entity for debug:\n"); DebugPrintHeaders(); return NOT_MULTIPART_BOUNDARY; @@ -978,7 +978,7 @@ int MIME_Entity::CheckBoundaryDelimiter(int len, const char* data) { len -= 2; data += 2; - zeek::data_chunk_t delim = get_data_chunk(multipart_boundary); + data_chunk_t delim = get_data_chunk(multipart_boundary); int i; for ( i = 0; i < len && i < delim.length; ++i ) @@ -1083,8 +1083,8 @@ void MIME_Entity::DecodeQuotedPrintable(int len, const char* data) if ( i + 2 < len ) { int a, b; - a = zeek::util::decode_hex(data[i+1]); - b = zeek::util::decode_hex(data[i+2]); + a = util::decode_hex(data[i+1]); + b = util::decode_hex(data[i+2]); if ( a >= 0 && b >= 0 ) { @@ -1114,7 +1114,7 @@ void MIME_Entity::DecodeQuotedPrintable(int len, const char* data) else { - IllegalEncoding(zeek::util::fmt("control characters in quoted-printable encoding: %d", (int) (data[i]))); + IllegalEncoding(util::fmt("control characters in quoted-printable encoding: %d", (int) (data[i]))); DataOctet(data[i]); } } @@ -1145,15 +1145,15 @@ void MIME_Entity::StartDecodeBase64() { if ( base64_decoder ) { - zeek::reporter->InternalWarning("previous MIME Base64 decoder not released"); + reporter->InternalWarning("previous MIME Base64 decoder not released"); delete base64_decoder; } - zeek::analyzer::Analyzer* analyzer = message->GetAnalyzer(); + analyzer::Analyzer* analyzer = message->GetAnalyzer(); if ( ! analyzer ) { - zeek::reporter->InternalWarning("no analyzer associated with MIME message"); + reporter->InternalWarning("no analyzer associated with MIME message"); return; } @@ -1184,7 +1184,7 @@ bool MIME_Entity::GetDataBuffer() int ret = message->RequestBuffer(&data_buf_length, &data_buf_data); if ( ! ret || data_buf_length == 0 || data_buf_data == nullptr ) { - // zeek::reporter->InternalError("cannot get data buffer from MIME_Message", ""); + // reporter->InternalError("cannot get data buffer from MIME_Message", ""); return false; } @@ -1291,13 +1291,13 @@ void MIME_Entity::DebugPrintHeaders() #endif } -zeek::RecordVal* MIME_Message::BuildHeaderVal(MIME_Header* h) +RecordVal* MIME_Message::BuildHeaderVal(MIME_Header* h) { return ToHeaderVal(h).release(); } -zeek::RecordValPtr MIME_Message::ToHeaderVal(MIME_Header* h) +RecordValPtr MIME_Message::ToHeaderVal(MIME_Header* h) { - static auto mime_header_rec = zeek::id::find_type("mime_header_rec"); - auto header_record = zeek::make_intrusive(mime_header_rec); + static auto mime_header_rec = id::find_type("mime_header_rec"); + auto header_record = make_intrusive(mime_header_rec); header_record->Assign(0, to_string_val(h->get_name())); auto upper_hn = to_string_val(h->get_name()); upper_hn->ToUpper(); @@ -1306,17 +1306,17 @@ zeek::RecordValPtr MIME_Message::ToHeaderVal(MIME_Header* h) return header_record; } -zeek::TableVal* MIME_Message::BuildHeaderTable(MIME_HeaderList& hlist) +TableVal* MIME_Message::BuildHeaderTable(MIME_HeaderList& hlist) { return ToHeaderTable(hlist).release(); } -zeek::TableValPtr MIME_Message::ToHeaderTable(MIME_HeaderList& hlist) +TableValPtr MIME_Message::ToHeaderTable(MIME_HeaderList& hlist) { - static auto mime_header_list = zeek::id::find_type("mime_header_list"); - auto t = zeek::make_intrusive(mime_header_list); + static auto mime_header_list = id::find_type("mime_header_list"); + auto t = make_intrusive(mime_header_list); for ( size_t i = 0; i < hlist.size(); ++i ) { - auto index = zeek::val_mgr->Count(i + 1); // index starting from 1 + auto index = val_mgr->Count(i + 1); // index starting from 1 MIME_Header* h = hlist[i]; t->Assign(std::move(index), ToHeaderVal(h)); } @@ -1324,7 +1324,7 @@ zeek::TableValPtr MIME_Message::ToHeaderTable(MIME_HeaderList& hlist) return t; } -MIME_Mail::MIME_Mail(zeek::analyzer::Analyzer* mail_analyzer, bool orig, int buf_size) +MIME_Mail::MIME_Mail(analyzer::Analyzer* mail_analyzer, bool orig, int buf_size) : MIME_Message(mail_analyzer), md5_hash() { analyzer = mail_analyzer; @@ -1345,12 +1345,12 @@ MIME_Mail::MIME_Mail(zeek::analyzer::Analyzer* mail_analyzer, bool orig, int buf length = max_chunk_length; buffer_start = data_start = 0; - data_buffer = new zeek::String(true, new u_char[length+1], length); + data_buffer = new String(true, new u_char[length+1], length); if ( mime_content_hash ) { compute_content_hash = 1; - md5_hash = zeek::detail::hash_init(zeek::detail::Hash_MD5); + md5_hash = zeek::detail::hash_init(detail::Hash_MD5); } else compute_content_hash = 0; @@ -1375,14 +1375,14 @@ void MIME_Mail::Done() analyzer->EnqueueConnEvent(mime_content_hash, analyzer->ConnVal(), - zeek::val_mgr->Count(content_hash_length), - zeek::make_intrusive(new zeek::String(true, digest, 16)) + val_mgr->Count(content_hash_length), + make_intrusive(new String(true, digest, 16)) ); } MIME_Message::Done(); - zeek::file_mgr->EndOfFile(analyzer->GetAnalyzerTag(), analyzer->Conn()); + file_mgr->EndOfFile(analyzer->GetAnalyzerTag(), analyzer->Conn()); } MIME_Mail::~MIME_Mail() @@ -1411,12 +1411,12 @@ void MIME_Mail::EndEntity(MIME_Entity* /* entity */) { if ( mime_entity_data ) { - zeek::String* s = concatenate(entity_content); + String* s = concatenate(entity_content); analyzer->EnqueueConnEvent(mime_entity_data, analyzer->ConnVal(), - zeek::val_mgr->Count(s->Len()), - zeek::make_intrusive(s) + val_mgr->Count(s->Len()), + make_intrusive(s) ); if ( ! mime_all_data ) @@ -1428,7 +1428,7 @@ void MIME_Mail::EndEntity(MIME_Entity* /* entity */) if ( mime_end_entity ) analyzer->EnqueueConnEvent(mime_end_entity, analyzer->ConnVal()); - zeek::file_mgr->EndOfFile(analyzer->GetAnalyzerTag(), analyzer->Conn()); + file_mgr->EndOfFile(analyzer->GetAnalyzerTag(), analyzer->Conn()); cur_entity_id.clear(); } @@ -1454,7 +1454,7 @@ void MIME_Mail::SubmitData(int len, const char* buf) { if ( buf != (char*) data_buffer->Bytes() + buffer_start ) { - zeek::reporter->AnalyzerError(GetAnalyzer(), + reporter->AnalyzerError(GetAnalyzer(), "MIME buffer misalignment"); return; } @@ -1467,7 +1467,7 @@ void MIME_Mail::SubmitData(int len, const char* buf) if ( mime_entity_data || mime_all_data ) { - zeek::String* s = new zeek::String((const u_char*) buf, len, false); + String* s = new String((const u_char*) buf, len, false); if ( mime_entity_data ) entity_content.push_back(s); @@ -1482,12 +1482,12 @@ void MIME_Mail::SubmitData(int len, const char* buf) analyzer->EnqueueConnEvent(mime_segment_data, analyzer->ConnVal(), - zeek::val_mgr->Count(data_len), - zeek::make_intrusive(data_len, data) + val_mgr->Count(data_len), + make_intrusive(data_len, data) ); } - cur_entity_id = zeek::file_mgr->DataIn( + cur_entity_id = file_mgr->DataIn( reinterpret_cast(buf), len, analyzer->GetAnalyzerTag(), analyzer->Conn(), is_orig, cur_entity_id); @@ -1525,13 +1525,13 @@ void MIME_Mail::SubmitAllData() { if ( mime_all_data ) { - zeek::String* s = concatenate(all_content); + String* s = concatenate(all_content); delete_strings(all_content); analyzer->EnqueueConnEvent(mime_all_data, analyzer->ConnVal(), - zeek::val_mgr->Count(s->Len()), - zeek::make_intrusive(s) + val_mgr->Count(s->Len()), + make_intrusive(s) ); } } @@ -1550,7 +1550,7 @@ void MIME_Mail::SubmitEvent(int event_type, const char* detail) break; default: - zeek::reporter->AnalyzerError(GetAnalyzer(), + reporter->AnalyzerError(GetAnalyzer(), "unrecognized MIME_Mail event"); return; } @@ -1558,8 +1558,8 @@ void MIME_Mail::SubmitEvent(int event_type, const char* detail) if ( mime_event ) analyzer->EnqueueConnEvent(mime_event, analyzer->ConnVal(), - zeek::make_intrusive(category), - zeek::make_intrusive(detail) + make_intrusive(category), + make_intrusive(detail) ); } diff --git a/src/analyzer/protocol/mime/MIME.h b/src/analyzer/protocol/mime/MIME.h index 7498ada5ea..8d7335ffa2 100644 --- a/src/analyzer/protocol/mime/MIME.h +++ b/src/analyzer/protocol/mime/MIME.h @@ -15,8 +15,8 @@ ZEEK_FORWARD_DECLARE_NAMESPACED(StringVal, zeek); ZEEK_FORWARD_DECLARE_NAMESPACED(Base64Converter, zeek::detail); namespace zeek { -using TableValPtr = zeek::IntrusivePtr; -using StringValPtr = zeek::IntrusivePtr; +using TableValPtr = IntrusivePtr; +using StringValPtr = IntrusivePtr; } namespace zeek::analyzer::mime { @@ -61,11 +61,11 @@ public: ~MIME_Multiline(); void append(int len, const char* data); - zeek::String* get_concatenated_line(); + String* get_concatenated_line(); protected: - std::vector buffer; - zeek::String* line; + std::vector buffer; + String* line; }; class MIME_Header { @@ -73,19 +73,19 @@ public: explicit MIME_Header(MIME_Multiline* hl); ~MIME_Header(); - zeek::data_chunk_t get_name() const { return name; } - zeek::data_chunk_t get_value() const { return value; } + data_chunk_t get_name() const { return name; } + data_chunk_t get_value() const { return value; } - zeek::data_chunk_t get_value_token(); - zeek::data_chunk_t get_value_after_token(); + data_chunk_t get_value_token(); + data_chunk_t get_value_after_token(); protected: int get_first_token(); MIME_Multiline* lines; - zeek::data_chunk_t name; - zeek::data_chunk_t value; - zeek::data_chunk_t value_token, rest_value; + data_chunk_t name; + data_chunk_t value; + data_chunk_t value_token, rest_value; }; @@ -102,11 +102,11 @@ public: MIME_Entity* Parent() const { return parent; } int MIMEContentType() const { return content_type; } [[deprecated("Remove in v4.1. Use GetContentType().")]] - zeek::StringVal* ContentType() const { return content_type_str.get(); } + StringVal* ContentType() const { return content_type_str.get(); } [[deprecated("Remove in v4.1. Use GetContentSubType().")]] - zeek::StringVal* ContentSubType() const { return content_subtype_str.get(); } - const zeek::StringValPtr& GetContentType() const { return content_type_str; } - const zeek::StringValPtr& GetContentSubType() const { return content_subtype_str; } + StringVal* ContentSubType() const { return content_subtype_str.get(); } + const StringValPtr& GetContentType() const { return content_type_str; } + const StringValPtr& GetContentSubType() const { return content_subtype_str; } int ContentTransferEncoding() const { return content_encoding; } protected: @@ -118,13 +118,13 @@ protected: void FinishHeader(); void ParseMIMEHeader(MIME_Header* h); - int LookupMIMEHeaderName(zeek::data_chunk_t name); + int LookupMIMEHeaderName(data_chunk_t name); bool ParseContentTypeField(MIME_Header* h); bool ParseContentEncodingField(MIME_Header* h); bool ParseFieldParameters(int len, const char* data); - void ParseContentType(zeek::data_chunk_t type, zeek::data_chunk_t sub_type); - void ParseContentEncoding(zeek::data_chunk_t encoding_mechanism); + void ParseContentType(data_chunk_t type, data_chunk_t sub_type); + void ParseContentEncoding(data_chunk_t encoding_mechanism); void BeginBody(); void NewDataLine(int len, const char* data, bool trailing_CRLF); @@ -162,10 +162,10 @@ protected: int current_field_type; int need_to_parse_parameters; - zeek::StringValPtr content_type_str; - zeek::StringValPtr content_subtype_str; - zeek::String* content_encoding_str; - zeek::String* multipart_boundary; + StringValPtr content_type_str; + StringValPtr content_subtype_str; + String* content_encoding_str; + String* multipart_boundary; int content_type, content_subtype, content_encoding; @@ -190,7 +190,7 @@ protected: class MIME_Message { public: - explicit MIME_Message(zeek::analyzer::Analyzer* arg_analyzer) + explicit MIME_Message(analyzer::Analyzer* arg_analyzer) { // Cannot initialize top_level entity because we do // not know its type yet (MIME_Entity / MIME_Mail / @@ -203,7 +203,7 @@ public: virtual ~MIME_Message() { if ( ! finished ) - zeek::reporter->AnalyzerError(analyzer, + reporter->AnalyzerError(analyzer, "missing MIME_Message::Done() call"); } @@ -216,7 +216,7 @@ public: top_level->Deliver(len, data, trailing_CRLF); } - zeek::analyzer::Analyzer* GetAnalyzer() const { return analyzer; } + analyzer::Analyzer* GetAnalyzer() const { return analyzer; } // Events generated by MIME_Entity virtual void BeginEntity(MIME_Entity*) = 0; @@ -228,23 +228,23 @@ public: virtual void SubmitEvent(int event_type, const char* detail) = 0; protected: - zeek::analyzer::Analyzer* analyzer; + analyzer::Analyzer* analyzer; MIME_Entity* top_level; bool finished; [[deprecated("Remove in v4.1. Use ToHeaderVal().")]] - zeek::RecordVal* BuildHeaderVal(MIME_Header* h); + RecordVal* BuildHeaderVal(MIME_Header* h); [[deprecated("Remove in v4.1. Use ToHeaderTable().")]] - zeek::TableVal* BuildHeaderTable(MIME_HeaderList& hlist); + TableVal* BuildHeaderTable(MIME_HeaderList& hlist); - zeek::RecordValPtr ToHeaderVal(MIME_Header* h); - zeek::TableValPtr ToHeaderTable(MIME_HeaderList& hlist); + RecordValPtr ToHeaderVal(MIME_Header* h); + TableValPtr ToHeaderTable(MIME_HeaderList& hlist); }; class MIME_Mail final : public MIME_Message { public: - MIME_Mail(zeek::analyzer::Analyzer* mail_conn, bool is_orig, int buf_size = 0); + MIME_Mail(analyzer::Analyzer* mail_conn, bool is_orig, int buf_size = 0); ~MIME_Mail() override; void Done() override; @@ -267,40 +267,40 @@ protected: int compute_content_hash; int content_hash_length; EVP_MD_CTX* md5_hash; - std::vector entity_content; - std::vector all_content; + std::vector entity_content; + std::vector all_content; - zeek::String* data_buffer; + String* data_buffer; uint64_t cur_entity_len; std::string cur_entity_id; }; -extern bool is_null_data_chunk(zeek::data_chunk_t b); -[[deprecated("Remove in v4.1. Use zeek::analyzer::mime::to_string_val().")]] -extern zeek::StringVal* new_string_val(int length, const char* data); -[[deprecated("Remove in v4.1. Use zeek::analyzer::mime::to_string_val().")]] -extern zeek::StringVal* new_string_val(const char* data, const char* end_of_data); -[[deprecated("Remove in v4.1. Use zeek::analyzer::mime::to_string_val().")]] -extern zeek::StringVal* new_string_val(const zeek::data_chunk_t buf); -extern zeek::StringValPtr to_string_val(int length, const char* data); -extern zeek::StringValPtr to_string_val(const char* data, const char* end_of_data); -extern zeek::StringValPtr to_string_val(const zeek::data_chunk_t buf); -extern int fputs(zeek::data_chunk_t b, FILE* fp); -extern bool istrequal(zeek::data_chunk_t s, const char* t); +extern bool is_null_data_chunk(data_chunk_t b); +[[deprecated("Remove in v4.1. Use analyzer::mime::to_string_val().")]] +extern StringVal* new_string_val(int length, const char* data); +[[deprecated("Remove in v4.1. Use analyzer::mime::to_string_val().")]] +extern StringVal* new_string_val(const char* data, const char* end_of_data); +[[deprecated("Remove in v4.1. Use analyzer::mime::to_string_val().")]] +extern StringVal* new_string_val(const data_chunk_t buf); +extern StringValPtr to_string_val(int length, const char* data); +extern StringValPtr to_string_val(const char* data, const char* end_of_data); +extern StringValPtr to_string_val(const data_chunk_t buf); +extern int fputs(data_chunk_t b, FILE* fp); +extern bool istrequal(data_chunk_t s, const char* t); extern bool is_lws(char ch); extern bool MIME_is_field_name_char(char ch); extern int MIME_count_leading_lws(int len, const char* data); extern int MIME_count_trailing_lws(int len, const char* data); extern int MIME_skip_comments(int len, const char* data); extern int MIME_skip_lws_comments(int len, const char* data); -extern int MIME_get_token(int len, const char* data, zeek::data_chunk_t* token, +extern int MIME_get_token(int len, const char* data, data_chunk_t* token, bool is_boundary = false); -extern int MIME_get_slash_token_pair(int len, const char* data, zeek::data_chunk_t* first, zeek::data_chunk_t* second); -extern int MIME_get_value(int len, const char* data, zeek::String*& buf, +extern int MIME_get_slash_token_pair(int len, const char* data, data_chunk_t* first, data_chunk_t* second); +extern int MIME_get_value(int len, const char* data, String*& buf, bool is_boundary = false); -extern int MIME_get_field_name(int len, const char* data, zeek::data_chunk_t* name); -extern zeek::String* MIME_decode_quoted_pairs(zeek::data_chunk_t buf); +extern int MIME_get_field_name(int len, const char* data, data_chunk_t* name); +extern String* MIME_decode_quoted_pairs(data_chunk_t buf); } // namespace zeek::analyzer::mime diff --git a/src/analyzer/protocol/modbus/Modbus.cc b/src/analyzer/protocol/modbus/Modbus.cc index 37b6fa74f3..374f7c2f22 100644 --- a/src/analyzer/protocol/modbus/Modbus.cc +++ b/src/analyzer/protocol/modbus/Modbus.cc @@ -6,7 +6,7 @@ namespace zeek::analyzer::modbus { -ModbusTCP_Analyzer::ModbusTCP_Analyzer(zeek::Connection* c) +ModbusTCP_Analyzer::ModbusTCP_Analyzer(Connection* c) : TCP_ApplicationAnalyzer("MODBUS", c) { interp = new binpac::ModbusTCP::ModbusTCP_Conn(this); diff --git a/src/analyzer/protocol/modbus/Modbus.h b/src/analyzer/protocol/modbus/Modbus.h index ae1a466c61..e316e6d940 100644 --- a/src/analyzer/protocol/modbus/Modbus.h +++ b/src/analyzer/protocol/modbus/Modbus.h @@ -5,9 +5,9 @@ namespace zeek::analyzer::modbus { -class ModbusTCP_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { +class ModbusTCP_Analyzer : public analyzer::tcp::TCP_ApplicationAnalyzer { public: - explicit ModbusTCP_Analyzer(zeek::Connection* conn); + explicit ModbusTCP_Analyzer(Connection* conn); ~ModbusTCP_Analyzer() override; void Done() override; @@ -16,7 +16,7 @@ public: void Undelivered(uint64_t seq, int len, bool orig) override; void EndpointEOF(bool is_orig) override; - static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) + static analyzer::Analyzer* Instantiate(Connection* conn) { return new ModbusTCP_Analyzer(conn); } protected: diff --git a/src/analyzer/protocol/mqtt/MQTT.cc b/src/analyzer/protocol/mqtt/MQTT.cc index 82524ac112..5612d7456a 100644 --- a/src/analyzer/protocol/mqtt/MQTT.cc +++ b/src/analyzer/protocol/mqtt/MQTT.cc @@ -9,8 +9,8 @@ namespace zeek::analyzer::mqtt { -MQTT_Analyzer::MQTT_Analyzer(zeek::Connection* c) - : zeek::analyzer::tcp::TCP_ApplicationAnalyzer("MQTT", c) +MQTT_Analyzer::MQTT_Analyzer(Connection* c) + : analyzer::tcp::TCP_ApplicationAnalyzer("MQTT", c) { interp = new binpac::MQTT::MQTT_Conn(this); } @@ -22,7 +22,7 @@ MQTT_Analyzer::~MQTT_Analyzer() void MQTT_Analyzer::Done() { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); + analyzer::tcp::TCP_ApplicationAnalyzer::Done(); interp->FlowEOF(true); interp->FlowEOF(false); @@ -30,13 +30,13 @@ void MQTT_Analyzer::Done() void MQTT_Analyzer::EndpointEOF(bool is_orig) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); + analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); interp->FlowEOF(is_orig); } void MQTT_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); + analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); assert(TCP()); @@ -46,13 +46,13 @@ void MQTT_Analyzer::DeliverStream(int len, const u_char* data, bool orig) } catch ( const binpac::Exception& e ) { - ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg())); + ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg())); } } void MQTT_Analyzer::Undelivered(uint64_t seq, int len, bool orig) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); + analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); interp->NewGap(orig, len); } diff --git a/src/analyzer/protocol/mqtt/MQTT.h b/src/analyzer/protocol/mqtt/MQTT.h index a150fc2c05..9b1a49747b 100644 --- a/src/analyzer/protocol/mqtt/MQTT.h +++ b/src/analyzer/protocol/mqtt/MQTT.h @@ -9,10 +9,10 @@ namespace binpac { namespace MQTT { class MQTT_Conn; } } namespace zeek::analyzer::mqtt { -class MQTT_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { +class MQTT_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer { public: - MQTT_Analyzer(zeek::Connection* conn); + MQTT_Analyzer(Connection* conn); ~MQTT_Analyzer() override; void Done() override; @@ -20,7 +20,7 @@ public: void Undelivered(uint64_t seq, int len, bool orig) override; void EndpointEOF(bool is_orig) override; - static zeek::analyzer::Analyzer* InstantiateAnalyzer(zeek::Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new MQTT_Analyzer(conn); } protected: diff --git a/src/analyzer/protocol/mysql/MySQL.cc b/src/analyzer/protocol/mysql/MySQL.cc index 789e71bce3..db97774d53 100644 --- a/src/analyzer/protocol/mysql/MySQL.cc +++ b/src/analyzer/protocol/mysql/MySQL.cc @@ -7,8 +7,8 @@ namespace zeek::analyzer::mysql { -MySQL_Analyzer::MySQL_Analyzer(zeek::Connection* c) - : zeek::analyzer::tcp::TCP_ApplicationAnalyzer("MySQL", c) +MySQL_Analyzer::MySQL_Analyzer(Connection* c) + : analyzer::tcp::TCP_ApplicationAnalyzer("MySQL", c) { interp = new binpac::MySQL::MySQL_Conn(this); had_gap = false; @@ -21,7 +21,7 @@ MySQL_Analyzer::~MySQL_Analyzer() void MySQL_Analyzer::Done() { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); + analyzer::tcp::TCP_ApplicationAnalyzer::Done(); interp->FlowEOF(true); interp->FlowEOF(false); @@ -29,13 +29,13 @@ void MySQL_Analyzer::Done() void MySQL_Analyzer::EndpointEOF(bool is_orig) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); + analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); interp->FlowEOF(is_orig); } void MySQL_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); + analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); assert(TCP()); if ( TCP()->IsPartial() ) @@ -53,13 +53,13 @@ void MySQL_Analyzer::DeliverStream(int len, const u_char* data, bool orig) } catch ( const binpac::Exception& e ) { - ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg())); + ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg())); } } void MySQL_Analyzer::Undelivered(uint64_t seq, int len, bool orig) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); + analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); had_gap = true; interp->NewGap(orig, len); } diff --git a/src/analyzer/protocol/mysql/MySQL.h b/src/analyzer/protocol/mysql/MySQL.h index 3bb75da40c..8f987e8547 100644 --- a/src/analyzer/protocol/mysql/MySQL.h +++ b/src/analyzer/protocol/mysql/MySQL.h @@ -9,10 +9,10 @@ namespace zeek::analyzer::mysql { -class MySQL_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { +class MySQL_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer { public: - explicit MySQL_Analyzer(zeek::Connection* conn); + explicit MySQL_Analyzer(Connection* conn); ~MySQL_Analyzer() override; // Overriden from Analyzer. @@ -21,10 +21,10 @@ public: void DeliverStream(int len, const u_char* data, bool orig) override; void Undelivered(uint64_t seq, int len, bool orig) override; - // Overriden from zeek::analyzer::tcp::TCP_ApplicationAnalyzer. + // Overriden from analyzer::tcp::TCP_ApplicationAnalyzer. void EndpointEOF(bool is_orig) override; - static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) + static analyzer::Analyzer* Instantiate(Connection* conn) { return new MySQL_Analyzer(conn); } protected: diff --git a/src/analyzer/protocol/ncp/NCP.cc b/src/analyzer/protocol/ncp/NCP.cc index a566e27827..afeed8c3eb 100644 --- a/src/analyzer/protocol/ncp/NCP.cc +++ b/src/analyzer/protocol/ncp/NCP.cc @@ -25,7 +25,7 @@ using namespace std; namespace zeek::analyzer::ncp { namespace detail { -NCP_Session::NCP_Session(zeek::analyzer::Analyzer* a) +NCP_Session::NCP_Session(analyzer::Analyzer* a) : analyzer(a) { req_frame_type = 0; @@ -43,7 +43,7 @@ void NCP_Session::Deliver(bool is_orig, int len, const u_char* data) } catch ( const binpac::Exception& e ) { - analyzer->ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg())); + analyzer->ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg())); } } @@ -60,24 +60,24 @@ void NCP_Session::DeliverFrame(const binpac::NCP::ncp_frame* frame) } } - zeek::EventHandlerPtr f = frame->is_orig() ? ncp_request : ncp_reply; + EventHandlerPtr f = frame->is_orig() ? ncp_request : ncp_reply; if ( f ) { if ( frame->is_orig() ) analyzer->EnqueueConnEvent(f, analyzer->ConnVal(), - zeek::val_mgr->Count(frame->frame_type()), - zeek::val_mgr->Count(frame->body_length()), - zeek::val_mgr->Count(req_func) + val_mgr->Count(frame->frame_type()), + val_mgr->Count(frame->body_length()), + val_mgr->Count(req_func) ); else analyzer->EnqueueConnEvent(f, analyzer->ConnVal(), - zeek::val_mgr->Count(frame->frame_type()), - zeek::val_mgr->Count(frame->body_length()), - zeek::val_mgr->Count(req_frame_type), - zeek::val_mgr->Count(req_func), - zeek::val_mgr->Count(frame->reply()->completion_code()) + val_mgr->Count(frame->frame_type()), + val_mgr->Count(frame->body_length()), + val_mgr->Count(req_frame_type), + val_mgr->Count(req_func), + val_mgr->Count(frame->reply()->completion_code()) ); } } @@ -131,7 +131,7 @@ int FrameBuffer::Deliver(int &len, const u_char* &data) if ( msg_len > buf_len ) { - if ( msg_len > zeek::BifConst::NCP::max_frame_size ) + if ( msg_len > BifConst::NCP::max_frame_size ) return 1; buf_len = msg_len; @@ -167,8 +167,8 @@ void NCP_FrameBuffer::compute_msg_length() } // namespace detail -Contents_NCP_Analyzer::Contents_NCP_Analyzer(zeek::Connection* conn, bool orig, detail::NCP_Session* arg_session) -: zeek::analyzer::tcp::TCP_SupportAnalyzer("CONTENTS_NCP", conn, orig) +Contents_NCP_Analyzer::Contents_NCP_Analyzer(Connection* conn, bool orig, detail::NCP_Session* arg_session) +: analyzer::tcp::TCP_SupportAnalyzer("CONTENTS_NCP", conn, orig) { session = arg_session; resync = true; @@ -181,7 +181,7 @@ Contents_NCP_Analyzer::~Contents_NCP_Analyzer() void Contents_NCP_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - zeek::analyzer::tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig); + analyzer::tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig); auto tcp = static_cast(Parent())->TCP(); @@ -189,7 +189,7 @@ void Contents_NCP_Analyzer::DeliverStream(int len, const u_char* data, bool orig { resync_set = true; resync = (IsOrig() ? tcp->OrigState() : tcp->RespState()) != - zeek::analyzer::tcp::TCP_ENDPOINT_ESTABLISHED; + analyzer::tcp::TCP_ENDPOINT_ESTABLISHED; } if ( tcp && tcp->HadGap(orig) ) @@ -242,14 +242,14 @@ void Contents_NCP_Analyzer::DeliverStream(int len, const u_char* data, bool orig void Contents_NCP_Analyzer::Undelivered(uint64_t seq, int len, bool orig) { - zeek::analyzer::tcp::TCP_SupportAnalyzer::Undelivered(seq, len, orig); + analyzer::tcp::TCP_SupportAnalyzer::Undelivered(seq, len, orig); buffer.Reset(); resync = true; } -NCP_Analyzer::NCP_Analyzer(zeek::Connection* conn) -: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("NCP", conn) +NCP_Analyzer::NCP_Analyzer(Connection* conn) +: analyzer::tcp::TCP_ApplicationAnalyzer("NCP", conn) { session = new detail::NCP_Session(this); o_ncp = new Contents_NCP_Analyzer(conn, true, session); diff --git a/src/analyzer/protocol/ncp/NCP.h b/src/analyzer/protocol/ncp/NCP.h index 1e2e90ee88..70032f28aa 100644 --- a/src/analyzer/protocol/ncp/NCP.h +++ b/src/analyzer/protocol/ncp/NCP.h @@ -31,7 +31,7 @@ namespace detail { class NCP_Session { public: - explicit NCP_Session(zeek::analyzer::Analyzer* analyzer); + explicit NCP_Session(analyzer::Analyzer* analyzer); void Deliver(bool is_orig, int len, const u_char* data); @@ -43,7 +43,7 @@ public: protected: void DeliverFrame(const binpac::NCP::ncp_frame* frame); - zeek::analyzer::Analyzer* analyzer; + analyzer::Analyzer* analyzer; int req_frame_type; int req_func; }; @@ -85,9 +85,9 @@ protected: } // namespace detail -class Contents_NCP_Analyzer : public zeek::analyzer::tcp::TCP_SupportAnalyzer { +class Contents_NCP_Analyzer : public analyzer::tcp::TCP_SupportAnalyzer { public: - Contents_NCP_Analyzer(zeek::Connection* conn, bool orig, detail::NCP_Session* session); + Contents_NCP_Analyzer(Connection* conn, bool orig, detail::NCP_Session* session); ~Contents_NCP_Analyzer() override; protected: @@ -102,12 +102,12 @@ protected: bool resync_set; }; -class NCP_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { +class NCP_Analyzer : public analyzer::tcp::TCP_ApplicationAnalyzer { public: - explicit NCP_Analyzer(zeek::Connection* conn); + explicit NCP_Analyzer(Connection* conn); ~NCP_Analyzer() override; - static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) + static analyzer::Analyzer* Instantiate(Connection* conn) { return new NCP_Analyzer(conn); } protected: diff --git a/src/analyzer/protocol/netbios/NetbiosSSN.cc b/src/analyzer/protocol/netbios/NetbiosSSN.cc index df422d76fe..c157aa506e 100644 --- a/src/analyzer/protocol/netbios/NetbiosSSN.cc +++ b/src/analyzer/protocol/netbios/NetbiosSSN.cc @@ -49,7 +49,7 @@ NetbiosDGM_RawMsgHdr::NetbiosDGM_RawMsgHdr(const u_char*& data, int& len) MAKE_INT16(offset, data);; len -= 2; } -NetbiosSSN_Interpreter::NetbiosSSN_Interpreter(zeek::analyzer::Analyzer* arg_analyzer) +NetbiosSSN_Interpreter::NetbiosSSN_Interpreter(analyzer::Analyzer* arg_analyzer) { analyzer = arg_analyzer; //smb_session = arg_smb_session; @@ -61,9 +61,9 @@ void NetbiosSSN_Interpreter::ParseMessage(unsigned int type, unsigned int flags, if ( netbios_session_message ) analyzer->EnqueueConnEvent(netbios_session_message, analyzer->ConnVal(), - zeek::val_mgr->Bool(is_query), - zeek::val_mgr->Count(type), - zeek::val_mgr->Count(len) + val_mgr->Bool(is_query), + val_mgr->Count(type), + val_mgr->Count(len) ); switch ( type ) { @@ -105,7 +105,7 @@ void NetbiosSSN_Interpreter::ParseMessage(unsigned int type, unsigned int flags, break; default: - analyzer->Weird("unknown_netbios_type", zeek::util::fmt("0x%x", type)); + analyzer->Weird("unknown_netbios_type", util::fmt("0x%x", type)); break; } } @@ -125,11 +125,11 @@ void NetbiosSSN_Interpreter::ParseBroadcast(const u_char* data, int len, // FIND THE NUL-TERMINATED NAME STRINGS HERE! // Not sure what's in them, so we don't keep them currently. - zeek::String* srcname = new zeek::String((char*) data); + String* srcname = new String((char*) data); data += srcname->Len()+1; len -= srcname->Len(); - zeek::String* dstname = new zeek::String((char*) data); + String* dstname = new String((char*) data); data += dstname->Len()+1; len -= dstname->Len(); @@ -146,7 +146,7 @@ void NetbiosSSN_Interpreter::ParseMessageTCP(const u_char* data, int len, NetbiosSSN_RawMsgHdr hdr(data, len); if ( hdr.length > unsigned(len) ) - analyzer->Weird("excess_netbios_hdr_len", zeek::util::fmt("(%d > %d)", + analyzer->Weird("excess_netbios_hdr_len", util::fmt("(%d > %d)", hdr.length, len)); else if ( hdr.length < unsigned(len) ) @@ -164,12 +164,12 @@ void NetbiosSSN_Interpreter::ParseMessageUDP(const u_char* data, int len, NetbiosDGM_RawMsgHdr hdr(data, len); if ( unsigned(hdr.length-14) > unsigned(len) ) - analyzer->Weird("excess_netbios_hdr_len", zeek::util::fmt("(%d > %d)", + analyzer->Weird("excess_netbios_hdr_len", util::fmt("(%d > %d)", hdr.length, len)); else if ( hdr.length < unsigned(len) ) { - analyzer->Weird("deficit_netbios_hdr_len", zeek::util::fmt("(%d < %d)", + analyzer->Weird("deficit_netbios_hdr_len", util::fmt("(%d < %d)", hdr.length, len)); len = hdr.length; } @@ -313,7 +313,7 @@ void NetbiosSSN_Interpreter::ParseKeepAlive(const u_char* data, int len, Event(netbios_session_keepalive, data, len); } -void NetbiosSSN_Interpreter::Event(zeek::EventHandlerPtr event, const u_char* data, +void NetbiosSSN_Interpreter::Event(EventHandlerPtr event, const u_char* data, int len, int is_orig) { if ( ! event ) @@ -322,19 +322,19 @@ void NetbiosSSN_Interpreter::Event(zeek::EventHandlerPtr event, const u_char* da if ( is_orig >= 0 ) analyzer->EnqueueConnEvent(event, analyzer->ConnVal(), - zeek::val_mgr->Bool(is_orig), - zeek::make_intrusive(new zeek::String(data, len, false))); + val_mgr->Bool(is_orig), + make_intrusive(new String(data, len, false))); else analyzer->EnqueueConnEvent(event, analyzer->ConnVal(), - zeek::make_intrusive(new zeek::String(data, len, false))); + make_intrusive(new String(data, len, false))); } } // namespace detail -Contents_NetbiosSSN::Contents_NetbiosSSN(zeek::Connection* conn, bool orig, +Contents_NetbiosSSN::Contents_NetbiosSSN(Connection* conn, bool orig, detail::NetbiosSSN_Interpreter* arg_interp) -: zeek::analyzer::tcp::TCP_SupportAnalyzer("CONTENTS_NETBIOSSSN", conn, orig) +: analyzer::tcp::TCP_SupportAnalyzer("CONTENTS_NETBIOSSSN", conn, orig) { interp = arg_interp; type = flags = msg_size = 0; @@ -365,7 +365,7 @@ void Contents_NetbiosSSN::DeliverStream(int len, const u_char* data, bool orig) void Contents_NetbiosSSN::ProcessChunk(int& len, const u_char*& data, bool orig) { - zeek::analyzer::tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig); + analyzer::tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig); if ( state == detail::NETBIOS_SSN_TYPE ) { @@ -453,8 +453,8 @@ void Contents_NetbiosSSN::ProcessChunk(int& len, const u_char*& data, bool orig) state = detail::NETBIOS_SSN_TYPE; } -NetbiosSSN_Analyzer::NetbiosSSN_Analyzer(zeek::Connection* conn) -: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("NETBIOSSSN", conn) +NetbiosSSN_Analyzer::NetbiosSSN_Analyzer(Connection* conn) +: analyzer::tcp::TCP_ApplicationAnalyzer("NETBIOSSSN", conn) { //smb_session = new SMB_Session(this); interp = new detail::NetbiosSSN_Interpreter(this); @@ -471,7 +471,7 @@ NetbiosSSN_Analyzer::NetbiosSSN_Analyzer(zeek::Connection* conn) else { ADD_ANALYZER_TIMER(&NetbiosSSN_Analyzer::ExpireTimer, - zeek::run_state::network_time + netbios_ssn_session_timeout, true, + run_state::network_time + netbios_ssn_session_timeout, true, zeek::detail::TIMER_NB_EXPIRE); } } @@ -484,7 +484,7 @@ NetbiosSSN_Analyzer::~NetbiosSSN_Analyzer() void NetbiosSSN_Analyzer::Done() { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); + analyzer::tcp::TCP_ApplicationAnalyzer::Done(); interp->Timeout(); if ( Conn()->ConnTransport() == TRANSPORT_UDP && ! did_session_done ) @@ -495,15 +495,15 @@ void NetbiosSSN_Analyzer::Done() void NetbiosSSN_Analyzer::EndpointEOF(bool orig) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(orig); + analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(orig); (orig ? orig_netbios : resp_netbios)->Flush(); } -void NetbiosSSN_Analyzer::ConnectionClosed(zeek::analyzer::tcp::TCP_Endpoint* endpoint, - zeek::analyzer::tcp::TCP_Endpoint* peer, bool gen_event) +void NetbiosSSN_Analyzer::ConnectionClosed(analyzer::tcp::TCP_Endpoint* endpoint, + analyzer::tcp::TCP_Endpoint* peer, bool gen_event) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::ConnectionClosed(endpoint, peer, gen_event); + analyzer::tcp::TCP_ApplicationAnalyzer::ConnectionClosed(endpoint, peer, gen_event); // Question: Why do we flush *both* endpoints upon connection close? // orig_netbios->Flush(); @@ -511,9 +511,9 @@ void NetbiosSSN_Analyzer::ConnectionClosed(zeek::analyzer::tcp::TCP_Endpoint* en } void NetbiosSSN_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, - uint64_t seq, const zeek::IP_Hdr* ip, int caplen) + uint64_t seq, const IP_Hdr* ip, int caplen) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen); + analyzer::tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen); if ( orig ) interp->ParseMessageUDP(data, len, true); @@ -526,12 +526,12 @@ void NetbiosSSN_Analyzer::ExpireTimer(double t) // The - 1.0 in the following is to allow 1 second for the // common case of a single request followed by a single reply, // so we don't needlessly set the timer twice in that case. - if ( zeek::run_state::terminating || - zeek::run_state::network_time - Conn()->LastTime() >= + if ( run_state::terminating || + run_state::network_time - Conn()->LastTime() >= netbios_ssn_session_timeout - 1.0 ) { Event(connection_timeout); - zeek::sessions->Remove(Conn()); + sessions->Remove(Conn()); } else ADD_ANALYZER_TIMER(&NetbiosSSN_Analyzer::ExpireTimer, diff --git a/src/analyzer/protocol/netbios/NetbiosSSN.h b/src/analyzer/protocol/netbios/NetbiosSSN.h index 6668093b1a..444cf63e33 100644 --- a/src/analyzer/protocol/netbios/NetbiosSSN.h +++ b/src/analyzer/protocol/netbios/NetbiosSSN.h @@ -70,7 +70,7 @@ enum NetbiosSSN_State { class NetbiosSSN_Interpreter { public: - explicit NetbiosSSN_Interpreter(zeek::analyzer::Analyzer* analyzer); + explicit NetbiosSSN_Interpreter(analyzer::Analyzer* analyzer); void ParseMessage(unsigned int type, unsigned int flags, const u_char* data, int len, bool is_query); @@ -95,7 +95,7 @@ protected: void ParseSambaMsg(const u_char* data, int len, bool is_query); - void Event(zeek::EventHandlerPtr event, const u_char* data, int len, + void Event(EventHandlerPtr event, const u_char* data, int len, int is_orig = -1); // Pass in name/length, returns in xname/xlen the converted @@ -105,16 +105,16 @@ protected: u_char*& xname, int& xlen); protected: - zeek::analyzer::Analyzer* analyzer; + analyzer::Analyzer* analyzer; //SMB_Session* smb_session; }; } // namespace detail // ### This should be merged with TCP_Contents_RPC, TCP_Contents_DNS. -class Contents_NetbiosSSN final : public zeek::analyzer::tcp::TCP_SupportAnalyzer { +class Contents_NetbiosSSN final : public analyzer::tcp::TCP_SupportAnalyzer { public: - Contents_NetbiosSSN(zeek::Connection* conn, bool orig, + Contents_NetbiosSSN(Connection* conn, bool orig, detail::NetbiosSSN_Interpreter* interp); ~Contents_NetbiosSSN() override; @@ -139,21 +139,21 @@ protected: detail::NetbiosSSN_State state; }; -class NetbiosSSN_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { +class NetbiosSSN_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer { public: - explicit NetbiosSSN_Analyzer(zeek::Connection* conn); + explicit NetbiosSSN_Analyzer(Connection* conn); ~NetbiosSSN_Analyzer() override; void Done() override; void DeliverPacket(int len, const u_char* data, bool orig, - uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override; + uint64_t seq, const IP_Hdr* ip, int caplen) override; - static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) + static analyzer::Analyzer* Instantiate(Connection* conn) { return new NetbiosSSN_Analyzer(conn); } protected: - void ConnectionClosed(zeek::analyzer::tcp::TCP_Endpoint* endpoint, - zeek::analyzer::tcp::TCP_Endpoint* peer, bool gen_event) override; + void ConnectionClosed(analyzer::tcp::TCP_Endpoint* endpoint, + analyzer::tcp::TCP_Endpoint* peer, bool gen_event) override; void EndpointEOF(bool is_orig) override; void ExpireTimer(double t); diff --git a/src/analyzer/protocol/ntlm/NTLM.cc b/src/analyzer/protocol/ntlm/NTLM.cc index 1bc4e69ea7..480e5bb212 100644 --- a/src/analyzer/protocol/ntlm/NTLM.cc +++ b/src/analyzer/protocol/ntlm/NTLM.cc @@ -7,8 +7,8 @@ namespace zeek::analyzer::ntlm { -NTLM_Analyzer::NTLM_Analyzer(zeek::Connection* c) - : zeek::analyzer::tcp::TCP_ApplicationAnalyzer("NTLM", c) +NTLM_Analyzer::NTLM_Analyzer(Connection* c) + : analyzer::tcp::TCP_ApplicationAnalyzer("NTLM", c) { interp = new binpac::NTLM::NTLM_Conn(this); } @@ -20,7 +20,7 @@ NTLM_Analyzer::~NTLM_Analyzer() void NTLM_Analyzer::Done() { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); + analyzer::tcp::TCP_ApplicationAnalyzer::Done(); interp->FlowEOF(true); interp->FlowEOF(false); @@ -28,13 +28,13 @@ void NTLM_Analyzer::Done() void NTLM_Analyzer::EndpointEOF(bool is_orig) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); + analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); interp->FlowEOF(is_orig); } void NTLM_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); + analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); assert(TCP()); @@ -45,13 +45,13 @@ void NTLM_Analyzer::DeliverStream(int len, const u_char* data, bool orig) } catch ( const binpac::Exception& e ) { - ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg())); + ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg())); } } void NTLM_Analyzer::Undelivered(uint64_t seq, int len, bool orig) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); + analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); interp->NewGap(orig, len); } diff --git a/src/analyzer/protocol/ntlm/NTLM.h b/src/analyzer/protocol/ntlm/NTLM.h index c4de65a93a..25474ba342 100644 --- a/src/analyzer/protocol/ntlm/NTLM.h +++ b/src/analyzer/protocol/ntlm/NTLM.h @@ -9,10 +9,10 @@ namespace zeek::analyzer::ntlm { -class NTLM_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { +class NTLM_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer { public: - explicit NTLM_Analyzer(zeek::Connection* conn); + explicit NTLM_Analyzer(Connection* conn); ~NTLM_Analyzer() override; // Overriden from Analyzer. @@ -21,10 +21,10 @@ public: void DeliverStream(int len, const u_char* data, bool orig) override; void Undelivered(uint64_t seq, int len, bool orig) override; - // Overriden from zeek::analyzer::tcp::TCP_ApplicationAnalyzer. + // Overriden from analyzer::tcp::TCP_ApplicationAnalyzer. void EndpointEOF(bool is_orig) override; - static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) + static analyzer::Analyzer* Instantiate(Connection* conn) { return new NTLM_Analyzer(conn); } protected: diff --git a/src/analyzer/protocol/ntp/NTP.cc b/src/analyzer/protocol/ntp/NTP.cc index 805c70c90a..0885fea3b0 100644 --- a/src/analyzer/protocol/ntp/NTP.cc +++ b/src/analyzer/protocol/ntp/NTP.cc @@ -6,8 +6,8 @@ namespace zeek::analyzer::ntp { -NTP_Analyzer::NTP_Analyzer(zeek::Connection* c) - : zeek::analyzer::Analyzer("NTP", c) +NTP_Analyzer::NTP_Analyzer(Connection* c) + : analyzer::Analyzer("NTP", c) { interp = new binpac::NTP::NTP_Conn(this); } @@ -24,7 +24,7 @@ NTP_Analyzer::~NTP_Analyzer() } void NTP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, - uint64_t seq, const zeek::IP_Hdr* ip, int caplen) + uint64_t seq, const IP_Hdr* ip, int caplen) { Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); @@ -34,7 +34,7 @@ void NTP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, } catch ( const binpac::Exception& e ) { - ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg())); + ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg())); } } diff --git a/src/analyzer/protocol/ntp/NTP.h b/src/analyzer/protocol/ntp/NTP.h index fb158a2637..91b3615723 100644 --- a/src/analyzer/protocol/ntp/NTP.h +++ b/src/analyzer/protocol/ntp/NTP.h @@ -9,17 +9,17 @@ namespace zeek::analyzer::ntp { -class NTP_Analyzer final : public zeek::analyzer::Analyzer { +class NTP_Analyzer final : public analyzer::Analyzer { public: - explicit NTP_Analyzer(zeek::Connection* conn); + explicit NTP_Analyzer(Connection* conn); ~NTP_Analyzer() override; // Overriden from Analyzer. void Done() override; void DeliverPacket(int len, const u_char* data, bool orig, - uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override; + uint64_t seq, const IP_Hdr* ip, int caplen) override; - static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) + static analyzer::Analyzer* Instantiate(Connection* conn) { return new NTP_Analyzer(conn); } protected: diff --git a/src/analyzer/protocol/pia/PIA.cc b/src/analyzer/protocol/pia/PIA.cc index 2475dd2d05..2e1aa8b941 100644 --- a/src/analyzer/protocol/pia/PIA.cc +++ b/src/analyzer/protocol/pia/PIA.cc @@ -11,7 +11,7 @@ namespace zeek::analyzer::pia { -PIA::PIA(zeek::analyzer::Analyzer* arg_as_analyzer) +PIA::PIA(analyzer::Analyzer* arg_as_analyzer) : state(INIT), as_analyzer(arg_as_analyzer), conn(), current_packet() { } @@ -37,7 +37,7 @@ void PIA::ClearBuffer(Buffer* buffer) } void PIA::AddToBuffer(Buffer* buffer, uint64_t seq, int len, const u_char* data, - bool is_orig, const zeek::IP_Hdr* ip) + bool is_orig, const IP_Hdr* ip) { u_char* tmp = nullptr; @@ -67,14 +67,14 @@ void PIA::AddToBuffer(Buffer* buffer, uint64_t seq, int len, const u_char* data, } void PIA::AddToBuffer(Buffer* buffer, int len, const u_char* data, bool is_orig, - const zeek::IP_Hdr* ip) + const IP_Hdr* ip) { AddToBuffer(buffer, -1, len, data, is_orig, ip); } -void PIA::ReplayPacketBuffer(zeek::analyzer::Analyzer* analyzer) +void PIA::ReplayPacketBuffer(analyzer::Analyzer* analyzer) { - DBG_LOG(zeek::DBG_ANALYZER, "PIA replaying %d total packet bytes", pkt_buffer.size); + DBG_LOG(DBG_ANALYZER, "PIA replaying %d total packet bytes", pkt_buffer.size); for ( DataBlock* b = pkt_buffer.head; b; b = b->next ) analyzer->DeliverPacket(b->len, b->data, b->is_orig, -1, b->ip, 0); @@ -86,7 +86,7 @@ void PIA::PIA_Done() } void PIA::PIA_DeliverPacket(int len, const u_char* data, bool is_orig, uint64_t seq, - const zeek::IP_Hdr* ip, int caplen, bool clear_state) + const IP_Hdr* ip, int caplen, bool clear_state) { if ( pkt_buffer.state == SKIPPING ) return; @@ -131,7 +131,7 @@ void PIA::Match(zeek::detail::Rule::PatternType type, const u_char* data, int le } void PIA::DoMatch(const u_char* data, int len, bool is_orig, bool bol, bool eol, - bool clear_state, const zeek::IP_Hdr* ip) + bool clear_state, const IP_Hdr* ip) { if ( ! zeek::detail::rule_matcher ) return; @@ -146,11 +146,11 @@ void PIA::DoMatch(const u_char* data, int len, bool is_orig, bool bol, bool eol, bol, eol, clear_state); } -void PIA_UDP::ActivateAnalyzer(zeek::analyzer::Tag tag, const zeek::detail::Rule* rule) +void PIA_UDP::ActivateAnalyzer(analyzer::Tag tag, const zeek::detail::Rule* rule) { if ( pkt_buffer.state == MATCHING_ONLY ) { - DBG_LOG(zeek::DBG_ANALYZER, "analyzer found but buffer already exceeded"); + DBG_LOG(DBG_ANALYZER, "analyzer found but buffer already exceeded"); // FIXME: This is where to check whether an analyzer // supports partial connections once we get such. @@ -161,7 +161,7 @@ void PIA_UDP::ActivateAnalyzer(zeek::analyzer::Tag tag, const zeek::detail::Rule tag = GetAnalyzerTag(); const auto& tval = tag.AsVal(); - zeek::event_mgr.Enqueue(protocol_late_match, ConnVal(), tval); + event_mgr.Enqueue(protocol_late_match, ConnVal(), tval); } pkt_buffer.state = zeek::detail::dpd_late_match_stop ? SKIPPING : MATCHING_ONLY; @@ -171,7 +171,7 @@ void PIA_UDP::ActivateAnalyzer(zeek::analyzer::Tag tag, const zeek::detail::Rule if ( Parent()->HasChildAnalyzer(tag) ) return; - zeek::analyzer::Analyzer* a = Parent()->AddChildAnalyzer(tag); + analyzer::Analyzer* a = Parent()->AddChildAnalyzer(tag); if ( ! a ) return; @@ -180,9 +180,9 @@ void PIA_UDP::ActivateAnalyzer(zeek::analyzer::Tag tag, const zeek::detail::Rule ReplayPacketBuffer(a); } -void PIA_UDP::DeactivateAnalyzer(zeek::analyzer::Tag tag) +void PIA_UDP::DeactivateAnalyzer(analyzer::Tag tag) { - zeek::reporter->InternalError("PIA_UDP::Deact not implemented yet"); + reporter->InternalError("PIA_UDP::Deact not implemented yet"); } //// TCP PIA @@ -194,7 +194,7 @@ PIA_TCP::~PIA_TCP() void PIA_TCP::Init() { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Init(); + analyzer::tcp::TCP_ApplicationAnalyzer::Init(); if ( Parent()->IsAnalyzer("TCP") ) { @@ -204,14 +204,14 @@ void PIA_TCP::Init() } } -void PIA_TCP::FirstPacket(bool is_orig, const zeek::IP_Hdr* ip) +void PIA_TCP::FirstPacket(bool is_orig, const IP_Hdr* ip) { static char dummy_packet[sizeof(struct ip) + sizeof(struct tcphdr)]; static struct ip* ip4 = nullptr; static struct tcphdr* tcp4 = nullptr; - static zeek::IP_Hdr* ip4_hdr = nullptr; + static IP_Hdr* ip4_hdr = nullptr; - DBG_LOG(zeek::DBG_ANALYZER, "PIA_TCP[%d] FirstPacket(%s)", GetID(), (is_orig ? "T" : "F")); + DBG_LOG(DBG_ANALYZER, "PIA_TCP[%d] FirstPacket(%s)", GetID(), (is_orig ? "T" : "F")); if ( ! ip ) { @@ -227,7 +227,7 @@ void PIA_TCP::FirstPacket(bool is_orig, const zeek::IP_Hdr* ip) ip4->ip_p = IPPROTO_TCP; // Cast to const so that it doesn't delete it. - ip4_hdr = new zeek::IP_Hdr(ip4, false); + ip4_hdr = new IP_Hdr(ip4, false); } if ( is_orig ) @@ -254,7 +254,7 @@ void PIA_TCP::FirstPacket(bool is_orig, const zeek::IP_Hdr* ip) void PIA_TCP::DeliverStream(int len, const u_char* data, bool is_orig) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig); + analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig); if ( stream_buffer.state == SKIPPING ) return; @@ -284,7 +284,7 @@ void PIA_TCP::DeliverStream(int len, const u_char* data, bool is_orig) void PIA_TCP::Undelivered(uint64_t seq, int len, bool is_orig) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig); + analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig); if ( stream_buffer.state == BUFFERING ) // We use data=nil to mark an undelivered. @@ -293,11 +293,11 @@ void PIA_TCP::Undelivered(uint64_t seq, int len, bool is_orig) // No check for buffer overrun here. I think that's ok. } -void PIA_TCP::ActivateAnalyzer(zeek::analyzer::Tag tag, const zeek::detail::Rule* rule) +void PIA_TCP::ActivateAnalyzer(analyzer::Tag tag, const zeek::detail::Rule* rule) { if ( stream_buffer.state == MATCHING_ONLY ) { - DBG_LOG(zeek::DBG_ANALYZER, "analyzer found but buffer already exceeded"); + DBG_LOG(DBG_ANALYZER, "analyzer found but buffer already exceeded"); // FIXME: This is where to check whether an analyzer supports // partial connections once we get such. @@ -308,14 +308,14 @@ void PIA_TCP::ActivateAnalyzer(zeek::analyzer::Tag tag, const zeek::detail::Rule tag = GetAnalyzerTag(); const auto& tval = tag.AsVal(); - zeek::event_mgr.Enqueue(protocol_late_match, ConnVal(), tval); + event_mgr.Enqueue(protocol_late_match, ConnVal(), tval); } stream_buffer.state = zeek::detail::dpd_late_match_stop ? SKIPPING : MATCHING_ONLY; return; } - zeek::analyzer::Analyzer* a = Parent()->AddChildAnalyzer(tag); + analyzer::Analyzer* a = Parent()->AddChildAnalyzer(tag); if ( ! a ) return; @@ -349,7 +349,7 @@ void PIA_TCP::ActivateAnalyzer(zeek::analyzer::Tag tag, const zeek::detail::Rule // (4) We hand the two reassemblers to the TCP Analyzer (our parent), // turning reassembly now on for all subsequent data. - DBG_LOG(zeek::DBG_ANALYZER, "PIA_TCP switching from packet-mode to stream-mode"); + DBG_LOG(DBG_ANALYZER, "PIA_TCP switching from packet-mode to stream-mode"); stream_mode = true; // FIXME: The reassembler will query the endpoint for state. Not sure @@ -386,10 +386,10 @@ void PIA_TCP::ActivateAnalyzer(zeek::analyzer::Tag tag, const zeek::detail::Rule // worth the effort. if ( b->is_orig ) - reass_orig->DataSent(zeek::run_state::network_time, orig_seq = b->seq, + reass_orig->DataSent(run_state::network_time, orig_seq = b->seq, b->len, b->data, tcp::TCP_Flags(), true); else - reass_resp->DataSent(zeek::run_state::network_time, resp_seq = b->seq, + reass_resp->DataSent(run_state::network_time, resp_seq = b->seq, b->len, b->data, tcp::TCP_Flags(), true); } @@ -398,11 +398,11 @@ void PIA_TCP::ActivateAnalyzer(zeek::analyzer::Tag tag, const zeek::detail::Rule if ( current->data ) { if ( current->is_orig ) - reass_orig->DataSent(zeek::run_state::network_time, + reass_orig->DataSent(run_state::network_time, orig_seq = current->seq, current->len, current->data, analyzer::tcp::TCP_Flags(), true); else - reass_resp->DataSent(zeek::run_state::network_time, + reass_resp->DataSent(run_state::network_time, resp_seq = current->seq, current->len, current->data, analyzer::tcp::TCP_Flags(), true); } @@ -419,14 +419,14 @@ void PIA_TCP::ActivateAnalyzer(zeek::analyzer::Tag tag, const zeek::detail::Rule tcp->SetReassembler(reass_orig, reass_resp); } -void PIA_TCP::DeactivateAnalyzer(zeek::analyzer::Tag tag) +void PIA_TCP::DeactivateAnalyzer(analyzer::Tag tag) { - zeek::reporter->InternalError("PIA_TCP::Deact not implemented yet"); + reporter->InternalError("PIA_TCP::Deact not implemented yet"); } -void PIA_TCP::ReplayStreamBuffer(zeek::analyzer::Analyzer* analyzer) +void PIA_TCP::ReplayStreamBuffer(analyzer::Analyzer* analyzer) { - DBG_LOG(zeek::DBG_ANALYZER, "PIA_TCP replaying %d total stream bytes", stream_buffer.size); + DBG_LOG(DBG_ANALYZER, "PIA_TCP replaying %d total stream bytes", stream_buffer.size); for ( DataBlock* b = stream_buffer.head; b; b = b->next ) { diff --git a/src/analyzer/protocol/pia/PIA.h b/src/analyzer/protocol/pia/PIA.h index dc0a594ece..5d52c8b406 100644 --- a/src/analyzer/protocol/pia/PIA.h +++ b/src/analyzer/protocol/pia/PIA.h @@ -19,37 +19,37 @@ namespace zeek::analyzer::pia { // PIAs and then each needs its own matching-state. class PIA : public zeek::detail::RuleMatcherState { public: - explicit PIA(zeek::analyzer::Analyzer* as_analyzer); + explicit PIA(analyzer::Analyzer* as_analyzer); virtual ~PIA(); // Called when PIA wants to put an Analyzer in charge. rule is the // signature that triggered the activitation, if any. - virtual void ActivateAnalyzer(zeek::analyzer::Tag tag, + virtual void ActivateAnalyzer(analyzer::Tag tag, const zeek::detail::Rule* rule = nullptr) = 0; // Called when PIA wants to remove an Analyzer. - virtual void DeactivateAnalyzer(zeek::analyzer::Tag tag) = 0; + virtual void DeactivateAnalyzer(analyzer::Tag tag) = 0; void Match(zeek::detail::Rule::PatternType type, const u_char* data, int len, bool is_orig, bool bol, bool eol, bool clear_state); - void ReplayPacketBuffer(zeek::analyzer::Analyzer* analyzer); + void ReplayPacketBuffer(analyzer::Analyzer* analyzer); // Children are also derived from Analyzer. Return this object // as pointer to an Analyzer. - zeek::analyzer::Analyzer* AsAnalyzer() { return as_analyzer; } + analyzer::Analyzer* AsAnalyzer() { return as_analyzer; } protected: void PIA_Done(); void PIA_DeliverPacket(int len, const u_char* data, bool is_orig, - uint64_t seq, const zeek::IP_Hdr* ip, int caplen, bool clear_state); + uint64_t seq, const IP_Hdr* ip, int caplen, bool clear_state); enum State { INIT, BUFFERING, MATCHING_ONLY, SKIPPING } state; // Buffers one chunk of data. Used both for packet payload (incl. // sequence numbers for TCP) and chunks of a reassembled stream. struct DataBlock { - zeek::IP_Hdr* ip; + IP_Hdr* ip; const u_char* data; bool is_orig; int len; @@ -67,35 +67,35 @@ protected: }; void AddToBuffer(Buffer* buffer, uint64_t seq, int len, - const u_char* data, bool is_orig, const zeek::IP_Hdr* ip = nullptr); + const u_char* data, bool is_orig, const IP_Hdr* ip = nullptr); void AddToBuffer(Buffer* buffer, int len, - const u_char* data, bool is_orig, const zeek::IP_Hdr* ip = nullptr); + const u_char* data, bool is_orig, const IP_Hdr* ip = nullptr); void ClearBuffer(Buffer* buffer); DataBlock* CurrentPacket() { return ¤t_packet; } void DoMatch(const u_char* data, int len, bool is_orig, bool bol, - bool eol, bool clear_state, const zeek::IP_Hdr* ip = nullptr); + bool eol, bool clear_state, const IP_Hdr* ip = nullptr); - void SetConn(zeek::Connection* c) { conn = c; } + void SetConn(Connection* c) { conn = c; } Buffer pkt_buffer; private: - zeek::analyzer::Analyzer* as_analyzer; - zeek::Connection* conn; + analyzer::Analyzer* as_analyzer; + Connection* conn; DataBlock current_packet; }; // PIA for UDP. -class PIA_UDP : public PIA, public zeek::analyzer::Analyzer { +class PIA_UDP : public PIA, public analyzer::Analyzer { public: - explicit PIA_UDP(zeek::Connection* conn) + explicit PIA_UDP(Connection* conn) : PIA(this), Analyzer("PIA_UDP", conn) { SetConn(conn); } ~PIA_UDP() override { } - static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) + static analyzer::Analyzer* Instantiate(Connection* conn) { return new PIA_UDP(conn); } protected: @@ -106,22 +106,22 @@ protected: } void DeliverPacket(int len, const u_char* data, bool is_orig, - uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override + uint64_t seq, const IP_Hdr* ip, int caplen) override { Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen); PIA_DeliverPacket(len, data, is_orig, seq, ip, caplen, true); } - void ActivateAnalyzer(zeek::analyzer::Tag tag, const zeek::detail::Rule* rule) override; - void DeactivateAnalyzer(zeek::analyzer::Tag tag) override; + void ActivateAnalyzer(analyzer::Tag tag, const zeek::detail::Rule* rule) override; + void DeactivateAnalyzer(analyzer::Tag tag) override; }; // PIA for TCP. Accepts both packet and stream input (and reassembles // packets before passing payload on to children). -class PIA_TCP : public PIA, public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { +class PIA_TCP : public PIA, public analyzer::tcp::TCP_ApplicationAnalyzer { public: - explicit PIA_TCP(zeek::Connection* conn) - : PIA(this), zeek::analyzer::tcp::TCP_ApplicationAnalyzer("PIA_TCP", conn) + explicit PIA_TCP(Connection* conn) + : PIA(this), analyzer::tcp::TCP_ApplicationAnalyzer("PIA_TCP", conn) { stream_mode = false; SetConn(conn); } ~PIA_TCP() override; @@ -136,11 +136,11 @@ public: // matcher in the case that we already get reassembled input, // and making it part of the general analyzer interface seems // to be unnecessary overhead.) - void FirstPacket(bool is_orig, const zeek::IP_Hdr* ip); + void FirstPacket(bool is_orig, const IP_Hdr* ip); - void ReplayStreamBuffer(zeek::analyzer::Analyzer* analyzer); + void ReplayStreamBuffer(analyzer::Analyzer* analyzer); - static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) + static analyzer::Analyzer* Instantiate(Connection* conn) { return new PIA_TCP(conn); } protected: @@ -151,7 +151,7 @@ protected: } void DeliverPacket(int len, const u_char* data, bool is_orig, - uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override + uint64_t seq, const IP_Hdr* ip, int caplen) override { Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen); PIA_DeliverPacket(len, data, is_orig, seq, ip, caplen, false); @@ -160,9 +160,9 @@ protected: void DeliverStream(int len, const u_char* data, bool is_orig) override; void Undelivered(uint64_t seq, int len, bool is_orig) override; - void ActivateAnalyzer(zeek::analyzer::Tag tag, + void ActivateAnalyzer(analyzer::Tag tag, const zeek::detail::Rule* rule = nullptr) override; - void DeactivateAnalyzer(zeek::analyzer::Tag tag) override; + void DeactivateAnalyzer(analyzer::Tag tag) override; private: // FIXME: Not sure yet whether we need both pkt_buffer and stream_buffer. diff --git a/src/analyzer/protocol/pop3/POP3.cc b/src/analyzer/protocol/pop3/POP3.cc index 316ab8b355..b9dbea0f34 100644 --- a/src/analyzer/protocol/pop3/POP3.cc +++ b/src/analyzer/protocol/pop3/POP3.cc @@ -25,8 +25,8 @@ static const char* pop3_cmd_word[] = { #define POP3_CMD_WORD(code) ((code >= 0) ? pop3_cmd_word[code] : "(UNKNOWN)") -POP3_Analyzer::POP3_Analyzer(zeek::Connection* conn) -: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("POP3", conn) +POP3_Analyzer::POP3_Analyzer(Connection* conn) +: analyzer::tcp::TCP_ApplicationAnalyzer("POP3", conn) { masterState = detail::POP3_START; subState = detail::POP3_WOK; @@ -44,10 +44,10 @@ POP3_Analyzer::POP3_Analyzer(zeek::Connection* conn) mail = nullptr; - cl_orig = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, true); + cl_orig = new analyzer::tcp::ContentLine_Analyzer(conn, true); AddSupportAnalyzer(cl_orig); - cl_resp = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, false); + cl_resp = new analyzer::tcp::ContentLine_Analyzer(conn, false); AddSupportAnalyzer(cl_resp); } @@ -57,7 +57,7 @@ POP3_Analyzer::~POP3_Analyzer() void POP3_Analyzer::Done() { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); + analyzer::tcp::TCP_ApplicationAnalyzer::Done(); if ( mail ) EndData(); @@ -66,7 +66,7 @@ void POP3_Analyzer::Done() void POP3_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); + analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); if ( tls ) { @@ -77,7 +77,7 @@ void POP3_Analyzer::DeliverStream(int len, const u_char* data, bool orig) if ( (TCP() && TCP()->IsPartial()) ) return; - zeek::String terminated_string(data, len, true); + String terminated_string(data, len, true); if ( orig ) ProcessRequest(len, (char*) terminated_string.Bytes()); @@ -91,7 +91,7 @@ static std::string trim_whitespace(const char* in) char* out = new char[n + 1]; char* out_p = out; - in = zeek::util::skip_whitespace(in); + in = util::skip_whitespace(in); while ( *in ) { @@ -134,8 +134,8 @@ void POP3_Analyzer::ProcessRequest(int length, const char* line) { ++authLines; - zeek::String encoded(line); - zeek::String* decoded = zeek::detail::decode_base64(&encoded, nullptr, Conn()); + String encoded(line); + String* decoded = zeek::detail::decode_base64(&encoded, nullptr, Conn()); if ( ! decoded ) { @@ -212,7 +212,7 @@ void POP3_Analyzer::ProcessRequest(int length, const char* line) break; default: - zeek::reporter->AnalyzerError( + reporter->AnalyzerError( this, "unexpected POP3 authorization state"); delete decoded; return; @@ -245,7 +245,7 @@ static std::string commands[] = { void POP3_Analyzer::NotAllowed(const char* cmd, const char* state) { POP3Event(pop3_unexpected, true, cmd, - zeek::util::fmt("not allowed in other state than '%s'", state)); + util::fmt("not allowed in other state than '%s'", state)); } void POP3_Analyzer::ProcessClientCmd() @@ -320,7 +320,7 @@ void POP3_Analyzer::ProcessClientCmd() state = detail::APOP; subState = detail::POP3_WOK; - char* arg1 = zeek::util::copy_string(message); + char* arg1 = util::copy_string(message); char* e; for ( e = arg1; *e && *e != ' ' && *e != '\t'; ++e ) ; @@ -354,7 +354,7 @@ void POP3_Analyzer::ProcessClientCmd() { state = detail::AUTH; POP3Event(pop3_unexpected, true, cmd, - zeek::util::fmt("unknown AUTH method %s", message)); + util::fmt("unknown AUTH method %s", message)); } subState = detail::POP3_WOK; @@ -571,7 +571,7 @@ void POP3_Analyzer::ProcessClientCmd() break; default: - zeek::reporter->AnalyzerError(this, "unknown POP3 command"); + reporter->AnalyzerError(this, "unknown POP3 command"); return; } } @@ -634,7 +634,7 @@ void POP3_Analyzer::ProcessReply(int length, const char* line) { if ( ! waitingForAuthentication ) { - ProtocolViolation(zeek::util::fmt("unknown server command (%s)", + ProtocolViolation(util::fmt("unknown server command (%s)", (tokens.size() > 0 ? tokens[0].c_str() : "???")), @@ -820,7 +820,7 @@ void POP3_Analyzer::StartTLS() RemoveSupportAnalyzer(cl_orig); RemoveSupportAnalyzer(cl_resp); - Analyzer* ssl = zeek::analyzer_mgr->InstantiateAnalyzer("SSL", Conn()); + Analyzer* ssl = analyzer_mgr->InstantiateAnalyzer("SSL", Conn()); if ( ssl ) AddChildAnalyzer(ssl); @@ -838,13 +838,13 @@ void POP3_Analyzer::AuthSuccessfull() void POP3_Analyzer::BeginData(bool orig) { delete mail; - mail = new zeek::analyzer::mime::MIME_Mail(this, orig); + mail = new analyzer::mime::MIME_Mail(this, orig); } void POP3_Analyzer::EndData() { if ( ! mail ) - zeek::reporter->Warning("unmatched end of data"); + reporter->Warning("unmatched end of data"); else { mail->Done(); @@ -909,22 +909,22 @@ std::vector POP3_Analyzer::TokenizeLine(const std::string& input, c return tokens; } -void POP3_Analyzer::POP3Event(zeek::EventHandlerPtr event, bool is_orig, +void POP3_Analyzer::POP3Event(EventHandlerPtr event, bool is_orig, const char* arg1, const char* arg2) { if ( ! event ) return; - zeek::Args vl; + Args vl; vl.reserve(2 + (bool)arg1 + (bool)arg2); vl.emplace_back(ConnVal()); - vl.emplace_back(zeek::val_mgr->Bool(is_orig)); + vl.emplace_back(val_mgr->Bool(is_orig)); if ( arg1 ) - vl.emplace_back(zeek::make_intrusive(arg1)); + vl.emplace_back(make_intrusive(arg1)); if ( arg2 ) - vl.emplace_back(zeek::make_intrusive(arg2)); + vl.emplace_back(make_intrusive(arg2)); EnqueueConnEvent(event, std::move(vl)); } diff --git a/src/analyzer/protocol/pop3/POP3.h b/src/analyzer/protocol/pop3/POP3.h index 9d5fbd4f70..dc94f9ce4c 100644 --- a/src/analyzer/protocol/pop3/POP3.h +++ b/src/analyzer/protocol/pop3/POP3.h @@ -64,15 +64,15 @@ enum POP3_SubState { } // namespace detail -class POP3_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { +class POP3_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer { public: - explicit POP3_Analyzer(zeek::Connection* conn); + explicit POP3_Analyzer(Connection* conn); ~POP3_Analyzer() override; void Done() override; void DeliverStream(int len, const u_char* data, bool orig) override; - static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) + static analyzer::Analyzer* Instantiate(Connection* conn) { return new POP3_Analyzer(conn); } @@ -105,16 +105,16 @@ protected: std::vector TokenizeLine(const std::string& input, char split); int ParseCmd(std::string cmd); void AuthSuccessfull(); - void POP3Event(zeek::EventHandlerPtr event, bool is_orig, + void POP3Event(EventHandlerPtr event, bool is_orig, const char* arg1 = nullptr, const char* arg2 = nullptr); - zeek::analyzer::mime::MIME_Mail* mail; + analyzer::mime::MIME_Mail* mail; std::list cmds; private: bool tls; - zeek::analyzer::tcp::ContentLine_Analyzer* cl_orig; - zeek::analyzer::tcp::ContentLine_Analyzer* cl_resp; + analyzer::tcp::ContentLine_Analyzer* cl_orig; + analyzer::tcp::ContentLine_Analyzer* cl_resp; }; } // namespace zeek::analyzer::pop3 diff --git a/src/analyzer/protocol/radius/RADIUS.cc b/src/analyzer/protocol/radius/RADIUS.cc index 7dd3c3c0cd..109f4fff98 100644 --- a/src/analyzer/protocol/radius/RADIUS.cc +++ b/src/analyzer/protocol/radius/RADIUS.cc @@ -8,8 +8,8 @@ namespace zeek::analyzer::radius { -RADIUS_Analyzer::RADIUS_Analyzer(zeek::Connection* c) - : zeek::analyzer::Analyzer("RADIUS", c) +RADIUS_Analyzer::RADIUS_Analyzer(Connection* c) + : analyzer::Analyzer("RADIUS", c) { interp = new binpac::RADIUS::RADIUS_Conn(this); } @@ -25,7 +25,7 @@ void RADIUS_Analyzer::Done() } void RADIUS_Analyzer::DeliverPacket(int len, const u_char* data, - bool orig, uint64_t seq, const zeek::IP_Hdr* ip, int caplen) + bool orig, uint64_t seq, const IP_Hdr* ip, int caplen) { Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); @@ -35,7 +35,7 @@ void RADIUS_Analyzer::DeliverPacket(int len, const u_char* data, } catch ( const binpac::Exception& e ) { - ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg())); + ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg())); } } diff --git a/src/analyzer/protocol/radius/RADIUS.h b/src/analyzer/protocol/radius/RADIUS.h index bb2ae72f49..5fa9837514 100644 --- a/src/analyzer/protocol/radius/RADIUS.h +++ b/src/analyzer/protocol/radius/RADIUS.h @@ -10,17 +10,17 @@ namespace zeek::analyzer::radius { -class RADIUS_Analyzer final : public zeek::analyzer::Analyzer { +class RADIUS_Analyzer final : public analyzer::Analyzer { public: - explicit RADIUS_Analyzer(zeek::Connection* conn); + explicit RADIUS_Analyzer(Connection* conn); ~RADIUS_Analyzer() override; // Overriden from Analyzer. void Done() override; void DeliverPacket(int len, const u_char* data, bool orig, - uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override; + uint64_t seq, const IP_Hdr* ip, int caplen) override; - static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) + static analyzer::Analyzer* Instantiate(Connection* conn) { return new RADIUS_Analyzer(conn); } protected: diff --git a/src/analyzer/protocol/rdp/RDP.cc b/src/analyzer/protocol/rdp/RDP.cc index 4656b43ca6..3b494ff7be 100644 --- a/src/analyzer/protocol/rdp/RDP.cc +++ b/src/analyzer/protocol/rdp/RDP.cc @@ -6,8 +6,8 @@ namespace zeek::analyzer::rdp { -RDP_Analyzer::RDP_Analyzer(zeek::Connection* c) - : zeek::analyzer::tcp::TCP_ApplicationAnalyzer("RDP", c) +RDP_Analyzer::RDP_Analyzer(Connection* c) + : analyzer::tcp::TCP_ApplicationAnalyzer("RDP", c) { interp = new binpac::RDP::RDP_Conn(this); @@ -22,7 +22,7 @@ RDP_Analyzer::~RDP_Analyzer() void RDP_Analyzer::Done() { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); + analyzer::tcp::TCP_ApplicationAnalyzer::Done(); interp->FlowEOF(true); interp->FlowEOF(false); @@ -30,13 +30,13 @@ void RDP_Analyzer::Done() void RDP_Analyzer::EndpointEOF(bool is_orig) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); + analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); interp->FlowEOF(is_orig); } void RDP_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); + analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); assert(TCP()); if ( TCP()->IsPartial() ) @@ -56,11 +56,11 @@ void RDP_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { if ( ! pia ) { - pia = new zeek::analyzer::pia::PIA_TCP(Conn()); + pia = new analyzer::pia::PIA_TCP(Conn()); if ( ! AddChildAnalyzer(pia) ) { - zeek::reporter->AnalyzerError(this, + reporter->AnalyzerError(this, "failed to add TCP child analyzer " "to RDP analyzer: already exists"); return; @@ -75,7 +75,7 @@ void RDP_Analyzer::DeliverStream(int len, const u_char* data, bool orig) else { if ( rdp_native_encrypted_data ) - zeek::BifEvent::enqueue_rdp_native_encrypted_data( + BifEvent::enqueue_rdp_native_encrypted_data( interp->bro_analyzer(), interp->bro_analyzer()->Conn(), orig, len); } @@ -88,14 +88,14 @@ void RDP_Analyzer::DeliverStream(int len, const u_char* data, bool orig) } catch ( const binpac::Exception& e ) { - ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg())); + ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg())); } } } void RDP_Analyzer::Undelivered(uint64_t seq, int len, bool orig) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); + analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); had_gap = true; interp->NewGap(orig, len); } diff --git a/src/analyzer/protocol/rdp/RDP.h b/src/analyzer/protocol/rdp/RDP.h index a6f3a0ba3c..3b9fdfe2d3 100644 --- a/src/analyzer/protocol/rdp/RDP.h +++ b/src/analyzer/protocol/rdp/RDP.h @@ -7,10 +7,10 @@ namespace zeek::analyzer::rdp { -class RDP_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { +class RDP_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer { public: - explicit RDP_Analyzer(zeek::Connection* conn); + explicit RDP_Analyzer(Connection* conn); ~RDP_Analyzer() override; // Overriden from Analyzer. @@ -19,14 +19,14 @@ public: void Undelivered(uint64_t seq, int len, bool orig) override; void EndpointEOF(bool is_orig) override; - static zeek::analyzer::Analyzer* InstantiateAnalyzer(zeek::Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new RDP_Analyzer(conn); } protected: binpac::RDP::RDP_Conn* interp; bool had_gap; - zeek::analyzer::pia::PIA_TCP *pia; + analyzer::pia::PIA_TCP *pia; }; } // namespace zeek::analyzer::rdp diff --git a/src/analyzer/protocol/rdp/RDPEUDP.cc b/src/analyzer/protocol/rdp/RDPEUDP.cc index 9224aef78e..970d1f7797 100644 --- a/src/analyzer/protocol/rdp/RDPEUDP.cc +++ b/src/analyzer/protocol/rdp/RDPEUDP.cc @@ -5,8 +5,8 @@ namespace zeek::analyzer::rdpeudp { -RDP_Analyzer::RDP_Analyzer(zeek::Connection* c) - : zeek::analyzer::Analyzer("RDPEUDP", c) +RDP_Analyzer::RDP_Analyzer(Connection* c) + : analyzer::Analyzer("RDPEUDP", c) { interp = new binpac::RDPEUDP::RDPEUDP_Conn(this); } @@ -22,7 +22,7 @@ void RDP_Analyzer::Done() } void RDP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, - uint64_t seq, const zeek::IP_Hdr* ip, int caplen) + uint64_t seq, const IP_Hdr* ip, int caplen) { Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); @@ -32,7 +32,7 @@ void RDP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, } catch ( const binpac::Exception& e ) { - ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg())); + ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg())); } } diff --git a/src/analyzer/protocol/rdp/RDPEUDP.h b/src/analyzer/protocol/rdp/RDPEUDP.h index 39ba432ac4..8197c20425 100644 --- a/src/analyzer/protocol/rdp/RDPEUDP.h +++ b/src/analyzer/protocol/rdp/RDPEUDP.h @@ -6,16 +6,16 @@ namespace zeek::analyzer::rdpeudp { -class RDP_Analyzer final : public zeek::analyzer::Analyzer { +class RDP_Analyzer final : public analyzer::Analyzer { public: - explicit RDP_Analyzer(zeek::Connection* conn); + explicit RDP_Analyzer(Connection* conn); ~RDP_Analyzer() override; void Done() override; void DeliverPacket(int len, const u_char* data, bool orig, - uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override; - static zeek::analyzer::Analyzer* InstantiateAnalyzer(zeek::Connection* conn) + uint64_t seq, const IP_Hdr* ip, int caplen) override; + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new RDP_Analyzer(conn); } protected: diff --git a/src/analyzer/protocol/rfb/RFB.cc b/src/analyzer/protocol/rfb/RFB.cc index 8ffd6abf6f..17a8cc51df 100644 --- a/src/analyzer/protocol/rfb/RFB.cc +++ b/src/analyzer/protocol/rfb/RFB.cc @@ -8,8 +8,8 @@ namespace zeek::analyzer::rfb { -RFB_Analyzer::RFB_Analyzer(zeek::Connection* c) - : zeek::analyzer::tcp::TCP_ApplicationAnalyzer("RFB", c) +RFB_Analyzer::RFB_Analyzer(Connection* c) + : analyzer::tcp::TCP_ApplicationAnalyzer("RFB", c) { interp = new binpac::RFB::RFB_Conn(this); had_gap = false; @@ -23,7 +23,7 @@ RFB_Analyzer::~RFB_Analyzer() void RFB_Analyzer::Done() { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); + analyzer::tcp::TCP_ApplicationAnalyzer::Done(); interp->FlowEOF(true); interp->FlowEOF(false); @@ -32,13 +32,13 @@ void RFB_Analyzer::Done() void RFB_Analyzer::EndpointEOF(bool is_orig) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); + analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); interp->FlowEOF(is_orig); } void RFB_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); + analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); assert(TCP()); if ( TCP()->IsPartial() ) return; @@ -63,14 +63,14 @@ void RFB_Analyzer::DeliverStream(int len, const u_char* data, bool orig) } catch ( const binpac::Exception& e ) { - ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg())); + ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg())); invalid = true; } } void RFB_Analyzer::Undelivered(uint64_t seq, int len, bool orig) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); + analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); had_gap = true; interp->NewGap(orig, len); } diff --git a/src/analyzer/protocol/rfb/RFB.h b/src/analyzer/protocol/rfb/RFB.h index 12585943cc..3ec7a96021 100644 --- a/src/analyzer/protocol/rfb/RFB.h +++ b/src/analyzer/protocol/rfb/RFB.h @@ -8,10 +8,10 @@ namespace zeek::analyzer::rfb { -class RFB_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { +class RFB_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer { public: - explicit RFB_Analyzer(zeek::Connection* conn); + explicit RFB_Analyzer(Connection* conn); ~RFB_Analyzer() override; // Overriden from Analyzer. @@ -20,10 +20,10 @@ public: void DeliverStream(int len, const u_char* data, bool orig) override; void Undelivered(uint64_t seq, int len, bool orig) override; - // Overriden from zeek::analyzer::tcp::TCP_ApplicationAnalyzer. + // Overriden from analyzer::tcp::TCP_ApplicationAnalyzer. void EndpointEOF(bool is_orig) override; - static zeek::analyzer::Analyzer* InstantiateAnalyzer(zeek::Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new RFB_Analyzer(conn); } protected: diff --git a/src/analyzer/protocol/rpc/MOUNT.cc b/src/analyzer/protocol/rpc/MOUNT.cc index a6e71b86e6..2552388521 100644 --- a/src/analyzer/protocol/rpc/MOUNT.cc +++ b/src/analyzer/protocol/rpc/MOUNT.cc @@ -19,11 +19,11 @@ namespace detail { bool MOUNT_Interp::RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n) { if ( c->Program() != 100005 ) - Weird("bad_RPC_program", zeek::util::fmt("%d", c->Program())); + Weird("bad_RPC_program", util::fmt("%d", c->Program())); uint32_t proc = c->Proc(); // The call arguments, depends on the call type obviously ... - zeek::RecordValPtr callarg; + RecordValPtr callarg; switch ( proc ) { case BifEnum::MOUNT3::PROC_NULL: @@ -50,7 +50,7 @@ bool MOUNT_Interp::RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n) n = 0; } else - Weird("unknown_MOUNT_request", zeek::util::fmt("%u", proc)); + Weird("unknown_MOUNT_request", util::fmt("%u", proc)); // Return 1 so that replies to unprocessed calls will still // be processed, and the return status extracted. @@ -69,8 +69,8 @@ bool MOUNT_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_statu const u_char*& buf, int& n, double start_time, double last_time, int reply_len) { - zeek::EventHandlerPtr event = nullptr; - zeek::ValPtr reply; + EventHandlerPtr event = nullptr; + ValPtr reply; BifEnum::MOUNT3::status_t mount_status = BifEnum::MOUNT3::MNT3_OK; bool rpc_success = ( rpc_status == BifEnum::RPC_SUCCESS ); @@ -128,7 +128,7 @@ bool MOUNT_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_statu // Otherwise DeliverRPC would complain about // excess_RPC. n = 0; - reply = zeek::BifType::Enum::MOUNT3::proc_t->GetEnumVal(c->Proc()); + reply = BifType::Enum::MOUNT3::proc_t->GetEnumVal(c->Proc()); event = mount_proc_not_implemented; } else @@ -167,7 +167,7 @@ bool MOUNT_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_statu return true; } -zeek::Args MOUNT_Interp::event_common_vl(RPC_CallInfo *c, +Args MOUNT_Interp::event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status, BifEnum::MOUNT3::status_t mount_status, double rep_start_time, @@ -175,43 +175,43 @@ zeek::Args MOUNT_Interp::event_common_vl(RPC_CallInfo *c, { // Returns a new val_list that already has a conn_val, and mount3_info. // These are the first parameters for each mount_* event ... - zeek::Args vl; + Args vl; vl.reserve(2 + extra_elements); vl.emplace_back(analyzer->ConnVal()); - auto auxgids = zeek::make_intrusive(zeek::id::index_vec); + auto auxgids = make_intrusive(id::index_vec); for (size_t i = 0; i < c->AuxGIDs().size(); ++i) { - auxgids->Assign(i, zeek::val_mgr->Count(c->AuxGIDs()[i])); + auxgids->Assign(i, val_mgr->Count(c->AuxGIDs()[i])); } - auto info = zeek::make_intrusive(zeek::BifType::Record::MOUNT3::info_t); - info->Assign(0, zeek::BifType::Enum::rpc_status->GetEnumVal(rpc_status)); - info->Assign(1, zeek::BifType::Enum::MOUNT3::status_t->GetEnumVal(mount_status)); - info->Assign(2, zeek::make_intrusive(c->StartTime())); - info->Assign(3, zeek::make_intrusive(c->LastTime() - c->StartTime())); - info->Assign(4, zeek::val_mgr->Count(c->RPCLen())); - info->Assign(5, zeek::make_intrusive(rep_start_time)); - info->Assign(6, zeek::make_intrusive(rep_last_time - rep_start_time)); - info->Assign(7, zeek::val_mgr->Count(reply_len)); - info->Assign(8, zeek::val_mgr->Count(c->Uid())); - info->Assign(9, zeek::val_mgr->Count(c->Gid())); - info->Assign(10, zeek::val_mgr->Count(c->Stamp())); - info->Assign(11, zeek::make_intrusive(c->MachineName())); + auto info = make_intrusive(BifType::Record::MOUNT3::info_t); + info->Assign(0, BifType::Enum::rpc_status->GetEnumVal(rpc_status)); + info->Assign(1, BifType::Enum::MOUNT3::status_t->GetEnumVal(mount_status)); + info->Assign(2, make_intrusive(c->StartTime())); + info->Assign(3, make_intrusive(c->LastTime() - c->StartTime())); + info->Assign(4, val_mgr->Count(c->RPCLen())); + info->Assign(5, make_intrusive(rep_start_time)); + info->Assign(6, make_intrusive(rep_last_time - rep_start_time)); + info->Assign(7, val_mgr->Count(reply_len)); + info->Assign(8, val_mgr->Count(c->Uid())); + info->Assign(9, val_mgr->Count(c->Gid())); + info->Assign(10, val_mgr->Count(c->Stamp())); + info->Assign(11, make_intrusive(c->MachineName())); info->Assign(12, std::move(auxgids)); vl.emplace_back(std::move(info)); return vl; } -zeek::EnumValPtr MOUNT_Interp::mount3_auth_flavor(const u_char*& buf, int& n) +EnumValPtr MOUNT_Interp::mount3_auth_flavor(const u_char*& buf, int& n) { BifEnum::MOUNT3::auth_flavor_t t = (BifEnum::MOUNT3::auth_flavor_t)extract_XDR_uint32(buf, n); - auto rval = zeek::BifType::Enum::MOUNT3::auth_flavor_t->GetEnumVal(t); + auto rval = BifType::Enum::MOUNT3::auth_flavor_t->GetEnumVal(t); return rval; } -zeek::StringValPtr MOUNT_Interp::mount3_fh(const u_char*& buf, int& n) +StringValPtr MOUNT_Interp::mount3_fh(const u_char*& buf, int& n) { int fh_n; const u_char* fh = extract_XDR_opaque(buf, n, fh_n, 64); @@ -219,10 +219,10 @@ zeek::StringValPtr MOUNT_Interp::mount3_fh(const u_char*& buf, int& n) if ( ! fh ) return nullptr; - return zeek::make_intrusive(new zeek::String(fh, fh_n, false)); + return make_intrusive(new String(fh, fh_n, false)); } -zeek::StringValPtr MOUNT_Interp::mount3_filename(const u_char*& buf, int& n) +StringValPtr MOUNT_Interp::mount3_filename(const u_char*& buf, int& n) { int name_len; const u_char* name = extract_XDR_opaque(buf, n, name_len); @@ -230,20 +230,20 @@ zeek::StringValPtr MOUNT_Interp::mount3_filename(const u_char*& buf, int& n) if ( ! name ) return nullptr; - return zeek::make_intrusive(new zeek::String(name, name_len, false)); + return make_intrusive(new String(name, name_len, false)); } -zeek::RecordValPtr MOUNT_Interp::mount3_dirmntargs(const u_char*& buf, int& n) +RecordValPtr MOUNT_Interp::mount3_dirmntargs(const u_char*& buf, int& n) { - auto dirmntargs = zeek::make_intrusive(zeek::BifType::Record::MOUNT3::dirmntargs_t); + auto dirmntargs = make_intrusive(BifType::Record::MOUNT3::dirmntargs_t); dirmntargs->Assign(0, mount3_filename(buf, n)); return dirmntargs; } -zeek::RecordValPtr MOUNT_Interp::mount3_mnt_reply(const u_char*& buf, int& n, +RecordValPtr MOUNT_Interp::mount3_mnt_reply(const u_char*& buf, int& n, BifEnum::MOUNT3::status_t status) { - auto rep = zeek::make_intrusive(zeek::BifType::Record::MOUNT3::mnt_reply_t); + auto rep = make_intrusive(BifType::Record::MOUNT3::mnt_reply_t); if ( status == BifEnum::MOUNT3::MNT3_OK ) { @@ -259,8 +259,8 @@ zeek::RecordValPtr MOUNT_Interp::mount3_mnt_reply(const u_char*& buf, int& n, auth_flavors_count = max_auth_flavors; } - auto enum_vector = zeek::make_intrusive(zeek::base_type(zeek::TYPE_ENUM)); - auto auth_flavors = zeek::make_intrusive(std::move(enum_vector)); + auto enum_vector = make_intrusive(base_type(TYPE_ENUM)); + auto auth_flavors = make_intrusive(std::move(enum_vector)); for ( auto i = 0u; i < auth_flavors_count; ++i ) auth_flavors->Assign(auth_flavors->Size(), @@ -283,7 +283,7 @@ zeek::RecordValPtr MOUNT_Interp::mount3_mnt_reply(const u_char*& buf, int& n, } // namespace detail -MOUNT_Analyzer::MOUNT_Analyzer(zeek::Connection* conn) +MOUNT_Analyzer::MOUNT_Analyzer(Connection* conn) : RPC_Analyzer("MOUNT", conn, new detail::MOUNT_Interp(this)) { orig_rpc = resp_rpc = nullptr; diff --git a/src/analyzer/protocol/rpc/MOUNT.h b/src/analyzer/protocol/rpc/MOUNT.h index ad6a62e74e..c4c11c35bb 100644 --- a/src/analyzer/protocol/rpc/MOUNT.h +++ b/src/analyzer/protocol/rpc/MOUNT.h @@ -9,7 +9,7 @@ namespace detail { class MOUNT_Interp : public RPC_Interpreter { public: - explicit MOUNT_Interp(zeek::analyzer::Analyzer* arg_analyzer) : RPC_Interpreter(arg_analyzer) { } + explicit MOUNT_Interp(analyzer::Analyzer* arg_analyzer) : RPC_Interpreter(arg_analyzer) { } protected: bool RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n) override; @@ -20,7 +20,7 @@ protected: // Returns a new arg list that already has a conn_val, rpc_status and // mount_status. These are the first parameters for each mount_* event // ... - zeek::Args event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status, + Args event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status, BifEnum::MOUNT3::status_t mount_status, double rep_start_time, double rep_last_time, int reply_len, int extra_elements); @@ -30,22 +30,22 @@ protected: // to 0. However, the methods might still return an allocated Val * ! // So, you might want to Unref() the Val if buf is 0. Method names // are based on the type names of RFC 1813. - zeek::EnumValPtr mount3_auth_flavor(const u_char*& buf, int& n); - zeek::StringValPtr mount3_fh(const u_char*& buf, int& n); - zeek::RecordValPtr mount3_dirmntargs(const u_char*&buf, int &n); - zeek::StringValPtr mount3_filename(const u_char*& buf, int& n); + EnumValPtr mount3_auth_flavor(const u_char*& buf, int& n); + StringValPtr mount3_fh(const u_char*& buf, int& n); + RecordValPtr mount3_dirmntargs(const u_char*&buf, int &n); + StringValPtr mount3_filename(const u_char*& buf, int& n); - zeek::RecordValPtr mount3_mnt_reply(const u_char*& buf, int& n, BifEnum::MOUNT3::status_t status); + RecordValPtr mount3_mnt_reply(const u_char*& buf, int& n, BifEnum::MOUNT3::status_t status); }; } // namespace detail class MOUNT_Analyzer : public RPC_Analyzer { public: - explicit MOUNT_Analyzer(zeek::Connection* conn); + explicit MOUNT_Analyzer(Connection* conn); void Init() override; - static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) + static analyzer::Analyzer* Instantiate(Connection* conn) { return new MOUNT_Analyzer(conn); } }; diff --git a/src/analyzer/protocol/rpc/NFS.cc b/src/analyzer/protocol/rpc/NFS.cc index 366d778839..90a984be0e 100644 --- a/src/analyzer/protocol/rpc/NFS.cc +++ b/src/analyzer/protocol/rpc/NFS.cc @@ -19,11 +19,11 @@ namespace detail { bool NFS_Interp::RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n) { if ( c->Program() != 100003 ) - Weird("bad_RPC_program", zeek::util::fmt("%d", c->Program())); + Weird("bad_RPC_program", util::fmt("%d", c->Program())); uint32_t proc = c->Proc(); // The call arguments, depends on the call type obviously ... - zeek::ValPtr callarg; + ValPtr callarg; switch ( proc ) { case BifEnum::NFS3::PROC_NULL: @@ -104,7 +104,7 @@ bool NFS_Interp::RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n) n = 0; } else - Weird("unknown_NFS_request", zeek::util::fmt("%u", proc)); + Weird("unknown_NFS_request", util::fmt("%u", proc)); // Return 1 so that replies to unprocessed calls will still // be processed, and the return status extracted. @@ -124,8 +124,8 @@ bool NFS_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status, const u_char*& buf, int& n, double start_time, double last_time, int reply_len) { - zeek::EventHandlerPtr event = nullptr; - zeek::ValPtr reply; + EventHandlerPtr event = nullptr; + ValPtr reply; BifEnum::NFS3::status_t nfs_status = BifEnum::NFS3::NFS3ERR_OK; bool rpc_success = ( rpc_status == BifEnum::RPC_SUCCESS ); @@ -243,7 +243,7 @@ bool NFS_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status, // Otherwise DeliverRPC would complain about // excess_RPC. n = 0; - reply = zeek::BifType::Enum::NFS3::proc_t->GetEnumVal(c->Proc()); + reply = BifType::Enum::NFS3::proc_t->GetEnumVal(c->Proc()); event = nfs_proc_not_implemented; } else @@ -279,7 +279,7 @@ bool NFS_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status, return true; } -zeek::StringValPtr NFS_Interp::nfs3_file_data(const u_char*& buf, int& n, uint64_t offset, int size) +StringValPtr NFS_Interp::nfs3_file_data(const u_char*& buf, int& n, uint64_t offset, int size) { int data_n; @@ -287,57 +287,57 @@ zeek::StringValPtr NFS_Interp::nfs3_file_data(const u_char*& buf, int& n, uint64 const u_char *data = extract_XDR_opaque(buf, n, data_n, 1 << 30, true); // check whether we have to deliver data to the event - if ( ! zeek::BifConst::NFS3::return_data ) + if ( ! BifConst::NFS3::return_data ) return nullptr; - if ( zeek::BifConst::NFS3::return_data_first_only && offset != 0 ) + if ( BifConst::NFS3::return_data_first_only && offset != 0 ) return nullptr; // Ok, so we want to return some data data_n = std::min(data_n, size); - data_n = std::min(data_n, int(zeek::BifConst::NFS3::return_data_max)); + data_n = std::min(data_n, int(BifConst::NFS3::return_data_max)); if ( data && data_n > 0 ) - return zeek::make_intrusive(new zeek::String(data, data_n, false)); + return make_intrusive(new String(data, data_n, false)); return nullptr; } -zeek::Args NFS_Interp::event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status, +Args NFS_Interp::event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status, BifEnum::NFS3::status_t nfs_status, double rep_start_time, double rep_last_time, int reply_len, int extra_elements) { // Returns a new val_list that already has a conn_val, and nfs3_info. // These are the first parameters for each nfs_* event ... - zeek::Args vl; + Args vl; vl.reserve(2 + extra_elements); vl.emplace_back(analyzer->ConnVal()); - auto auxgids = zeek::make_intrusive(zeek::id::index_vec); + auto auxgids = make_intrusive(id::index_vec); for ( size_t i = 0; i < c->AuxGIDs().size(); ++i ) - auxgids->Assign(i, zeek::val_mgr->Count(c->AuxGIDs()[i])); + auxgids->Assign(i, val_mgr->Count(c->AuxGIDs()[i])); - auto info = zeek::make_intrusive(zeek::BifType::Record::NFS3::info_t); - info->Assign(0, zeek::BifType::Enum::rpc_status->GetEnumVal(rpc_status)); - info->Assign(1, zeek::BifType::Enum::NFS3::status_t->GetEnumVal(nfs_status)); - info->Assign(2, zeek::make_intrusive(c->StartTime())); - info->Assign(3, zeek::make_intrusive(c->LastTime()-c->StartTime())); - info->Assign(4, zeek::val_mgr->Count(c->RPCLen())); - info->Assign(5, zeek::make_intrusive(rep_start_time)); - info->Assign(6, zeek::make_intrusive(rep_last_time-rep_start_time)); - info->Assign(7, zeek::val_mgr->Count(reply_len)); - info->Assign(8, zeek::val_mgr->Count(c->Uid())); - info->Assign(9, zeek::val_mgr->Count(c->Gid())); - info->Assign(10, zeek::val_mgr->Count(c->Stamp())); - info->Assign(11, zeek::make_intrusive(c->MachineName())); + auto info = make_intrusive(BifType::Record::NFS3::info_t); + info->Assign(0, BifType::Enum::rpc_status->GetEnumVal(rpc_status)); + info->Assign(1, BifType::Enum::NFS3::status_t->GetEnumVal(nfs_status)); + info->Assign(2, make_intrusive(c->StartTime())); + info->Assign(3, make_intrusive(c->LastTime()-c->StartTime())); + info->Assign(4, val_mgr->Count(c->RPCLen())); + info->Assign(5, make_intrusive(rep_start_time)); + info->Assign(6, make_intrusive(rep_last_time-rep_start_time)); + info->Assign(7, val_mgr->Count(reply_len)); + info->Assign(8, val_mgr->Count(c->Uid())); + info->Assign(9, val_mgr->Count(c->Gid())); + info->Assign(10, val_mgr->Count(c->Stamp())); + info->Assign(11, make_intrusive(c->MachineName())); info->Assign(12, std::move(auxgids)); vl.emplace_back(std::move(info)); return vl; } -zeek::StringValPtr NFS_Interp::nfs3_fh(const u_char*& buf, int& n) +StringValPtr NFS_Interp::nfs3_fh(const u_char*& buf, int& n) { int fh_n; const u_char* fh = extract_XDR_opaque(buf, n, fh_n, 64); @@ -345,13 +345,13 @@ zeek::StringValPtr NFS_Interp::nfs3_fh(const u_char*& buf, int& n) if ( ! fh ) return nullptr; - return zeek::make_intrusive(new zeek::String(fh, fh_n, false)); + return make_intrusive(new String(fh, fh_n, false)); } -zeek::RecordValPtr NFS_Interp::nfs3_sattr(const u_char*& buf, int& n) +RecordValPtr NFS_Interp::nfs3_sattr(const u_char*& buf, int& n) { - auto attrs = zeek::make_intrusive(zeek::BifType::Record::NFS3::sattr_t); + auto attrs = make_intrusive(BifType::Record::NFS3::sattr_t); attrs->Assign(0, nullptr); // mode int mode_set_it = extract_XDR_uint32(buf, n); @@ -380,9 +380,9 @@ zeek::RecordValPtr NFS_Interp::nfs3_sattr(const u_char*& buf, int& n) return attrs; } -zeek::RecordValPtr NFS_Interp::nfs3_sattr_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status) +RecordValPtr NFS_Interp::nfs3_sattr_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status) { - auto rep = zeek::make_intrusive(zeek::BifType::Record::NFS3::sattr_reply_t); + auto rep = make_intrusive(BifType::Record::NFS3::sattr_reply_t); if ( status == BifEnum::NFS3::NFS3ERR_OK ) { @@ -398,9 +398,9 @@ zeek::RecordValPtr NFS_Interp::nfs3_sattr_reply(const u_char*& buf, int& n, BifE return rep; } -zeek::RecordValPtr NFS_Interp::nfs3_fattr(const u_char*& buf, int& n) +RecordValPtr NFS_Interp::nfs3_fattr(const u_char*& buf, int& n) { - auto attrs = zeek::make_intrusive(zeek::BifType::Record::NFS3::fattr_t); + auto attrs = make_intrusive(BifType::Record::NFS3::fattr_t); attrs->Assign(0, nfs3_ftype(buf, n)); // file type attrs->Assign(1, ExtractUint32(buf, n)); // mode @@ -420,23 +420,23 @@ zeek::RecordValPtr NFS_Interp::nfs3_fattr(const u_char*& buf, int& n) return attrs; } -zeek::EnumValPtr NFS_Interp::nfs3_time_how(const u_char*& buf, int& n) +EnumValPtr NFS_Interp::nfs3_time_how(const u_char*& buf, int& n) { BifEnum::NFS3::time_how_t t = (BifEnum::NFS3::time_how_t)extract_XDR_uint32(buf, n); - auto rval = zeek::BifType::Enum::NFS3::time_how_t->GetEnumVal(t); + auto rval = BifType::Enum::NFS3::time_how_t->GetEnumVal(t); return rval; } -zeek::EnumValPtr NFS_Interp::nfs3_ftype(const u_char*& buf, int& n) +EnumValPtr NFS_Interp::nfs3_ftype(const u_char*& buf, int& n) { BifEnum::NFS3::file_type_t t = (BifEnum::NFS3::file_type_t)extract_XDR_uint32(buf, n); - auto rval = zeek::BifType::Enum::NFS3::file_type_t->GetEnumVal(t); + auto rval = BifType::Enum::NFS3::file_type_t->GetEnumVal(t); return rval; } -zeek::RecordValPtr NFS_Interp::nfs3_wcc_attr(const u_char*& buf, int& n) +RecordValPtr NFS_Interp::nfs3_wcc_attr(const u_char*& buf, int& n) { - auto attrs = zeek::make_intrusive(zeek::BifType::Record::NFS3::wcc_attr_t); + auto attrs = make_intrusive(BifType::Record::NFS3::wcc_attr_t); attrs->Assign(0, ExtractUint64(buf, n)); // size attrs->Assign(1, ExtractTime(buf, n)); // mtime @@ -445,7 +445,7 @@ zeek::RecordValPtr NFS_Interp::nfs3_wcc_attr(const u_char*& buf, int& n) return attrs; } -zeek::StringValPtr NFS_Interp::nfs3_filename(const u_char*& buf, int& n) +StringValPtr NFS_Interp::nfs3_filename(const u_char*& buf, int& n) { int name_len; const u_char* name = extract_XDR_opaque(buf, n, name_len); @@ -453,12 +453,12 @@ zeek::StringValPtr NFS_Interp::nfs3_filename(const u_char*& buf, int& n) if ( ! name ) return nullptr; - return zeek::make_intrusive(new zeek::String(name, name_len, false)); + return make_intrusive(new String(name, name_len, false)); } -zeek::RecordValPtr NFS_Interp::nfs3_diropargs(const u_char*& buf, int& n) +RecordValPtr NFS_Interp::nfs3_diropargs(const u_char*& buf, int& n) { - auto diropargs = zeek::make_intrusive(zeek::BifType::Record::NFS3::diropargs_t); + auto diropargs = make_intrusive(BifType::Record::NFS3::diropargs_t); diropargs->Assign(0, nfs3_fh(buf, n)); diropargs->Assign(1, nfs3_filename(buf, n)); @@ -466,9 +466,9 @@ zeek::RecordValPtr NFS_Interp::nfs3_diropargs(const u_char*& buf, int& n) return diropargs; } -zeek::RecordValPtr NFS_Interp::nfs3_symlinkdata(const u_char*& buf, int& n) +RecordValPtr NFS_Interp::nfs3_symlinkdata(const u_char*& buf, int& n) { - auto symlinkdata = zeek::make_intrusive(zeek::BifType::Record::NFS3::symlinkdata_t); + auto symlinkdata = make_intrusive(BifType::Record::NFS3::symlinkdata_t); symlinkdata->Assign(0, nfs3_sattr(buf, n)); symlinkdata->Assign(1, nfs3_nfspath(buf, n)); @@ -476,9 +476,9 @@ zeek::RecordValPtr NFS_Interp::nfs3_symlinkdata(const u_char*& buf, int& n) return symlinkdata; } -zeek::RecordValPtr NFS_Interp::nfs3_renameopargs(const u_char*& buf, int& n) +RecordValPtr NFS_Interp::nfs3_renameopargs(const u_char*& buf, int& n) { - auto renameopargs = zeek::make_intrusive(zeek::BifType::Record::NFS3::renameopargs_t); + auto renameopargs = make_intrusive(BifType::Record::NFS3::renameopargs_t); renameopargs->Assign(0, nfs3_fh(buf, n)); renameopargs->Assign(1, nfs3_filename(buf, n)); @@ -488,7 +488,7 @@ zeek::RecordValPtr NFS_Interp::nfs3_renameopargs(const u_char*& buf, int& n) return renameopargs; } -zeek::RecordValPtr NFS_Interp::nfs3_post_op_attr(const u_char*& buf, int& n) +RecordValPtr NFS_Interp::nfs3_post_op_attr(const u_char*& buf, int& n) { int have_attrs = extract_XDR_uint32(buf, n); @@ -498,7 +498,7 @@ zeek::RecordValPtr NFS_Interp::nfs3_post_op_attr(const u_char*& buf, int& n) return nullptr; } -zeek::StringValPtr NFS_Interp::nfs3_post_op_fh(const u_char*& buf, int& n) +StringValPtr NFS_Interp::nfs3_post_op_fh(const u_char*& buf, int& n) { int have_fh = extract_XDR_uint32(buf, n); @@ -508,7 +508,7 @@ zeek::StringValPtr NFS_Interp::nfs3_post_op_fh(const u_char*& buf, int& n) return nullptr; } -zeek::RecordValPtr NFS_Interp::nfs3_pre_op_attr(const u_char*& buf, int& n) +RecordValPtr NFS_Interp::nfs3_pre_op_attr(const u_char*& buf, int& n) { int have_attrs = extract_XDR_uint32(buf, n); @@ -517,16 +517,16 @@ zeek::RecordValPtr NFS_Interp::nfs3_pre_op_attr(const u_char*& buf, int& n) return nullptr; } -zeek::EnumValPtr NFS_Interp::nfs3_stable_how(const u_char*& buf, int& n) +EnumValPtr NFS_Interp::nfs3_stable_how(const u_char*& buf, int& n) { BifEnum::NFS3::stable_how_t stable = (BifEnum::NFS3::stable_how_t)extract_XDR_uint32(buf, n); - auto rval = zeek::BifType::Enum::NFS3::stable_how_t->GetEnumVal(stable); + auto rval = BifType::Enum::NFS3::stable_how_t->GetEnumVal(stable); return rval; } -zeek::RecordValPtr NFS_Interp::nfs3_lookup_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status) +RecordValPtr NFS_Interp::nfs3_lookup_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status) { - auto rep = zeek::make_intrusive(zeek::BifType::Record::NFS3::lookup_reply_t); + auto rep = make_intrusive(BifType::Record::NFS3::lookup_reply_t); if ( status == BifEnum::NFS3::NFS3ERR_OK ) { @@ -543,9 +543,9 @@ zeek::RecordValPtr NFS_Interp::nfs3_lookup_reply(const u_char*& buf, int& n, Bif return rep; } -zeek::RecordValPtr NFS_Interp::nfs3_readargs(const u_char*& buf, int& n) +RecordValPtr NFS_Interp::nfs3_readargs(const u_char*& buf, int& n) { - auto readargs = zeek::make_intrusive(zeek::BifType::Record::NFS3::readargs_t); + auto readargs = make_intrusive(BifType::Record::NFS3::readargs_t); readargs->Assign(0, nfs3_fh(buf, n)); readargs->Assign(1, ExtractUint64(buf, n)); // offset @@ -554,10 +554,10 @@ zeek::RecordValPtr NFS_Interp::nfs3_readargs(const u_char*& buf, int& n) return readargs; } -zeek::RecordValPtr NFS_Interp::nfs3_read_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status, +RecordValPtr NFS_Interp::nfs3_read_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status, bro_uint_t offset) { - auto rep = zeek::make_intrusive(zeek::BifType::Record::NFS3::read_reply_t); + auto rep = make_intrusive(BifType::Record::NFS3::read_reply_t); if (status == BifEnum::NFS3::NFS3ERR_OK) { @@ -565,7 +565,7 @@ zeek::RecordValPtr NFS_Interp::nfs3_read_reply(const u_char*& buf, int& n, BifEn rep->Assign(0, nfs3_post_op_attr(buf, n)); bytes_read = extract_XDR_uint32(buf, n); - rep->Assign(1, zeek::val_mgr->Count(bytes_read)); + rep->Assign(1, val_mgr->Count(bytes_read)); rep->Assign(2, ExtractBool(buf, n)); rep->Assign(3, nfs3_file_data(buf, n, offset, bytes_read)); } @@ -577,9 +577,9 @@ zeek::RecordValPtr NFS_Interp::nfs3_read_reply(const u_char*& buf, int& n, BifEn return rep; } -zeek::RecordValPtr NFS_Interp::nfs3_readlink_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status) +RecordValPtr NFS_Interp::nfs3_readlink_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status) { - auto rep = zeek::make_intrusive(zeek::BifType::Record::NFS3::readlink_reply_t); + auto rep = make_intrusive(BifType::Record::NFS3::readlink_reply_t); if (status == BifEnum::NFS3::NFS3ERR_OK) { @@ -594,9 +594,9 @@ zeek::RecordValPtr NFS_Interp::nfs3_readlink_reply(const u_char*& buf, int& n, B return rep; } -zeek::RecordValPtr NFS_Interp::nfs3_link_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status) +RecordValPtr NFS_Interp::nfs3_link_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status) { - auto rep = zeek::make_intrusive(zeek::BifType::Record::NFS3::link_reply_t); + auto rep = make_intrusive(BifType::Record::NFS3::link_reply_t); if ( status == BifEnum::NFS3::NFS3ERR_OK ) { @@ -610,9 +610,9 @@ zeek::RecordValPtr NFS_Interp::nfs3_link_reply(const u_char*& buf, int& n, BifEn return rep; } -zeek::RecordValPtr NFS_Interp::nfs3_symlinkargs(const u_char*& buf, int& n) +RecordValPtr NFS_Interp::nfs3_symlinkargs(const u_char*& buf, int& n) { - auto symlinkargs = zeek::make_intrusive(zeek::BifType::Record::NFS3::symlinkargs_t); + auto symlinkargs = make_intrusive(BifType::Record::NFS3::symlinkargs_t); symlinkargs->Assign(0, nfs3_diropargs(buf, n)); symlinkargs->Assign(1, nfs3_symlinkdata(buf, n)); @@ -620,9 +620,9 @@ zeek::RecordValPtr NFS_Interp::nfs3_symlinkargs(const u_char*& buf, int& n) return symlinkargs; } -zeek::RecordValPtr NFS_Interp::nfs3_sattrargs(const u_char*& buf, int& n) +RecordValPtr NFS_Interp::nfs3_sattrargs(const u_char*& buf, int& n) { - auto sattrargs = zeek::make_intrusive(zeek::BifType::Record::NFS3::sattrargs_t); + auto sattrargs = make_intrusive(BifType::Record::NFS3::sattrargs_t); sattrargs->Assign(0, nfs3_fh(buf, n)); sattrargs->Assign(1, nfs3_sattr(buf, n)); @@ -630,9 +630,9 @@ zeek::RecordValPtr NFS_Interp::nfs3_sattrargs(const u_char*& buf, int& n) return sattrargs; } -zeek::RecordValPtr NFS_Interp::nfs3_linkargs(const u_char*& buf, int& n) +RecordValPtr NFS_Interp::nfs3_linkargs(const u_char*& buf, int& n) { - auto linkargs = zeek::make_intrusive(zeek::BifType::Record::NFS3::linkargs_t); + auto linkargs = make_intrusive(BifType::Record::NFS3::linkargs_t); linkargs->Assign(0, nfs3_fh(buf, n)); linkargs->Assign(1, nfs3_diropargs(buf, n)); @@ -640,17 +640,17 @@ zeek::RecordValPtr NFS_Interp::nfs3_linkargs(const u_char*& buf, int& n) return linkargs; } -zeek::RecordValPtr NFS_Interp::nfs3_writeargs(const u_char*& buf, int& n) +RecordValPtr NFS_Interp::nfs3_writeargs(const u_char*& buf, int& n) { uint32_t bytes; uint64_t offset; - auto writeargs = zeek::make_intrusive(zeek::BifType::Record::NFS3::writeargs_t); + auto writeargs = make_intrusive(BifType::Record::NFS3::writeargs_t); writeargs->Assign(0, nfs3_fh(buf, n)); offset = extract_XDR_uint64(buf, n); - writeargs->Assign(1, zeek::val_mgr->Count(offset)); // offset + writeargs->Assign(1, val_mgr->Count(offset)); // offset bytes = extract_XDR_uint32(buf, n); - writeargs->Assign(2, zeek::val_mgr->Count(bytes)); // size + writeargs->Assign(2, val_mgr->Count(bytes)); // size writeargs->Assign(3, nfs3_stable_how(buf, n)); writeargs->Assign(4, nfs3_file_data(buf, n, offset, bytes)); @@ -658,9 +658,9 @@ zeek::RecordValPtr NFS_Interp::nfs3_writeargs(const u_char*& buf, int& n) return writeargs; } -zeek::RecordValPtr NFS_Interp::nfs3_write_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status) +RecordValPtr NFS_Interp::nfs3_write_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status) { - auto rep = zeek::make_intrusive(zeek::BifType::Record::NFS3::write_reply_t); + auto rep = make_intrusive(BifType::Record::NFS3::write_reply_t); if ( status == BifEnum::NFS3::NFS3ERR_OK ) { @@ -683,9 +683,9 @@ zeek::RecordValPtr NFS_Interp::nfs3_write_reply(const u_char*& buf, int& n, BifE return rep; } -zeek::RecordValPtr NFS_Interp::nfs3_newobj_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status) +RecordValPtr NFS_Interp::nfs3_newobj_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status) { - auto rep = zeek::make_intrusive(zeek::BifType::Record::NFS3::newobj_reply_t); + auto rep = make_intrusive(BifType::Record::NFS3::newobj_reply_t); if (status == BifEnum::NFS3::NFS3ERR_OK) { @@ -707,9 +707,9 @@ zeek::RecordValPtr NFS_Interp::nfs3_newobj_reply(const u_char*& buf, int& n, Bif return rep; } -zeek::RecordValPtr NFS_Interp::nfs3_delobj_reply(const u_char*& buf, int& n) +RecordValPtr NFS_Interp::nfs3_delobj_reply(const u_char*& buf, int& n) { - auto rep = zeek::make_intrusive(zeek::BifType::Record::NFS3::delobj_reply_t); + auto rep = make_intrusive(BifType::Record::NFS3::delobj_reply_t); // wcc_data rep->Assign(0, nfs3_pre_op_attr(buf, n)); @@ -718,9 +718,9 @@ zeek::RecordValPtr NFS_Interp::nfs3_delobj_reply(const u_char*& buf, int& n) return rep; } -zeek::RecordValPtr NFS_Interp::nfs3_renameobj_reply(const u_char*& buf, int& n) +RecordValPtr NFS_Interp::nfs3_renameobj_reply(const u_char*& buf, int& n) { - auto rep = zeek::make_intrusive(zeek::BifType::Record::NFS3::renameobj_reply_t); + auto rep = make_intrusive(BifType::Record::NFS3::renameobj_reply_t); // wcc_data rep->Assign(0, nfs3_pre_op_attr(buf, n)); @@ -731,11 +731,11 @@ zeek::RecordValPtr NFS_Interp::nfs3_renameobj_reply(const u_char*& buf, int& n) return rep; } -zeek::RecordValPtr NFS_Interp::nfs3_readdirargs(bool isplus, const u_char*& buf, int&n) +RecordValPtr NFS_Interp::nfs3_readdirargs(bool isplus, const u_char*& buf, int&n) { - auto args = zeek::make_intrusive(zeek::BifType::Record::NFS3::readdirargs_t); + auto args = make_intrusive(BifType::Record::NFS3::readdirargs_t); - args->Assign(0, zeek::val_mgr->Bool(isplus)); + args->Assign(0, val_mgr->Bool(isplus)); args->Assign(1, nfs3_fh(buf, n)); args->Assign(2, ExtractUint64(buf,n)); // cookie args->Assign(3, ExtractUint64(buf,n)); // cookieverf @@ -747,17 +747,17 @@ zeek::RecordValPtr NFS_Interp::nfs3_readdirargs(bool isplus, const u_char*& buf, return args; } -zeek::RecordValPtr NFS_Interp::nfs3_readdir_reply(bool isplus, const u_char*& buf, +RecordValPtr NFS_Interp::nfs3_readdir_reply(bool isplus, const u_char*& buf, int&n, BifEnum::NFS3::status_t status) { - auto rep = zeek::make_intrusive(zeek::BifType::Record::NFS3::readdir_reply_t); + auto rep = make_intrusive(BifType::Record::NFS3::readdir_reply_t); - rep->Assign(0, zeek::val_mgr->Bool(isplus)); + rep->Assign(0, val_mgr->Bool(isplus)); if ( status == BifEnum::NFS3::NFS3ERR_OK ) { unsigned pos; - auto entries = zeek::make_intrusive(zeek::BifType::Vector::NFS3::direntry_vec_t); + auto entries = make_intrusive(BifType::Vector::NFS3::direntry_vec_t); rep->Assign(1, nfs3_post_op_attr(buf,n)); // dir_attr rep->Assign(2, ExtractUint64(buf,n)); // cookieverf @@ -766,7 +766,7 @@ zeek::RecordValPtr NFS_Interp::nfs3_readdir_reply(bool isplus, const u_char*& bu while ( extract_XDR_uint32(buf,n) ) { - auto entry = zeek::make_intrusive(zeek::BifType::Record::NFS3::direntry_t); + auto entry = make_intrusive(BifType::Record::NFS3::direntry_t); entry->Assign(0, ExtractUint64(buf,n)); // fileid entry->Assign(1, nfs3_filename(buf,n)); // fname entry->Assign(2, ExtractUint64(buf,n)); // cookie @@ -792,34 +792,34 @@ zeek::RecordValPtr NFS_Interp::nfs3_readdir_reply(bool isplus, const u_char*& bu return rep; } -zeek::ValPtr NFS_Interp::ExtractUint32(const u_char*& buf, int& n) +ValPtr NFS_Interp::ExtractUint32(const u_char*& buf, int& n) { - return zeek::val_mgr->Count(extract_XDR_uint32(buf, n)); + return val_mgr->Count(extract_XDR_uint32(buf, n)); } -zeek::ValPtr NFS_Interp::ExtractUint64(const u_char*& buf, int& n) +ValPtr NFS_Interp::ExtractUint64(const u_char*& buf, int& n) { - return zeek::val_mgr->Count(extract_XDR_uint64(buf, n)); + return val_mgr->Count(extract_XDR_uint64(buf, n)); } -zeek::ValPtr NFS_Interp::ExtractTime(const u_char*& buf, int& n) +ValPtr NFS_Interp::ExtractTime(const u_char*& buf, int& n) { - return zeek::make_intrusive(extract_XDR_time(buf, n)); + return make_intrusive(extract_XDR_time(buf, n)); } -zeek::ValPtr NFS_Interp::ExtractInterval(const u_char*& buf, int& n) +ValPtr NFS_Interp::ExtractInterval(const u_char*& buf, int& n) { - return zeek::make_intrusive(double(extract_XDR_uint32(buf, n)), 1.0); + return make_intrusive(double(extract_XDR_uint32(buf, n)), 1.0); } -zeek::ValPtr NFS_Interp::ExtractBool(const u_char*& buf, int& n) +ValPtr NFS_Interp::ExtractBool(const u_char*& buf, int& n) { - return zeek::val_mgr->Bool(extract_XDR_uint32(buf, n)); + return val_mgr->Bool(extract_XDR_uint32(buf, n)); } } // namespace detail -NFS_Analyzer::NFS_Analyzer(zeek::Connection* conn) +NFS_Analyzer::NFS_Analyzer(Connection* conn) : RPC_Analyzer("NFS", conn, new detail::NFS_Interp(this)) { orig_rpc = resp_rpc = nullptr; diff --git a/src/analyzer/protocol/rpc/NFS.h b/src/analyzer/protocol/rpc/NFS.h index 92b6e9962d..4a73f10595 100644 --- a/src/analyzer/protocol/rpc/NFS.h +++ b/src/analyzer/protocol/rpc/NFS.h @@ -10,7 +10,7 @@ namespace detail { class NFS_Interp : public RPC_Interpreter { public: - explicit NFS_Interp(zeek::analyzer::Analyzer* arg_analyzer) : RPC_Interpreter(arg_analyzer) { } + explicit NFS_Interp(analyzer::Analyzer* arg_analyzer) : RPC_Interpreter(arg_analyzer) { } protected: bool RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n) override; @@ -21,7 +21,7 @@ protected: // Returns a new val_list that already has a conn_val, rpc_status and // nfs_status. These are the first parameters for each nfs_* event // ... - zeek::Args event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status, + Args event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status, BifEnum::NFS3::status_t nfs_status, double rep_start_time, double rep_last_time, int reply_len, int extra_elements); @@ -31,63 +31,63 @@ protected: // to 0. However, the methods might still return an allocated Val * ! // So, you might want to Unref() the Val if buf is 0. Method names // are based on the type names of RFC 1813. - zeek::StringValPtr nfs3_fh(const u_char*& buf, int& n); - zeek::RecordValPtr nfs3_fattr(const u_char*& buf, int& n); - zeek::RecordValPtr nfs3_sattr(const u_char*& buf, int& n); - zeek::EnumValPtr nfs3_ftype(const u_char*& buf, int& n); - zeek::EnumValPtr nfs3_time_how(const u_char*& buf, int& n); - zeek::RecordValPtr nfs3_wcc_attr(const u_char*& buf, int& n); - zeek::RecordValPtr nfs3_diropargs(const u_char*&buf, int &n); - zeek::RecordValPtr nfs3_symlinkdata(const u_char*& buf, int& n); - zeek::RecordValPtr nfs3_renameopargs(const u_char*&buf, int &n); - zeek::StringValPtr nfs3_filename(const u_char*& buf, int& n); - zeek::RecordValPtr nfs3_linkargs(const u_char*& buf, int& n); - zeek::RecordValPtr nfs3_symlinkargs(const u_char*& buf, int& n); - zeek::RecordValPtr nfs3_sattrargs(const u_char*& buf, int& n); - zeek::StringValPtr nfs3_nfspath(const u_char*& buf, int& n) + StringValPtr nfs3_fh(const u_char*& buf, int& n); + RecordValPtr nfs3_fattr(const u_char*& buf, int& n); + RecordValPtr nfs3_sattr(const u_char*& buf, int& n); + EnumValPtr nfs3_ftype(const u_char*& buf, int& n); + EnumValPtr nfs3_time_how(const u_char*& buf, int& n); + RecordValPtr nfs3_wcc_attr(const u_char*& buf, int& n); + RecordValPtr nfs3_diropargs(const u_char*&buf, int &n); + RecordValPtr nfs3_symlinkdata(const u_char*& buf, int& n); + RecordValPtr nfs3_renameopargs(const u_char*&buf, int &n); + StringValPtr nfs3_filename(const u_char*& buf, int& n); + RecordValPtr nfs3_linkargs(const u_char*& buf, int& n); + RecordValPtr nfs3_symlinkargs(const u_char*& buf, int& n); + RecordValPtr nfs3_sattrargs(const u_char*& buf, int& n); + StringValPtr nfs3_nfspath(const u_char*& buf, int& n) { return nfs3_filename(buf,n); } - zeek::RecordValPtr nfs3_post_op_attr(const u_char*&buf, int &n); // Return 0 or an fattr - zeek::RecordValPtr nfs3_pre_op_attr(const u_char*&buf, int &n); // Return 0 or an wcc_attr - zeek::RecordValPtr nfs3_sattr_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status); - zeek::RecordValPtr nfs3_lookup_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status); - zeek::RecordValPtr nfs3_readargs(const u_char*& buf, int& n); - zeek::RecordValPtr nfs3_read_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status, bro_uint_t offset); - zeek::RecordValPtr nfs3_readlink_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status); - zeek::RecordValPtr nfs3_link_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status); - zeek::RecordValPtr nfs3_writeargs(const u_char*& buf, int& n); - zeek::EnumValPtr nfs3_stable_how(const u_char*& buf, int& n); - zeek::RecordValPtr nfs3_write_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status); - zeek::RecordValPtr nfs3_newobj_reply(const u_char*& buf, int&n, BifEnum::NFS3::status_t status); - zeek::RecordValPtr nfs3_delobj_reply(const u_char*& buf, int& n); - zeek::RecordValPtr nfs3_renameobj_reply(const u_char*& buf, int& n); - zeek::StringValPtr nfs3_post_op_fh(const u_char*& buf, int& n); - zeek::RecordValPtr nfs3_readdirargs(bool isplus, const u_char*& buf, int&n); - zeek::RecordValPtr nfs3_readdir_reply(bool isplus, const u_char*& buf, int&n, BifEnum::NFS3::status_t status); + RecordValPtr nfs3_post_op_attr(const u_char*&buf, int &n); // Return 0 or an fattr + RecordValPtr nfs3_pre_op_attr(const u_char*&buf, int &n); // Return 0 or an wcc_attr + RecordValPtr nfs3_sattr_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status); + RecordValPtr nfs3_lookup_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status); + RecordValPtr nfs3_readargs(const u_char*& buf, int& n); + RecordValPtr nfs3_read_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status, bro_uint_t offset); + RecordValPtr nfs3_readlink_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status); + RecordValPtr nfs3_link_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status); + RecordValPtr nfs3_writeargs(const u_char*& buf, int& n); + EnumValPtr nfs3_stable_how(const u_char*& buf, int& n); + RecordValPtr nfs3_write_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status); + RecordValPtr nfs3_newobj_reply(const u_char*& buf, int&n, BifEnum::NFS3::status_t status); + RecordValPtr nfs3_delobj_reply(const u_char*& buf, int& n); + RecordValPtr nfs3_renameobj_reply(const u_char*& buf, int& n); + StringValPtr nfs3_post_op_fh(const u_char*& buf, int& n); + RecordValPtr nfs3_readdirargs(bool isplus, const u_char*& buf, int&n); + RecordValPtr nfs3_readdir_reply(bool isplus, const u_char*& buf, int&n, BifEnum::NFS3::status_t status); // Consumes the file data in the RPC message. Depending on NFS::return_data* consts // in bro.init returns NULL or the data as string val: // * offset is the offset of the read/write call // * size is the amount of bytes read (or requested to be written), - zeek::StringValPtr nfs3_file_data(const u_char*& buf, int& n, uint64_t offset, int size); + StringValPtr nfs3_file_data(const u_char*& buf, int& n, uint64_t offset, int size); - zeek::ValPtr ExtractUint32(const u_char*& buf, int& n); - zeek::ValPtr ExtractUint64(const u_char*& buf, int& n); - zeek::ValPtr ExtractTime(const u_char*& buf, int& n); - zeek::ValPtr ExtractInterval(const u_char*& buf, int& n); - zeek::ValPtr ExtractBool(const u_char*& buf, int& n); + ValPtr ExtractUint32(const u_char*& buf, int& n); + ValPtr ExtractUint64(const u_char*& buf, int& n); + ValPtr ExtractTime(const u_char*& buf, int& n); + ValPtr ExtractInterval(const u_char*& buf, int& n); + ValPtr ExtractBool(const u_char*& buf, int& n); }; } // namespace detail class NFS_Analyzer : public RPC_Analyzer { public: - explicit NFS_Analyzer(zeek::Connection* conn); + explicit NFS_Analyzer(Connection* conn); void Init() override; - static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) + static analyzer::Analyzer* Instantiate(Connection* conn) { return new NFS_Analyzer(conn); } }; diff --git a/src/analyzer/protocol/rpc/Portmap.cc b/src/analyzer/protocol/rpc/Portmap.cc index 8f23aab824..58bb2590ca 100644 --- a/src/analyzer/protocol/rpc/Portmap.cc +++ b/src/analyzer/protocol/rpc/Portmap.cc @@ -79,8 +79,8 @@ bool PortmapperInterp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status statu double start_time, double last_time, int reply_len) { - zeek::EventHandlerPtr event; - zeek::ValPtr reply; + EventHandlerPtr event; + ValPtr reply; int success = (status == BifEnum::RPC_SUCCESS); switch ( c->Proc() ) { @@ -95,7 +95,7 @@ bool PortmapperInterp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status statu if ( ! buf ) return false; - reply = zeek::val_mgr->Bool(status); + reply = val_mgr->Bool(status); event = pm_request_set; } else @@ -110,7 +110,7 @@ bool PortmapperInterp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status statu if ( ! buf ) return false; - reply = zeek::val_mgr->Bool(status); + reply = val_mgr->Bool(status); event = pm_request_unset; } else @@ -125,9 +125,9 @@ bool PortmapperInterp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status statu if ( ! buf ) return false; - zeek::RecordVal* rv = c->RequestVal()->AsRecordVal(); + RecordVal* rv = c->RequestVal()->AsRecordVal(); const auto& is_tcp = rv->GetField(2); - reply = zeek::val_mgr->Port(CheckPort(port), is_tcp->IsOne() ? + reply = val_mgr->Port(CheckPort(port), is_tcp->IsOne() ? TRANSPORT_TCP : TRANSPORT_UDP); event = pm_request_getport; } @@ -139,8 +139,8 @@ bool PortmapperInterp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status statu event = success ? pm_request_dump : pm_attempt_dump; if ( success ) { - static auto pm_mappings = zeek::id::find_type("pm_mappings"); - auto mappings = zeek::make_intrusive(pm_mappings); + static auto pm_mappings = id::find_type("pm_mappings"); + auto mappings = make_intrusive(pm_mappings); uint32_t nmap = 0; // Each call in the loop test pulls the next "opted" @@ -151,7 +151,7 @@ bool PortmapperInterp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status statu if ( ! m ) break; - auto index = zeek::val_mgr->Count(++nmap); + auto index = val_mgr->Count(++nmap); mappings->Assign(std::move(index), std::move(m)); } @@ -175,7 +175,7 @@ bool PortmapperInterp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status statu if ( ! opaque_reply ) return false; - reply = zeek::val_mgr->Port(CheckPort(port), TRANSPORT_UDP); + reply = val_mgr->Port(CheckPort(port), TRANSPORT_UDP); event = pm_request_callit; } else @@ -190,17 +190,17 @@ bool PortmapperInterp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status statu return true; } -zeek::ValPtr PortmapperInterp::ExtractMapping(const u_char*& buf, int& len) +ValPtr PortmapperInterp::ExtractMapping(const u_char*& buf, int& len) { - static auto pm_mapping = zeek::id::find_type("pm_mapping"); - auto mapping = zeek::make_intrusive(pm_mapping); + static auto pm_mapping = id::find_type("pm_mapping"); + auto mapping = make_intrusive(pm_mapping); - mapping->Assign(0, zeek::val_mgr->Count(extract_XDR_uint32(buf, len))); - mapping->Assign(1, zeek::val_mgr->Count(extract_XDR_uint32(buf, len))); + mapping->Assign(0, val_mgr->Count(extract_XDR_uint32(buf, len))); + mapping->Assign(1, val_mgr->Count(extract_XDR_uint32(buf, len))); bool is_tcp = extract_XDR_uint32(buf, len) == IPPROTO_TCP; uint32_t port = extract_XDR_uint32(buf, len); - mapping->Assign(2, zeek::val_mgr->Port(CheckPort(port), is_tcp ? TRANSPORT_TCP : TRANSPORT_UDP)); + mapping->Assign(2, val_mgr->Port(CheckPort(port), is_tcp ? TRANSPORT_TCP : TRANSPORT_UDP)); if ( ! buf ) return nullptr; @@ -208,16 +208,16 @@ zeek::ValPtr PortmapperInterp::ExtractMapping(const u_char*& buf, int& len) return mapping; } -zeek::ValPtr PortmapperInterp::ExtractPortRequest(const u_char*& buf, int& len) +ValPtr PortmapperInterp::ExtractPortRequest(const u_char*& buf, int& len) { - static auto pm_port_request = zeek::id::find_type("pm_port_request"); - auto pr = zeek::make_intrusive(pm_port_request); + static auto pm_port_request = id::find_type("pm_port_request"); + auto pr = make_intrusive(pm_port_request); - pr->Assign(0, zeek::val_mgr->Count(extract_XDR_uint32(buf, len))); - pr->Assign(1, zeek::val_mgr->Count(extract_XDR_uint32(buf, len))); + pr->Assign(0, val_mgr->Count(extract_XDR_uint32(buf, len))); + pr->Assign(1, val_mgr->Count(extract_XDR_uint32(buf, len))); bool is_tcp = extract_XDR_uint32(buf, len) == IPPROTO_TCP; - pr->Assign(2, zeek::val_mgr->Bool(is_tcp)); + pr->Assign(2, val_mgr->Bool(is_tcp)); (void) extract_XDR_uint32(buf, len); // consume the bogus port if ( ! buf ) @@ -226,18 +226,18 @@ zeek::ValPtr PortmapperInterp::ExtractPortRequest(const u_char*& buf, int& len) return pr; } -zeek::ValPtr PortmapperInterp::ExtractCallItRequest(const u_char*& buf, int& len) +ValPtr PortmapperInterp::ExtractCallItRequest(const u_char*& buf, int& len) { - static auto pm_callit_request = zeek::id::find_type("pm_callit_request"); - auto c = zeek::make_intrusive(pm_callit_request); + static auto pm_callit_request = id::find_type("pm_callit_request"); + auto c = make_intrusive(pm_callit_request); - c->Assign(0, zeek::val_mgr->Count(extract_XDR_uint32(buf, len))); - c->Assign(1, zeek::val_mgr->Count(extract_XDR_uint32(buf, len))); - c->Assign(2, zeek::val_mgr->Count(extract_XDR_uint32(buf, len))); + c->Assign(0, val_mgr->Count(extract_XDR_uint32(buf, len))); + c->Assign(1, val_mgr->Count(extract_XDR_uint32(buf, len))); + c->Assign(2, val_mgr->Count(extract_XDR_uint32(buf, len))); int arg_n; (void) extract_XDR_opaque(buf, len, arg_n); - c->Assign(3, zeek::val_mgr->Count(arg_n)); + c->Assign(3, val_mgr->Count(arg_n)); if ( ! buf ) return nullptr; @@ -253,7 +253,7 @@ uint32_t PortmapperInterp::CheckPort(uint32_t port) { analyzer->EnqueueConnEvent(pm_bad_port, analyzer->ConnVal(), - zeek::val_mgr->Count(port) + val_mgr->Count(port) ); } @@ -263,12 +263,12 @@ uint32_t PortmapperInterp::CheckPort(uint32_t port) return port; } -void PortmapperInterp::Event(zeek::EventHandlerPtr f, zeek::ValPtr request, BifEnum::rpc_status status, zeek::ValPtr reply) +void PortmapperInterp::Event(EventHandlerPtr f, ValPtr request, BifEnum::rpc_status status, ValPtr reply) { if ( ! f ) return; - zeek::Args vl; + Args vl; vl.emplace_back(analyzer->ConnVal()); @@ -281,7 +281,7 @@ void PortmapperInterp::Event(zeek::EventHandlerPtr f, zeek::ValPtr request, BifE } else { - vl.emplace_back(zeek::BifType::Enum::rpc_status->GetEnumVal(status)); + vl.emplace_back(BifType::Enum::rpc_status->GetEnumVal(status)); if ( request ) vl.emplace_back(std::move(request)); @@ -292,7 +292,7 @@ void PortmapperInterp::Event(zeek::EventHandlerPtr f, zeek::ValPtr request, BifE } // namespace detail -Portmapper_Analyzer::Portmapper_Analyzer(zeek::Connection* conn) +Portmapper_Analyzer::Portmapper_Analyzer(Connection* conn) : RPC_Analyzer("PORTMAPPER", conn, new detail::PortmapperInterp(this)) { orig_rpc = resp_rpc = nullptr; diff --git a/src/analyzer/protocol/rpc/Portmap.h b/src/analyzer/protocol/rpc/Portmap.h index 6fae3b8e40..49b1ddcb39 100644 --- a/src/analyzer/protocol/rpc/Portmap.h +++ b/src/analyzer/protocol/rpc/Portmap.h @@ -9,7 +9,7 @@ namespace detail { class PortmapperInterp : public RPC_Interpreter { public: - explicit PortmapperInterp(zeek::analyzer::Analyzer* arg_analyzer) : RPC_Interpreter(arg_analyzer) { } + explicit PortmapperInterp(analyzer::Analyzer* arg_analyzer) : RPC_Interpreter(arg_analyzer) { } protected: bool RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n) override; @@ -18,22 +18,22 @@ protected: double last_time, int reply_len) override; uint32_t CheckPort(uint32_t port); - void Event(zeek::EventHandlerPtr f, zeek::ValPtr request, BifEnum::rpc_status status, zeek::ValPtr reply); + void Event(EventHandlerPtr f, ValPtr request, BifEnum::rpc_status status, ValPtr reply); - zeek::ValPtr ExtractMapping(const u_char*& buf, int& len); - zeek::ValPtr ExtractPortRequest(const u_char*& buf, int& len); - zeek::ValPtr ExtractCallItRequest(const u_char*& buf, int& len); + ValPtr ExtractMapping(const u_char*& buf, int& len); + ValPtr ExtractPortRequest(const u_char*& buf, int& len); + ValPtr ExtractCallItRequest(const u_char*& buf, int& len); }; } // namespace detail class Portmapper_Analyzer : public RPC_Analyzer { public: - explicit Portmapper_Analyzer(zeek::Connection* conn); + explicit Portmapper_Analyzer(Connection* conn); ~Portmapper_Analyzer() override; void Init() override; - static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) + static analyzer::Analyzer* Instantiate(Connection* conn) { return new Portmapper_Analyzer(conn); } }; diff --git a/src/analyzer/protocol/rpc/RPC.cc b/src/analyzer/protocol/rpc/RPC.cc index cbed5b3cb0..82ec9f6a75 100644 --- a/src/analyzer/protocol/rpc/RPC.cc +++ b/src/analyzer/protocol/rpc/RPC.cc @@ -108,7 +108,7 @@ bool RPC_CallInfo::CompareRexmit(const u_char* buf, int n) const } -RPC_Interpreter::RPC_Interpreter(zeek::analyzer::Analyzer* arg_analyzer) +RPC_Interpreter::RPC_Interpreter(analyzer::Analyzer* arg_analyzer) { analyzer = arg_analyzer; } @@ -308,7 +308,7 @@ int RPC_Interpreter::DeliverRPC(const u_char* buf, int n, int rpclen, else if ( n < 0 ) { - zeek::reporter->AnalyzerError(analyzer, "RPC underflow"); + reporter->AnalyzerError(analyzer, "RPC underflow"); return 0; } @@ -327,7 +327,7 @@ void RPC_Interpreter::Timeout() const u_char* buf = nullptr; int n = 0; - if ( ! RPC_BuildReply(c, BifEnum::RPC_TIMEOUT, buf, n, zeek::run_state::network_time, zeek::run_state::network_time, 0) ) + if ( ! RPC_BuildReply(c, BifEnum::RPC_TIMEOUT, buf, n, run_state::network_time, run_state::network_time, 0) ) Weird("bad_RPC"); } } @@ -338,13 +338,13 @@ void RPC_Interpreter::Event_RPC_Dialogue(RPC_CallInfo* c, BifEnum::rpc_status st if ( rpc_dialogue ) analyzer->EnqueueConnEvent(rpc_dialogue, analyzer->ConnVal(), - zeek::val_mgr->Count(c->Program()), - zeek::val_mgr->Count(c->Version()), - zeek::val_mgr->Count(c->Proc()), - zeek::BifType::Enum::rpc_status->GetEnumVal(status), - zeek::make_intrusive(c->StartTime()), - zeek::val_mgr->Count(c->CallLen()), - zeek::val_mgr->Count(reply_len) + val_mgr->Count(c->Program()), + val_mgr->Count(c->Version()), + val_mgr->Count(c->Proc()), + BifType::Enum::rpc_status->GetEnumVal(status), + make_intrusive(c->StartTime()), + val_mgr->Count(c->CallLen()), + val_mgr->Count(reply_len) ); } @@ -353,11 +353,11 @@ void RPC_Interpreter::Event_RPC_Call(RPC_CallInfo* c) if ( rpc_call ) analyzer->EnqueueConnEvent(rpc_call, analyzer->ConnVal(), - zeek::val_mgr->Count(c->XID()), - zeek::val_mgr->Count(c->Program()), - zeek::val_mgr->Count(c->Version()), - zeek::val_mgr->Count(c->Proc()), - zeek::val_mgr->Count(c->CallLen()) + val_mgr->Count(c->XID()), + val_mgr->Count(c->Program()), + val_mgr->Count(c->Version()), + val_mgr->Count(c->Proc()), + val_mgr->Count(c->CallLen()) ); } @@ -366,9 +366,9 @@ void RPC_Interpreter::Event_RPC_Reply(uint32_t xid, BifEnum::rpc_status status, if ( rpc_reply ) analyzer->EnqueueConnEvent(rpc_reply, analyzer->ConnVal(), - zeek::val_mgr->Count(xid), - zeek::BifType::Enum::rpc_status->GetEnumVal(status), - zeek::val_mgr->Count(reply_len) + val_mgr->Count(xid), + BifType::Enum::rpc_status->GetEnumVal(status), + val_mgr->Count(reply_len) ); } @@ -414,9 +414,9 @@ bool RPC_Reasm_Buffer::ConsumeChunk(const u_char*& data, int& len) } // namespace detail -Contents_RPC::Contents_RPC(zeek::Connection* conn, bool orig, +Contents_RPC::Contents_RPC(Connection* conn, bool orig, detail::RPC_Interpreter* arg_interp) - : zeek::analyzer::tcp::TCP_SupportAnalyzer("CONTENTS_RPC", conn, orig) + : analyzer::tcp::TCP_SupportAnalyzer("CONTENTS_RPC", conn, orig) { interp = arg_interp; state = WAIT_FOR_MESSAGE; @@ -428,7 +428,7 @@ Contents_RPC::Contents_RPC(zeek::Connection* conn, bool orig, void Contents_RPC::Init() { - zeek::analyzer::tcp::TCP_SupportAnalyzer::Init(); + analyzer::tcp::TCP_SupportAnalyzer::Init(); } Contents_RPC::~Contents_RPC() @@ -437,7 +437,7 @@ Contents_RPC::~Contents_RPC() void Contents_RPC::Undelivered(uint64_t seq, int len, bool orig) { - zeek::analyzer::tcp::TCP_SupportAnalyzer::Undelivered(seq, len, orig); + analyzer::tcp::TCP_SupportAnalyzer::Undelivered(seq, len, orig); NeedResync(); } @@ -456,12 +456,12 @@ bool Contents_RPC::CheckResync(int& len, const u_char*& data, bool orig) // is fully established we are in sync (since it's the first chunk // of data after the SYN if its not established we need to // resync. - zeek::analyzer::tcp::TCP_Analyzer* tcp = - static_cast(Parent())->TCP(); + analyzer::tcp::TCP_Analyzer* tcp = + static_cast(Parent())->TCP(); assert(tcp); if ( (IsOrig() ? tcp->OrigState() : tcp->RespState()) != - zeek::analyzer::tcp::TCP_ENDPOINT_ESTABLISHED ) + analyzer::tcp::TCP_ENDPOINT_ESTABLISHED ) { NeedResync(); } @@ -515,7 +515,7 @@ bool Contents_RPC::CheckResync(int& len, const u_char*& data, bool orig) if ( resync_toskip != 0 ) { // Should never happen. - zeek::reporter->AnalyzerError( + reporter->AnalyzerError( this, "RPC resync: skipping over data failed"); return false; } @@ -534,8 +534,8 @@ bool Contents_RPC::CheckResync(int& len, const u_char*& data, bool orig) // TCP keep-alive retransmissions. DEBUG_MSG("%.6f RPC resync: " "discard small pieces: %d\n", - zeek::run_state::network_time, len); - Conn()->Weird("RPC_resync", zeek::util::fmt("discard %d bytes\n", len)); + run_state::network_time, len); + Conn()->Weird("RPC_resync", util::fmt("discard %d bytes\n", len)); } NeedResync(); @@ -623,7 +623,7 @@ bool Contents_RPC::CheckResync(int& len, const u_char*& data, bool orig) void Contents_RPC::DeliverStream(int len, const u_char* data, bool orig) { - zeek::analyzer::tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig); + analyzer::tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig); uint32_t marker; bool last_frag; @@ -634,7 +634,7 @@ void Contents_RPC::DeliverStream(int len, const u_char* data, bool orig) while (len > 0) { - last_time = zeek::run_state::network_time; + last_time = run_state::network_time; switch (state) { case WAIT_FOR_MESSAGE: @@ -649,7 +649,7 @@ void Contents_RPC::DeliverStream(int len, const u_char* data, bool orig) msg_buf.Init(MAX_RPC_LEN, 0); last_frag = false; state = WAIT_FOR_MARKER; - start_time = zeek::run_state::network_time; + start_time = run_state::network_time; // no break. fall through case WAIT_FOR_MARKER: @@ -667,7 +667,7 @@ void Contents_RPC::DeliverStream(int len, const u_char* data, bool orig) if ( ! dummy_p ) { - zeek::reporter->AnalyzerError( + reporter->AnalyzerError( this, "inconsistent RPC record marker extraction"); return; } @@ -675,10 +675,10 @@ void Contents_RPC::DeliverStream(int len, const u_char* data, bool orig) last_frag = (marker & 0x80000000) != 0; marker &= 0x7fffffff; //printf("%.6f %d marker= %u <> last_frag= %d <> expected=%llu <> processed= %llu <> len = %d\n", - // zeek::run_state::network_time, IsOrig(), marker, last_frag, msg_buf.GetExpected(), msg_buf.GetProcessed(), len); + // run_state::network_time, IsOrig(), marker, last_frag, msg_buf.GetExpected(), msg_buf.GetProcessed(), len); if ( ! msg_buf.AddToExpected(marker) ) - Conn()->Weird("RPC_message_too_long", zeek::util::fmt("%" PRId64, msg_buf.GetExpected())); + Conn()->Weird("RPC_message_too_long", util::fmt("%" PRId64, msg_buf.GetExpected())); if ( last_frag ) state = WAIT_FOR_LAST_DATA; @@ -722,14 +722,14 @@ void Contents_RPC::DeliverStream(int len, const u_char* data, bool orig) } // end while } -RPC_Analyzer::RPC_Analyzer(const char* name, zeek::Connection* conn, +RPC_Analyzer::RPC_Analyzer(const char* name, Connection* conn, detail::RPC_Interpreter* arg_interp) - : zeek::analyzer::tcp::TCP_ApplicationAnalyzer(name, conn), + : analyzer::tcp::TCP_ApplicationAnalyzer(name, conn), interp(arg_interp), orig_rpc(), resp_rpc() { if ( Conn()->ConnTransport() == TRANSPORT_UDP ) ADD_ANALYZER_TIMER(&RPC_Analyzer::ExpireTimer, - zeek::run_state::network_time + zeek::detail::rpc_timeout, true, + run_state::network_time + zeek::detail::rpc_timeout, true, zeek::detail::TIMER_RPC_EXPIRE); } @@ -739,26 +739,26 @@ RPC_Analyzer::~RPC_Analyzer() } void RPC_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, - uint64_t seq, const zeek::IP_Hdr* ip, int caplen) + uint64_t seq, const IP_Hdr* ip, int caplen) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen); + analyzer::tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen); len = std::min(len, caplen); if ( orig ) { - if ( ! interp->DeliverRPC(data, len, len, true, zeek::run_state::network_time, zeek::run_state::network_time) ) + if ( ! interp->DeliverRPC(data, len, len, true, run_state::network_time, run_state::network_time) ) Weird("bad_RPC"); } else { - if ( ! interp->DeliverRPC(data, len, len, false, zeek::run_state::network_time, zeek::run_state::network_time) ) + if ( ! interp->DeliverRPC(data, len, len, false, run_state::network_time, run_state::network_time) ) Weird("bad_RPC"); } } void RPC_Analyzer::Done() { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); + analyzer::tcp::TCP_ApplicationAnalyzer::Done(); interp->Timeout(); } @@ -766,7 +766,7 @@ void RPC_Analyzer::Done() void RPC_Analyzer::ExpireTimer(double /* t */) { Event(connection_timeout); - zeek::sessions->Remove(Conn()); + sessions->Remove(Conn()); } } // namespace zeek::analyzer::rpc diff --git a/src/analyzer/protocol/rpc/RPC.h b/src/analyzer/protocol/rpc/RPC.h index 590be7a236..2c161bc24a 100644 --- a/src/analyzer/protocol/rpc/RPC.h +++ b/src/analyzer/protocol/rpc/RPC.h @@ -53,9 +53,9 @@ public: double last_time, int rpc_len); ~RPC_CallInfo(); - void AddVal(zeek::ValPtr arg_v) { v = std::move(arg_v); } - const zeek::ValPtr& RequestVal() const { return v; } - zeek::ValPtr TakeRequestVal() { auto rv = std::move(v); return rv; } + void AddVal(ValPtr arg_v) { v = std::move(arg_v); } + const ValPtr& RequestVal() const { return v; } + ValPtr TakeRequestVal() { auto rv = std::move(v); return rv; } bool CompareRexmit(const u_char* buf, int n) const; @@ -96,12 +96,12 @@ protected: int header_len; // size of data before the arguments bool valid_call; // whether call was well-formed - zeek::ValPtr v; // single (perhaps compound) value corresponding to call + ValPtr v; // single (perhaps compound) value corresponding to call }; class RPC_Interpreter { public: - explicit RPC_Interpreter(zeek::analyzer::Analyzer* analyzer); + explicit RPC_Interpreter(analyzer::Analyzer* analyzer); virtual ~RPC_Interpreter(); // Delivers the given RPC. Returns true if "len" bytes were @@ -124,7 +124,7 @@ protected: void Weird(const char* name, const char* addl = ""); std::map calls; - zeek::analyzer::Analyzer* analyzer; + analyzer::Analyzer* analyzer; }; @@ -187,9 +187,9 @@ protected: } // namespace detail /* Support Analyzer for reassembling RPC-over-TCP messages */ -class Contents_RPC final : public zeek::analyzer::tcp::TCP_SupportAnalyzer { +class Contents_RPC final : public analyzer::tcp::TCP_SupportAnalyzer { public: - Contents_RPC(zeek::Connection* conn, bool orig, detail::RPC_Interpreter* interp); + Contents_RPC(Connection* conn, bool orig, detail::RPC_Interpreter* interp); ~Contents_RPC() override; protected: @@ -233,9 +233,9 @@ protected: int resync_toskip; }; -class RPC_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { +class RPC_Analyzer : public analyzer::tcp::TCP_ApplicationAnalyzer { public: - RPC_Analyzer(const char* name, zeek::Connection* conn, + RPC_Analyzer(const char* name, Connection* conn, detail::RPC_Interpreter* arg_interp); ~RPC_Analyzer() override; @@ -243,7 +243,7 @@ public: protected: void DeliverPacket(int len, const u_char* data, bool orig, - uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override; + uint64_t seq, const IP_Hdr* ip, int caplen) override; void ExpireTimer(double t); diff --git a/src/analyzer/protocol/sip/SIP.cc b/src/analyzer/protocol/sip/SIP.cc index e3b4f37352..994ead9111 100644 --- a/src/analyzer/protocol/sip/SIP.cc +++ b/src/analyzer/protocol/sip/SIP.cc @@ -4,8 +4,8 @@ namespace zeek::analyzer::sip { -SIP_Analyzer::SIP_Analyzer(zeek::Connection* c) - : zeek::analyzer::Analyzer("SIP", c) +SIP_Analyzer::SIP_Analyzer(Connection* c) + : analyzer::Analyzer("SIP", c) { interp = new binpac::SIP::SIP_Conn(this); } @@ -21,7 +21,7 @@ void SIP_Analyzer::Done() } void SIP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, - uint64_t seq, const zeek::IP_Hdr* ip, int caplen) + uint64_t seq, const IP_Hdr* ip, int caplen) { bool real_orig = true; if ( len > 6 && data[0] == 'S' && data[1] == 'I' && data[2] == 'P' && data[3] == '/' ) @@ -39,7 +39,7 @@ void SIP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, } catch ( const binpac::Exception& e ) { - ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg())); + ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg())); } } diff --git a/src/analyzer/protocol/sip/SIP.h b/src/analyzer/protocol/sip/SIP.h index 8c83b246bd..8c981e60ae 100644 --- a/src/analyzer/protocol/sip/SIP.h +++ b/src/analyzer/protocol/sip/SIP.h @@ -7,18 +7,18 @@ namespace zeek::analyzer::sip{ -class SIP_Analyzer final : public zeek::analyzer::Analyzer { +class SIP_Analyzer final : public analyzer::Analyzer { public: - explicit SIP_Analyzer(zeek::Connection* conn); + explicit SIP_Analyzer(Connection* conn); ~SIP_Analyzer() override; // Overridden from Analyzer void Done() override; void DeliverPacket(int len, const u_char* data, bool orig, - uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override; + uint64_t seq, const IP_Hdr* ip, int caplen) override; - static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) + static analyzer::Analyzer* Instantiate(Connection* conn) { return new SIP_Analyzer(conn); } protected: diff --git a/src/analyzer/protocol/sip/SIP_TCP.cc b/src/analyzer/protocol/sip/SIP_TCP.cc index af564d112b..4d4462f2ba 100644 --- a/src/analyzer/protocol/sip/SIP_TCP.cc +++ b/src/analyzer/protocol/sip/SIP_TCP.cc @@ -9,8 +9,8 @@ namespace zeek::analyzer::sip_tcp { -SIP_Analyzer::SIP_Analyzer(zeek::Connection* conn) - : zeek::analyzer::tcp::TCP_ApplicationAnalyzer("SIP_TCP", conn) +SIP_Analyzer::SIP_Analyzer(Connection* conn) + : analyzer::tcp::TCP_ApplicationAnalyzer("SIP_TCP", conn) { interp = new binpac::SIP_TCP::SIP_Conn(this); had_gap = false; @@ -23,7 +23,7 @@ SIP_Analyzer::~SIP_Analyzer() void SIP_Analyzer::Done() { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); + analyzer::tcp::TCP_ApplicationAnalyzer::Done(); interp->FlowEOF(true); interp->FlowEOF(false); @@ -31,13 +31,13 @@ void SIP_Analyzer::Done() void SIP_Analyzer::EndpointEOF(bool is_orig) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); + analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); interp->FlowEOF(is_orig); } void SIP_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); + analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); assert(TCP()); if ( TCP()->IsPartial() ) @@ -55,13 +55,13 @@ void SIP_Analyzer::DeliverStream(int len, const u_char* data, bool orig) } catch ( const binpac::Exception& e ) { - ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg())); + ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg())); } } void SIP_Analyzer::Undelivered(uint64_t seq, int len, bool orig) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); + analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); had_gap = true; interp->NewGap(orig, len); } diff --git a/src/analyzer/protocol/sip/SIP_TCP.h b/src/analyzer/protocol/sip/SIP_TCP.h index f04afb93bf..7a6cd40d43 100644 --- a/src/analyzer/protocol/sip/SIP_TCP.h +++ b/src/analyzer/protocol/sip/SIP_TCP.h @@ -11,19 +11,19 @@ namespace zeek::analyzer::sip_tcp { -class SIP_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { +class SIP_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer { public: - explicit SIP_Analyzer(zeek::Connection* conn); + explicit SIP_Analyzer(Connection* conn); ~SIP_Analyzer() override; void Done() override; void DeliverStream(int len, const u_char* data, bool orig) override; void Undelivered(uint64_t seq, int len, bool orig) override; - // Overriden from zeek::analyzer::tcp::TCP_ApplicationAnalyzer. + // Overriden from analyzer::tcp::TCP_ApplicationAnalyzer. void EndpointEOF(bool is_orig) override; - static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) + static analyzer::Analyzer* Instantiate(Connection* conn) { return new SIP_Analyzer(conn); } protected: diff --git a/src/analyzer/protocol/smb/SMB.cc b/src/analyzer/protocol/smb/SMB.cc index 92ef6ab4af..6a24009236 100644 --- a/src/analyzer/protocol/smb/SMB.cc +++ b/src/analyzer/protocol/smb/SMB.cc @@ -6,8 +6,8 @@ namespace zeek::analyzer::smb { // being seen. #define SMB_MAX_LEN (1<<18) -SMB_Analyzer::SMB_Analyzer(zeek::Connection* conn) -: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("SMB", conn) +SMB_Analyzer::SMB_Analyzer(Connection* conn) +: analyzer::tcp::TCP_ApplicationAnalyzer("SMB", conn) { chunks=0; interp = new binpac::SMB::SMB_Conn(this); @@ -81,7 +81,7 @@ void SMB_Analyzer::DeliverStream(int len, const u_char* data, bool orig) } catch ( const binpac::Exception& e ) { - ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg())); + ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg())); NeedResync(); } } diff --git a/src/analyzer/protocol/smb/SMB.h b/src/analyzer/protocol/smb/SMB.h index 7b041de2f6..609cafe466 100644 --- a/src/analyzer/protocol/smb/SMB.h +++ b/src/analyzer/protocol/smb/SMB.h @@ -5,9 +5,9 @@ namespace zeek::analyzer::smb { -class SMB_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { +class SMB_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer { public: - explicit SMB_Analyzer(zeek::Connection* conn); + explicit SMB_Analyzer(Connection* conn); ~SMB_Analyzer() override; void Done() override; @@ -18,7 +18,7 @@ public: bool HasSMBHeader(int len, const u_char* data); void NeedResync(); - static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) + static analyzer::Analyzer* Instantiate(Connection* conn) { return new SMB_Analyzer(conn); } protected: diff --git a/src/analyzer/protocol/smtp/SMTP.cc b/src/analyzer/protocol/smtp/SMTP.cc index f288230368..c2f03d091b 100644 --- a/src/analyzer/protocol/smtp/SMTP.cc +++ b/src/analyzer/protocol/smtp/SMTP.cc @@ -26,8 +26,8 @@ static const char* unknown_cmd = "(UNKNOWN)"; namespace zeek::analyzer::smtp { -SMTP_Analyzer::SMTP_Analyzer(zeek::Connection* conn) -: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("SMTP", conn) +SMTP_Analyzer::SMTP_Analyzer(Connection* conn) +: analyzer::tcp::TCP_ApplicationAnalyzer("SMTP", conn) { expect_sender = false; expect_recver = true; @@ -46,12 +46,12 @@ SMTP_Analyzer::SMTP_Analyzer(zeek::Connection* conn) line_after_gap = nullptr; mail = nullptr; UpdateState(first_cmd, 0, true); - cl_orig = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, true); + cl_orig = new analyzer::tcp::ContentLine_Analyzer(conn, true); cl_orig->SetIsNULSensitive(true); cl_orig->SetSkipPartial(true); AddSupportAnalyzer(cl_orig); - cl_resp = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, false); + cl_resp = new analyzer::tcp::ContentLine_Analyzer(conn, false); cl_resp->SetIsNULSensitive(true); cl_resp->SetSkipPartial(true); AddSupportAnalyzer(cl_resp); @@ -59,7 +59,7 @@ SMTP_Analyzer::SMTP_Analyzer(zeek::Connection* conn) void SMTP_Analyzer::ConnectionFinished(bool half_finished) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::ConnectionFinished(half_finished); + analyzer::tcp::TCP_ApplicationAnalyzer::ConnectionFinished(half_finished); if ( ! half_finished && mail ) EndData(); @@ -72,7 +72,7 @@ SMTP_Analyzer::~SMTP_Analyzer() void SMTP_Analyzer::Done() { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); + analyzer::tcp::TCP_ApplicationAnalyzer::Done(); if ( mail ) EndData(); @@ -80,12 +80,12 @@ void SMTP_Analyzer::Done() void SMTP_Analyzer::Undelivered(uint64_t seq, int len, bool is_orig) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig); + analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig); if ( len <= 0 ) return; - const char* buf = zeek::util::fmt("seq = %" PRIu64", len = %d", seq, len); + const char* buf = util::fmt("seq = %" PRIu64", len = %d", seq, len); int buf_len = strlen(buf); Unexpected(is_orig, "content gap", buf_len, buf); @@ -118,7 +118,7 @@ void SMTP_Analyzer::Undelivered(uint64_t seq, int len, bool is_orig) void SMTP_Analyzer::DeliverStream(int length, const u_char* line, bool orig) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(length, line, orig); + analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(length, line, orig); // If an TLS transaction has been initiated, forward to child and abort. if ( state == detail::SMTP_IN_TLS ) @@ -183,7 +183,7 @@ void SMTP_Analyzer::ProcessLine(int length, const char* line, bool orig) delete line_after_gap; line_after_gap = - new zeek::String((const u_char *) line, length, true); + new String((const u_char *) line, length, true); } else if ( state == detail::SMTP_IN_DATA && line[0] == '.' && length == 1 ) @@ -221,8 +221,8 @@ void SMTP_Analyzer::ProcessLine(int length, const char* line, bool orig) { EnqueueConnEvent(smtp_data, ConnVal(), - zeek::val_mgr->Bool(orig), - zeek::make_intrusive(data_len, line) + val_mgr->Bool(orig), + make_intrusive(data_len, line) ); } } @@ -240,8 +240,8 @@ void SMTP_Analyzer::ProcessLine(int length, const char* line, bool orig) expect_sender = false; expect_recver = true; - zeek::util::get_word(length, line, cmd_len, cmd); - line = zeek::util::skip_whitespace(line + cmd_len, end_of_line); + util::get_word(length, line, cmd_len, cmd); + line = util::skip_whitespace(line + cmd_len, end_of_line); cmd_code = ParseCmd(cmd_len, cmd); if ( cmd_code == -1 ) @@ -299,7 +299,7 @@ void SMTP_Analyzer::ProcessLine(int length, const char* line, bool orig) { reply_code = -1; Unexpected(is_sender, "reply code out of range", length, line); - ProtocolViolation(zeek::util::fmt("reply code %d out of range", + ProtocolViolation(util::fmt("reply code %d out of range", reply_code), line, length); } @@ -319,12 +319,12 @@ void SMTP_Analyzer::ProcessLine(int length, const char* line, bool orig) if ( reply_code >= 0 && length > 3 && line[3] == '-' ) { // A continued reply. pending_reply = reply_code; - line = zeek::util::skip_whitespace(line+4, end_of_line); + line = util::skip_whitespace(line+4, end_of_line); } else { // This is the end of the reply. - line = zeek::util::skip_whitespace(line+3, end_of_line); + line = util::skip_whitespace(line+3, end_of_line); pending_reply = 0; expect_sender = true; @@ -351,11 +351,11 @@ void SMTP_Analyzer::ProcessLine(int length, const char* line, bool orig) EnqueueConnEvent(smtp_reply, ConnVal(), - zeek::val_mgr->Bool(orig), - zeek::val_mgr->Count(reply_code), - zeek::make_intrusive(cmd), - zeek::make_intrusive(end_of_line - line, line), - zeek::val_mgr->Bool((pending_reply > 0)) + val_mgr->Bool(orig), + val_mgr->Count(reply_code), + make_intrusive(cmd), + make_intrusive(end_of_line - line, line), + val_mgr->Bool((pending_reply > 0)) ); } } @@ -366,7 +366,7 @@ void SMTP_Analyzer::ProcessLine(int length, const char* line, bool orig) const char* ext; int ext_len; - zeek::util::get_word(end_of_line - line, line, ext_len, ext); + util::get_word(end_of_line - line, line, ext_len, ext); ProcessExtension(ext_len, ext); } } @@ -405,7 +405,7 @@ void SMTP_Analyzer::StartTLS() RemoveSupportAnalyzer(cl_orig); RemoveSupportAnalyzer(cl_resp); - Analyzer* ssl = zeek::analyzer_mgr->InstantiateAnalyzer("SSL", Conn()); + Analyzer* ssl = analyzer_mgr->InstantiateAnalyzer("SSL", Conn()); if ( ssl ) AddChildAnalyzer(ssl); @@ -855,14 +855,14 @@ void SMTP_Analyzer::RequestEvent(int cmd_len, const char* cmd, if ( smtp_request ) { - auto cmd_arg = zeek::make_intrusive(cmd_len, cmd); + auto cmd_arg = make_intrusive(cmd_len, cmd); cmd_arg->ToUpper(); EnqueueConnEvent(smtp_request, ConnVal(), - zeek::val_mgr->Bool(orig_is_sender), + val_mgr->Bool(orig_is_sender), std::move(cmd_arg), - zeek::make_intrusive(arg_len, arg) + make_intrusive(arg_len, arg) ); } } @@ -881,9 +881,9 @@ void SMTP_Analyzer::Unexpected(bool is_sender, const char* msg, EnqueueConnEvent(smtp_unexpected, ConnVal(), - zeek::val_mgr->Bool(is_orig), - zeek::make_intrusive(msg), - zeek::make_intrusive(detail_len, detail) + val_mgr->Bool(is_orig), + make_intrusive(msg), + make_intrusive(detail_len, detail) ); } } @@ -928,7 +928,7 @@ void SMTP_Analyzer::BeginData(bool orig) delete mail; } - mail = new zeek::analyzer::mime::MIME_Mail(this, orig); + mail = new analyzer::mime::MIME_Mail(this, orig); } void SMTP_Analyzer::EndData() diff --git a/src/analyzer/protocol/smtp/SMTP.h b/src/analyzer/protocol/smtp/SMTP.h index 7dcb22a979..0e0b69b084 100644 --- a/src/analyzer/protocol/smtp/SMTP.h +++ b/src/analyzer/protocol/smtp/SMTP.h @@ -37,9 +37,9 @@ enum SMTP_State { } // namespace detail -class SMTP_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { +class SMTP_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer { public: - explicit SMTP_Analyzer(zeek::Connection* conn); + explicit SMTP_Analyzer(Connection* conn); ~SMTP_Analyzer() override; void Done() override; @@ -49,7 +49,7 @@ public: void SkipData() { skip_data = 1; } // skip delivery of data lines - static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) + static analyzer::Analyzer* Instantiate(Connection* conn) { return new SMTP_Analyzer(conn); } @@ -86,14 +86,14 @@ protected: int pending_reply; // code assoc. w/ multi-line reply, or 0 std::list pending_cmd_q; // to support pipelining bool skip_data; // whether to skip message body - zeek::String* line_after_gap; // last line before the first reply + String* line_after_gap; // last line before the first reply // after a gap - zeek::analyzer::mime::MIME_Mail* mail; + analyzer::mime::MIME_Mail* mail; private: - zeek::analyzer::tcp::ContentLine_Analyzer* cl_orig; - zeek::analyzer::tcp::ContentLine_Analyzer* cl_resp; + analyzer::tcp::ContentLine_Analyzer* cl_orig; + analyzer::tcp::ContentLine_Analyzer* cl_resp; }; } // namespace zeek::analyzer::smtp diff --git a/src/analyzer/protocol/snmp/SNMP.cc b/src/analyzer/protocol/snmp/SNMP.cc index 53d859f71c..e86a37987d 100644 --- a/src/analyzer/protocol/snmp/SNMP.cc +++ b/src/analyzer/protocol/snmp/SNMP.cc @@ -8,7 +8,7 @@ namespace zeek::analyzer::snmp { -SNMP_Analyzer::SNMP_Analyzer(zeek::Connection* conn) +SNMP_Analyzer::SNMP_Analyzer(Connection* conn) : Analyzer("SNMP", conn) { interp = new binpac::SNMP::SNMP_Conn(this); @@ -26,7 +26,7 @@ void SNMP_Analyzer::Done() } void SNMP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, - uint64_t seq, const zeek::IP_Hdr* ip, int caplen) + uint64_t seq, const IP_Hdr* ip, int caplen) { Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); @@ -36,7 +36,7 @@ void SNMP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, } catch ( const binpac::Exception& e ) { - ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg())); + ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg())); } } diff --git a/src/analyzer/protocol/snmp/SNMP.h b/src/analyzer/protocol/snmp/SNMP.h index 3a609db8ae..d7074d9b62 100644 --- a/src/analyzer/protocol/snmp/SNMP.h +++ b/src/analyzer/protocol/snmp/SNMP.h @@ -6,18 +6,18 @@ namespace zeek::analyzer::snmp { -class SNMP_Analyzer final : public zeek::analyzer::Analyzer { +class SNMP_Analyzer final : public analyzer::Analyzer { public: - explicit SNMP_Analyzer(zeek::Connection* conn); + explicit SNMP_Analyzer(Connection* conn); virtual ~SNMP_Analyzer(); virtual void Done(); virtual void DeliverPacket(int len, const u_char* data, bool orig, - uint64_t seq, const zeek::IP_Hdr* ip, int caplen); + uint64_t seq, const IP_Hdr* ip, int caplen); - static zeek::analyzer::Analyzer* InstantiateAnalyzer(zeek::Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new SNMP_Analyzer(conn); } protected: diff --git a/src/analyzer/protocol/socks/SOCKS.cc b/src/analyzer/protocol/socks/SOCKS.cc index 328463912b..400d02afe7 100644 --- a/src/analyzer/protocol/socks/SOCKS.cc +++ b/src/analyzer/protocol/socks/SOCKS.cc @@ -6,8 +6,8 @@ namespace zeek::analyzer::socks { -SOCKS_Analyzer::SOCKS_Analyzer(zeek::Connection* conn) -: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("SOCKS", conn) +SOCKS_Analyzer::SOCKS_Analyzer(Connection* conn) +: analyzer::tcp::TCP_ApplicationAnalyzer("SOCKS", conn) { interp = new binpac::SOCKS::SOCKS_Conn(this); orig_done = resp_done = false; @@ -29,7 +29,7 @@ void SOCKS_Analyzer::EndpointDone(bool orig) void SOCKS_Analyzer::Done() { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); + analyzer::tcp::TCP_ApplicationAnalyzer::Done(); interp->FlowEOF(true); interp->FlowEOF(false); @@ -37,13 +37,13 @@ void SOCKS_Analyzer::Done() void SOCKS_Analyzer::EndpointEOF(bool is_orig) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); + analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); interp->FlowEOF(is_orig); } void SOCKS_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); + analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); assert(TCP()); @@ -60,7 +60,7 @@ void SOCKS_Analyzer::DeliverStream(int len, const u_char* data, bool orig) // are done with their part of the SOCKS protocol. if ( ! pia ) { - pia = new zeek::analyzer::pia::PIA_TCP(Conn()); + pia = new analyzer::pia::PIA_TCP(Conn()); if ( AddChildAnalyzer(pia) ) { pia->FirstPacket(true, nullptr); @@ -80,14 +80,14 @@ void SOCKS_Analyzer::DeliverStream(int len, const u_char* data, bool orig) } catch ( const binpac::Exception& e ) { - ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg())); + ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg())); } } } void SOCKS_Analyzer::Undelivered(uint64_t seq, int len, bool orig) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); + analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); interp->NewGap(orig, len); } diff --git a/src/analyzer/protocol/socks/SOCKS.h b/src/analyzer/protocol/socks/SOCKS.h index 9e5346ff4c..f3314f38d5 100644 --- a/src/analyzer/protocol/socks/SOCKS.h +++ b/src/analyzer/protocol/socks/SOCKS.h @@ -13,9 +13,9 @@ namespace binpac { namespace zeek::analyzer::socks { -class SOCKS_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { +class SOCKS_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer { public: - explicit SOCKS_Analyzer(zeek::Connection* conn); + explicit SOCKS_Analyzer(Connection* conn); ~SOCKS_Analyzer() override; void EndpointDone(bool orig); @@ -25,7 +25,7 @@ public: void Undelivered(uint64_t seq, int len, bool orig) override; void EndpointEOF(bool is_orig) override; - static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) + static analyzer::Analyzer* Instantiate(Connection* conn) { return new SOCKS_Analyzer(conn); } protected: @@ -33,7 +33,7 @@ protected: bool orig_done; bool resp_done; - zeek::analyzer::pia::PIA_TCP *pia; + analyzer::pia::PIA_TCP *pia; binpac::SOCKS::SOCKS_Conn* interp; }; diff --git a/src/analyzer/protocol/ssh/SSH.cc b/src/analyzer/protocol/ssh/SSH.cc index 518f175cbb..f30e36814f 100644 --- a/src/analyzer/protocol/ssh/SSH.cc +++ b/src/analyzer/protocol/ssh/SSH.cc @@ -11,8 +11,8 @@ namespace zeek::analyzer::ssh { -SSH_Analyzer::SSH_Analyzer(zeek::Connection* c) - : zeek::analyzer::tcp::TCP_ApplicationAnalyzer("SSH", c) +SSH_Analyzer::SSH_Analyzer(Connection* c) + : analyzer::tcp::TCP_ApplicationAnalyzer("SSH", c) { interp = new binpac::SSH::SSH_Conn(this); had_gap = false; @@ -30,7 +30,7 @@ SSH_Analyzer::~SSH_Analyzer() void SSH_Analyzer::Done() { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); + analyzer::tcp::TCP_ApplicationAnalyzer::Done(); interp->FlowEOF(true); interp->FlowEOF(false); @@ -38,13 +38,13 @@ void SSH_Analyzer::Done() void SSH_Analyzer::EndpointEOF(bool is_orig) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); + analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); interp->FlowEOF(is_orig); } void SSH_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); + analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); assert(TCP()); if ( TCP()->IsPartial() ) @@ -69,7 +69,7 @@ void SSH_Analyzer::DeliverStream(int len, const u_char* data, bool orig) } catch ( const binpac::Exception& e ) { - ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg())); + ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg())); } auto encrypted_len = interp->get_encrypted_bytes_in_current_segment(); @@ -83,7 +83,7 @@ void SSH_Analyzer::DeliverStream(int len, const u_char* data, bool orig) void SSH_Analyzer::Undelivered(uint64_t seq, int len, bool orig) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); + analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); had_gap = true; interp->NewGap(orig, len); } @@ -91,7 +91,7 @@ void SSH_Analyzer::Undelivered(uint64_t seq, int len, bool orig) void SSH_Analyzer::ProcessEncryptedSegment(int len, bool orig) { if ( ssh_encrypted_packet ) - zeek::BifEvent::enqueue_ssh_encrypted_packet(interp->bro_analyzer(), + BifEvent::enqueue_ssh_encrypted_packet(interp->bro_analyzer(), interp->bro_analyzer()->Conn(), orig, len); @@ -132,9 +132,9 @@ void SSH_Analyzer::ProcessEncrypted(int len, bool orig) { auth_decision_made = true; if ( ssh_auth_attempted ) - zeek::BifEvent::enqueue_ssh_auth_attempted(interp->bro_analyzer(), interp->bro_analyzer()->Conn(), true); + BifEvent::enqueue_ssh_auth_attempted(interp->bro_analyzer(), interp->bro_analyzer()->Conn(), true); if ( ssh_auth_successful ) - zeek::BifEvent::enqueue_ssh_auth_successful(interp->bro_analyzer(), interp->bro_analyzer()->Conn(), true); + BifEvent::enqueue_ssh_auth_successful(interp->bro_analyzer(), interp->bro_analyzer()->Conn(), true); return; } @@ -159,7 +159,7 @@ void SSH_Analyzer::ProcessEncrypted(int len, bool orig) if ( len == userauth_failure_size ) { if ( ssh_auth_attempted ) - zeek::BifEvent::enqueue_ssh_auth_attempted(interp->bro_analyzer(), interp->bro_analyzer()->Conn(), false); + BifEvent::enqueue_ssh_auth_attempted(interp->bro_analyzer(), interp->bro_analyzer()->Conn(), false); return; } @@ -168,9 +168,9 @@ void SSH_Analyzer::ProcessEncrypted(int len, bool orig) { auth_decision_made = true; if ( ssh_auth_attempted ) - zeek::BifEvent::enqueue_ssh_auth_attempted(interp->bro_analyzer(), interp->bro_analyzer()->Conn(), true); + BifEvent::enqueue_ssh_auth_attempted(interp->bro_analyzer(), interp->bro_analyzer()->Conn(), true); if ( ssh_auth_successful ) - zeek::BifEvent::enqueue_ssh_auth_successful(interp->bro_analyzer(), interp->bro_analyzer()->Conn(), false); + BifEvent::enqueue_ssh_auth_successful(interp->bro_analyzer(), interp->bro_analyzer()->Conn(), false); return; } } diff --git a/src/analyzer/protocol/ssh/SSH.h b/src/analyzer/protocol/ssh/SSH.h index 42647d2b06..a000010cde 100644 --- a/src/analyzer/protocol/ssh/SSH.h +++ b/src/analyzer/protocol/ssh/SSH.h @@ -9,10 +9,10 @@ namespace zeek::analyzer::ssh { -class SSH_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { +class SSH_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer { public: - explicit SSH_Analyzer(zeek::Connection* conn); + explicit SSH_Analyzer(Connection* conn); ~SSH_Analyzer() override; // Overriden from Analyzer. @@ -20,10 +20,10 @@ public: void DeliverStream(int len, const u_char* data, bool orig) override; void Undelivered(uint64_t seq, int len, bool orig) override; - // Overriden from zeek::analyzer::tcp::TCP_ApplicationAnalyzer. + // Overriden from analyzer::tcp::TCP_ApplicationAnalyzer. void EndpointEOF(bool is_orig) override; - static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) + static analyzer::Analyzer* Instantiate(Connection* conn) { return new SSH_Analyzer(conn); } protected: diff --git a/src/analyzer/protocol/ssl/DTLS.cc b/src/analyzer/protocol/ssl/DTLS.cc index 787c5c46b8..4ede9c6bfb 100644 --- a/src/analyzer/protocol/ssl/DTLS.cc +++ b/src/analyzer/protocol/ssl/DTLS.cc @@ -10,8 +10,8 @@ namespace zeek::analyzer::dtls { -DTLS_Analyzer::DTLS_Analyzer(zeek::Connection* c) -: zeek::analyzer::Analyzer("DTLS", c) +DTLS_Analyzer::DTLS_Analyzer(Connection* c) +: analyzer::Analyzer("DTLS", c) { interp = new binpac::DTLS::SSL_Conn(this); handshake_interp = new binpac::TLSHandshake::Handshake_Conn(this); @@ -32,7 +32,7 @@ void DTLS_Analyzer::Done() handshake_interp->FlowEOF(false); } -void DTLS_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64_t seq, const zeek::IP_Hdr* ip, int caplen) +void DTLS_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64_t seq, const IP_Hdr* ip, int caplen) { Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); @@ -66,7 +66,7 @@ void DTLS_Analyzer::SendHandshake(uint16_t raw_tls_version, uint8_t msg_type, ui } catch ( const binpac::Exception& e ) { - ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg())); + ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg())); } } diff --git a/src/analyzer/protocol/ssl/DTLS.h b/src/analyzer/protocol/ssl/DTLS.h index 84e3402b5a..1ef9727bec 100644 --- a/src/analyzer/protocol/ssl/DTLS.h +++ b/src/analyzer/protocol/ssl/DTLS.h @@ -9,21 +9,21 @@ namespace binpac { namespace TLSHandshake { class Handshake_Conn; } } namespace zeek::analyzer::dtls { -class DTLS_Analyzer final : public zeek::analyzer::Analyzer { +class DTLS_Analyzer final : public analyzer::Analyzer { public: - explicit DTLS_Analyzer(zeek::Connection* conn); + explicit DTLS_Analyzer(Connection* conn); ~DTLS_Analyzer() override; // Overriden from Analyzer. void Done() override; void DeliverPacket(int len, const u_char* data, bool orig, - uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override; + uint64_t seq, const IP_Hdr* ip, int caplen) override; void EndOfData(bool is_orig) override; void SendHandshake(uint16_t raw_tls_version, uint8_t msg_type, uint32_t length, const u_char* begin, const u_char* end, bool orig); - static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) + static analyzer::Analyzer* Instantiate(Connection* conn) { return new DTLS_Analyzer(conn); } protected: diff --git a/src/analyzer/protocol/ssl/SSL.cc b/src/analyzer/protocol/ssl/SSL.cc index 2330fa4000..eae5039c1a 100644 --- a/src/analyzer/protocol/ssl/SSL.cc +++ b/src/analyzer/protocol/ssl/SSL.cc @@ -10,8 +10,8 @@ namespace zeek::analyzer::ssl { -SSL_Analyzer::SSL_Analyzer(zeek::Connection* c) -: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("SSL", c) +SSL_Analyzer::SSL_Analyzer(Connection* c) +: analyzer::tcp::TCP_ApplicationAnalyzer("SSL", c) { interp = new binpac::SSL::SSL_Conn(this); handshake_interp = new binpac::TLSHandshake::Handshake_Conn(this); @@ -26,7 +26,7 @@ SSL_Analyzer::~SSL_Analyzer() void SSL_Analyzer::Done() { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); + analyzer::tcp::TCP_ApplicationAnalyzer::Done(); interp->FlowEOF(true); interp->FlowEOF(false); @@ -36,7 +36,7 @@ void SSL_Analyzer::Done() void SSL_Analyzer::EndpointEOF(bool is_orig) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); + analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); interp->FlowEOF(is_orig); handshake_interp->FlowEOF(is_orig); } @@ -50,7 +50,7 @@ void SSL_Analyzer::StartEncryption() void SSL_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); + analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); assert(TCP()); if ( TCP()->IsPartial() ) @@ -67,7 +67,7 @@ void SSL_Analyzer::DeliverStream(int len, const u_char* data, bool orig) } catch ( const binpac::Exception& e ) { - ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg())); + ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg())); } } @@ -80,13 +80,13 @@ void SSL_Analyzer::SendHandshake(uint16_t raw_tls_version, const u_char* begin, } catch ( const binpac::Exception& e ) { - ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg())); + ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg())); } } void SSL_Analyzer::Undelivered(uint64_t seq, int len, bool orig) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); + analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); had_gap = true; interp->NewGap(orig, len); } diff --git a/src/analyzer/protocol/ssl/SSL.h b/src/analyzer/protocol/ssl/SSL.h index 820b741a21..fcc8349280 100644 --- a/src/analyzer/protocol/ssl/SSL.h +++ b/src/analyzer/protocol/ssl/SSL.h @@ -10,9 +10,9 @@ namespace binpac { namespace TLSHandshake { class Handshake_Conn; } } namespace zeek::analyzer::ssl { -class SSL_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { +class SSL_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer { public: - explicit SSL_Analyzer(zeek::Connection* conn); + explicit SSL_Analyzer(Connection* conn); ~SSL_Analyzer() override; // Overriden from Analyzer. @@ -25,10 +25,10 @@ public: // Tell the analyzer that encryption has started. void StartEncryption(); - // Overriden from zeek::analyzer::tcp::TCP_ApplicationAnalyzer. + // Overriden from analyzer::tcp::TCP_ApplicationAnalyzer. void EndpointEOF(bool is_orig) override; - static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) + static analyzer::Analyzer* Instantiate(Connection* conn) { return new SSL_Analyzer(conn); } protected: diff --git a/src/analyzer/protocol/stepping-stone/SteppingStone.cc b/src/analyzer/protocol/stepping-stone/SteppingStone.cc index 208a99dd6b..53f1fb7786 100644 --- a/src/analyzer/protocol/stepping-stone/SteppingStone.cc +++ b/src/analyzer/protocol/stepping-stone/SteppingStone.cc @@ -15,7 +15,7 @@ namespace zeek::analyzer::stepping_stone { -SteppingStoneEndpoint::SteppingStoneEndpoint(zeek::analyzer::tcp::TCP_Endpoint* e, SteppingStoneManager* m) +SteppingStoneEndpoint::SteppingStoneEndpoint(analyzer::tcp::TCP_Endpoint* e, SteppingStoneManager* m) { endp = e; stp_max_top_seq = 0; @@ -61,7 +61,7 @@ void SteppingStoneEndpoint::Done() } bool SteppingStoneEndpoint::DataSent(double t, uint64_t seq, int len, int caplen, - const u_char* data, const zeek::IP_Hdr* /* ip */, + const u_char* data, const IP_Hdr* /* ip */, const struct tcphdr* tp) { if ( caplen < len ) @@ -129,15 +129,15 @@ bool SteppingStoneEndpoint::DataSent(double t, uint64_t seq, int len, int caplen return true; } -void SteppingStoneEndpoint::Event(zeek::EventHandlerPtr f, int id1, int id2) +void SteppingStoneEndpoint::Event(EventHandlerPtr f, int id1, int id2) { if ( ! f ) return; if ( id2 >= 0 ) - endp->TCP()->EnqueueConnEvent(f, zeek::val_mgr->Int(id1), zeek::val_mgr->Int(id2)); + endp->TCP()->EnqueueConnEvent(f, val_mgr->Int(id1), val_mgr->Int(id2)); else - endp->TCP()->EnqueueConnEvent(f, zeek::val_mgr->Int(id1)); + endp->TCP()->EnqueueConnEvent(f, val_mgr->Int(id1)); } void SteppingStoneEndpoint::CreateEndpEvent(bool is_orig) @@ -147,15 +147,15 @@ void SteppingStoneEndpoint::CreateEndpEvent(bool is_orig) endp->TCP()->EnqueueConnEvent(stp_create_endp, endp->TCP()->ConnVal(), - zeek::val_mgr->Int(stp_id), - zeek::val_mgr->Bool(is_orig) + val_mgr->Int(stp_id), + val_mgr->Bool(is_orig) ); } -SteppingStone_Analyzer::SteppingStone_Analyzer(zeek::Connection* c) - : zeek::analyzer::tcp::TCP_ApplicationAnalyzer("STEPPINGSTONE", c) +SteppingStone_Analyzer::SteppingStone_Analyzer(Connection* c) + : analyzer::tcp::TCP_ApplicationAnalyzer("STEPPINGSTONE", c) { - stp_manager = zeek::sessions->GetSTPManager(); + stp_manager = sessions->GetSTPManager(); orig_endp = resp_endp = nullptr; orig_stream_pos = resp_stream_pos = 1; @@ -163,7 +163,7 @@ SteppingStone_Analyzer::SteppingStone_Analyzer(zeek::Connection* c) void SteppingStone_Analyzer::Init() { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Init(); + analyzer::tcp::TCP_ApplicationAnalyzer::Init(); assert(TCP()); orig_endp = new SteppingStoneEndpoint(TCP()->Orig(), stp_manager); @@ -172,32 +172,32 @@ void SteppingStone_Analyzer::Init() void SteppingStone_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, uint64_t seq, - const zeek::IP_Hdr* ip, int caplen) + const IP_Hdr* ip, int caplen) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, is_orig, seq, + analyzer::tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen); if ( is_orig ) - orig_endp->DataSent(zeek::run_state::network_time, seq, len, caplen, data, nullptr, nullptr); + orig_endp->DataSent(run_state::network_time, seq, len, caplen, data, nullptr, nullptr); else - resp_endp->DataSent(zeek::run_state::network_time, seq, len, caplen, data, nullptr, nullptr); + resp_endp->DataSent(run_state::network_time, seq, len, caplen, data, nullptr, nullptr); } void SteppingStone_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig); + analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig); if ( is_orig ) { - orig_endp->DataSent(zeek::run_state::network_time, orig_stream_pos, len, len, + orig_endp->DataSent(run_state::network_time, orig_stream_pos, len, len, data, nullptr, nullptr); orig_stream_pos += len; } else { - resp_endp->DataSent(zeek::run_state::network_time, resp_stream_pos, len, len, + resp_endp->DataSent(run_state::network_time, resp_stream_pos, len, len, data, nullptr, nullptr); resp_stream_pos += len; } @@ -205,7 +205,7 @@ void SteppingStone_Analyzer::DeliverStream(int len, const u_char* data, void SteppingStone_Analyzer::Done() { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); + analyzer::tcp::TCP_ApplicationAnalyzer::Done(); orig_endp->Done(); resp_endp->Done(); diff --git a/src/analyzer/protocol/stepping-stone/SteppingStone.h b/src/analyzer/protocol/stepping-stone/SteppingStone.h index cff86cda31..864173dcc3 100644 --- a/src/analyzer/protocol/stepping-stone/SteppingStone.h +++ b/src/analyzer/protocol/stepping-stone/SteppingStone.h @@ -12,20 +12,20 @@ namespace zeek::analyzer::stepping_stone { class SteppingStoneEndpoint; class SteppingStoneManager; -class SteppingStoneEndpoint : public zeek::Obj { +class SteppingStoneEndpoint : public Obj { public: - SteppingStoneEndpoint(zeek::analyzer::tcp::TCP_Endpoint* e, SteppingStoneManager* m); + SteppingStoneEndpoint(analyzer::tcp::TCP_Endpoint* e, SteppingStoneManager* m); ~SteppingStoneEndpoint() override; void Done(); bool DataSent(double t, uint64_t seq, int len, int caplen, const u_char* data, - const zeek::IP_Hdr* ip, const struct tcphdr* tp); + const IP_Hdr* ip, const struct tcphdr* tp); protected: - void Event(zeek::EventHandlerPtr f, int id1, int id2 = -1); + void Event(EventHandlerPtr f, int id1, int id2 = -1); void CreateEndpEvent(bool is_orig); - zeek::analyzer::tcp::TCP_Endpoint* endp; + analyzer::tcp::TCP_Endpoint* endp; uint64_t stp_max_top_seq; double stp_last_time; double stp_resume_time; @@ -40,22 +40,22 @@ protected: std::map stp_outbound_endps; }; -class SteppingStone_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { +class SteppingStone_Analyzer : public analyzer::tcp::TCP_ApplicationAnalyzer { public: - explicit SteppingStone_Analyzer(zeek::Connection* c); + explicit SteppingStone_Analyzer(Connection* c); ~SteppingStone_Analyzer() override {}; void Init() override; void Done() override; - static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) + static analyzer::Analyzer* Instantiate(Connection* conn) { return new SteppingStone_Analyzer(conn); } protected: // We support both packet and stream input and can be put in place even // if the TCP analyzer is not yet reassebmling. void DeliverPacket(int len, const u_char* data, bool is_orig, - uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override; + uint64_t seq, const IP_Hdr* ip, int caplen) override; void DeliverStream(int len, const u_char* data, bool is_orig) override; int orig_stream_pos; @@ -70,14 +70,14 @@ protected: class SteppingStoneManager { public: - zeek::PQueue& OrderedEndpoints() + PQueue& OrderedEndpoints() { return ordered_endps; } // Use postfix ++, since the first ID needs to be even. int NextID() { return endp_cnt++; } protected: - zeek::PQueue ordered_endps; + PQueue ordered_endps; int endp_cnt = 0; }; diff --git a/src/analyzer/protocol/syslog/Syslog.cc b/src/analyzer/protocol/syslog/Syslog.cc index 91edc9a77a..2fefdf5aec 100644 --- a/src/analyzer/protocol/syslog/Syslog.cc +++ b/src/analyzer/protocol/syslog/Syslog.cc @@ -6,7 +6,7 @@ namespace zeek::analyzer::syslog { -Syslog_Analyzer::Syslog_Analyzer(zeek::Connection* conn) +Syslog_Analyzer::Syslog_Analyzer(Connection* conn) : Analyzer("SYSLOG", conn) { interp = new binpac::Syslog::Syslog_Conn(this); @@ -28,7 +28,7 @@ void Syslog_Analyzer::Done() Event(udp_session_done); } -void Syslog_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64_t seq, const zeek::IP_Hdr* ip, int caplen) +void Syslog_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64_t seq, const IP_Hdr* ip, int caplen) { Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); interp->NewData(orig, data, data + len); @@ -49,8 +49,8 @@ void Syslog_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint // t + Syslog_session_timeout, true, TIMER_Syslog_EXPIRE); // } -//Syslog_tcp::TCP_Analyzer::Syslog_tcp::TCP_Analyzer(zeek::Connection* conn) -//: zeek::analyzer::tcp::TCP_ApplicationAnalyzer(conn) +//Syslog_tcp::TCP_Analyzer::Syslog_tcp::TCP_Analyzer(Connection* conn) +//: analyzer::tcp::TCP_ApplicationAnalyzer(conn) // { // interp = new binpac::Syslog_on_TCP::Syslog_TCP_Conn(this); // } @@ -62,7 +62,7 @@ void Syslog_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint //void Syslog_tcp::TCP_Analyzer::Done() // { -// zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); +// analyzer::tcp::TCP_ApplicationAnalyzer::Done(); // // interp->FlowEOF(true); // interp->FlowEOF(false); @@ -70,14 +70,14 @@ void Syslog_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint //void Syslog_tcp::TCP_Analyzer::EndpointEOF(tcp::TCP_Reassembler* endp) // { -// zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(endp); +// analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(endp); // interp->FlowEOF(endp->IsOrig()); // } //void Syslog_tcp::TCP_Analyzer::DeliverStream(int len, const u_char* data, // bool orig) // { -// zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); +// analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); // // assert(TCP()); // @@ -90,7 +90,7 @@ void Syslog_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint //void Syslog_tcp::TCP_Analyzer::Undelivered(uint64_t seq, int len, bool orig) // { -// zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); +// analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); // interp->NewGap(orig, len); // } diff --git a/src/analyzer/protocol/syslog/Syslog.h b/src/analyzer/protocol/syslog/Syslog.h index ec9ac6485d..46e81121c0 100644 --- a/src/analyzer/protocol/syslog/Syslog.h +++ b/src/analyzer/protocol/syslog/Syslog.h @@ -8,16 +8,16 @@ namespace zeek::analyzer::syslog { -class Syslog_Analyzer : public zeek::analyzer::Analyzer { +class Syslog_Analyzer : public analyzer::Analyzer { public: - explicit Syslog_Analyzer(zeek::Connection* conn); + explicit Syslog_Analyzer(Connection* conn); ~Syslog_Analyzer() override; void Done() override; void DeliverPacket(int len, const u_char* data, bool orig, - uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override; + uint64_t seq, const IP_Hdr* ip, int caplen) override; - static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) + static analyzer::Analyzer* Instantiate(Connection* conn) { return new Syslog_Analyzer(conn); } protected: @@ -28,9 +28,9 @@ protected: // #include "Syslog_tcp_pac.h" // -//class Syslog_tcp::TCP_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { +//class Syslog_tcp::TCP_Analyzer : public analyzer::tcp::TCP_ApplicationAnalyzer { //public: -// Syslog_tcp::TCP_Analyzer(zeek::Connection* conn); +// Syslog_tcp::TCP_Analyzer(Connection* conn); // virtual ~Syslog_tcp::TCP_Analyzer(); // // virtual void Done(); @@ -38,7 +38,7 @@ protected: // virtual void Undelivered(uint64_t seq, int len, bool orig); // virtual void EndpointEOF(tcp::TCP_Reassembler* endp); // -// static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) +// static analyzer::Analyzer* Instantiate(Connection* conn) // { return new Syslog_tcp::TCP_Analyzer(conn); } // //protected: diff --git a/src/analyzer/protocol/tcp/ContentLine.cc b/src/analyzer/protocol/tcp/ContentLine.cc index a8d88d4ded..20c62311e4 100644 --- a/src/analyzer/protocol/tcp/ContentLine.cc +++ b/src/analyzer/protocol/tcp/ContentLine.cc @@ -6,13 +6,13 @@ namespace zeek::analyzer::tcp { -ContentLine_Analyzer::ContentLine_Analyzer(zeek::Connection* conn, bool orig, int max_line_length) +ContentLine_Analyzer::ContentLine_Analyzer(Connection* conn, bool orig, int max_line_length) : TCP_SupportAnalyzer("CONTENTLINE", conn, orig), max_line_length(max_line_length) { InitState(); } -ContentLine_Analyzer::ContentLine_Analyzer(const char* name, zeek::Connection* conn, bool orig, int max_line_length) +ContentLine_Analyzer::ContentLine_Analyzer(const char* name, Connection* conn, bool orig, int max_line_length) : TCP_SupportAnalyzer(name, conn, orig), max_line_length(max_line_length) { InitState(); @@ -111,7 +111,7 @@ void ContentLine_Analyzer::SetPlainDelivery(int64_t length) { if ( length < 0 ) { - zeek::reporter->AnalyzerError( + reporter->AnalyzerError( this, "negative length for plain delivery"); return; } @@ -261,7 +261,7 @@ int ContentLine_Analyzer::DoDeliverOnce(int len, const u_char* data) else { - if ( ! suppress_weirds && Conn()->FlagEvent(zeek::SINGULAR_LF) ) + if ( ! suppress_weirds && Conn()->FlagEvent(SINGULAR_LF) ) Conn()->Weird("line_terminated_with_single_LF"); buf[offset++] = c; } @@ -280,7 +280,7 @@ int ContentLine_Analyzer::DoDeliverOnce(int len, const u_char* data) } if ( last_char == '\r' ) - if ( ! suppress_weirds && Conn()->FlagEvent(zeek::SINGULAR_CR) ) + if ( ! suppress_weirds && Conn()->FlagEvent(SINGULAR_CR) ) Conn()->Weird("line_terminated_with_single_CR"); last_char = c; @@ -310,7 +310,7 @@ void ContentLine_Analyzer::CheckNUL() ; // Ignore it. else { - if ( ! suppress_weirds && Conn()->FlagEvent(zeek::NUL_IN_LINE) ) + if ( ! suppress_weirds && Conn()->FlagEvent(NUL_IN_LINE) ) Conn()->Weird("NUL_in_line"); flag_NULs = false; } diff --git a/src/analyzer/protocol/tcp/ContentLine.h b/src/analyzer/protocol/tcp/ContentLine.h index cf7dd0866c..77732f7226 100644 --- a/src/analyzer/protocol/tcp/ContentLine.h +++ b/src/analyzer/protocol/tcp/ContentLine.h @@ -14,7 +14,7 @@ constexpr auto DEFAULT_MAX_LINE_LENGTH = 16 * 1024 * 1024 - 100; class ContentLine_Analyzer : public TCP_SupportAnalyzer { public: - ContentLine_Analyzer(zeek::Connection* conn, bool orig, int max_line_length=DEFAULT_MAX_LINE_LENGTH); + ContentLine_Analyzer(Connection* conn, bool orig, int max_line_length=DEFAULT_MAX_LINE_LENGTH); ~ContentLine_Analyzer() override; void SupressWeirds(bool enable) @@ -62,7 +62,7 @@ public: { return seq + length <= seq_to_skip; } protected: - ContentLine_Analyzer(const char* name, zeek::Connection* conn, bool orig, int max_line_length=DEFAULT_MAX_LINE_LENGTH); + ContentLine_Analyzer(const char* name, Connection* conn, bool orig, int max_line_length=DEFAULT_MAX_LINE_LENGTH); void DeliverStream(int len, const u_char* data, bool is_orig) override; void Undelivered(uint64_t seq, int len, bool orig) override; diff --git a/src/analyzer/protocol/tcp/Stats.cc b/src/analyzer/protocol/tcp/Stats.cc index c4b7e6cd07..efe1ff2668 100644 --- a/src/analyzer/protocol/tcp/Stats.cc +++ b/src/analyzer/protocol/tcp/Stats.cc @@ -38,7 +38,7 @@ unsigned int TCPStateStats::NumStatePartial() const return sum; } -void TCPStateStats::PrintStats(zeek::File* file, const char* prefix) +void TCPStateStats::PrintStats(File* file, const char* prefix) { file->Write(prefix); file->Write(" Inact. Syn. SA Part. Est. Fin. Rst.\n"); diff --git a/src/analyzer/protocol/tcp/Stats.h b/src/analyzer/protocol/tcp/Stats.h index 77c7fb8f58..66afaf7805 100644 --- a/src/analyzer/protocol/tcp/Stats.h +++ b/src/analyzer/protocol/tcp/Stats.h @@ -59,7 +59,7 @@ public: { return Cnt(TCP_ENDPOINT_INACTIVE); } unsigned int NumStatePartial() const; - void PrintStats(zeek::File* file, const char* prefix); + void PrintStats(File* file, const char* prefix); private: unsigned int state_cnt[TCP_ENDPOINT_RESET+1][TCP_ENDPOINT_RESET+1]; diff --git a/src/analyzer/protocol/tcp/TCP.cc b/src/analyzer/protocol/tcp/TCP.cc index 99fde8955c..bd21930ddd 100644 --- a/src/analyzer/protocol/tcp/TCP.cc +++ b/src/analyzer/protocol/tcp/TCP.cc @@ -41,7 +41,7 @@ namespace zeek::analyzer::tcp { static const int ORIG = 1; static const int RESP = 2; -static zeek::RecordVal* build_syn_packet_val(bool is_orig, const zeek::IP_Hdr* ip, +static RecordVal* build_syn_packet_val(bool is_orig, const IP_Hdr* ip, const struct tcphdr* tcp) { int winscale = -1; @@ -106,29 +106,29 @@ static zeek::RecordVal* build_syn_packet_val(bool is_orig, const zeek::IP_Hdr* i options += opt_len; } - static auto SYN_packet = zeek::id::find_type("SYN_packet"); - auto* v = new zeek::RecordVal(SYN_packet); + static auto SYN_packet = id::find_type("SYN_packet"); + auto* v = new RecordVal(SYN_packet); - v->Assign(0, zeek::val_mgr->Bool(is_orig)); - v->Assign(1, zeek::val_mgr->Bool(int(ip->DF()))); - v->Assign(2, zeek::val_mgr->Count((ip->TTL()))); - v->Assign(3, zeek::val_mgr->Count((ip->TotalLen()))); - v->Assign(4, zeek::val_mgr->Count(ntohs(tcp->th_win))); - v->Assign(5, zeek::val_mgr->Int(winscale)); - v->Assign(6, zeek::val_mgr->Count(MSS)); - v->Assign(7, zeek::val_mgr->Bool(SACK)); + v->Assign(0, val_mgr->Bool(is_orig)); + v->Assign(1, val_mgr->Bool(int(ip->DF()))); + v->Assign(2, val_mgr->Count((ip->TTL()))); + v->Assign(3, val_mgr->Count((ip->TotalLen()))); + v->Assign(4, val_mgr->Count(ntohs(tcp->th_win))); + v->Assign(5, val_mgr->Int(winscale)); + v->Assign(6, val_mgr->Count(MSS)); + v->Assign(7, val_mgr->Bool(SACK)); return v; } -TCP_Analyzer::TCP_Analyzer(zeek::Connection* conn) +TCP_Analyzer::TCP_Analyzer(Connection* conn) : TransportLayerAnalyzer("TCP", conn) { // Set a timer to eventually time out this connection. ADD_ANALYZER_TIMER(&TCP_Analyzer::ExpireTimer, - zeek::run_state::network_time + zeek::detail::tcp_SYN_timeout, false, - zeek::detail::TIMER_TCP_EXPIRE); + run_state::network_time + detail::tcp_SYN_timeout, false, + detail::TIMER_TCP_EXPIRE); deferred_gen_event = close_deferred = 0; @@ -166,7 +166,7 @@ void TCP_Analyzer::Done() { Analyzer::Done(); - if ( zeek::run_state::terminating && connection_pending && is_active && ! BothClosed() ) + if ( run_state::terminating && connection_pending && is_active && ! BothClosed() ) Event(connection_pending); LOOP_OVER_GIVEN_CHILDREN(i, packet_children) @@ -178,16 +178,16 @@ void TCP_Analyzer::Done() finished = 1; } -zeek::analyzer::Analyzer* TCP_Analyzer::FindChild(zeek::analyzer::ID arg_id) +analyzer::Analyzer* TCP_Analyzer::FindChild(analyzer::ID arg_id) { - zeek::analyzer::Analyzer* child = zeek::analyzer::TransportLayerAnalyzer::FindChild(arg_id); + analyzer::Analyzer* child = analyzer::TransportLayerAnalyzer::FindChild(arg_id); if ( child ) return child; LOOP_OVER_GIVEN_CHILDREN(i, packet_children) { - zeek::analyzer::Analyzer* child = (*i)->FindChild(arg_id); + analyzer::Analyzer* child = (*i)->FindChild(arg_id); if ( child ) return child; } @@ -195,16 +195,16 @@ zeek::analyzer::Analyzer* TCP_Analyzer::FindChild(zeek::analyzer::ID arg_id) return nullptr; } -zeek::analyzer::Analyzer* TCP_Analyzer::FindChild(zeek::analyzer::Tag arg_tag) +analyzer::Analyzer* TCP_Analyzer::FindChild(analyzer::Tag arg_tag) { - zeek::analyzer::Analyzer* child = zeek::analyzer::TransportLayerAnalyzer::FindChild(arg_tag); + analyzer::Analyzer* child = analyzer::TransportLayerAnalyzer::FindChild(arg_tag); if ( child ) return child; LOOP_OVER_GIVEN_CHILDREN(i, packet_children) { - zeek::analyzer::Analyzer* child = (*i)->FindChild(arg_tag); + analyzer::Analyzer* child = (*i)->FindChild(arg_tag); if ( child ) return child; } @@ -212,9 +212,9 @@ zeek::analyzer::Analyzer* TCP_Analyzer::FindChild(zeek::analyzer::Tag arg_tag) return nullptr; } -bool TCP_Analyzer::RemoveChildAnalyzer(zeek::analyzer::ID id) +bool TCP_Analyzer::RemoveChildAnalyzer(analyzer::ID id) { - auto rval = zeek::analyzer::TransportLayerAnalyzer::RemoveChildAnalyzer(id); + auto rval = analyzer::TransportLayerAnalyzer::RemoveChildAnalyzer(id); if ( rval ) return rval; @@ -275,7 +275,7 @@ const struct tcphdr* TCP_Analyzer::ExtractTCP_Header(const u_char*& data, bool TCP_Analyzer::ValidateChecksum(const struct tcphdr* tp, TCP_Endpoint* endpoint, int len, int caplen) { - if ( ! zeek::run_state::current_pkt->l3_checksummed && ! zeek::detail::ignore_checksums && caplen >= len && + if ( ! run_state::current_pkt->l3_checksummed && ! detail::ignore_checksums && caplen >= len && ! endpoint->ValidChecksum(tp, len) ) { Weird("bad_TCP_checksum"); @@ -495,8 +495,8 @@ void TCP_Analyzer::UpdateInactiveState(double t, if ( zeek::detail::tcp_attempt_delay ) ADD_ANALYZER_TIMER(&TCP_Analyzer::AttemptTimer, - t + zeek::detail::tcp_attempt_delay, true, - zeek::detail::TIMER_TCP_ATTEMPT); + t + detail::tcp_attempt_delay, true, + detail::TIMER_TCP_ATTEMPT); } else { @@ -787,19 +787,19 @@ void TCP_Analyzer::GeneratePacketEvent( { EnqueueConnEvent(tcp_packet, ConnVal(), - zeek::val_mgr->Bool(is_orig), - zeek::make_intrusive(flags.AsString()), - zeek::val_mgr->Count(rel_seq), - zeek::val_mgr->Count(flags.ACK() ? rel_ack : 0), - zeek::val_mgr->Count(len), + val_mgr->Bool(is_orig), + make_intrusive(flags.AsString()), + val_mgr->Count(rel_seq), + val_mgr->Count(flags.ACK() ? rel_ack : 0), + val_mgr->Count(len), // We need the min() here because Ethernet padding can lead to // caplen > len. - zeek::make_intrusive(std::min(caplen, len), (const char*) data) + make_intrusive(std::min(caplen, len), (const char*) data) ); } bool TCP_Analyzer::DeliverData(double t, const u_char* data, int len, int caplen, - const zeek::IP_Hdr* ip, const struct tcphdr* tp, + const IP_Hdr* ip, const struct tcphdr* tp, TCP_Endpoint* endpoint, uint64_t rel_data_seq, bool is_orig, TCP_Flags flags) { @@ -817,11 +817,11 @@ void TCP_Analyzer::CheckRecording(bool need_contents, TCP_Flags flags) Conn()->SetRecordCurrentPacket(record_current_packet); } -void TCP_Analyzer::CheckPIA_FirstPacket(bool is_orig, const zeek::IP_Hdr* ip) +void TCP_Analyzer::CheckPIA_FirstPacket(bool is_orig, const IP_Hdr* ip) { if ( is_orig && ! (first_packet_seen & ORIG) ) { - auto* pia = static_cast(Conn()->GetPrimaryPIA()); + auto* pia = static_cast(Conn()->GetPrimaryPIA()); if ( pia ) pia->FirstPacket(is_orig, ip); first_packet_seen |= ORIG; @@ -829,7 +829,7 @@ void TCP_Analyzer::CheckPIA_FirstPacket(bool is_orig, const zeek::IP_Hdr* ip) if ( ! is_orig && ! (first_packet_seen & RESP) ) { - auto* pia = static_cast(Conn()->GetPrimaryPIA()); + auto* pia = static_cast(Conn()->GetPrimaryPIA()); if ( pia ) pia->FirstPacket(is_orig, ip); first_packet_seen |= RESP; @@ -1044,7 +1044,7 @@ static int32_t update_last_seq(TCP_Endpoint* endpoint, uint32_t last_seq, } void TCP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, - uint64_t seq, const zeek::IP_Hdr* ip, int caplen) + uint64_t seq, const IP_Hdr* ip, int caplen) { TransportLayerAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen); @@ -1074,7 +1074,7 @@ void TCP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, uint32_t seq_one_past_segment = base_seq + seg_len; init_endpoint(endpoint, flags, base_seq, seq_one_past_segment, - zeek::run_state::current_timestamp); + run_state::current_timestamp); bool seq_underflow = false; uint64_t rel_seq = get_relative_seq(endpoint, base_seq, endpoint->LastSeq(), @@ -1091,19 +1091,19 @@ void TCP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, update_window(endpoint, ntohs(tp->th_win), base_seq, ack_seq, flags); if ( ! orig->did_close || ! resp->did_close ) - Conn()->SetLastTime(zeek::run_state::current_timestamp); + Conn()->SetLastTime(run_state::current_timestamp); if ( flags.SYN() ) { syn_weirds(flags, endpoint, len); - zeek::RecordVal* SYN_vals = build_syn_packet_val(is_orig, ip, tp); + RecordVal* SYN_vals = build_syn_packet_val(is_orig, ip, tp); init_window(endpoint, peer, flags, SYN_vals->GetField(5)->CoerceToInt(), base_seq, ack_seq); if ( connection_SYN_packet ) EnqueueConnEvent(connection_SYN_packet, ConnVal(), - zeek::IntrusivePtr{zeek::NewRef{}, SYN_vals} + IntrusivePtr{NewRef{}, SYN_vals} ); Unref(SYN_vals); @@ -1113,8 +1113,8 @@ void TCP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, { ++endpoint->FIN_cnt; - if ( endpoint->FIN_cnt >= zeek::detail::tcp_storm_thresh && zeek::run_state::current_timestamp < - endpoint->last_time + zeek::detail::tcp_storm_interarrival_thresh ) + if ( endpoint->FIN_cnt >= detail::tcp_storm_thresh && run_state::current_timestamp < + endpoint->last_time + detail::tcp_storm_interarrival_thresh ) Weird("FIN_storm"); endpoint->FIN_seq = rel_seq + seg_len; @@ -1124,8 +1124,8 @@ void TCP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, { ++endpoint->RST_cnt; - if ( endpoint->RST_cnt >= zeek::detail::tcp_storm_thresh && zeek::run_state::current_timestamp < - endpoint->last_time + zeek::detail::tcp_storm_interarrival_thresh ) + if ( endpoint->RST_cnt >= detail::tcp_storm_thresh && run_state::current_timestamp < + endpoint->last_time + detail::tcp_storm_interarrival_thresh ) Weird("RST_storm"); // This now happens often enough that it's @@ -1171,11 +1171,11 @@ void TCP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, } int32_t delta_last = update_last_seq(endpoint, seq_one_past_segment, flags, len); - endpoint->last_time = zeek::run_state::current_timestamp; + endpoint->last_time = run_state::current_timestamp; bool do_close; bool gen_event; - UpdateStateMachine(zeek::run_state::current_timestamp, endpoint, peer, base_seq, ack_seq, + UpdateStateMachine(run_state::current_timestamp, endpoint, peer, base_seq, ack_seq, len, delta_last, is_orig, flags, do_close, gen_event); if ( flags.ACK() ) @@ -1210,7 +1210,7 @@ void TCP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, if ( DEBUG_tcp_data_sent ) { DEBUG_MSG("%.6f before DataSent: len=%d caplen=%d skip=%d\n", - zeek::run_state::network_time, len, caplen, Skipping()); + run_state::network_time, len, caplen, Skipping()); } uint64_t rel_data_seq = flags.SYN() ? rel_seq + 1 : rel_seq; @@ -1218,7 +1218,7 @@ void TCP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, int need_contents = 0; if ( len > 0 && (caplen >= len || packet_children.size()) && ! flags.RST() && ! Skipping() && ! seq_underflow ) - need_contents = DeliverData(zeek::run_state::current_timestamp, data, len, caplen, ip, + need_contents = DeliverData(run_state::current_timestamp, data, len, caplen, ip, tp, endpoint, rel_data_seq, is_orig, flags); endpoint->CheckEOF(); @@ -1246,7 +1246,7 @@ void TCP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, if ( child->Removing() ) child->Done(); - DBG_LOG(zeek::DBG_ANALYZER, "%s deleted child %s", + DBG_LOG(DBG_ANALYZER, "%s deleted child %s", fmt_analyzer(this).c_str(), fmt_analyzer(child).c_str()); i = packet_children.erase(i); delete child; @@ -1276,7 +1276,7 @@ void TCP_Analyzer::FlipRoles() { Analyzer::FlipRoles(); - zeek::sessions->tcp_stats.FlipState(orig->state, resp->state); + sessions->tcp_stats.FlipState(orig->state, resp->state); TCP_Endpoint* tmp_ep = resp; resp = orig; orig = tmp_ep; @@ -1284,15 +1284,15 @@ void TCP_Analyzer::FlipRoles() resp->is_orig = !resp->is_orig; } -void TCP_Analyzer::UpdateConnVal(zeek::RecordVal *conn_val) +void TCP_Analyzer::UpdateConnVal(RecordVal *conn_val) { - zeek::RecordVal* orig_endp_val = conn_val->GetField("orig")->AsRecordVal(); - zeek::RecordVal* resp_endp_val = conn_val->GetField("resp")->AsRecordVal(); + RecordVal* orig_endp_val = conn_val->GetField("orig")->AsRecordVal(); + RecordVal* resp_endp_val = conn_val->GetField("resp")->AsRecordVal(); - orig_endp_val->Assign(0, zeek::val_mgr->Count(orig->Size())); - orig_endp_val->Assign(1, zeek::val_mgr->Count(int(orig->state))); - resp_endp_val->Assign(0, zeek::val_mgr->Count(resp->Size())); - resp_endp_val->Assign(1, zeek::val_mgr->Count(int(resp->state))); + orig_endp_val->Assign(0, val_mgr->Count(orig->Size())); + orig_endp_val->Assign(1, val_mgr->Count(int(orig->state))); + resp_endp_val->Assign(0, val_mgr->Count(resp->Size())); + resp_endp_val->Assign(1, val_mgr->Count(int(resp->state))); // Call children's UpdateConnVal Analyzer::UpdateConnVal(conn_val); @@ -1347,34 +1347,34 @@ int TCP_Analyzer::ParseTCPOptions(const struct tcphdr* tcp, bool is_orig) auto length = kind < 2 ? 1 : o[1]; EnqueueConnEvent(tcp_option, ConnVal(), - zeek::val_mgr->Bool(is_orig), - zeek::val_mgr->Count(kind), - zeek::val_mgr->Count(length) + val_mgr->Bool(is_orig), + val_mgr->Count(kind), + val_mgr->Count(length) ); } if ( tcp_options ) { - auto option_list = zeek::make_intrusive(zeek::BifType::Vector::TCP::OptionList); + auto option_list = make_intrusive(BifType::Vector::TCP::OptionList); - auto add_option_data = [](const zeek::RecordValPtr& rv, const u_char* odata, int olen) + auto add_option_data = [](const RecordValPtr& rv, const u_char* odata, int olen) { if ( olen <= 2 ) return; auto data_len = olen - 2; auto data = reinterpret_cast(odata + 2); - rv->Assign(2, zeek::make_intrusive(data_len, data)); + rv->Assign(2, make_intrusive(data_len, data)); }; for ( const auto& o : opts ) { auto kind = o[0]; auto length = kind < 2 ? 1 : o[1]; - auto option_record = zeek::make_intrusive(zeek::BifType::Record::TCP::Option); + auto option_record = make_intrusive(BifType::Record::TCP::Option); option_list->Assign(option_list->Size(), option_record); - option_record->Assign(0, zeek::val_mgr->Count(kind)); - option_record->Assign(1, zeek::val_mgr->Count(length)); + option_record->Assign(0, val_mgr->Count(kind)); + option_record->Assign(1, val_mgr->Count(length)); switch ( kind ) { case 2: @@ -1382,12 +1382,12 @@ int TCP_Analyzer::ParseTCPOptions(const struct tcphdr* tcp, bool is_orig) if ( length == 4 ) { auto mss = ntohs(*reinterpret_cast(o + 2)); - option_record->Assign(3, zeek::val_mgr->Count(mss)); + option_record->Assign(3, val_mgr->Count(mss)); } else { add_option_data(option_record, o, length); - Weird("tcp_option_mss_invalid_len", zeek::util::fmt("%d", length)); + Weird("tcp_option_mss_invalid_len", util::fmt("%d", length)); } break; @@ -1396,12 +1396,12 @@ int TCP_Analyzer::ParseTCPOptions(const struct tcphdr* tcp, bool is_orig) if ( length == 3 ) { auto scale = o[2]; - option_record->Assign(4, zeek::val_mgr->Count(scale)); + option_record->Assign(4, val_mgr->Count(scale)); } else { add_option_data(option_record, o, length); - Weird("tcp_option_window_scale_invalid_len", zeek::util::fmt("%d", length)); + Weird("tcp_option_window_scale_invalid_len", util::fmt("%d", length)); } break; @@ -1410,7 +1410,7 @@ int TCP_Analyzer::ParseTCPOptions(const struct tcphdr* tcp, bool is_orig) if ( length != 2 ) { add_option_data(option_record, o, length); - Weird("tcp_option_sack_invalid_len", zeek::util::fmt("%d", length)); + Weird("tcp_option_sack_invalid_len", util::fmt("%d", length)); } break; @@ -1421,18 +1421,18 @@ int TCP_Analyzer::ParseTCPOptions(const struct tcphdr* tcp, bool is_orig) { auto p = reinterpret_cast(o + 2); auto num_pointers = (length - 2) / 4; - auto vt = zeek::id::index_vec; - auto sack = zeek::make_intrusive(std::move(vt)); + auto vt = id::index_vec; + auto sack = make_intrusive(std::move(vt)); for ( auto i = 0; i < num_pointers; ++i ) - sack->Assign(sack->Size(), zeek::val_mgr->Count(ntohl(p[i]))); + sack->Assign(sack->Size(), val_mgr->Count(ntohl(p[i]))); option_record->Assign(5, sack); } else { add_option_data(option_record, o, length); - Weird("tcp_option_sack_blocks_invalid_len", zeek::util::fmt("%d", length)); + Weird("tcp_option_sack_blocks_invalid_len", util::fmt("%d", length)); } break; @@ -1442,13 +1442,13 @@ int TCP_Analyzer::ParseTCPOptions(const struct tcphdr* tcp, bool is_orig) { auto send = ntohl(*reinterpret_cast(o + 2)); auto echo = ntohl(*reinterpret_cast(o + 6)); - option_record->Assign(6, zeek::val_mgr->Count(send)); - option_record->Assign(7, zeek::val_mgr->Count(echo)); + option_record->Assign(6, val_mgr->Count(send)); + option_record->Assign(7, val_mgr->Count(echo)); } else { add_option_data(option_record, o, length); - Weird("tcp_option_timestamps_invalid_len", zeek::util::fmt("%d", length)); + Weird("tcp_option_timestamps_invalid_len", util::fmt("%d", length)); } break; @@ -1460,7 +1460,7 @@ int TCP_Analyzer::ParseTCPOptions(const struct tcphdr* tcp, bool is_orig) EnqueueConnEvent(tcp_options, ConnVal(), - zeek::val_mgr->Bool(is_orig), + val_mgr->Bool(is_orig), std::move(option_list) ); } @@ -1484,7 +1484,7 @@ void TCP_Analyzer::AttemptTimer(double /* t */) is_active = 0; // All done with this connection. - zeek::sessions->Remove(Conn()); + sessions->Remove(Conn()); } } @@ -1504,7 +1504,7 @@ void TCP_Analyzer::PartialCloseTimer(double /* t */) return; Event(connection_partial_close); - zeek::sessions->Remove(Conn()); + sessions->Remove(Conn()); } } @@ -1534,7 +1534,7 @@ void TCP_Analyzer::ExpireTimer(double t) // the session remove and Unref() us here. Event(connection_timeout); is_active = 0; - zeek::sessions->Remove(Conn()); + sessions->Remove(Conn()); return; } } @@ -1549,7 +1549,7 @@ void TCP_Analyzer::ExpireTimer(double t) // before setting up an attempt timer, // so we need to clean it up here. Event(connection_timeout); - zeek::sessions->Remove(Conn()); + sessions->Remove(Conn()); return; } } @@ -1570,12 +1570,12 @@ void TCP_Analyzer::ResetTimer(double /* t */) if ( ! BothClosed() ) ConnectionReset(); - zeek::sessions->Remove(Conn()); + sessions->Remove(Conn()); } void TCP_Analyzer::DeleteTimer(double /* t */) { - zeek::sessions->Remove(Conn()); + sessions->Remove(Conn()); } void TCP_Analyzer::ConnDeleteTimer(double t) @@ -1583,7 +1583,7 @@ void TCP_Analyzer::ConnDeleteTimer(double t) Conn()->DeleteTimer(t); } -void TCP_Analyzer::SetContentsFile(unsigned int direction, zeek::FilePtr f) +void TCP_Analyzer::SetContentsFile(unsigned int direction, FilePtr f) { if ( direction == CONTENTS_NONE ) { @@ -1600,7 +1600,7 @@ void TCP_Analyzer::SetContentsFile(unsigned int direction, zeek::FilePtr f) } } -zeek::FilePtr TCP_Analyzer::GetContentsFile(unsigned int direction) const +FilePtr TCP_Analyzer::GetContentsFile(unsigned int direction) const { switch ( direction ) { case CONTENTS_NONE: @@ -1623,7 +1623,7 @@ zeek::FilePtr TCP_Analyzer::GetContentsFile(unsigned int direction) const break; } - zeek::reporter->Error("bad direction %u in TCP_Analyzer::GetContentsFile", + reporter->Error("bad direction %u in TCP_Analyzer::GetContentsFile", direction); return nullptr; } @@ -1664,8 +1664,7 @@ void TCP_Analyzer::ConnectionClosed(TCP_Endpoint* endpoint, TCP_Endpoint* peer, if ( DEBUG_tcp_connection_close ) { DEBUG_MSG("%.6f close_complete=%d tcp_close_delay=%f\n", - zeek::run_state::network_time, close_complete, - zeek::detail::tcp_close_delay); + run_state::network_time, close_complete, detail::tcp_close_delay); } if ( close_complete ) @@ -1694,7 +1693,7 @@ void TCP_Analyzer::ConnectionClosed(TCP_Endpoint* endpoint, TCP_Endpoint* peer, // Note, even if tcp_close_delay is zero, we can't // simply do: // - // zeek::sessions->Remove(this); + // sessions->Remove(this); // // here, because that would cause the object to be // deleted out from under us. @@ -1761,9 +1760,9 @@ bool TCP_Analyzer::HadGap(bool is_orig) const return endp && endp->HadGap(); } -void TCP_Analyzer::AddChildPacketAnalyzer(zeek::analyzer::Analyzer* a) +void TCP_Analyzer::AddChildPacketAnalyzer(analyzer::Analyzer* a) { - DBG_LOG(zeek::DBG_ANALYZER, "%s added packet child %s", + DBG_LOG(DBG_ANALYZER, "%s added packet child %s", this->GetAnalyzerName(), a->GetAnalyzerName()); packet_children.push_back(a); @@ -1783,7 +1782,7 @@ void TCP_Analyzer::EndpointEOF(TCP_Reassembler* endp) if ( connection_EOF ) EnqueueConnEvent(connection_EOF, ConnVal(), - zeek::val_mgr->Bool(endp->IsOrig()) + val_mgr->Bool(endp->IsOrig()) ); const analyzer_list& children(GetChildren()); @@ -1902,12 +1901,12 @@ void TCP_ApplicationAnalyzer::ProtocolViolation(const char* reason, void TCP_ApplicationAnalyzer::DeliverPacket(int len, const u_char* data, bool is_orig, uint64_t seq, - const zeek::IP_Hdr* ip, int caplen) + const IP_Hdr* ip, int caplen) { Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen); - DBG_LOG(zeek::DBG_ANALYZER, "TCP_ApplicationAnalyzer ignoring DeliverPacket(%d, %s, %" PRIu64", %p, %d) [%s%s]", + DBG_LOG(DBG_ANALYZER, "TCP_ApplicationAnalyzer ignoring DeliverPacket(%d, %s, %" PRIu64", %p, %d) [%s%s]", len, is_orig ? "T" : "F", seq, ip, caplen, - zeek::util::fmt_bytes((const char*) data, std::min(40, len)), len > 40 ? "..." : ""); + util::fmt_bytes((const char*) data, std::min(40, len)), len > 40 ? "..." : ""); } void TCP_ApplicationAnalyzer::SetEnv(bool /* is_orig */, char* name, char* val) @@ -1918,7 +1917,7 @@ void TCP_ApplicationAnalyzer::SetEnv(bool /* is_orig */, char* name, char* val) void TCP_ApplicationAnalyzer::EndpointEOF(bool is_orig) { - zeek::analyzer::SupportAnalyzer* sa = is_orig ? orig_supporters : resp_supporters; + analyzer::SupportAnalyzer* sa = is_orig ? orig_supporters : resp_supporters; for ( ; sa; sa = sa->Sibling() ) static_cast(sa)->EndpointEOF(is_orig); } @@ -1926,7 +1925,7 @@ void TCP_ApplicationAnalyzer::EndpointEOF(bool is_orig) void TCP_ApplicationAnalyzer::ConnectionClosed(TCP_Endpoint* endpoint, TCP_Endpoint* peer, bool gen_event) { - zeek::analyzer::SupportAnalyzer* sa = + analyzer::SupportAnalyzer* sa = endpoint->IsOrig() ? orig_supporters : resp_supporters; for ( ; sa; sa = sa->Sibling() ) @@ -1936,30 +1935,30 @@ void TCP_ApplicationAnalyzer::ConnectionClosed(TCP_Endpoint* endpoint, void TCP_ApplicationAnalyzer::ConnectionFinished(bool half_finished) { - for ( zeek::analyzer::SupportAnalyzer* sa = orig_supporters; sa; sa = sa->Sibling() ) + for ( analyzer::SupportAnalyzer* sa = orig_supporters; sa; sa = sa->Sibling() ) static_cast(sa) ->ConnectionFinished(half_finished); - for ( zeek::analyzer::SupportAnalyzer* sa = resp_supporters; sa; sa = sa->Sibling() ) + for ( analyzer::SupportAnalyzer* sa = resp_supporters; sa; sa = sa->Sibling() ) static_cast(sa) ->ConnectionFinished(half_finished); } void TCP_ApplicationAnalyzer::ConnectionReset() { - for ( zeek::analyzer::SupportAnalyzer* sa = orig_supporters; sa; sa = sa->Sibling() ) + for ( analyzer::SupportAnalyzer* sa = orig_supporters; sa; sa = sa->Sibling() ) static_cast(sa)->ConnectionReset(); - for ( zeek::analyzer::SupportAnalyzer* sa = resp_supporters; sa; sa = sa->Sibling() ) + for ( analyzer::SupportAnalyzer* sa = resp_supporters; sa; sa = sa->Sibling() ) static_cast(sa)->ConnectionReset(); } void TCP_ApplicationAnalyzer::PacketWithRST() { - for ( zeek::analyzer::SupportAnalyzer* sa = orig_supporters; sa; sa = sa->Sibling() ) + for ( analyzer::SupportAnalyzer* sa = orig_supporters; sa; sa = sa->Sibling() ) static_cast(sa)->PacketWithRST(); - for ( zeek::analyzer::SupportAnalyzer* sa = resp_supporters; sa; sa = sa->Sibling() ) + for ( analyzer::SupportAnalyzer* sa = resp_supporters; sa; sa = sa->Sibling() ) static_cast(sa)->PacketWithRST(); } @@ -1984,7 +1983,7 @@ int endian_flip(int n) bool TCPStats_Endpoint::DataSent(double /* t */, uint64_t seq, int len, int caplen, const u_char* /* data */, - const zeek::IP_Hdr* ip, const struct tcphdr* /* tp */) + const IP_Hdr* ip, const struct tcphdr* /* tp */) { if ( ++num_pkts == 1 ) { // First packet. @@ -2051,23 +2050,23 @@ bool TCPStats_Endpoint::DataSent(double /* t */, uint64_t seq, int len, int capl int64_t sequence_delta = top_seq - max_top_seq; if ( sequence_delta <= 0 ) { - if ( ! zeek::BifConst::ignore_keep_alive_rexmit || len > 1 || data_in_flight > 0 ) + if ( ! BifConst::ignore_keep_alive_rexmit || len > 1 || data_in_flight > 0 ) { ++num_rxmit; num_rxmit_bytes += len; } DEBUG_MSG("%.6f rexmit %" PRIu64" + %d <= %" PRIu64" data_in_flight = %d\n", - zeek::run_state::network_time, seq, len, max_top_seq, data_in_flight); + run_state::network_time, seq, len, max_top_seq, data_in_flight); if ( tcp_rexmit ) endp->TCP()->EnqueueConnEvent(tcp_rexmit, endp->TCP()->ConnVal(), - zeek::val_mgr->Bool(endp->IsOrig()), - zeek::val_mgr->Count(seq), - zeek::val_mgr->Count(len), - zeek::val_mgr->Count(data_in_flight), - zeek::val_mgr->Count(endp->peer->window) + val_mgr->Bool(endp->IsOrig()), + val_mgr->Count(seq), + val_mgr->Count(len), + val_mgr->Count(data_in_flight), + val_mgr->Count(endp->peer->window) ); } else @@ -2076,23 +2075,23 @@ bool TCPStats_Endpoint::DataSent(double /* t */, uint64_t seq, int len, int capl return false; } -zeek::RecordVal* TCPStats_Endpoint::BuildStats() +RecordVal* TCPStats_Endpoint::BuildStats() { - static auto endpoint_stats = zeek::id::find_type("endpoint_stats"); - auto* stats = new zeek::RecordVal(endpoint_stats); + static auto endpoint_stats = id::find_type("endpoint_stats"); + auto* stats = new RecordVal(endpoint_stats); - stats->Assign(0, zeek::val_mgr->Count(num_pkts)); - stats->Assign(1, zeek::val_mgr->Count(num_rxmit)); - stats->Assign(2, zeek::val_mgr->Count(num_rxmit_bytes)); - stats->Assign(3, zeek::val_mgr->Count(num_in_order)); - stats->Assign(4, zeek::val_mgr->Count(num_OO)); - stats->Assign(5, zeek::val_mgr->Count(num_repl)); - stats->Assign(6, zeek::val_mgr->Count(endian_type)); + stats->Assign(0, val_mgr->Count(num_pkts)); + stats->Assign(1, val_mgr->Count(num_rxmit)); + stats->Assign(2, val_mgr->Count(num_rxmit_bytes)); + stats->Assign(3, val_mgr->Count(num_in_order)); + stats->Assign(4, val_mgr->Count(num_OO)); + stats->Assign(5, val_mgr->Count(num_repl)); + stats->Assign(6, val_mgr->Count(endian_type)); return stats; } -TCPStats_Analyzer::TCPStats_Analyzer(zeek::Connection* c) +TCPStats_Analyzer::TCPStats_Analyzer(Connection* c) : TCP_ApplicationAnalyzer("TCPSTATS", c), orig_stats(), resp_stats() { @@ -2119,19 +2118,19 @@ void TCPStats_Analyzer::Done() if ( conn_stats ) EnqueueConnEvent(conn_stats, ConnVal(), - zeek::IntrusivePtr{zeek::AdoptRef{}, orig_stats->BuildStats()}, - zeek::IntrusivePtr{zeek::AdoptRef{}, resp_stats->BuildStats()} + IntrusivePtr{AdoptRef{}, orig_stats->BuildStats()}, + IntrusivePtr{AdoptRef{}, resp_stats->BuildStats()} ); } -void TCPStats_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, uint64_t seq, const zeek::IP_Hdr* ip, int caplen) +void TCPStats_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, uint64_t seq, const IP_Hdr* ip, int caplen) { TCP_ApplicationAnalyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen); if ( is_orig ) - orig_stats->DataSent(zeek::run_state::network_time, seq, len, caplen, data, ip, nullptr); + orig_stats->DataSent(run_state::network_time, seq, len, caplen, data, ip, nullptr); else - resp_stats->DataSent(zeek::run_state::network_time, seq, len, caplen, data, ip, nullptr); + resp_stats->DataSent(run_state::network_time, seq, len, caplen, data, ip, nullptr); } } // namespace zeek::analyzer::tcp diff --git a/src/analyzer/protocol/tcp/TCP.h b/src/analyzer/protocol/tcp/TCP.h index 22d6c9fa31..60c8af9a79 100644 --- a/src/analyzer/protocol/tcp/TCP.h +++ b/src/analyzer/protocol/tcp/TCP.h @@ -21,20 +21,20 @@ ZEEK_FORWARD_DECLARE_NAMESPACED(TCP_ApplicationAnalyzer, zeek, analyzer::tcp); namespace zeek::analyzer::tcp { -class TCP_Analyzer final : public zeek::analyzer::TransportLayerAnalyzer { +class TCP_Analyzer final : public analyzer::TransportLayerAnalyzer { public: - explicit TCP_Analyzer(zeek::Connection* conn); + explicit TCP_Analyzer(Connection* conn); ~TCP_Analyzer() override; void EnableReassembly(); // Add a child analyzer that will always get the packets, // independently of whether we do any reassembly. - void AddChildPacketAnalyzer(zeek::analyzer::Analyzer* a); + void AddChildPacketAnalyzer(analyzer::Analyzer* a); - Analyzer* FindChild(zeek::analyzer::ID id) override; - Analyzer* FindChild(zeek::analyzer::Tag tag) override; - bool RemoveChildAnalyzer(zeek::analyzer::ID id) override; + Analyzer* FindChild(analyzer::ID id) override; + Analyzer* FindChild(analyzer::Tag tag) override; + bool RemoveChildAnalyzer(analyzer::ID id) override; // True if the connection has closed in some sense, false otherwise. bool IsClosed() const { return orig->did_close || resp->did_close; } @@ -60,27 +60,27 @@ public: // the test is whether it has any outstanding, un-acked data. bool DataPending(TCP_Endpoint* closing_endp); - void SetContentsFile(unsigned int direction, zeek::FilePtr f) override; - zeek::FilePtr GetContentsFile(unsigned int direction) const override; + void SetContentsFile(unsigned int direction, FilePtr f) override; + FilePtr GetContentsFile(unsigned int direction) const override; // From Analyzer.h - void UpdateConnVal(zeek::RecordVal *conn_val) override; + void UpdateConnVal(RecordVal *conn_val) override; int ParseTCPOptions(const struct tcphdr* tcp, bool is_orig); - static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) + static analyzer::Analyzer* Instantiate(Connection* conn) { return new TCP_Analyzer(conn); } protected: friend class TCP_ApplicationAnalyzer; friend class TCP_Reassembler; - friend class zeek::analyzer::pia::PIA_TCP; + friend class analyzer::pia::PIA_TCP; // Analyzer interface. void Init() override; void Done() override; void DeliverPacket(int len, const u_char* data, bool orig, uint64_t seq, - const zeek::IP_Hdr* ip, int caplen) override; + const IP_Hdr* ip, int caplen) override; void DeliverStream(int len, const u_char* data, bool orig) override; void Undelivered(uint64_t seq, int len, bool orig) override; void FlipRoles() override; @@ -135,14 +135,14 @@ protected: bool is_orig, TCP_Flags flags); bool DeliverData(double t, const u_char* data, int len, int caplen, - const zeek::IP_Hdr* ip, const struct tcphdr* tp, + const IP_Hdr* ip, const struct tcphdr* tp, TCP_Endpoint* endpoint, uint64_t rel_data_seq, bool is_orig, TCP_Flags flags); void CheckRecording(bool need_contents, TCP_Flags flags); - void CheckPIA_FirstPacket(bool is_orig, const zeek::IP_Hdr* ip); + void CheckPIA_FirstPacket(bool is_orig, const IP_Hdr* ip); - friend class zeek::detail::ConnectionTimer; + friend class detail::ConnectionTimer; void AttemptTimer(double t); void PartialCloseTimer(double t); void ExpireTimer(double t); @@ -170,7 +170,7 @@ private: TCP_Endpoint* orig; TCP_Endpoint* resp; - using analyzer_list = std::list; + using analyzer_list = std::list; analyzer_list packet_children; unsigned int first_packet_seen: 2; @@ -190,12 +190,12 @@ private: unsigned int seen_first_ACK: 1; }; -class TCP_ApplicationAnalyzer : public zeek::analyzer::Analyzer { +class TCP_ApplicationAnalyzer : public analyzer::Analyzer { public: - TCP_ApplicationAnalyzer(const char* name, zeek::Connection* conn) + TCP_ApplicationAnalyzer(const char* name, Connection* conn) : Analyzer(name, conn), tcp(nullptr) { } - explicit TCP_ApplicationAnalyzer(zeek::Connection* conn) + explicit TCP_ApplicationAnalyzer(Connection* conn) : Analyzer(conn), tcp(nullptr) { } ~TCP_ApplicationAnalyzer() override { } @@ -228,7 +228,7 @@ public: virtual void PacketWithRST(); void DeliverPacket(int len, const u_char* data, bool orig, - uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override; + uint64_t seq, const IP_Hdr* ip, int caplen) override; void Init() override; // This suppresses violations if the TCP connection wasn't @@ -244,10 +244,10 @@ private: TCP_Analyzer* tcp; }; -class TCP_SupportAnalyzer : public zeek::analyzer::SupportAnalyzer { +class TCP_SupportAnalyzer : public analyzer::SupportAnalyzer { public: - TCP_SupportAnalyzer(const char* name, zeek::Connection* conn, bool arg_orig) - : zeek::analyzer::SupportAnalyzer(name, conn, arg_orig) { } + TCP_SupportAnalyzer(const char* name, Connection* conn, bool arg_orig) + : analyzer::SupportAnalyzer(name, conn, arg_orig) { } ~TCP_SupportAnalyzer() override {} @@ -266,9 +266,9 @@ public: explicit TCPStats_Endpoint(TCP_Endpoint* endp); bool DataSent(double t, uint64_t seq, int len, int caplen, const u_char* data, - const zeek::IP_Hdr* ip, const struct tcphdr* tp); + const IP_Hdr* ip, const struct tcphdr* tp); - zeek::RecordVal* BuildStats(); + RecordVal* BuildStats(); protected: TCP_Endpoint* endp; @@ -285,18 +285,18 @@ protected: class TCPStats_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - explicit TCPStats_Analyzer(zeek::Connection* c); + explicit TCPStats_Analyzer(Connection* c); ~TCPStats_Analyzer() override; void Init() override; void Done() override; - static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) + static analyzer::Analyzer* Instantiate(Connection* conn) { return new TCPStats_Analyzer(conn); } protected: void DeliverPacket(int len, const u_char* data, bool is_orig, - uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override; + uint64_t seq, const IP_Hdr* ip, int caplen) override; TCPStats_Endpoint* orig_stats; TCPStats_Endpoint* resp_stats; diff --git a/src/analyzer/protocol/tcp/TCP_Endpoint.cc b/src/analyzer/protocol/tcp/TCP_Endpoint.cc index 185d3da518..d50dc632e1 100644 --- a/src/analyzer/protocol/tcp/TCP_Endpoint.cc +++ b/src/analyzer/protocol/tcp/TCP_Endpoint.cc @@ -56,7 +56,7 @@ TCP_Endpoint::~TCP_Endpoint() delete contents_processor; } -zeek::Connection* TCP_Endpoint::Conn() const +Connection* TCP_Endpoint::Conn() const { return tcp_analyzer->Conn(); } @@ -72,7 +72,7 @@ void TCP_Endpoint::SetPeer(TCP_Endpoint* p) peer = p; if ( IsOrig() ) // Only one Endpoint adds the initial state to the counter. - zeek::sessions->tcp_stats.StateEntered(state, peer->state); + sessions->tcp_stats.StateEntered(state, peer->state); } bool TCP_Endpoint::HadGap() const @@ -156,10 +156,10 @@ void TCP_Endpoint::SetState(EndpointState new_state) prev_state = state; state = new_state; if ( IsOrig() ) - zeek::sessions->tcp_stats.ChangeState(prev_state, state, + sessions->tcp_stats.ChangeState(prev_state, state, peer->state, peer->state); else - zeek::sessions->tcp_stats.ChangeState(peer->state, peer->state, + sessions->tcp_stats.ChangeState(peer->state, peer->state, prev_state, state); } } @@ -201,7 +201,7 @@ uint64_t TCP_Endpoint::Size() const bool TCP_Endpoint::DataSent(double t, uint64_t seq, int len, int caplen, const u_char* data, - const zeek::IP_Hdr* ip, const struct tcphdr* tp) + const IP_Hdr* ip, const struct tcphdr* tp) { bool status = false; @@ -233,14 +233,14 @@ bool TCP_Endpoint::DataSent(double t, uint64_t seq, int len, int caplen, if ( fwrite(data, 1, len, f) < unsigned(len) ) { char buf[256]; - zeek::util::zeek_strerror_r(errno, buf, sizeof(buf)); - zeek::reporter->Error("TCP contents write failed: %s", buf); + util::zeek_strerror_r(errno, buf, sizeof(buf)); + reporter->Error("TCP contents write failed: %s", buf); if ( contents_file_write_failure ) tcp_analyzer->EnqueueConnEvent(contents_file_write_failure, Conn()->ConnVal(), - zeek::val_mgr->Bool(IsOrig()), - zeek::make_intrusive(buf) + val_mgr->Bool(IsOrig()), + make_intrusive(buf) ); } } @@ -254,7 +254,7 @@ void TCP_Endpoint::AckReceived(uint64_t seq) contents_processor->AckReceived(seq); } -void TCP_Endpoint::SetContentsFile(zeek::FilePtr f) +void TCP_Endpoint::SetContentsFile(FilePtr f) { contents_file = std::move(f); contents_start_seq = ToRelativeSeqSpace(last_seq, seq_wraps); diff --git a/src/analyzer/protocol/tcp/TCP_Endpoint.h b/src/analyzer/protocol/tcp/TCP_Endpoint.h index f6fde3babb..911bb46642 100644 --- a/src/analyzer/protocol/tcp/TCP_Endpoint.h +++ b/src/analyzer/protocol/tcp/TCP_Endpoint.h @@ -138,7 +138,7 @@ public: return ack == start || ack == start + 1; } - zeek::Connection* Conn() const; + Connection* Conn() const; bool HasContents() const { return contents_processor != nullptr; } bool HadGap() const; @@ -182,12 +182,12 @@ public: // Returns true if the data was used (and hence should be recorded // in the save file), false otherwise. bool DataSent(double t, uint64_t seq, int len, int caplen, const u_char* data, - const zeek::IP_Hdr* ip, const struct tcphdr* tp); + const IP_Hdr* ip, const struct tcphdr* tp); void AckReceived(uint64_t seq); - void SetContentsFile(zeek::FilePtr f); - const zeek::FilePtr& GetContentsFile() const { return contents_file; } + void SetContentsFile(FilePtr f); + const FilePtr& GetContentsFile() const { return contents_file; } // Codes used for tracking history. For responders, we shift these // over by 16 bits in order to fit both originator and responder @@ -210,12 +210,12 @@ public: TCP_Endpoint* peer; TCP_Reassembler* contents_processor; TCP_Analyzer* tcp_analyzer; - zeek::FilePtr contents_file; + FilePtr contents_file; uint32_t checksum_base; double start_time, last_time; - zeek::IPAddr src_addr; // the other endpoint - zeek::IPAddr dst_addr; // this endpoint + IPAddr src_addr; // the other endpoint + IPAddr dst_addr; // this endpoint uint32_t window; // current advertised window (*scaled*, not pre-scaling) int window_scale; // from the TCP option uint32_t window_ack_seq; // at which ack_seq number did we record 'window' diff --git a/src/analyzer/protocol/tcp/TCP_Reassembler.cc b/src/analyzer/protocol/tcp/TCP_Reassembler.cc index f8fad22f32..41d532ebce 100644 --- a/src/analyzer/protocol/tcp/TCP_Reassembler.cc +++ b/src/analyzer/protocol/tcp/TCP_Reassembler.cc @@ -19,11 +19,11 @@ constexpr bool DEBUG_tcp_contents = false; constexpr bool DEBUG_tcp_connection_close = false; constexpr bool DEBUG_tcp_match_undelivered = false; -TCP_Reassembler::TCP_Reassembler(zeek::analyzer::Analyzer* arg_dst_analyzer, +TCP_Reassembler::TCP_Reassembler(analyzer::Analyzer* arg_dst_analyzer, TCP_Analyzer* arg_tcp_analyzer, TCP_Reassembler::Type arg_type, TCP_Endpoint* arg_endp) - : zeek::Reassembler(1, zeek::REASSEM_TCP) + : Reassembler(1, REASSEM_TCP) { dst_analyzer = arg_dst_analyzer; tcp_analyzer = arg_tcp_analyzer; @@ -41,9 +41,9 @@ TCP_Reassembler::TCP_Reassembler(zeek::analyzer::Analyzer* arg_dst_analyzer, if ( ::tcp_contents ) { - static auto tcp_content_delivery_ports_orig = zeek::id::find_val("tcp_content_delivery_ports_orig"); - static auto tcp_content_delivery_ports_resp = zeek::id::find_val("tcp_content_delivery_ports_resp"); - const auto& dst_port_val = zeek::val_mgr->Port(ntohs(tcp_analyzer->Conn()->RespPort()), + static auto tcp_content_delivery_ports_orig = id::find_val("tcp_content_delivery_ports_orig"); + static auto tcp_content_delivery_ports_resp = id::find_val("tcp_content_delivery_ports_resp"); + const auto& dst_port_val = val_mgr->Port(ntohs(tcp_analyzer->Conn()->RespPort()), TRANSPORT_TCP); const auto& ports = IsOrig() ? tcp_content_delivery_ports_orig : @@ -92,11 +92,11 @@ uint64_t TCP_Reassembler::NumUndeliveredBytes() const return last_block.upper - last_reassem_seq; } -void TCP_Reassembler::SetContentsFile(zeek::FilePtr f) +void TCP_Reassembler::SetContentsFile(FilePtr f) { if ( ! f->IsOpen() ) { - zeek::reporter->Error("no such file \"%s\"", f->Name()); + reporter->Error("no such file \"%s\"", f->Name()); return; } @@ -130,7 +130,7 @@ static inline bool established_or_cleanly_closing(const TCP_Endpoint* a, static inline bool report_gap(const TCP_Endpoint* a, const TCP_Endpoint* b) { return content_gap && - ( zeek::BifConst::report_gaps_for_partial || + ( BifConst::report_gaps_for_partial || established_or_cleanly_closing(a, b) ); } @@ -148,9 +148,9 @@ void TCP_Reassembler::Gap(uint64_t seq, uint64_t len) if ( report_gap(endp, endp->peer) ) dst_analyzer->EnqueueConnEvent(content_gap, dst_analyzer->ConnVal(), - zeek::val_mgr->Bool(IsOrig()), - zeek::val_mgr->Count(seq), - zeek::val_mgr->Count(len) + val_mgr->Bool(IsOrig()), + val_mgr->Count(seq), + val_mgr->Count(len) ); if ( type == Direct ) @@ -203,9 +203,9 @@ void TCP_Reassembler::Undelivered(uint64_t up_to_seq) if ( up_to_seq <= last_reassem_seq ) // This should never happen. (Reassembler::TrimToSeq has the only call // to this method and only if this condition is not true). - zeek::reporter->InternalError("Calling Undelivered for data that has already been delivered (or has already been marked as undelivered"); + reporter->InternalError("Calling Undelivered for data that has already been delivered (or has already been marked as undelivered"); - if ( zeek::BifConst::detect_filtered_trace && last_reassem_seq == 1 && + if ( BifConst::detect_filtered_trace && last_reassem_seq == 1 && (endpoint->FIN_cnt > 0 || endpoint->RST_cnt > 0 || peer->FIN_cnt > 0 || peer->RST_cnt > 0) ) { @@ -225,7 +225,7 @@ void TCP_Reassembler::Undelivered(uint64_t up_to_seq) { DEBUG_MSG("%.6f Undelivered: IsOrig()=%d, seq=%" PRIu64", len=%" PRIu64", " "skip_deliveries=%d\n", - zeek::run_state::network_time, IsOrig(), last_reassem_seq, + run_state::network_time, IsOrig(), last_reassem_seq, up_to_seq - last_reassem_seq, skip_deliveries); } @@ -317,7 +317,7 @@ void TCP_Reassembler::MatchUndelivered(uint64_t up_to_seq, bool use_last_upper) } } -void TCP_Reassembler::RecordToSeq(uint64_t start_seq, uint64_t stop_seq, const zeek::FilePtr& f) +void TCP_Reassembler::RecordToSeq(uint64_t start_seq, uint64_t stop_seq, const FilePtr& f) { auto it = block_list.Begin(); @@ -348,37 +348,37 @@ void TCP_Reassembler::RecordToSeq(uint64_t start_seq, uint64_t stop_seq, const z RecordGap(last_seq, stop_seq, f); } -void TCP_Reassembler::RecordBlock(const zeek::DataBlock& b, const zeek::FilePtr& f) +void TCP_Reassembler::RecordBlock(const DataBlock& b, const FilePtr& f) { if ( f->Write((const char*) b.block, b.Size()) ) return; - zeek::reporter->Error("TCP_Reassembler contents write failed"); + reporter->Error("TCP_Reassembler contents write failed"); if ( contents_file_write_failure ) tcp_analyzer->EnqueueConnEvent(contents_file_write_failure, Endpoint()->Conn()->ConnVal(), - zeek::val_mgr->Bool(IsOrig()), - zeek::make_intrusive("TCP reassembler content write failure") + val_mgr->Bool(IsOrig()), + make_intrusive("TCP reassembler content write failure") ); } -void TCP_Reassembler::RecordGap(uint64_t start_seq, uint64_t upper_seq, const zeek::FilePtr& f) +void TCP_Reassembler::RecordGap(uint64_t start_seq, uint64_t upper_seq, const FilePtr& f) { - if ( f->Write(zeek::util::fmt("\n<>\n", upper_seq - start_seq)) ) + if ( f->Write(util::fmt("\n<>\n", upper_seq - start_seq)) ) return; - zeek::reporter->Error("TCP_Reassembler contents gap write failed"); + reporter->Error("TCP_Reassembler contents gap write failed"); if ( contents_file_write_failure ) tcp_analyzer->EnqueueConnEvent(contents_file_write_failure, Endpoint()->Conn()->ConnVal(), - zeek::val_mgr->Bool(IsOrig()), - zeek::make_intrusive("TCP reassembler gap write failure") + val_mgr->Bool(IsOrig()), + make_intrusive("TCP reassembler gap write failure") ); } -void TCP_Reassembler::BlockInserted(zeek::DataBlockMap::const_iterator it) +void TCP_Reassembler::BlockInserted(DataBlockMap::const_iterator it) { const auto& start_block = it->second; @@ -440,7 +440,7 @@ void TCP_Reassembler::BlockInserted(zeek::DataBlockMap::const_iterator it) void TCP_Reassembler::Overlap(const u_char* b1, const u_char* b2, uint64_t n) { if ( DEBUG_tcp_contents ) - DEBUG_MSG("%.6f TCP contents overlap: %" PRIu64" IsOrig()=%d\n", zeek::run_state::network_time, n, IsOrig()); + DEBUG_MSG("%.6f TCP contents overlap: %" PRIu64" IsOrig()=%d\n", run_state::network_time, n, IsOrig()); if ( rexmit_inconsistency && memcmp((const void*) b1, (const void*) b2, n) && @@ -448,14 +448,14 @@ void TCP_Reassembler::Overlap(const u_char* b1, const u_char* b2, uint64_t n) // we've ever seen for the connection. (n > 1 || endp->peer->HasDoneSomething()) ) { - zeek::String* b1_s = new zeek::String((const u_char*) b1, n, false); - zeek::String* b2_s = new zeek::String((const u_char*) b2, n, false); + String* b1_s = new String((const u_char*) b1, n, false); + String* b2_s = new String((const u_char*) b2, n, false); tcp_analyzer->EnqueueConnEvent(rexmit_inconsistency, tcp_analyzer->ConnVal(), - zeek::make_intrusive(b1_s), - zeek::make_intrusive(b2_s), - zeek::make_intrusive(flags.AsString()) + make_intrusive(b1_s), + make_intrusive(b2_s), + make_intrusive(flags.AsString()) ); } } @@ -477,7 +477,7 @@ bool TCP_Reassembler::DataSent(double t, uint64_t seq, int len, if ( DEBUG_tcp_contents ) { DEBUG_MSG("%.6f DataSent: IsOrig()=%d seq=%" PRIu64" upper=%" PRIu64" ack=%" PRIu64"\n", - zeek::run_state::network_time, IsOrig(), seq, upper_seq, ack); + run_state::network_time, IsOrig(), seq, upper_seq, ack); } if ( skip_deliveries ) @@ -534,7 +534,7 @@ void TCP_Reassembler::AckReceived(uint64_t seq) return; bool test_active = ! skip_deliveries && ! tcp_analyzer->Skipping() && - ( zeek::BifConst::report_gaps_for_partial || + ( BifConst::report_gaps_for_partial || (endp->state == TCP_ENDPOINT_ESTABLISHED && endp->peer->state == TCP_ENDPOINT_ESTABLISHED ) ); @@ -581,7 +581,7 @@ void TCP_Reassembler::CheckEOF() if ( DEBUG_tcp_connection_close ) { DEBUG_MSG("%.6f EOF for %d\n", - zeek::run_state::network_time, endp->IsOrig()); + run_state::network_time, endp->IsOrig()); } did_EOF = true; @@ -609,9 +609,9 @@ void TCP_Reassembler::DeliverBlock(uint64_t seq, int len, const u_char* data) if ( deliver_tcp_contents ) tcp_analyzer->EnqueueConnEvent(tcp_contents, tcp_analyzer->ConnVal(), - zeek::val_mgr->Bool(IsOrig()), - zeek::val_mgr->Count(seq), - zeek::make_intrusive(len, (const char*) data) + val_mgr->Bool(IsOrig()), + val_mgr->Count(seq), + make_intrusive(len, (const char*) data) ); // Q. Can we say this because it is already checked in DataSent()? diff --git a/src/analyzer/protocol/tcp/TCP_Reassembler.h b/src/analyzer/protocol/tcp/TCP_Reassembler.h index 53200b8c20..a633caac78 100644 --- a/src/analyzer/protocol/tcp/TCP_Reassembler.h +++ b/src/analyzer/protocol/tcp/TCP_Reassembler.h @@ -11,20 +11,20 @@ ZEEK_FORWARD_DECLARE_NAMESPACED(TCP_Analyzer, zeek, analyzer::tcp); namespace zeek::analyzer::tcp { -class TCP_Reassembler final : public zeek::Reassembler { +class TCP_Reassembler final : public Reassembler { public: enum Type { Direct, // deliver to destination analyzer itself Forward, // forward to destination analyzer's children }; - TCP_Reassembler(zeek::analyzer::Analyzer* arg_dst_analyzer, + TCP_Reassembler(analyzer::Analyzer* arg_dst_analyzer, TCP_Analyzer* arg_tcp_analyzer, Type arg_type, TCP_Endpoint* arg_endp); void Done(); - void SetDstAnalyzer(zeek::analyzer::Analyzer* analyzer) { dst_analyzer = analyzer; } + void SetDstAnalyzer(analyzer::Analyzer* analyzer) { dst_analyzer = analyzer; } void SetType(Type arg_type) { type = arg_type; } TCP_Analyzer* GetTCPAnalyzer() { return tcp_analyzer; } @@ -46,8 +46,8 @@ public: // from waiting_on_hole above; and is computed in a different fashion). uint64_t NumUndeliveredBytes() const; - void SetContentsFile(zeek::FilePtr f); - const zeek::FilePtr& GetContentsFile() const { return record_contents_file; } + void SetContentsFile(FilePtr f); + const FilePtr& GetContentsFile() const { return record_contents_file; } void MatchUndelivered(uint64_t up_to_seq, bool use_last_upper); @@ -85,11 +85,11 @@ private: void Undelivered(uint64_t up_to_seq) override; void Gap(uint64_t seq, uint64_t len); - void RecordToSeq(uint64_t start_seq, uint64_t stop_seq, const zeek::FilePtr& f); - void RecordBlock(const zeek::DataBlock& b, const zeek::FilePtr& f); - void RecordGap(uint64_t start_seq, uint64_t upper_seq, const zeek::FilePtr& f); + void RecordToSeq(uint64_t start_seq, uint64_t stop_seq, const FilePtr& f); + void RecordBlock(const DataBlock& b, const FilePtr& f); + void RecordGap(uint64_t start_seq, uint64_t upper_seq, const FilePtr& f); - void BlockInserted(zeek::DataBlockMap::const_iterator it) override; + void BlockInserted(DataBlockMap::const_iterator it) override; void Overlap(const u_char* b1, const u_char* b2, uint64_t n) override; TCP_Endpoint* endp; @@ -104,9 +104,9 @@ private: bool in_delivery; analyzer::tcp::TCP_Flags flags; - zeek::FilePtr record_contents_file; // file on which to reassemble contents + FilePtr record_contents_file; // file on which to reassemble contents - zeek::analyzer::Analyzer* dst_analyzer; + analyzer::Analyzer* dst_analyzer; TCP_Analyzer* tcp_analyzer; Type type; diff --git a/src/analyzer/protocol/teredo/Teredo.cc b/src/analyzer/protocol/teredo/Teredo.cc index d98455aa10..67ab721b1e 100644 --- a/src/analyzer/protocol/teredo/Teredo.cc +++ b/src/analyzer/protocol/teredo/Teredo.cc @@ -93,37 +93,37 @@ bool TeredoEncapsulation::DoParse(const u_char* data, int& len, return false; } -zeek::RecordValPtr TeredoEncapsulation::BuildVal(const zeek::IP_Hdr* inner) const +RecordValPtr TeredoEncapsulation::BuildVal(const IP_Hdr* inner) const { - static auto teredo_hdr_type = zeek::id::find_type("teredo_hdr"); - static auto teredo_auth_type = zeek::id::find_type("teredo_auth"); - static auto teredo_origin_type = zeek::id::find_type("teredo_origin"); + static auto teredo_hdr_type = id::find_type("teredo_hdr"); + static auto teredo_auth_type = id::find_type("teredo_auth"); + static auto teredo_origin_type = id::find_type("teredo_origin"); - auto teredo_hdr = zeek::make_intrusive(teredo_hdr_type); + auto teredo_hdr = make_intrusive(teredo_hdr_type); if ( auth ) { - auto teredo_auth = zeek::make_intrusive(teredo_auth_type); + auto teredo_auth = make_intrusive(teredo_auth_type); uint8_t id_len = *((uint8_t*)(auth + 2)); uint8_t au_len = *((uint8_t*)(auth + 3)); uint64_t nonce = ntohll(*((uint64_t*)(auth + 4 + id_len + au_len))); uint8_t conf = *((uint8_t*)(auth + 4 + id_len + au_len + 8)); - teredo_auth->Assign(0, zeek::make_intrusive( - new zeek::String(auth + 4, id_len, true))); - teredo_auth->Assign(1, zeek::make_intrusive( - new zeek::String(auth + 4 + id_len, au_len, true))); - teredo_auth->Assign(2, zeek::val_mgr->Count(nonce)); - teredo_auth->Assign(3, zeek::val_mgr->Count(conf)); + teredo_auth->Assign(0, make_intrusive( + new String(auth + 4, id_len, true))); + teredo_auth->Assign(1, make_intrusive( + new String(auth + 4 + id_len, au_len, true))); + teredo_auth->Assign(2, val_mgr->Count(nonce)); + teredo_auth->Assign(3, val_mgr->Count(conf)); teredo_hdr->Assign(0, std::move(teredo_auth)); } if ( origin_indication ) { - auto teredo_origin = zeek::make_intrusive(teredo_origin_type); + auto teredo_origin = make_intrusive(teredo_origin_type); uint16_t port = ntohs(*((uint16_t*)(origin_indication + 2))) ^ 0xFFFF; uint32_t addr = ntohl(*((uint32_t*)(origin_indication + 4))) ^ 0xFFFFFFFF; - teredo_origin->Assign(0, zeek::val_mgr->Port(port, TRANSPORT_UDP)); - teredo_origin->Assign(1, zeek::make_intrusive(htonl(addr))); + teredo_origin->Assign(0, val_mgr->Port(port, TRANSPORT_UDP)); + teredo_origin->Assign(1, make_intrusive(htonl(addr))); teredo_hdr->Assign(1, std::move(teredo_origin)); } @@ -140,7 +140,7 @@ void Teredo_Analyzer::Done() } void Teredo_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, - uint64_t seq, const zeek::IP_Hdr* ip, int caplen) + uint64_t seq, const IP_Hdr* ip, int caplen) { Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); @@ -157,16 +157,16 @@ void Teredo_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, return; } - const zeek::EncapsulationStack* e = Conn()->GetEncapsulation(); + const EncapsulationStack* e = Conn()->GetEncapsulation(); - if ( e && e->Depth() >= zeek::BifConst::Tunnel::max_depth ) + if ( e && e->Depth() >= BifConst::Tunnel::max_depth ) { Weird("tunnel_depth", true); return; } - zeek::IP_Hdr* inner = nullptr; - int rslt = zeek::sessions->ParseIPPacket(len, te.InnerIP(), IPPROTO_IPV6, inner); + IP_Hdr* inner = nullptr; + int rslt = sessions->ParseIPPacket(len, te.InnerIP(), IPPROTO_IPV6, inner); if ( rslt > 0 ) { @@ -199,7 +199,7 @@ void Teredo_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, return; } - zeek::ValPtr teredo_hdr; + ValPtr teredo_hdr; if ( teredo_packet ) { @@ -231,9 +231,9 @@ void Teredo_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, Conn()->EnqueueEvent(teredo_bubble, nullptr, ConnVal(), teredo_hdr); } - zeek::EncapsulatingConn ec(Conn(), BifEnum::Tunnel::TEREDO); + EncapsulatingConn ec(Conn(), BifEnum::Tunnel::TEREDO); - zeek::sessions->DoNextInnerPacket(zeek::run_state::network_time, nullptr, inner, e, ec); + sessions->DoNextInnerPacket(run_state::network_time, nullptr, inner, e, ec); } } // namespace zeek::analyzer::teredo diff --git a/src/analyzer/protocol/teredo/Teredo.h b/src/analyzer/protocol/teredo/Teredo.h index 96cabef2e4..66b06e2cea 100644 --- a/src/analyzer/protocol/teredo/Teredo.h +++ b/src/analyzer/protocol/teredo/Teredo.h @@ -6,9 +6,9 @@ namespace zeek::analyzer::teredo { -class Teredo_Analyzer final : public zeek::analyzer::Analyzer { +class Teredo_Analyzer final : public analyzer::Analyzer { public: - explicit Teredo_Analyzer(zeek::Connection* conn) + explicit Teredo_Analyzer(Connection* conn) : Analyzer("TEREDO", conn), valid_orig(false), valid_resp(false) {} ~Teredo_Analyzer() override = default; @@ -16,9 +16,9 @@ public: void Done() override; void DeliverPacket(int len, const u_char* data, bool orig, - uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override; + uint64_t seq, const IP_Hdr* ip, int caplen) override; - static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) + static analyzer::Analyzer* Instantiate(Connection* conn) { return new Teredo_Analyzer(conn); } /** @@ -31,7 +31,7 @@ public: void Weird(const char* name, bool force = false) const { if ( ProtocolConfirmed() || force ) - zeek::reporter->Weird(Conn(), name); + reporter->Weird(Conn(), name); } /** @@ -40,7 +40,7 @@ public: */ void Confirm() { - if ( ! zeek::BifConst::Tunnel::delay_teredo_confirmation || + if ( ! BifConst::Tunnel::delay_teredo_confirmation || ( valid_orig && valid_resp ) ) ProtocolConfirmation(); } @@ -74,7 +74,7 @@ public: const u_char* Authentication() const { return auth; } - zeek::RecordValPtr BuildVal(const zeek::IP_Hdr* inner) const; + RecordValPtr BuildVal(const IP_Hdr* inner) const; protected: bool DoParse(const u_char* data, int& len, bool found_orig, bool found_au); diff --git a/src/analyzer/protocol/udp/UDP.cc b/src/analyzer/protocol/udp/UDP.cc index b71078425f..11a674aa9b 100644 --- a/src/analyzer/protocol/udp/UDP.cc +++ b/src/analyzer/protocol/udp/UDP.cc @@ -15,8 +15,8 @@ namespace zeek::analyzer::udp { -UDP_Analyzer::UDP_Analyzer(zeek::Connection* conn) - : zeek::analyzer::TransportLayerAnalyzer("UDP", conn) +UDP_Analyzer::UDP_Analyzer(Connection* conn) + : analyzer::TransportLayerAnalyzer("UDP", conn) { conn->EnableStatusUpdateTimer(); conn->SetInactivityTimeout(zeek::detail::udp_inactivity_timeout); @@ -42,7 +42,7 @@ void UDP_Analyzer::Done() } void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, - uint64_t seq, const zeek::IP_Hdr* ip, int caplen) + uint64_t seq, const IP_Hdr* ip, int caplen) { assert(ip); @@ -62,7 +62,7 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, int chksum = up->uh_sum; - auto validate_checksum = ! zeek::run_state::current_pkt->l3_checksummed && ! zeek::detail::ignore_checksums && caplen >=len; + auto validate_checksum = ! run_state::current_pkt->l3_checksummed && ! zeek::detail::ignore_checksums && caplen >=len; constexpr auto vxlan_len = 8; constexpr auto eth_len = 14; @@ -70,7 +70,7 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, len > ((int)sizeof(struct udphdr) + vxlan_len + eth_len) && (data[0] & 0x08) == 0x08 ) { - auto& vxlan_ports = zeek::analyzer_mgr->GetVxlanPorts(); + auto& vxlan_ports = analyzer_mgr->GetVxlanPorts(); if ( std::find(vxlan_ports.begin(), vxlan_ports.end(), ntohs(up->uh_dport)) != vxlan_ports.end() ) @@ -81,7 +81,7 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, if ( chksum == 0 ) validate_checksum = false; else - validate_checksum = zeek::BifConst::Tunnel::validate_vxlan_checksums; + validate_checksum = BifConst::Tunnel::validate_vxlan_checksums; } } @@ -124,22 +124,22 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, int ulen = ntohs(up->uh_ulen); if ( ulen != len ) - Weird("UDP_datagram_length_mismatch", zeek::util::fmt("%d != %d", ulen, len)); + Weird("UDP_datagram_length_mismatch", util::fmt("%d != %d", ulen, len)); len -= sizeof(struct udphdr); ulen -= sizeof(struct udphdr); caplen -= sizeof(struct udphdr); - Conn()->SetLastTime(zeek::run_state::current_timestamp); + Conn()->SetLastTime(run_state::current_timestamp); if ( udp_contents ) { - static auto udp_content_ports = zeek::id::find_val("udp_content_ports"); - static auto udp_content_delivery_ports_orig = zeek::id::find_val("udp_content_delivery_ports_orig"); - static auto udp_content_delivery_ports_resp = zeek::id::find_val("udp_content_delivery_ports_resp"); + static auto udp_content_ports = id::find_val("udp_content_ports"); + static auto udp_content_delivery_ports_orig = id::find_val("udp_content_delivery_ports_orig"); + static auto udp_content_delivery_ports_resp = id::find_val("udp_content_delivery_ports_resp"); bool do_udp_contents = false; - const auto& sport_val = zeek::val_mgr->Port(ntohs(up->uh_sport), TRANSPORT_UDP); - const auto& dport_val = zeek::val_mgr->Port(ntohs(up->uh_dport), TRANSPORT_UDP); + const auto& sport_val = val_mgr->Port(ntohs(up->uh_sport), TRANSPORT_UDP); + const auto& dport_val = val_mgr->Port(ntohs(up->uh_dport), TRANSPORT_UDP); if ( udp_content_ports->FindOrDefault(dport_val) || udp_content_ports->FindOrDefault(sport_val) ) @@ -169,8 +169,8 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, if ( do_udp_contents ) EnqueueConnEvent(udp_contents, ConnVal(), - zeek::val_mgr->Bool(is_orig), - zeek::make_intrusive(len, (const char*) data)); + val_mgr->Bool(is_orig), + make_intrusive(len, (const char*) data)); } if ( is_orig ) @@ -184,7 +184,7 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, request_len += ulen; #ifdef DEBUG if ( request_len < 0 ) - zeek::reporter->Warning("wrapping around for UDP request length"); + reporter->Warning("wrapping around for UDP request length"); #endif } @@ -202,7 +202,7 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, reply_len += ulen; #ifdef DEBUG if ( reply_len < 0 ) - zeek::reporter->Warning("wrapping around for UDP reply length"); + reporter->Warning("wrapping around for UDP reply length"); #endif } @@ -213,10 +213,10 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, ForwardPacket(len, data, is_orig, seq, ip, caplen); } -void UDP_Analyzer::UpdateConnVal(zeek::RecordVal* conn_val) +void UDP_Analyzer::UpdateConnVal(RecordVal* conn_val) { - zeek::RecordVal* orig_endp = conn_val->GetField("orig")->AsRecordVal(); - zeek::RecordVal* resp_endp = conn_val->GetField("resp")->AsRecordVal(); + RecordVal* orig_endp = conn_val->GetField("orig")->AsRecordVal(); + RecordVal* resp_endp = conn_val->GetField("resp")->AsRecordVal(); UpdateEndpointVal(orig_endp, true); UpdateEndpointVal(resp_endp, false); @@ -225,19 +225,19 @@ void UDP_Analyzer::UpdateConnVal(zeek::RecordVal* conn_val) Analyzer::UpdateConnVal(conn_val); } -void UDP_Analyzer::UpdateEndpointVal(zeek::RecordVal* endp, bool is_orig) +void UDP_Analyzer::UpdateEndpointVal(RecordVal* endp, bool is_orig) { bro_int_t size = is_orig ? request_len : reply_len; if ( size < 0 ) { - endp->Assign(0, zeek::val_mgr->Count(0)); - endp->Assign(1, zeek::val_mgr->Count(int(UDP_INACTIVE))); + endp->Assign(0, val_mgr->Count(0)); + endp->Assign(1, val_mgr->Count(int(UDP_INACTIVE))); } else { - endp->Assign(0, zeek::val_mgr->Count(size)); - endp->Assign(1, zeek::val_mgr->Count(int(UDP_ACTIVE))); + endp->Assign(0, val_mgr->Count(size)); + endp->Assign(1, val_mgr->Count(int(UDP_ACTIVE))); } } @@ -258,7 +258,7 @@ void UDP_Analyzer::ChecksumEvent(bool is_orig, uint32_t threshold) is_orig, threshold); } -bool UDP_Analyzer::ValidateChecksum(const zeek::IP_Hdr* ip, const udphdr* up, int len) +bool UDP_Analyzer::ValidateChecksum(const IP_Hdr* ip, const udphdr* up, int len) { uint32_t sum; @@ -268,14 +268,14 @@ bool UDP_Analyzer::ValidateChecksum(const zeek::IP_Hdr* ip, const udphdr* up, in else sum = 0; - sum = zeek::ones_complement_checksum(ip->SrcAddr(), sum); - sum = zeek::ones_complement_checksum(ip->DstAddr(), sum); + sum = ones_complement_checksum(ip->SrcAddr(), sum); + sum = ones_complement_checksum(ip->DstAddr(), sum); // Note, for IPv6, strictly speaking the protocol and length fields are // 32 bits rather than 16 bits. But because the upper bits are all zero, // we get the same checksum either way. sum += htons(IPPROTO_UDP); sum += htons((unsigned short) len); - sum = zeek::ones_complement_checksum((void*) up, len, sum); + sum = ones_complement_checksum((void*) up, len, sum); return sum == 0xffff; } diff --git a/src/analyzer/protocol/udp/UDP.h b/src/analyzer/protocol/udp/UDP.h index 819ee0015c..31b6020317 100644 --- a/src/analyzer/protocol/udp/UDP.h +++ b/src/analyzer/protocol/udp/UDP.h @@ -12,34 +12,34 @@ enum UDP_EndpointState { UDP_ACTIVE, // packets seen }; -class UDP_Analyzer final : public zeek::analyzer::TransportLayerAnalyzer { +class UDP_Analyzer final : public analyzer::TransportLayerAnalyzer { public: - explicit UDP_Analyzer(zeek::Connection* conn); + explicit UDP_Analyzer(Connection* conn); ~UDP_Analyzer() override; void Init() override; - void UpdateConnVal(zeek::RecordVal *conn_val) override; + void UpdateConnVal(RecordVal *conn_val) override; - static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) + static analyzer::Analyzer* Instantiate(Connection* conn) { return new UDP_Analyzer(conn); } protected: void Done() override; void DeliverPacket(int len, const u_char* data, bool orig, - uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override; + uint64_t seq, const IP_Hdr* ip, int caplen) override; bool IsReuse(double t, const u_char* pkt) override; unsigned int MemoryAllocation() const override; void ChecksumEvent(bool is_orig, uint32_t threshold); // Returns true if the checksum is valid, false if not - static bool ValidateChecksum(const zeek::IP_Hdr* ip, const struct udphdr* up, + static bool ValidateChecksum(const IP_Hdr* ip, const struct udphdr* up, int len); bro_int_t request_len, reply_len; private: - void UpdateEndpointVal(zeek::RecordVal* endp, bool is_orig); + void UpdateEndpointVal(RecordVal* endp, bool is_orig); #define HIST_ORIG_DATA_PKT 0x1 #define HIST_RESP_DATA_PKT 0x2 diff --git a/src/analyzer/protocol/vxlan/VXLAN.cc b/src/analyzer/protocol/vxlan/VXLAN.cc index 15f2bfc239..7fde0ce5ef 100644 --- a/src/analyzer/protocol/vxlan/VXLAN.cc +++ b/src/analyzer/protocol/vxlan/VXLAN.cc @@ -25,7 +25,7 @@ void VXLAN_Analyzer::Done() } void VXLAN_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, - uint64_t seq, const zeek::IP_Hdr* ip, int caplen) + uint64_t seq, const IP_Hdr* ip, int caplen) { Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); @@ -46,11 +46,11 @@ void VXLAN_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, return; } - const zeek::EncapsulationStack* estack = Conn()->GetEncapsulation(); + const EncapsulationStack* estack = Conn()->GetEncapsulation(); - if ( estack && estack->Depth() >= zeek::BifConst::Tunnel::max_depth ) + if ( estack && estack->Depth() >= BifConst::Tunnel::max_depth ) { - zeek::reporter->Weird(Conn(), "tunnel_depth"); + reporter->Weird(Conn(), "tunnel_depth"); return; } @@ -61,9 +61,9 @@ void VXLAN_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, len -= vxlan_len; pkt_timeval ts; - ts.tv_sec = (time_t) zeek::run_state::current_timestamp; - ts.tv_usec = (suseconds_t) ((zeek::run_state::current_timestamp - (double)ts.tv_sec) * 1000000); - zeek::Packet pkt(DLT_EN10MB, &ts, caplen, len, data); + ts.tv_sec = (time_t) run_state::current_timestamp; + ts.tv_usec = (suseconds_t) ((run_state::current_timestamp - (double)ts.tv_sec) * 1000000); + Packet pkt(DLT_EN10MB, &ts, caplen, len, data); if ( ! pkt.Layer2Valid() ) { @@ -76,15 +76,15 @@ void VXLAN_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, len -= pkt.hdr_size; caplen -= pkt.hdr_size; - zeek::IP_Hdr* inner = nullptr; + IP_Hdr* inner = nullptr; int res = 0; switch ( pkt.l3_proto ) { - case zeek::L3_IPV4: - res = zeek::sessions->ParseIPPacket(len, data, IPPROTO_IPV4, inner); + case L3_IPV4: + res = sessions->ParseIPPacket(len, data, IPPROTO_IPV4, inner); break; - case zeek::L3_IPV6: - res = zeek::sessions->ParseIPPacket(len, data, IPPROTO_IPV6, inner); + case L3_IPV6: + res = sessions->ParseIPPacket(len, data, IPPROTO_IPV6, inner); break; default: return; @@ -102,10 +102,10 @@ void VXLAN_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, if ( vxlan_packet ) Conn()->EnqueueEvent(vxlan_packet, nullptr, ConnVal(), - inner->ToPktHdrVal(), zeek::val_mgr->Count(vni)); + inner->ToPktHdrVal(), val_mgr->Count(vni)); - zeek::EncapsulatingConn ec(Conn(), BifEnum::Tunnel::VXLAN); - zeek::sessions->DoNextInnerPacket(zeek::run_state::network_time, &pkt, inner, estack, ec); + EncapsulatingConn ec(Conn(), BifEnum::Tunnel::VXLAN); + sessions->DoNextInnerPacket(run_state::network_time, &pkt, inner, estack, ec); } } // namespace zeek::analyzer::vxlan diff --git a/src/analyzer/protocol/vxlan/VXLAN.h b/src/analyzer/protocol/vxlan/VXLAN.h index 7d86fa9193..d09bfa8c18 100644 --- a/src/analyzer/protocol/vxlan/VXLAN.h +++ b/src/analyzer/protocol/vxlan/VXLAN.h @@ -6,18 +6,18 @@ namespace zeek::analyzer::vxlan { -class VXLAN_Analyzer final : public zeek::analyzer::Analyzer { +class VXLAN_Analyzer final : public analyzer::Analyzer { public: - explicit VXLAN_Analyzer(zeek::Connection* conn) + explicit VXLAN_Analyzer(Connection* conn) : Analyzer("VXLAN", conn) {} void Done() override; void DeliverPacket(int len, const u_char* data, bool orig, - uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override; + uint64_t seq, const IP_Hdr* ip, int caplen) override; - static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) + static analyzer::Analyzer* Instantiate(Connection* conn) { return new VXLAN_Analyzer(conn); } }; diff --git a/src/analyzer/protocol/xmpp/XMPP.cc b/src/analyzer/protocol/xmpp/XMPP.cc index 8651c3f615..f25119cc99 100644 --- a/src/analyzer/protocol/xmpp/XMPP.cc +++ b/src/analyzer/protocol/xmpp/XMPP.cc @@ -6,8 +6,8 @@ namespace zeek::analyzer::xmpp { -XMPP_Analyzer::XMPP_Analyzer(zeek::Connection* conn) - : zeek::analyzer::tcp::TCP_ApplicationAnalyzer("XMPP", conn) +XMPP_Analyzer::XMPP_Analyzer(Connection* conn) + : analyzer::tcp::TCP_ApplicationAnalyzer("XMPP", conn) { interp = unique_ptr(new binpac::XMPP::XMPP_Conn(this)); had_gap = false; @@ -20,7 +20,7 @@ XMPP_Analyzer::~XMPP_Analyzer() void XMPP_Analyzer::Done() { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); + analyzer::tcp::TCP_ApplicationAnalyzer::Done(); interp->FlowEOF(true); interp->FlowEOF(false); @@ -28,13 +28,13 @@ void XMPP_Analyzer::Done() void XMPP_Analyzer::EndpointEOF(bool is_orig) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); + analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); interp->FlowEOF(is_orig); } void XMPP_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); + analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); if ( tls_active ) { @@ -60,13 +60,13 @@ void XMPP_Analyzer::DeliverStream(int len, const u_char* data, bool orig) } catch ( const binpac::Exception& e ) { - ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg())); + ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg())); } } void XMPP_Analyzer::Undelivered(uint64_t seq, int len, bool orig) { - zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); + analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); had_gap = true; interp->NewGap(orig, len); } @@ -79,7 +79,7 @@ void XMPP_Analyzer::StartTLS() tls_active = true; - Analyzer* ssl = zeek::analyzer_mgr->InstantiateAnalyzer("SSL", Conn()); + Analyzer* ssl = analyzer_mgr->InstantiateAnalyzer("SSL", Conn()); if ( ssl ) AddChildAnalyzer(ssl); } diff --git a/src/analyzer/protocol/xmpp/XMPP.h b/src/analyzer/protocol/xmpp/XMPP.h index fc9ad7742b..d1f830f6b3 100644 --- a/src/analyzer/protocol/xmpp/XMPP.h +++ b/src/analyzer/protocol/xmpp/XMPP.h @@ -8,21 +8,21 @@ namespace zeek::analyzer::xmpp { -class XMPP_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { +class XMPP_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer { public: - explicit XMPP_Analyzer(zeek::Connection* conn); + explicit XMPP_Analyzer(Connection* conn); ~XMPP_Analyzer() override; void Done() override; void DeliverStream(int len, const u_char* data, bool orig) override; void Undelivered(uint64_t seq, int len, bool orig) override; - // Overriden from zeek::analyzer::tcp::TCP_ApplicationAnalyzer. + // Overriden from analyzer::tcp::TCP_ApplicationAnalyzer. void EndpointEOF(bool is_orig) override; void StartTLS(); - static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) + static analyzer::Analyzer* Instantiate(Connection* conn) { return new XMPP_Analyzer(conn); } protected: diff --git a/src/analyzer/protocol/zip/ZIP.cc b/src/analyzer/protocol/zip/ZIP.cc index 7fe335e80e..f281e6e20f 100644 --- a/src/analyzer/protocol/zip/ZIP.cc +++ b/src/analyzer/protocol/zip/ZIP.cc @@ -4,8 +4,8 @@ namespace zeek::analyzer::zip { -ZIP_Analyzer::ZIP_Analyzer(zeek::Connection* conn, bool orig, Method arg_method) -: zeek::analyzer::tcp::TCP_SupportAnalyzer("ZIP", conn, orig) +ZIP_Analyzer::ZIP_Analyzer(Connection* conn, bool orig, Method arg_method) +: analyzer::tcp::TCP_SupportAnalyzer("ZIP", conn, orig) { zip = nullptr; zip_status = Z_OK; @@ -45,7 +45,7 @@ void ZIP_Analyzer::Done() void ZIP_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - zeek::analyzer::tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig); + analyzer::tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig); if ( ! len || zip_status != Z_OK ) return; diff --git a/src/analyzer/protocol/zip/ZIP.h b/src/analyzer/protocol/zip/ZIP.h index 8ccf99a0cb..1722450666 100644 --- a/src/analyzer/protocol/zip/ZIP.h +++ b/src/analyzer/protocol/zip/ZIP.h @@ -9,11 +9,11 @@ namespace zeek::analyzer::zip { -class ZIP_Analyzer final : public zeek::analyzer::tcp::TCP_SupportAnalyzer { +class ZIP_Analyzer final : public analyzer::tcp::TCP_SupportAnalyzer { public: enum Method { GZIP, DEFLATE }; - ZIP_Analyzer(zeek::Connection* conn, bool orig, Method method = GZIP); + ZIP_Analyzer(Connection* conn, bool orig, Method method = GZIP); ~ZIP_Analyzer() override; void Done() override; diff --git a/src/file_analysis/analyzer/data_event/DataEvent.cc b/src/file_analysis/analyzer/data_event/DataEvent.cc index d7b599a6db..d28459ab7c 100644 --- a/src/file_analysis/analyzer/data_event/DataEvent.cc +++ b/src/file_analysis/analyzer/data_event/DataEvent.cc @@ -11,30 +11,30 @@ namespace zeek::file_analysis::detail { -DataEvent::DataEvent(zeek::RecordValPtr args, zeek::file_analysis::File* file, - zeek::EventHandlerPtr ce, zeek::EventHandlerPtr se) - : file_analysis::Analyzer(zeek::file_mgr->GetComponentTag("DATA_EVENT"), +DataEvent::DataEvent(RecordValPtr args, file_analysis::File* file, + EventHandlerPtr ce, EventHandlerPtr se) + : file_analysis::Analyzer(file_mgr->GetComponentTag("DATA_EVENT"), std::move(args), file), chunk_event(ce), stream_event(se) { } -zeek::file_analysis::Analyzer* DataEvent::Instantiate(zeek::RecordValPtr args, - zeek::file_analysis::File* file) +file_analysis::Analyzer* DataEvent::Instantiate(RecordValPtr args, + file_analysis::File* file) { const auto& chunk_val = args->GetField("chunk_event"); const auto& stream_val = args->GetField("stream_event"); if ( ! chunk_val && ! stream_val ) return nullptr; - zeek::EventHandlerPtr chunk; - zeek::EventHandlerPtr stream; + EventHandlerPtr chunk; + EventHandlerPtr stream; if ( chunk_val ) - chunk = zeek::event_registry->Lookup(chunk_val->AsFunc()->Name()); + chunk = event_registry->Lookup(chunk_val->AsFunc()->Name()); if ( stream_val ) - stream = zeek::event_registry->Lookup(stream_val->AsFunc()->Name()); + stream = event_registry->Lookup(stream_val->AsFunc()->Name()); return new DataEvent(std::move(args), file, chunk, stream); } @@ -43,10 +43,10 @@ bool DataEvent::DeliverChunk(const u_char* data, uint64_t len, uint64_t offset) { if ( ! chunk_event ) return true; - zeek::event_mgr.Enqueue(chunk_event, - GetFile()->ToVal(), - zeek::make_intrusive(new zeek::String(data, len, false)), - zeek::val_mgr->Count(offset) + event_mgr.Enqueue(chunk_event, + GetFile()->ToVal(), + make_intrusive(new String(data, len, false)), + val_mgr->Count(offset) ); return true; @@ -56,9 +56,9 @@ bool DataEvent::DeliverStream(const u_char* data, uint64_t len) { if ( ! stream_event ) return true; - zeek::event_mgr.Enqueue(stream_event, - GetFile()->ToVal(), - zeek::make_intrusive(new zeek::String(data, len, false)) + event_mgr.Enqueue(stream_event, + GetFile()->ToVal(), + make_intrusive(new String(data, len, false)) ); return true; diff --git a/src/file_analysis/analyzer/data_event/DataEvent.h b/src/file_analysis/analyzer/data_event/DataEvent.h index 23f220e35d..98daa405c5 100644 --- a/src/file_analysis/analyzer/data_event/DataEvent.h +++ b/src/file_analysis/analyzer/data_event/DataEvent.h @@ -14,7 +14,7 @@ namespace zeek::file_analysis::detail { /** * An analyzer to send file data to script-layer via events. */ -class DataEvent : public zeek::file_analysis::Analyzer { +class DataEvent : public file_analysis::Analyzer { public: /** @@ -43,8 +43,8 @@ public: * @return the new DataEvent analyzer instance or a null pointer if * no "chunk_event" or "stream_event" field was specfied in \a args. */ - static zeek::file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args, - zeek::file_analysis::File* file); + static file_analysis::Analyzer* Instantiate(RecordValPtr args, + file_analysis::File* file); protected: @@ -57,12 +57,12 @@ protected: * @param se pointer to event handler which will be called to receive * sequential file data. */ - DataEvent(zeek::RecordValPtr args, zeek::file_analysis::File* file, - zeek::EventHandlerPtr ce, zeek::EventHandlerPtr se); + DataEvent(RecordValPtr args, file_analysis::File* file, + EventHandlerPtr ce, EventHandlerPtr se); private: - zeek::EventHandlerPtr chunk_event; - zeek::EventHandlerPtr stream_event; + EventHandlerPtr chunk_event; + EventHandlerPtr stream_event; }; } // namespace zeek::file_analysis::detail diff --git a/src/file_analysis/analyzer/entropy/Entropy.cc b/src/file_analysis/analyzer/entropy/Entropy.cc index 56dd45c20b..868f0611c1 100644 --- a/src/file_analysis/analyzer/entropy/Entropy.cc +++ b/src/file_analysis/analyzer/entropy/Entropy.cc @@ -9,11 +9,11 @@ namespace zeek::file_analysis::detail { -Entropy::Entropy(zeek::RecordValPtr args, zeek::file_analysis::File* file) - : zeek::file_analysis::Analyzer(zeek::file_mgr->GetComponentTag("ENTROPY"), - std::move(args), file) +Entropy::Entropy(RecordValPtr args, file_analysis::File* file) + : file_analysis::Analyzer(file_mgr->GetComponentTag("ENTROPY"), + std::move(args), file) { - entropy = new zeek::EntropyVal; + entropy = new EntropyVal; fed = false; } @@ -22,8 +22,8 @@ Entropy::~Entropy() Unref(entropy); } -zeek::file_analysis::Analyzer* Entropy::Instantiate(zeek::RecordValPtr args, - zeek::file_analysis::File* file) +file_analysis::Analyzer* Entropy::Instantiate(RecordValPtr args, + file_analysis::File* file) { return new Entropy(std::move(args), file); } @@ -60,17 +60,17 @@ void Entropy::Finalize() montepi = scc = ent = mean = chisq = 0.0; entropy->Get(&ent, &chisq, &mean, &montepi, &scc); - static auto entropy_test_result = zeek::id::find_type("entropy_test_result"); - auto ent_result = zeek::make_intrusive(entropy_test_result); - ent_result->Assign(0, ent); - ent_result->Assign(1, chisq); - ent_result->Assign(2, mean); - ent_result->Assign(3, montepi); - ent_result->Assign(4, scc); + static auto entropy_test_result = id::find_type("entropy_test_result"); + auto ent_result = make_intrusive(entropy_test_result); + ent_result->Assign(0, ent); + ent_result->Assign(1, chisq); + ent_result->Assign(2, mean); + ent_result->Assign(3, montepi); + ent_result->Assign(4, scc); - zeek::event_mgr.Enqueue(file_entropy, - GetFile()->ToVal(), - std::move(ent_result) + event_mgr.Enqueue(file_entropy, + GetFile()->ToVal(), + std::move(ent_result) ); } diff --git a/src/file_analysis/analyzer/entropy/Entropy.h b/src/file_analysis/analyzer/entropy/Entropy.h index 1f611cf0d0..8d18be544c 100644 --- a/src/file_analysis/analyzer/entropy/Entropy.h +++ b/src/file_analysis/analyzer/entropy/Entropy.h @@ -16,7 +16,7 @@ namespace zeek::file_analysis::detail { /** * An analyzer to produce entropy of file contents. */ -class Entropy : public zeek::file_analysis::Analyzer { +class Entropy : public file_analysis::Analyzer { public: /** @@ -31,8 +31,8 @@ public: * @return the new Entropy analyzer instance or a null pointer if the * the "extraction_file" field of \a args wasn't set. */ - static zeek::file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args, - zeek::file_analysis::File* file); + static file_analysis::Analyzer* Instantiate(RecordValPtr args, + file_analysis::File* file); /** * Calculate entropy of next chunk of file contents. @@ -66,7 +66,7 @@ protected: * @param hv specific hash calculator object. * @param kind human readable name of the hash algorithm to use. */ - Entropy(zeek::RecordValPtr args, zeek::file_analysis::File* file); + Entropy(RecordValPtr args, file_analysis::File* file); /** * If some file contents have been seen, finalizes the entropy of them and @@ -75,7 +75,7 @@ protected: void Finalize(); private: - zeek::EntropyVal* entropy; + EntropyVal* entropy; bool fed; }; diff --git a/src/file_analysis/analyzer/extract/Extract.cc b/src/file_analysis/analyzer/extract/Extract.cc index 5df33a6141..63b3dcb0cd 100644 --- a/src/file_analysis/analyzer/extract/Extract.cc +++ b/src/file_analysis/analyzer/extract/Extract.cc @@ -10,9 +10,9 @@ namespace zeek::file_analysis::detail { -Extract::Extract(zeek::RecordValPtr args, zeek::file_analysis::File* file, +Extract::Extract(RecordValPtr args, file_analysis::File* file, const std::string& arg_filename, uint64_t arg_limit) - : file_analysis::Analyzer(zeek::file_mgr->GetComponentTag("EXTRACT"), + : file_analysis::Analyzer(file_mgr->GetComponentTag("EXTRACT"), std::move(args), file), filename(arg_filename), limit(arg_limit), depth(0) { @@ -22,30 +22,30 @@ Extract::Extract(zeek::RecordValPtr args, zeek::file_analysis::File* file, { fd = 0; char buf[128]; - zeek::util::zeek_strerror_r(errno, buf, sizeof(buf)); - zeek::reporter->Error("cannot open %s: %s", filename.c_str(), buf); + util::zeek_strerror_r(errno, buf, sizeof(buf)); + reporter->Error("cannot open %s: %s", filename.c_str(), buf); } } Extract::~Extract() { if ( fd ) - zeek::util::safe_close(fd); + util::safe_close(fd); } -static const zeek::ValPtr& get_extract_field_val(const zeek::RecordValPtr& args, - const char* name) +static const ValPtr& get_extract_field_val(const RecordValPtr& args, + const char* name) { const auto& rval = args->GetField(name); if ( ! rval ) - zeek::reporter->Error("File extraction analyzer missing arg field: %s", name); + reporter->Error("File extraction analyzer missing arg field: %s", name); return rval; } -zeek::file_analysis::Analyzer* Extract::Instantiate(zeek::RecordValPtr args, - zeek::file_analysis::File* file) +file_analysis::Analyzer* Extract::Instantiate(RecordValPtr args, + file_analysis::File* file) { const auto& fname = get_extract_field_val(args, "extract_filename"); const auto& limit = get_extract_field_val(args, "extract_limit"); @@ -93,12 +93,12 @@ bool Extract::DeliverStream(const u_char* data, uint64_t len) if ( limit_exceeded && file_extraction_limit ) { - zeek::file_analysis::File* f = GetFile(); + file_analysis::File* f = GetFile(); f->FileEvent(file_extraction_limit, { f->ToVal(), GetArgs(), - zeek::val_mgr->Count(limit), - zeek::val_mgr->Count(len) + val_mgr->Count(limit), + val_mgr->Count(len) }); // Limit may have been modified by a BIF, re-check it. @@ -107,7 +107,7 @@ bool Extract::DeliverStream(const u_char* data, uint64_t len) if ( towrite > 0 ) { - zeek::util::safe_write(fd, reinterpret_cast(data), towrite); + util::safe_write(fd, reinterpret_cast(data), towrite); depth += towrite; } @@ -119,7 +119,7 @@ bool Extract::Undelivered(uint64_t offset, uint64_t len) if ( depth == offset ) { char* tmp = new char[len](); - zeek::util::safe_write(fd, tmp, len); + util::safe_write(fd, tmp, len); delete [] tmp; depth += len; } diff --git a/src/file_analysis/analyzer/extract/Extract.h b/src/file_analysis/analyzer/extract/Extract.h index 3d3f5ded15..72b48f277b 100644 --- a/src/file_analysis/analyzer/extract/Extract.h +++ b/src/file_analysis/analyzer/extract/Extract.h @@ -15,7 +15,7 @@ namespace zeek::file_analysis::detail { /** * An analyzer to extract content of files to local disk. */ -class Extract : public zeek::file_analysis::Analyzer { +class Extract : public file_analysis::Analyzer { public: /** @@ -47,8 +47,8 @@ public: * @return the new Extract analyzer instance or a null pointer if the * the "extraction_file" field of \a args wasn't set. */ - static zeek::file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args, - zeek::file_analysis::File* file); + static file_analysis::Analyzer* Instantiate(RecordValPtr args, + file_analysis::File* file); /** * Sets the maximum allowed extracted file size. A value of zero means @@ -67,7 +67,7 @@ protected: * to which the contents of the file will be extracted/written. * @param arg_limit the maximum allowed file size. */ - Extract(zeek::RecordValPtr args, zeek::file_analysis::File* file, + Extract(RecordValPtr args, file_analysis::File* file, const std::string& arg_filename, uint64_t arg_limit); private: diff --git a/src/file_analysis/analyzer/hash/Hash.cc b/src/file_analysis/analyzer/hash/Hash.cc index 087d5554ce..ffc6e047b8 100644 --- a/src/file_analysis/analyzer/hash/Hash.cc +++ b/src/file_analysis/analyzer/hash/Hash.cc @@ -9,9 +9,9 @@ namespace zeek::file_analysis::detail { -Hash::Hash(zeek::RecordValPtr args, zeek::file_analysis::File* file, - zeek::HashVal* hv, const char* arg_kind) - : zeek::file_analysis::Analyzer(zeek::file_mgr->GetComponentTag(zeek::util::to_upper(arg_kind).c_str()), +Hash::Hash(RecordValPtr args, file_analysis::File* file, + HashVal* hv, const char* arg_kind) + : file_analysis::Analyzer(file_mgr->GetComponentTag(util::to_upper(arg_kind).c_str()), std::move(args), file), hash(hv), fed(false), kind(arg_kind) { @@ -54,10 +54,10 @@ void Hash::Finalize() if ( ! file_hash ) return; - zeek::event_mgr.Enqueue(file_hash, - GetFile()->ToVal(), - zeek::make_intrusive(kind), - hash->Get() + event_mgr.Enqueue(file_hash, + GetFile()->ToVal(), + make_intrusive(kind), + hash->Get() ); } diff --git a/src/file_analysis/analyzer/hash/Hash.h b/src/file_analysis/analyzer/hash/Hash.h index 6b2d53945a..bce6c978e6 100644 --- a/src/file_analysis/analyzer/hash/Hash.h +++ b/src/file_analysis/analyzer/hash/Hash.h @@ -16,7 +16,7 @@ namespace zeek::file_analysis::detail { /** * An analyzer to produce a hash of file contents. */ -class Hash : public zeek::file_analysis::Analyzer { +class Hash : public file_analysis::Analyzer { public: /** @@ -56,7 +56,7 @@ protected: * @param hv specific hash calculator object. * @param kind human readable name of the hash algorithm to use. */ - Hash(zeek::RecordValPtr args, zeek::file_analysis::File* file, zeek::HashVal* hv, const char* kind); + Hash(RecordValPtr args, file_analysis::File* file, HashVal* hv, const char* kind); /** * If some file contents have been seen, finalizes the hash of them and @@ -65,7 +65,7 @@ protected: void Finalize(); private: - zeek::HashVal* hash; + HashVal* hash; bool fed; const char* kind; }; @@ -83,8 +83,8 @@ public: * @return the new MD5 analyzer instance or a null pointer if there's no * handler for the "file_hash" event. */ - static zeek::file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args, - zeek::file_analysis::File* file) + static file_analysis::Analyzer* Instantiate(RecordValPtr args, + file_analysis::File* file) { return file_hash ? new MD5(std::move(args), file) : nullptr; } protected: @@ -94,8 +94,8 @@ protected: * @param args the \c AnalyzerArgs value which represents the analyzer. * @param file the file to which the analyzer will be attached. */ - MD5(zeek::RecordValPtr args, zeek::file_analysis::File* file) - : Hash(std::move(args), file, new zeek::MD5Val(), "md5") + MD5(RecordValPtr args, file_analysis::File* file) + : Hash(std::move(args), file, new MD5Val(), "md5") {} }; @@ -112,8 +112,8 @@ public: * @return the new MD5 analyzer instance or a null pointer if there's no * handler for the "file_hash" event. */ - static zeek::file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args, - zeek::file_analysis::File* file) + static file_analysis::Analyzer* Instantiate(RecordValPtr args, + file_analysis::File* file) { return file_hash ? new SHA1(std::move(args), file) : nullptr; } protected: @@ -123,8 +123,8 @@ protected: * @param args the \c AnalyzerArgs value which represents the analyzer. * @param file the file to which the analyzer will be attached. */ - SHA1(zeek::RecordValPtr args, zeek::file_analysis::File* file) - : Hash(std::move(args), file, new zeek::SHA1Val(), "sha1") + SHA1(RecordValPtr args, file_analysis::File* file) + : Hash(std::move(args), file, new SHA1Val(), "sha1") {} }; @@ -141,8 +141,8 @@ public: * @return the new MD5 analyzer instance or a null pointer if there's no * handler for the "file_hash" event. */ - static zeek::file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args, - zeek::file_analysis::File* file) + static file_analysis::Analyzer* Instantiate(RecordValPtr args, + file_analysis::File* file) { return file_hash ? new SHA256(std::move(args), file) : nullptr; } protected: @@ -152,8 +152,8 @@ protected: * @param args the \c AnalyzerArgs value which represents the analyzer. * @param file the file to which the analyzer will be attached. */ - SHA256(zeek::RecordValPtr args, zeek::file_analysis::File* file) - : Hash(std::move(args), file, new zeek::SHA256Val(), "sha256") + SHA256(RecordValPtr args, file_analysis::File* file) + : Hash(std::move(args), file, new SHA256Val(), "sha256") {} }; diff --git a/src/file_analysis/analyzer/pe/PE.cc b/src/file_analysis/analyzer/pe/PE.cc index e34b99c169..1a1dd8ead3 100644 --- a/src/file_analysis/analyzer/pe/PE.cc +++ b/src/file_analysis/analyzer/pe/PE.cc @@ -3,10 +3,10 @@ namespace zeek::file_analysis::detail { -PE::PE(zeek::RecordValPtr args, zeek::file_analysis::File* file) - : zeek::file_analysis::Analyzer(zeek::file_mgr->GetComponentTag("PE"), - std::move(args), - file) +PE::PE(RecordValPtr args, file_analysis::File* file) + : file_analysis::Analyzer(file_mgr->GetComponentTag("PE"), + std::move(args), + file) { conn = new binpac::PE::MockConnection(this); interp = new binpac::PE::File(conn); diff --git a/src/file_analysis/analyzer/pe/PE.h b/src/file_analysis/analyzer/pe/PE.h index de101c2a6d..661eff5991 100644 --- a/src/file_analysis/analyzer/pe/PE.h +++ b/src/file_analysis/analyzer/pe/PE.h @@ -11,12 +11,12 @@ namespace zeek::file_analysis::detail { /** * Analyze Portable Executable files */ -class PE : public zeek::file_analysis::Analyzer { +class PE : public file_analysis::Analyzer { public: ~PE(); - static zeek::file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args, - zeek::file_analysis::File* file) + static file_analysis::Analyzer* Instantiate(RecordValPtr args, + file_analysis::File* file) { return new PE(std::move(args), file); } virtual bool DeliverStream(const u_char* data, uint64_t len); @@ -24,7 +24,7 @@ public: virtual bool EndOfFile(); protected: - PE(zeek::RecordValPtr args, zeek::file_analysis::File* file); + PE(RecordValPtr args, file_analysis::File* file); binpac::PE::File* interp; binpac::PE::MockConnection* conn; bool done; diff --git a/src/file_analysis/analyzer/unified2/Unified2.cc b/src/file_analysis/analyzer/unified2/Unified2.cc index ecf09aa708..c3a9fdbe39 100644 --- a/src/file_analysis/analyzer/unified2/Unified2.cc +++ b/src/file_analysis/analyzer/unified2/Unified2.cc @@ -5,8 +5,8 @@ namespace zeek::file_analysis::detail { -Unified2::Unified2(zeek::RecordValPtr args, zeek::file_analysis::File* file) - : file_analysis::Analyzer(zeek::file_mgr->GetComponentTag("UNIFIED2"), +Unified2::Unified2(RecordValPtr args, file_analysis::File* file) + : file_analysis::Analyzer(file_mgr->GetComponentTag("UNIFIED2"), std::move(args), file) { interp = new binpac::Unified2::Unified2_Analyzer(this); @@ -17,8 +17,8 @@ Unified2::~Unified2() delete interp; } -zeek::file_analysis::Analyzer* Unified2::Instantiate(zeek::RecordValPtr args, - zeek::file_analysis::File* file) +file_analysis::Analyzer* Unified2::Instantiate(RecordValPtr args, + file_analysis::File* file) { return new Unified2(std::move(args), file); } diff --git a/src/file_analysis/analyzer/unified2/Unified2.h b/src/file_analysis/analyzer/unified2/Unified2.h index fcf975c91f..24e7b19851 100644 --- a/src/file_analysis/analyzer/unified2/Unified2.h +++ b/src/file_analysis/analyzer/unified2/Unified2.h @@ -14,17 +14,17 @@ namespace zeek::file_analysis::detail { /** * An analyzer to extract content of files from local disk. */ -class Unified2 : public zeek::file_analysis::Analyzer { +class Unified2 : public file_analysis::Analyzer { public: ~Unified2() override; bool DeliverStream(const u_char* data, uint64_t len) override; - static zeek::file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args, - zeek::file_analysis::File* file); + static file_analysis::Analyzer* Instantiate(RecordValPtr args, + file_analysis::File* file); protected: - Unified2(zeek::RecordValPtr args, zeek::file_analysis::File* file); + Unified2(RecordValPtr args, file_analysis::File* file); private: binpac::Unified2::Unified2_Analyzer* interp; diff --git a/src/file_analysis/analyzer/x509/OCSP.cc b/src/file_analysis/analyzer/x509/OCSP.cc index b13081f77a..81e8017cdf 100644 --- a/src/file_analysis/analyzer/x509/OCSP.cc +++ b/src/file_analysis/analyzer/x509/OCSP.cc @@ -79,11 +79,11 @@ static bool ocsp_add_cert_id(const OCSP_CERTID* cert_id, zeek::Args* vl, BIO* bi if ( ! res ) { - zeek::reporter->Weird("OpenSSL failed to get OCSP_CERTID info"); - vl->emplace_back(zeek::val_mgr->EmptyString()); - vl->emplace_back(zeek::val_mgr->EmptyString()); - vl->emplace_back(zeek::val_mgr->EmptyString()); - vl->emplace_back(zeek::val_mgr->EmptyString()); + reporter->Weird("OpenSSL failed to get OCSP_CERTID info"); + vl->emplace_back(val_mgr->EmptyString()); + vl->emplace_back(val_mgr->EmptyString()); + vl->emplace_back(val_mgr->EmptyString()); + vl->emplace_back(val_mgr->EmptyString()); return false; } @@ -92,42 +92,42 @@ static bool ocsp_add_cert_id(const OCSP_CERTID* cert_id, zeek::Args* vl, BIO* bi i2a_ASN1_OBJECT(bio, hash_alg); int len = BIO_read(bio, buf, sizeof(buf)); - vl->emplace_back(zeek::make_intrusive(len, buf)); + vl->emplace_back(make_intrusive(len, buf)); BIO_reset(bio); i2a_ASN1_STRING(bio, issuer_name_hash, V_ASN1_OCTET_STRING); len = BIO_read(bio, buf, sizeof(buf)); - vl->emplace_back(zeek::make_intrusive(len, buf)); + vl->emplace_back(make_intrusive(len, buf)); BIO_reset(bio); i2a_ASN1_STRING(bio, issuer_key_hash, V_ASN1_OCTET_STRING); len = BIO_read(bio, buf, sizeof(buf)); - vl->emplace_back(zeek::make_intrusive(len, buf)); + vl->emplace_back(make_intrusive(len, buf)); BIO_reset(bio); i2a_ASN1_INTEGER(bio, serial_number); len = BIO_read(bio, buf, sizeof(buf)); - vl->emplace_back(zeek::make_intrusive(len, buf)); + vl->emplace_back(make_intrusive(len, buf)); BIO_reset(bio); return true; } -zeek::file_analysis::Analyzer* OCSP::InstantiateRequest(zeek::RecordValPtr args, - zeek::file_analysis::File* file) +file_analysis::Analyzer* OCSP::InstantiateRequest(RecordValPtr args, + file_analysis::File* file) { return new OCSP(std::move(args), file, true); } -zeek::file_analysis::Analyzer* OCSP::InstantiateReply(zeek::RecordValPtr args, - zeek::file_analysis::File* file) +file_analysis::Analyzer* OCSP::InstantiateReply(RecordValPtr args, + file_analysis::File* file) { return new OCSP(std::move(args), file, false); } -OCSP::OCSP(zeek::RecordValPtr args, zeek::file_analysis::File* file, - bool arg_request) - : X509Common::X509Common(zeek::file_mgr->GetComponentTag("OCSP"), +OCSP::OCSP(RecordValPtr args, file_analysis::File* file, + bool arg_request) + : X509Common::X509Common(file_mgr->GetComponentTag("OCSP"), std::move(args), file), request(arg_request) { @@ -156,7 +156,7 @@ bool OCSP::EndOfFile() if (!req) { - zeek::reporter->Weird(GetFile(), "openssl_ocsp_request_parse_error"); + reporter->Weird(GetFile(), "openssl_ocsp_request_parse_error"); return false; } @@ -169,7 +169,7 @@ bool OCSP::EndOfFile() if (!resp) { - zeek::reporter->Weird(GetFile(), "openssl_ocsp_response_parse_error"); + reporter->Weird(GetFile(), "openssl_ocsp_response_parse_error"); return false; } @@ -211,7 +211,7 @@ typedef struct ocsp_basic_response_st { STACK_OF(X509) *certs; } OCSP_BASICRESP; */ -static zeek::StringValPtr parse_basic_resp_sig_alg(OCSP_BASICRESP* basic_resp, +static StringValPtr parse_basic_resp_sig_alg(OCSP_BASICRESP* basic_resp, BIO* bio, char* buf, size_t buf_len) { @@ -221,7 +221,7 @@ static zeek::StringValPtr parse_basic_resp_sig_alg(OCSP_BASICRESP* basic_resp, der_basic_resp_len = i2d_OCSP_BASICRESP(basic_resp, &der_basic_resp_dat); if ( der_basic_resp_len <= 0 ) - return zeek::val_mgr->EmptyString(); + return val_mgr->EmptyString(); const unsigned char* const_der_basic_resp_dat = der_basic_resp_dat; @@ -230,13 +230,13 @@ static zeek::StringValPtr parse_basic_resp_sig_alg(OCSP_BASICRESP* basic_resp, if ( ! bseq ) { OPENSSL_free(der_basic_resp_dat); - return zeek::val_mgr->EmptyString(); + return val_mgr->EmptyString(); } if ( sk_ASN1_TYPE_num(bseq) < 3 ) { OPENSSL_free(der_basic_resp_dat); - return zeek::val_mgr->EmptyString(); + return val_mgr->EmptyString(); } auto constexpr sig_alg_idx = 1u; @@ -245,7 +245,7 @@ static zeek::StringValPtr parse_basic_resp_sig_alg(OCSP_BASICRESP* basic_resp, if ( ASN1_TYPE_get(aseq_type) != V_ASN1_SEQUENCE ) { OPENSSL_free(der_basic_resp_dat); - return zeek::val_mgr->EmptyString(); + return val_mgr->EmptyString(); } auto aseq_str = aseq_type->value.asn1_string; @@ -257,13 +257,13 @@ static zeek::StringValPtr parse_basic_resp_sig_alg(OCSP_BASICRESP* basic_resp, if ( ! aseq ) { OPENSSL_free(der_basic_resp_dat); - return zeek::val_mgr->EmptyString(); + return val_mgr->EmptyString(); } if ( sk_ASN1_TYPE_num(aseq) < 1 ) { OPENSSL_free(der_basic_resp_dat); - return zeek::val_mgr->EmptyString(); + return val_mgr->EmptyString(); } auto constexpr alg_obj_idx = 0u; @@ -272,20 +272,20 @@ static zeek::StringValPtr parse_basic_resp_sig_alg(OCSP_BASICRESP* basic_resp, if ( ASN1_TYPE_get(alg_obj_type) != V_ASN1_OBJECT ) { OPENSSL_free(der_basic_resp_dat); - return zeek::val_mgr->EmptyString(); + return val_mgr->EmptyString(); } auto alg_obj = alg_obj_type->value.object; i2a_ASN1_OBJECT(bio, alg_obj); auto alg_len = BIO_read(bio, buf, buf_len); - auto rval = zeek::make_intrusive(alg_len, buf); + auto rval = make_intrusive(alg_len, buf); BIO_reset(bio); OPENSSL_free(der_basic_resp_dat); return rval; } -static zeek::ValPtr parse_basic_resp_data_version(OCSP_BASICRESP* basic_resp) +static ValPtr parse_basic_resp_data_version(OCSP_BASICRESP* basic_resp) { int der_basic_resp_len = 0; unsigned char* der_basic_resp_dat = nullptr; @@ -293,7 +293,7 @@ static zeek::ValPtr parse_basic_resp_data_version(OCSP_BASICRESP* basic_resp) der_basic_resp_len = i2d_OCSP_BASICRESP(basic_resp, &der_basic_resp_dat); if ( der_basic_resp_len <= 0 ) - return zeek::val_mgr->Count(-1); + return val_mgr->Count(-1); const unsigned char* const_der_basic_resp_dat = der_basic_resp_dat; @@ -302,13 +302,13 @@ static zeek::ValPtr parse_basic_resp_data_version(OCSP_BASICRESP* basic_resp) if ( ! bseq ) { OPENSSL_free(der_basic_resp_dat); - return zeek::val_mgr->Count(-1); + return val_mgr->Count(-1); } if ( sk_ASN1_TYPE_num(bseq) < 3 ) { OPENSSL_free(der_basic_resp_dat); - return zeek::val_mgr->Count(-1); + return val_mgr->Count(-1); } auto constexpr resp_data_idx = 0u; @@ -317,7 +317,7 @@ static zeek::ValPtr parse_basic_resp_data_version(OCSP_BASICRESP* basic_resp) if ( ASN1_TYPE_get(dseq_type) != V_ASN1_SEQUENCE ) { OPENSSL_free(der_basic_resp_dat); - return zeek::val_mgr->Count(-1); + return val_mgr->Count(-1); } auto dseq_str = dseq_type->value.asn1_string; @@ -329,13 +329,13 @@ static zeek::ValPtr parse_basic_resp_data_version(OCSP_BASICRESP* basic_resp) if ( ! dseq ) { OPENSSL_free(der_basic_resp_dat); - return zeek::val_mgr->Count(-1); + return val_mgr->Count(-1); } if ( sk_ASN1_TYPE_num(dseq) < 1 ) { OPENSSL_free(der_basic_resp_dat); - return zeek::val_mgr->Count(-1); + return val_mgr->Count(-1); } /*- ResponseData ::= SEQUENCE { @@ -353,12 +353,12 @@ static zeek::ValPtr parse_basic_resp_data_version(OCSP_BASICRESP* basic_resp) { OPENSSL_free(der_basic_resp_dat); // Not present, use default value. - return zeek::val_mgr->Count(0); + return val_mgr->Count(0); } uint64_t asn1_int = ASN1_INTEGER_get(version_type->value.integer); OPENSSL_free(der_basic_resp_dat); - return zeek::val_mgr->Count(asn1_int); + return val_mgr->Count(asn1_int); } static uint64_t parse_request_version(OCSP_REQUEST* req) @@ -417,9 +417,9 @@ void OCSP::ParseRequest(OCSP_REQUEST* req) #endif if ( ocsp_request ) - zeek::event_mgr.Enqueue(ocsp_request, - GetFile()->ToVal(), - zeek::val_mgr->Count(version) + event_mgr.Enqueue(ocsp_request, + GetFile()->ToVal(), + val_mgr->Count(version) ); BIO *bio = BIO_new(BIO_s_mem()); @@ -437,7 +437,7 @@ void OCSP::ParseRequest(OCSP_REQUEST* req) ocsp_add_cert_id(cert_id, &rvl, bio); if ( ocsp_request_certificate ) - zeek::event_mgr.Enqueue(ocsp_request_certificate, std::move(rvl)); + event_mgr.Enqueue(ocsp_request_certificate, std::move(rvl)); } BIO_free(bio); @@ -453,17 +453,17 @@ void OCSP::ParseResponse(OCSP_RESPONSE *resp) const STACK_OF(X509)* certs = nullptr; int resp_count, num_ext = 0; - zeek::VectorVal *certs_vector = nullptr; + VectorVal *certs_vector = nullptr; int len = 0; char buf[OCSP_STRING_BUF_SIZE]; memset(buf, 0, sizeof(buf)); const char *status_str = OCSP_response_status_str(OCSP_response_status(resp)); - auto status_val = zeek::make_intrusive(strlen(status_str), status_str); + auto status_val = make_intrusive(strlen(status_str), status_str); if ( ocsp_response_status ) - zeek::event_mgr.Enqueue(ocsp_response_status, GetFile()->ToVal(), status_val); + event_mgr.Enqueue(ocsp_response_status, GetFile()->ToVal(), status_val); //if (!resp_bytes) // { @@ -494,7 +494,7 @@ void OCSP::ParseResponse(OCSP_RESPONSE *resp) vl.emplace_back(std::move(status_val)); #if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER) - vl.emplace_back(zeek::val_mgr->Count((uint64_t)ASN1_INTEGER_get(resp_data->version))); + vl.emplace_back(val_mgr->Count((uint64_t)ASN1_INTEGER_get(resp_data->version))); #else vl.emplace_back(parse_basic_resp_data_version(basic_resp)); #endif @@ -503,13 +503,13 @@ void OCSP::ParseResponse(OCSP_RESPONSE *resp) if ( OCSP_RESPID_bio(basic_resp, bio) ) { len = BIO_read(bio, buf, sizeof(buf)); - vl.emplace_back(zeek::make_intrusive(len, buf)); + vl.emplace_back(make_intrusive(len, buf)); BIO_reset(bio); } else { - zeek::reporter->Weird("OpenSSL failed to get OCSP responder id"); - vl.emplace_back(zeek::val_mgr->EmptyString()); + reporter->Weird("OpenSSL failed to get OCSP responder id"); + vl.emplace_back(val_mgr->EmptyString()); } // producedAt @@ -519,7 +519,7 @@ void OCSP::ParseResponse(OCSP_RESPONSE *resp) produced_at = OCSP_resp_get0_produced_at(basic_resp); #endif - vl.emplace_back(zeek::make_intrusive(GetTimeFromAsn1(produced_at, GetFile(), zeek::reporter))); + vl.emplace_back(make_intrusive(GetTimeFromAsn1(produced_at, GetFile(), reporter))); // responses @@ -559,42 +559,42 @@ void OCSP::ParseResponse(OCSP_RESPONSE *resp) const_cast(cert_id), &status, &reason, &revoke_time, &this_update, &next_update) ) - zeek::reporter->Weird("OpenSSL failed to find status of OCSP response"); + reporter->Weird("OpenSSL failed to find status of OCSP response"); const char* cert_status_str = OCSP_cert_status_str(status); - rvl.emplace_back(zeek::make_intrusive(strlen(cert_status_str), cert_status_str)); + rvl.emplace_back(make_intrusive(strlen(cert_status_str), cert_status_str)); // revocation time and reason if revoked if ( status == V_OCSP_CERTSTATUS_REVOKED ) { - rvl.emplace_back(zeek::make_intrusive(GetTimeFromAsn1(revoke_time, GetFile(), zeek::reporter))); + rvl.emplace_back(make_intrusive(GetTimeFromAsn1(revoke_time, GetFile(), reporter))); if ( reason != OCSP_REVOKED_STATUS_NOSTATUS ) { const char* revoke_reason = OCSP_crl_reason_str(reason); - rvl.emplace_back(zeek::make_intrusive(strlen(revoke_reason), revoke_reason)); + rvl.emplace_back(make_intrusive(strlen(revoke_reason), revoke_reason)); } else - rvl.emplace_back(zeek::make_intrusive(0, "")); + rvl.emplace_back(make_intrusive(0, "")); } else { - rvl.emplace_back(zeek::make_intrusive(0.0)); - rvl.emplace_back(zeek::make_intrusive(0, "")); + rvl.emplace_back(make_intrusive(0.0)); + rvl.emplace_back(make_intrusive(0, "")); } if ( this_update ) - rvl.emplace_back(zeek::make_intrusive(GetTimeFromAsn1(this_update, GetFile(), zeek::reporter))); + rvl.emplace_back(make_intrusive(GetTimeFromAsn1(this_update, GetFile(), reporter))); else - rvl.emplace_back(zeek::make_intrusive(0.0)); + rvl.emplace_back(make_intrusive(0.0)); if ( next_update ) - rvl.emplace_back(zeek::make_intrusive(GetTimeFromAsn1(next_update, GetFile(), zeek::reporter))); + rvl.emplace_back(make_intrusive(GetTimeFromAsn1(next_update, GetFile(), reporter))); else - rvl.emplace_back(zeek::make_intrusive(0.0)); + rvl.emplace_back(make_intrusive(0.0)); if ( ocsp_response_certificate ) - zeek::event_mgr.Enqueue(ocsp_response_certificate, std::move(rvl)); + event_mgr.Enqueue(ocsp_response_certificate, std::move(rvl)); num_ext = OCSP_SINGLERESP_get_ext_count(single_resp); for ( int k = 0; k < num_ext; ++k ) @@ -610,7 +610,7 @@ void OCSP::ParseResponse(OCSP_RESPONSE *resp) #if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER) i2a_ASN1_OBJECT(bio, basic_resp->signatureAlgorithm->algorithm); len = BIO_read(bio, buf, sizeof(buf)); - vl.emplace_back(zeek::make_intrusive(len, buf)); + vl.emplace_back(make_intrusive(len, buf)); BIO_reset(bio); #else vl.emplace_back(parse_basic_resp_sig_alg(basic_resp, bio, buf, sizeof(buf))); @@ -618,11 +618,11 @@ void OCSP::ParseResponse(OCSP_RESPONSE *resp) //i2a_ASN1_OBJECT(bio, basic_resp->signature); //len = BIO_read(bio, buf, sizeof(buf)); - //ocsp_resp_record->Assign(7, zeek::make_intrusive(len, buf)); + //ocsp_resp_record->Assign(7, make_intrusive(len, buf)); //BIO_reset(bio); - certs_vector = new zeek::VectorVal(zeek::id::find_type("x509_opaque_vector")); - vl.emplace_back(zeek::AdoptRef{}, certs_vector); + certs_vector = new VectorVal(id::find_type("x509_opaque_vector")); + vl.emplace_back(AdoptRef{}, certs_vector); #if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER) certs = basic_resp->certs; @@ -638,14 +638,14 @@ void OCSP::ParseResponse(OCSP_RESPONSE *resp) ::X509 *this_cert = X509_dup(helper_sk_X509_value(certs, i)); //::X509 *this_cert = X509_dup(sk_X509_value(certs, i)); if (this_cert) - certs_vector->Assign(i, zeek::make_intrusive(this_cert)); + certs_vector->Assign(i, make_intrusive(this_cert)); else - zeek::reporter->Weird("OpenSSL returned null certificate"); + reporter->Weird("OpenSSL returned null certificate"); } } if ( ocsp_response_bytes ) - zeek::event_mgr.Enqueue(ocsp_response_bytes, std::move(vl)); + event_mgr.Enqueue(ocsp_response_bytes, std::move(vl)); // ok, now that we are done with the actual certificate - let's parse extensions :) num_ext = OCSP_BASICRESP_get_ext_count(basic_resp); diff --git a/src/file_analysis/analyzer/x509/OCSP.h b/src/file_analysis/analyzer/x509/OCSP.h index 7319620a22..56da14c1a6 100644 --- a/src/file_analysis/analyzer/x509/OCSP.h +++ b/src/file_analysis/analyzer/x509/OCSP.h @@ -11,19 +11,19 @@ ZEEK_FORWARD_DECLARE_NAMESPACED(File, zeek, file_analysis); namespace zeek::file_analysis::detail { -class OCSP : public zeek::file_analysis::detail::X509Common { +class OCSP : public file_analysis::detail::X509Common { public: bool DeliverStream(const u_char* data, uint64_t len) override; bool Undelivered(uint64_t offset, uint64_t len) override; bool EndOfFile() override; - static zeek::file_analysis::Analyzer* InstantiateRequest(zeek::RecordValPtr args, - zeek::file_analysis::File* file); - static zeek::file_analysis::Analyzer* InstantiateReply(zeek::RecordValPtr args, - zeek::file_analysis::File* file); + static file_analysis::Analyzer* InstantiateRequest(RecordValPtr args, + file_analysis::File* file); + static file_analysis::Analyzer* InstantiateReply(RecordValPtr args, + file_analysis::File* file); protected: - OCSP(zeek::RecordValPtr args, zeek::file_analysis::File* file, bool request); + OCSP(RecordValPtr args, file_analysis::File* file, bool request); private: void ParseResponse(OCSP_RESPONSE*); diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc index 25e289f953..63a0c7055f 100644 --- a/src/file_analysis/analyzer/x509/X509.cc +++ b/src/file_analysis/analyzer/x509/X509.cc @@ -23,8 +23,8 @@ namespace zeek::file_analysis::detail { -X509::X509(zeek::RecordValPtr args, zeek::file_analysis::File* file) - : X509Common::X509Common(zeek::file_mgr->GetComponentTag("X509"), +X509::X509(RecordValPtr args, file_analysis::File* file) + : X509Common::X509Common(file_mgr->GetComponentTag("X509"), std::move(args), file) { cert_data.clear(); @@ -53,7 +53,7 @@ bool X509::EndOfFile() zeek::detail::hash_update(ctx, cert_char, cert_data.size()); zeek::detail::hash_final(ctx, buf); std::string cert_sha256 = zeek::detail::sha256_digest_print(buf); - auto index = zeek::make_intrusive(cert_sha256); + auto index = make_intrusive(cert_sha256); const auto& entry = certificate_cache->Find(index); if ( entry ) @@ -65,7 +65,7 @@ bool X509::EndOfFile() // yup, let's call the callback. cache_hit_callback->Invoke(GetFile()->ToVal(), entry, - zeek::make_intrusive(cert_sha256)); + make_intrusive(cert_sha256)); return false; } } @@ -75,7 +75,7 @@ bool X509::EndOfFile() ::X509* ssl_cert = d2i_X509(NULL, &cert_char, cert_data.size()); if ( ! ssl_cert ) { - zeek::reporter->Weird(GetFile(), "x509_cert_parse_error"); + reporter->Weird(GetFile(), "x509_cert_parse_error"); return false; } @@ -86,10 +86,10 @@ bool X509::EndOfFile() // and send the record on to scriptland if ( x509_certificate ) - zeek::event_mgr.Enqueue(x509_certificate, - GetFile()->ToVal(), - zeek::IntrusivePtr{zeek::NewRef{}, cert_val}, - cert_record); + event_mgr.Enqueue(x509_certificate, + GetFile()->ToVal(), + IntrusivePtr{NewRef{}, cert_val}, + cert_record); // after parsing the certificate - parse the extensions... @@ -113,26 +113,26 @@ bool X509::EndOfFile() return false; } -zeek::RecordValPtr X509::ParseCertificate(X509Val* cert_val, - zeek::file_analysis::File* f) +RecordValPtr X509::ParseCertificate(X509Val* cert_val, + file_analysis::File* f) { ::X509* ssl_cert = cert_val->GetCertificate(); char buf[2048]; // we need a buffer for some of the openssl functions memset(buf, 0, sizeof(buf)); - auto pX509Cert = zeek::make_intrusive(zeek::BifType::Record::X509::Certificate); + auto pX509Cert = make_intrusive(BifType::Record::X509::Certificate); BIO *bio = BIO_new(BIO_s_mem()); - pX509Cert->Assign(0, zeek::val_mgr->Count((uint64_t) X509_get_version(ssl_cert) + 1)); + pX509Cert->Assign(0, val_mgr->Count((uint64_t) X509_get_version(ssl_cert) + 1)); i2a_ASN1_INTEGER(bio, X509_get_serialNumber(ssl_cert)); int len = BIO_read(bio, buf, sizeof(buf)); - pX509Cert->Assign(1, zeek::make_intrusive(len, buf)); + pX509Cert->Assign(1, make_intrusive(len, buf)); BIO_reset(bio); X509_NAME_print_ex(bio, X509_get_subject_name(ssl_cert), 0, XN_FLAG_RFC2253); len = BIO_gets(bio, buf, sizeof(buf)); - pX509Cert->Assign(2, zeek::make_intrusive(len, buf)); + pX509Cert->Assign(2, make_intrusive(len, buf)); BIO_reset(bio); X509_NAME *subject_name = X509_get_subject_name(ssl_cert); @@ -152,17 +152,17 @@ zeek::RecordValPtr X509::ParseCertificate(X509Val* cert_val, // we found a common name ASN1_STRING_print(bio, X509_NAME_ENTRY_get_data(X509_NAME_get_entry(subject_name, namepos))); len = BIO_gets(bio, buf, sizeof(buf)); - pX509Cert->Assign(4, zeek::make_intrusive(len, buf)); + pX509Cert->Assign(4, make_intrusive(len, buf)); BIO_reset(bio); } X509_NAME_print_ex(bio, X509_get_issuer_name(ssl_cert), 0, XN_FLAG_RFC2253); len = BIO_gets(bio, buf, sizeof(buf)); - pX509Cert->Assign(3, zeek::make_intrusive(len, buf)); + pX509Cert->Assign(3, make_intrusive(len, buf)); BIO_free(bio); - pX509Cert->Assign(5, zeek::make_intrusive(GetTimeFromAsn1(X509_get_notBefore(ssl_cert), f, zeek::reporter))); - pX509Cert->Assign(6, zeek::make_intrusive(GetTimeFromAsn1(X509_get_notAfter(ssl_cert), f, zeek::reporter))); + pX509Cert->Assign(5, make_intrusive(GetTimeFromAsn1(X509_get_notBefore(ssl_cert), f, reporter))); + pX509Cert->Assign(6, make_intrusive(GetTimeFromAsn1(X509_get_notAfter(ssl_cert), f, reporter))); // we only read 255 bytes because byte 256 is always 0. // if the string is longer than 255, that will be our null-termination, @@ -172,7 +172,7 @@ zeek::RecordValPtr X509::ParseCertificate(X509Val* cert_val, if ( ! i2t_ASN1_OBJECT(buf, 255, algorithm) ) buf[0] = 0; - pX509Cert->Assign(7, zeek::make_intrusive(buf)); + pX509Cert->Assign(7, make_intrusive(buf)); // Special case for RDP server certificates. For some reason some (all?) RDP server // certificates like to specify their key algorithm as md5WithRSAEncryption, which @@ -194,25 +194,25 @@ zeek::RecordValPtr X509::ParseCertificate(X509Val* cert_val, if ( ! i2t_ASN1_OBJECT(buf, 255, OBJ_nid2obj(X509_get_signature_nid(ssl_cert))) ) buf[0] = 0; - pX509Cert->Assign(8, zeek::make_intrusive(buf)); + pX509Cert->Assign(8, make_intrusive(buf)); // Things we can do when we have the key... EVP_PKEY *pkey = X509_extract_key(ssl_cert); if ( pkey != NULL ) { if ( EVP_PKEY_base_id(pkey) == EVP_PKEY_DSA ) - pX509Cert->Assign(9, zeek::make_intrusive("dsa")); + pX509Cert->Assign(9, make_intrusive("dsa")); else if ( EVP_PKEY_base_id(pkey) == EVP_PKEY_RSA ) { - pX509Cert->Assign(9, zeek::make_intrusive("rsa")); + pX509Cert->Assign(9, make_intrusive("rsa")); const BIGNUM *e; RSA_get0_key(EVP_PKEY_get0_RSA(pkey), NULL, &e, NULL); char *exponent = BN_bn2dec(e); if ( exponent != NULL ) { - pX509Cert->Assign(11, zeek::make_intrusive(exponent)); + pX509Cert->Assign(11, make_intrusive(exponent)); OPENSSL_free(exponent); exponent = NULL; } @@ -220,7 +220,7 @@ zeek::RecordValPtr X509::ParseCertificate(X509Val* cert_val, #ifndef OPENSSL_NO_EC else if ( EVP_PKEY_base_id(pkey) == EVP_PKEY_EC ) { - pX509Cert->Assign(9, zeek::make_intrusive("ecdsa")); + pX509Cert->Assign(9, make_intrusive("ecdsa")); pX509Cert->Assign(12, KeyCurve(pkey)); } #endif @@ -232,7 +232,7 @@ zeek::RecordValPtr X509::ParseCertificate(X509Val* cert_val, unsigned int length = KeyLength(pkey); if ( length > 0 ) - pX509Cert->Assign(10, zeek::val_mgr->Count(length)); + pX509Cert->Assign(10, val_mgr->Count(length)); EVP_PKEY_free(pkey); } @@ -241,7 +241,7 @@ zeek::RecordValPtr X509::ParseCertificate(X509Val* cert_val, return pX509Cert; } -X509_STORE* X509::GetRootStore(zeek::TableVal* root_certs) +X509_STORE* X509::GetRootStore(TableVal* root_certs) { // If this certificate store was built previously, just reuse the old one. if ( x509_stores.count(root_certs) > 0 ) @@ -255,13 +255,13 @@ X509_STORE* X509::GetRootStore(zeek::TableVal* root_certs) { const auto& key = idxs->Idx(i); auto val = root_certs->FindOrDefault(key); - zeek::StringVal* sv = val->AsStringVal(); + StringVal* sv = val->AsStringVal(); assert(sv); const uint8_t* data = sv->Bytes(); ::X509* x = d2i_X509(NULL, &data, sv->Len()); if ( ! x ) { - zeek::emit_builtin_error(zeek::util::fmt("Root CA error: %s", ERR_error_string(ERR_get_error(), NULL))); + emit_builtin_error(util::fmt("Root CA error: %s", ERR_error_string(ERR_get_error(), NULL))); return nullptr; } @@ -291,15 +291,15 @@ void X509::ParseBasicConstraints(X509_EXTENSION* ex) { if ( x509_ext_basic_constraints ) { - auto pBasicConstraint = zeek::make_intrusive(zeek::BifType::Record::X509::BasicConstraints); - pBasicConstraint->Assign(0, zeek::val_mgr->Bool(constr->ca)); + auto pBasicConstraint = make_intrusive(BifType::Record::X509::BasicConstraints); + pBasicConstraint->Assign(0, val_mgr->Bool(constr->ca)); if ( constr->pathlen ) - pBasicConstraint->Assign(1, zeek::val_mgr->Count((int32_t) ASN1_INTEGER_get(constr->pathlen))); + pBasicConstraint->Assign(1, val_mgr->Count((int32_t) ASN1_INTEGER_get(constr->pathlen))); - zeek::event_mgr.Enqueue(x509_ext_basic_constraints, - GetFile()->ToVal(), - std::move(pBasicConstraint) + event_mgr.Enqueue(x509_ext_basic_constraints, + GetFile()->ToVal(), + std::move(pBasicConstraint) ); } @@ -307,7 +307,7 @@ void X509::ParseBasicConstraints(X509_EXTENSION* ex) } else - zeek::reporter->Weird(GetFile(), "x509_invalid_basic_constraint"); + reporter->Weird(GetFile(), "x509_invalid_basic_constraint"); } void X509::ParseExtensionsSpecific(X509_EXTENSION* ex, bool global, ASN1_OBJECT* ext_asn, const char* oid) @@ -337,14 +337,14 @@ void X509::ParseSAN(X509_EXTENSION* ext) GENERAL_NAMES *altname = (GENERAL_NAMES*)X509V3_EXT_d2i(ext); if ( ! altname ) { - zeek::reporter->Weird(GetFile(), "x509_san_parse_error"); + reporter->Weird(GetFile(), "x509_san_parse_error"); return; } - zeek::VectorValPtr names; - zeek::VectorValPtr emails; - zeek::VectorValPtr uris; - zeek::VectorValPtr ips; + VectorValPtr names; + VectorValPtr emails; + VectorValPtr uris; + VectorValPtr ips; bool otherfields = false; @@ -357,7 +357,7 @@ void X509::ParseSAN(X509_EXTENSION* ext) { if ( ASN1_STRING_type(gen->d.ia5) != V_ASN1_IA5STRING ) { - zeek::reporter->Weird(GetFile(), "x509_san_non_string"); + reporter->Weird(GetFile(), "x509_san_non_string"); continue; } @@ -366,27 +366,27 @@ void X509::ParseSAN(X509_EXTENSION* ext) #else const char* name = (const char*) ASN1_STRING_get0_data(gen->d.ia5); #endif - auto bs = zeek::make_intrusive(name); + auto bs = make_intrusive(name); switch ( gen->type ) { case GEN_DNS: if ( names == nullptr ) - names = zeek::make_intrusive(zeek::id::string_vec); + names = make_intrusive(id::string_vec); names->Assign(names->Size(), std::move(bs)); break; case GEN_URI: if ( uris == nullptr ) - uris = zeek::make_intrusive(zeek::id::string_vec); + uris = make_intrusive(id::string_vec); uris->Assign(uris->Size(), std::move(bs)); break; case GEN_EMAIL: if ( emails == nullptr ) - emails = zeek::make_intrusive(zeek::id::string_vec); + emails = make_intrusive(id::string_vec); emails->Assign(emails->Size(), std::move(bs)); break; @@ -396,33 +396,33 @@ void X509::ParseSAN(X509_EXTENSION* ext) else if ( gen->type == GEN_IPADD ) { if ( ips == nullptr ) - ips = zeek::make_intrusive(zeek::id::find_type("addr_vec")); + ips = make_intrusive(id::find_type("addr_vec")); uint32_t* addr = (uint32_t*) gen->d.ip->data; if( gen->d.ip->length == 4 ) - ips->Assign(ips->Size(), zeek::make_intrusive(*addr)); + ips->Assign(ips->Size(), make_intrusive(*addr)); else if ( gen->d.ip->length == 16 ) - ips->Assign(ips->Size(), zeek::make_intrusive(addr)); + ips->Assign(ips->Size(), make_intrusive(addr)); else { - zeek::reporter->Weird(GetFile(), "x509_san_ip_length", zeek::util::fmt("%d", gen->d.ip->length)); + reporter->Weird(GetFile(), "x509_san_ip_length", util::fmt("%d", gen->d.ip->length)); continue; } } else { - // zeek::reporter->Error("Subject alternative name contained unsupported fields. fuid %s", GetFile()->GetID().c_str()); + // reporter->Error("Subject alternative name contained unsupported fields. fuid %s", GetFile()->GetID().c_str()); // This happens quite often - just mark it otherfields = true; continue; } } - auto sanExt = zeek::make_intrusive(zeek::BifType::Record::X509::SubjectAlternativeName); + auto sanExt = make_intrusive(BifType::Record::X509::SubjectAlternativeName); if ( names != nullptr ) sanExt->Assign(0, names); @@ -436,15 +436,15 @@ void X509::ParseSAN(X509_EXTENSION* ext) if ( ips != nullptr ) sanExt->Assign(3, ips); - sanExt->Assign(4, zeek::val_mgr->Bool(otherfields)); + sanExt->Assign(4, val_mgr->Bool(otherfields)); - zeek::event_mgr.Enqueue(x509_ext_subject_alternative_name, + event_mgr.Enqueue(x509_ext_subject_alternative_name, GetFile()->ToVal(), std::move(sanExt)); GENERAL_NAMES_free(altname); } -zeek::StringValPtr X509::KeyCurve(EVP_PKEY* key) +StringValPtr X509::KeyCurve(EVP_PKEY* key) { assert(key != nullptr); @@ -473,7 +473,7 @@ zeek::StringValPtr X509::KeyCurve(EVP_PKEY* key) if ( curve_name == nullptr ) return nullptr; - return zeek::make_intrusive(curve_name); + return make_intrusive(curve_name); #endif } @@ -525,7 +525,7 @@ unsigned int X509::KeyLength(EVP_PKEY *key) return 0; // unknown public key type } - zeek::reporter->InternalError("cannot be reached"); + reporter->InternalError("cannot be reached"); } X509Val::X509Val(::X509* arg_certificate) : OpaqueVal(x509_opaque_type) @@ -544,9 +544,9 @@ X509Val::~X509Val() X509_free(certificate); } -zeek::ValPtr X509Val::DoClone(CloneState* state) +ValPtr X509Val::DoClone(CloneState* state) { - auto copy = zeek::make_intrusive(); + auto copy = make_intrusive(); if ( certificate ) copy->certificate = X509_dup(certificate); diff --git a/src/file_analysis/analyzer/x509/X509.h b/src/file_analysis/analyzer/x509/X509.h index 1bfd43f92d..f1874f6534 100644 --- a/src/file_analysis/analyzer/x509/X509.h +++ b/src/file_analysis/analyzer/x509/X509.h @@ -67,7 +67,7 @@ namespace zeek::file_analysis::detail { class X509Val; -class X509 : public zeek::file_analysis::detail::X509Common { +class X509 : public file_analysis::detail::X509Common { public: bool DeliverStream(const u_char* data, uint64_t len) override; bool Undelivered(uint64_t offset, uint64_t len) override; @@ -86,10 +86,10 @@ public: * @param Returns the new record value and passes ownership to * caller. */ - static zeek::RecordValPtr ParseCertificate(X509Val* cert_val, zeek::file_analysis::File* file = nullptr); + static RecordValPtr ParseCertificate(X509Val* cert_val, file_analysis::File* file = nullptr); - static zeek::file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args, - zeek::file_analysis::File* file) + static file_analysis::Analyzer* Instantiate(RecordValPtr args, + file_analysis::File* file) { return new X509(std::move(args), file); } /** @@ -102,7 +102,7 @@ public: * * @return OpenSSL's X509 store associated with the table value. */ - static X509_STORE* GetRootStore(zeek::TableVal* root_certs); + static X509_STORE* GetRootStore(TableVal* root_certs); /** * Frees memory obtained from OpenSSL that is associated with the global @@ -117,17 +117,17 @@ public: /** * Sets the table[string] that used as the certificate cache inside of Zeek. */ - static void SetCertificateCache(zeek::TableValPtr cache) + static void SetCertificateCache(TableValPtr cache) { certificate_cache = std::move(cache); } /** * Sets the callback when a certificate cache hit is encountered */ - static void SetCertificateCacheHitCallback(zeek::FuncPtr func) + static void SetCertificateCacheHitCallback(FuncPtr func) { cache_hit_callback = std::move(func); } protected: - X509(zeek::RecordValPtr args, zeek::file_analysis::File* file); + X509(RecordValPtr args, file_analysis::File* file); private: void ParseBasicConstraints(X509_EXTENSION* ex); @@ -137,12 +137,12 @@ private: std::string cert_data; // Helpers for ParseCertificate. - static zeek::StringValPtr KeyCurve(EVP_PKEY* key); + static StringValPtr KeyCurve(EVP_PKEY* key); static unsigned int KeyLength(EVP_PKEY *key); /** X509 stores associated with global script-layer values */ - inline static std::map x509_stores = std::map(); - inline static zeek::TableValPtr certificate_cache = nullptr; - inline static zeek::FuncPtr cache_hit_callback = nullptr; + inline static std::map x509_stores = std::map(); + inline static TableValPtr certificate_cache = nullptr; + inline static FuncPtr cache_hit_callback = nullptr; }; /** @@ -152,7 +152,7 @@ private: * script-land. Otherwise, we cannot verify certificates from Bro * scriptland */ -class X509Val : public zeek::OpaqueVal { +class X509Val : public OpaqueVal { public: /** * Construct an X509Val. @@ -170,7 +170,7 @@ public: * * @return A cloned X509Val. */ - zeek::ValPtr DoClone(CloneState* state) override; + ValPtr DoClone(CloneState* state) override; /** * Destructor. diff --git a/src/file_analysis/analyzer/x509/X509Common.cc b/src/file_analysis/analyzer/x509/X509Common.cc index a35c6aa1ed..c5ff0badd5 100644 --- a/src/file_analysis/analyzer/x509/X509Common.cc +++ b/src/file_analysis/analyzer/x509/X509Common.cc @@ -16,22 +16,22 @@ namespace zeek::file_analysis::detail { -X509Common::X509Common(const zeek::file_analysis::Tag& arg_tag, - zeek::RecordValPtr arg_args, - zeek::file_analysis::File* arg_file) - : zeek::file_analysis::Analyzer(arg_tag, std::move(arg_args), arg_file) +X509Common::X509Common(const file_analysis::Tag& arg_tag, + RecordValPtr arg_args, + file_analysis::File* arg_file) + : file_analysis::Analyzer(arg_tag, std::move(arg_args), arg_file) { } -static void EmitWeird(const char* name, zeek::file_analysis::File* file, const char* addl = "") +static void EmitWeird(const char* name, file_analysis::File* file, const char* addl = "") { if ( file ) - zeek::reporter->Weird(file, name, addl); + reporter->Weird(file, name, addl); else - zeek::reporter->Weird(name); + reporter->Weird(name); } -double X509Common::GetTimeFromAsn1(const ASN1_TIME* atime, zeek::file_analysis::File* f, zeek::Reporter* reporter) +double X509Common::GetTimeFromAsn1(const ASN1_TIME* atime, file_analysis::File* f, Reporter* reporter) { time_t lResult = 0; @@ -206,7 +206,7 @@ void X509Common::ParseSignedCertificateTimestamps(X509_EXTENSION* ext) ASN1_OCTET_STRING* inner = d2i_ASN1_OCTET_STRING(NULL, (const unsigned char**) &ext_val_copy, ext_val->length); if ( !inner ) { - zeek::reporter->Error("X509::ParseSignedCertificateTimestamps could not parse inner octet string"); + reporter->Error("X509::ParseSignedCertificateTimestamps could not parse inner octet string"); return; } @@ -220,7 +220,7 @@ void X509Common::ParseSignedCertificateTimestamps(X509_EXTENSION* ext) catch( const binpac::Exception& e ) { // throw a warning or sth - zeek::reporter->Error("X509::ParseSignedCertificateTimestamps could not parse SCT"); + reporter->Error("X509::ParseSignedCertificateTimestamps could not parse SCT"); } ASN1_OCTET_STRING_free(inner); @@ -232,7 +232,7 @@ void X509Common::ParseSignedCertificateTimestamps(X509_EXTENSION* ext) delete conn; } -void X509Common::ParseExtension(X509_EXTENSION* ex, const zeek::EventHandlerPtr& h, bool global) +void X509Common::ParseExtension(X509_EXTENSION* ex, const EventHandlerPtr& h, bool global) { char name[256]; char oid[256]; @@ -269,16 +269,16 @@ void X509Common::ParseExtension(X509_EXTENSION* ex, const zeek::EventHandlerPtr& } if ( ! ext_val ) - ext_val = zeek::make_intrusive(0, ""); + ext_val = make_intrusive(0, ""); - auto pX509Ext = zeek::make_intrusive(zeek::BifType::Record::X509::Extension); - pX509Ext->Assign(0, zeek::make_intrusive(name)); + auto pX509Ext = make_intrusive(BifType::Record::X509::Extension); + pX509Ext->Assign(0, make_intrusive(name)); if ( short_name and strlen(short_name) > 0 ) - pX509Ext->Assign(1, zeek::make_intrusive(short_name)); + pX509Ext->Assign(1, make_intrusive(short_name)); - pX509Ext->Assign(2, zeek::make_intrusive(oid)); - pX509Ext->Assign(3, zeek::val_mgr->Bool(critical)); + pX509Ext->Assign(2, make_intrusive(oid)); + pX509Ext->Assign(3, val_mgr->Bool(critical)); pX509Ext->Assign(4, ext_val); // send off generic extension event @@ -289,17 +289,17 @@ void X509Common::ParseExtension(X509_EXTENSION* ex, const zeek::EventHandlerPtr& // but I am not sure if there is a better way to do it... if ( h == ocsp_extension ) - zeek::event_mgr.Enqueue(h, GetFile()->ToVal(), - std::move(pX509Ext), - zeek::val_mgr->Bool(global)); + event_mgr.Enqueue(h, GetFile()->ToVal(), + std::move(pX509Ext), + val_mgr->Bool(global)); else - zeek::event_mgr.Enqueue(h, GetFile()->ToVal(), std::move(pX509Ext)); + event_mgr.Enqueue(h, GetFile()->ToVal(), std::move(pX509Ext)); // let individual analyzers parse more. ParseExtensionsSpecific(ex, global, ext_asn, oid); } -zeek::StringValPtr X509Common::GetExtensionFromBIO(BIO* bio, zeek::file_analysis::File* f) +StringValPtr X509Common::GetExtensionFromBIO(BIO* bio, file_analysis::File* f) { BIO_flush(bio); ERR_clear_error(); @@ -317,7 +317,7 @@ zeek::StringValPtr X509Common::GetExtensionFromBIO(BIO* bio, zeek::file_analysis if ( length == 0 ) { BIO_free_all(bio); - return zeek::val_mgr->EmptyString(); + return val_mgr->EmptyString(); } char* buffer = (char*) malloc(length); @@ -326,13 +326,13 @@ zeek::StringValPtr X509Common::GetExtensionFromBIO(BIO* bio, zeek::file_analysis { // Just emit an error here and try to continue instead of aborting // because it's unclear the length value is very reliable. - zeek::reporter->Error("X509::GetExtensionFromBIO malloc(%d) failed", length); + reporter->Error("X509::GetExtensionFromBIO malloc(%d) failed", length); BIO_free_all(bio); return nullptr; } BIO_read(bio, (void*) buffer, length); - auto ext_val = zeek::make_intrusive(length, buffer); + auto ext_val = make_intrusive(length, buffer); free(buffer); BIO_free_all(bio); diff --git a/src/file_analysis/analyzer/x509/X509Common.h b/src/file_analysis/analyzer/x509/X509Common.h index 58181f9670..fe51446094 100644 --- a/src/file_analysis/analyzer/x509/X509Common.h +++ b/src/file_analysis/analyzer/x509/X509Common.h @@ -18,12 +18,12 @@ ZEEK_FORWARD_DECLARE_NAMESPACED(Tag, zeek, file_analysis); namespace zeek { template class IntrusivePtr; -using StringValPtr = zeek::IntrusivePtr; +using StringValPtr = IntrusivePtr; } namespace zeek::file_analysis::detail { -class X509Common : public zeek::file_analysis::Analyzer { +class X509Common : public file_analysis::Analyzer { public: ~X509Common() override {}; @@ -38,22 +38,22 @@ public: * * @return The X509 extension value. */ - static zeek::StringValPtr GetExtensionFromBIO(BIO* bio, zeek::file_analysis::File* f = nullptr); + static StringValPtr GetExtensionFromBIO(BIO* bio, file_analysis::File* f = nullptr); - static double GetTimeFromAsn1(const ASN1_TIME* atime, zeek::file_analysis::File* f, - zeek::Reporter* reporter); + static double GetTimeFromAsn1(const ASN1_TIME* atime, file_analysis::File* f, + Reporter* reporter); protected: - X509Common(const zeek::file_analysis::Tag& arg_tag, - zeek::RecordValPtr arg_args, - zeek::file_analysis::File* arg_file); + X509Common(const file_analysis::Tag& arg_tag, + RecordValPtr arg_args, + file_analysis::File* arg_file); - void ParseExtension(X509_EXTENSION* ex, const zeek::EventHandlerPtr& h, bool global); + void ParseExtension(X509_EXTENSION* ex, const EventHandlerPtr& h, bool global); void ParseSignedCertificateTimestamps(X509_EXTENSION* ext); virtual void ParseExtensionsSpecific(X509_EXTENSION* ex, bool, ASN1_OBJECT*, const char*) = 0; }; -} // namespace zeek:file_analysis +} // namespace zeek::file_analysis namespace file_analysis { diff --git a/src/input/readers/ascii/Ascii.cc b/src/input/readers/ascii/Ascii.cc index 5330ffb4a7..df7aedac83 100644 --- a/src/input/readers/ascii/Ascii.cc +++ b/src/input/readers/ascii/Ascii.cc @@ -18,16 +18,16 @@ using zeek::threading::Field; namespace zeek::input::reader::detail { -FieldMapping::FieldMapping(const string& arg_name, const zeek::TypeTag& arg_type, int arg_position) - : name(arg_name), type(arg_type), subtype(zeek::TYPE_ERROR) +FieldMapping::FieldMapping(const string& arg_name, const TypeTag& arg_type, int arg_position) + : name(arg_name), type(arg_type), subtype(TYPE_ERROR) { position = arg_position; secondary_position = -1; present = true; } -FieldMapping::FieldMapping(const string& arg_name, const zeek::TypeTag& arg_type, - const zeek::TypeTag& arg_subtype, int arg_position) +FieldMapping::FieldMapping(const string& arg_name, const TypeTag& arg_type, + const TypeTag& arg_subtype, int arg_position) : name(arg_name), type(arg_type), subtype(arg_subtype) { position = arg_position; @@ -47,7 +47,7 @@ FieldMapping FieldMapping::subType() return FieldMapping(name, subtype, position); } -Ascii::Ascii(zeek::input::ReaderFrontend *frontend) : zeek::input::ReaderBackend(frontend) +Ascii::Ascii(ReaderFrontend *frontend) : ReaderBackend(frontend) { mtime = 0; ino = 0; @@ -67,23 +67,23 @@ bool Ascii::DoInit(const ReaderInfo& info, int num_fields, const Field* const* f { StopWarningSuppression(); - separator.assign( (const char*) zeek::BifConst::InputAscii::separator->Bytes(), - zeek::BifConst::InputAscii::separator->Len()); + separator.assign( (const char*) BifConst::InputAscii::separator->Bytes(), + BifConst::InputAscii::separator->Len()); - set_separator.assign( (const char*) zeek::BifConst::InputAscii::set_separator->Bytes(), - zeek::BifConst::InputAscii::set_separator->Len()); + set_separator.assign( (const char*) BifConst::InputAscii::set_separator->Bytes(), + BifConst::InputAscii::set_separator->Len()); - empty_field.assign( (const char*) zeek::BifConst::InputAscii::empty_field->Bytes(), - zeek::BifConst::InputAscii::empty_field->Len()); + empty_field.assign( (const char*) BifConst::InputAscii::empty_field->Bytes(), + BifConst::InputAscii::empty_field->Len()); - unset_field.assign( (const char*) zeek::BifConst::InputAscii::unset_field->Bytes(), - zeek::BifConst::InputAscii::unset_field->Len()); + unset_field.assign( (const char*) BifConst::InputAscii::unset_field->Bytes(), + BifConst::InputAscii::unset_field->Len()); - fail_on_invalid_lines = zeek::BifConst::InputAscii::fail_on_invalid_lines; - fail_on_file_problem = zeek::BifConst::InputAscii::fail_on_file_problem; + fail_on_invalid_lines = BifConst::InputAscii::fail_on_invalid_lines; + fail_on_file_problem = BifConst::InputAscii::fail_on_file_problem; - path_prefix.assign((const char*) zeek::BifConst::InputAscii::path_prefix->Bytes(), - zeek::BifConst::InputAscii::path_prefix->Len()); + path_prefix.assign((const char*) BifConst::InputAscii::path_prefix->Bytes(), + BifConst::InputAscii::path_prefix->Len()); // Set per-filter configuration options. for ( ReaderInfo::config_map::const_iterator i = info.config.begin(); i != info.config.end(); i++ ) @@ -113,8 +113,8 @@ bool Ascii::DoInit(const ReaderInfo& info, int num_fields, const Field* const* f if ( set_separator.size() != 1 ) Error("set_separator length has to be 1. Separator will be truncated."); - zeek::threading::formatter::Ascii::SeparatorInfo sep_info(separator, set_separator, unset_field, empty_field); - formatter = unique_ptr(new zeek::threading::formatter::Ascii(this, sep_info)); + threading::formatter::Ascii::SeparatorInfo sep_info(separator, set_separator, unset_field, empty_field); + formatter = unique_ptr(new threading::formatter::Ascii(this, sep_info)); return DoUpdate(); } @@ -274,7 +274,7 @@ bool Ascii::DoUpdate() return ! fail_on_file_problem; switch ( Info().mode ) { - case zeek::input::MODE_REREAD: + case MODE_REREAD: { // check if the file has changed struct stat sb; @@ -301,14 +301,14 @@ bool Ascii::DoUpdate() // File changed. Fall through to re-read. } - case zeek::input::MODE_MANUAL: - case zeek::input::MODE_STREAM: + case MODE_MANUAL: + case MODE_STREAM: { // dirty, fix me. (well, apparently after trying seeking, etc // - this is not that bad) if ( file.is_open() ) { - if ( Info().mode == zeek::input::MODE_STREAM ) + if ( Info().mode == MODE_STREAM ) { file.clear(); // remove end of file evil bits if ( ! ReadHeader(true) ) @@ -407,7 +407,7 @@ bool Ascii::DoUpdate() if ( (*fit).secondary_position != -1 ) { // we have a port definition :) - assert(val->type == zeek::TYPE_PORT ); + assert(val->type == TYPE_PORT ); // Error(Fmt("Got type %d != PORT with secondary position!", val->type)); val->val.port_val.proto = formatter->ParseProto(stringfields[(*fit).secondary_position]); @@ -434,13 +434,13 @@ bool Ascii::DoUpdate() //printf("fpos: %d, second.num_fields: %d\n", fpos, (*it).second.num_fields); assert ( fpos == NumFields() ); - if ( Info().mode == zeek::input::MODE_STREAM ) + if ( Info().mode == MODE_STREAM ) Put(fields); else SendEntry(fields); } - if ( Info().mode != zeek::input::MODE_STREAM ) + if ( Info().mode != MODE_STREAM ) EndCurrentSend(); return true; @@ -453,12 +453,12 @@ bool Ascii::DoHeartbeat(double network_time, double current_time) switch ( Info().mode ) { - case zeek::input::MODE_MANUAL: + case MODE_MANUAL: // yay, we do nothing :) break; - case zeek::input::MODE_REREAD: - case zeek::input::MODE_STREAM: + case MODE_REREAD: + case MODE_STREAM: Update(); // Call Update, not DoUpdate, because Update // checks the "disabled" flag. break; diff --git a/src/input/readers/ascii/Ascii.h b/src/input/readers/ascii/Ascii.h index 88460b9080..7a225a469c 100644 --- a/src/input/readers/ascii/Ascii.h +++ b/src/input/readers/ascii/Ascii.h @@ -16,14 +16,14 @@ namespace zeek::input::reader::detail { // Description for input field mapping. struct FieldMapping { std::string name; - zeek::TypeTag type; - zeek::TypeTag subtype; // internal type for sets and vectors + TypeTag type; + TypeTag subtype; // internal type for sets and vectors int position; int secondary_position; // for ports: pos of the second field bool present; - FieldMapping(const std::string& arg_name, const zeek::TypeTag& arg_type, int arg_position); - FieldMapping(const std::string& arg_name, const zeek::TypeTag& arg_type, const zeek::TypeTag& arg_subtype, int arg_position); + FieldMapping(const std::string& arg_name, const TypeTag& arg_type, int arg_position); + FieldMapping(const std::string& arg_name, const TypeTag& arg_type, const TypeTag& arg_subtype, int arg_position); FieldMapping(const FieldMapping& arg); FieldMapping() { position = -1; secondary_position = -1; } @@ -34,9 +34,9 @@ struct FieldMapping { /** * Reader for structured ASCII files. */ -class Ascii : public zeek::input::ReaderBackend { +class Ascii : public ReaderBackend { public: - explicit Ascii(zeek::input::ReaderFrontend* frontend); + explicit Ascii(ReaderFrontend* frontend); ~Ascii() override; // prohibit copying and moving @@ -45,7 +45,7 @@ public: Ascii& operator=(const Ascii&) = delete; Ascii& operator=(Ascii&&) = delete; - static zeek::input::ReaderBackend* Instantiate(zeek::input::ReaderFrontend* frontend) { return new Ascii(frontend); } + static ReaderBackend* Instantiate(ReaderFrontend* frontend) { return new Ascii(frontend); } protected: bool DoInit(const ReaderInfo& info, int arg_num_fields, const threading::Field* const* fields) override; @@ -82,7 +82,7 @@ private: bool fail_on_file_problem; std::string path_prefix; - std::unique_ptr formatter; + std::unique_ptr formatter; }; } // namespace zeek::input::reader::detail diff --git a/src/input/readers/benchmark/Benchmark.cc b/src/input/readers/benchmark/Benchmark.cc index 6b25c9c350..5e0d8b2ecf 100644 --- a/src/input/readers/benchmark/Benchmark.cc +++ b/src/input/readers/benchmark/Benchmark.cc @@ -16,20 +16,20 @@ using threading::Field; namespace zeek::input::reader::detail { -Benchmark::Benchmark(zeek::input::ReaderFrontend *frontend) : zeek::input::ReaderBackend(frontend) +Benchmark::Benchmark(ReaderFrontend *frontend) : ReaderBackend(frontend) { num_lines = 0; - multiplication_factor = double(zeek::BifConst::InputBenchmark::factor); - autospread = double(zeek::BifConst::InputBenchmark::autospread); - spread = int(zeek::BifConst::InputBenchmark::spread); - add = int(zeek::BifConst::InputBenchmark::addfactor); + multiplication_factor = double(BifConst::InputBenchmark::factor); + autospread = double(BifConst::InputBenchmark::autospread); + spread = int(BifConst::InputBenchmark::spread); + add = int(BifConst::InputBenchmark::addfactor); autospread_time = 0; - stopspreadat = int(zeek::BifConst::InputBenchmark::stopspreadat); - timedspread = double(zeek::BifConst::InputBenchmark::timedspread); + stopspreadat = int(BifConst::InputBenchmark::stopspreadat); + timedspread = double(BifConst::InputBenchmark::timedspread); heartbeatstarttime = 0; - heartbeat_interval = double(zeek::BifConst::Threading::heartbeat_interval); + heartbeat_interval = double(BifConst::Threading::heartbeat_interval); - ascii = new zeek::threading::formatter::Ascii(this, zeek::threading::formatter::Ascii::SeparatorInfo()); + ascii = new threading::formatter::Ascii(this, threading::formatter::Ascii::SeparatorInfo()); } Benchmark::~Benchmark() @@ -43,7 +43,7 @@ void Benchmark::DoClose() { } -bool Benchmark::DoInit(const ReaderInfo& info, int num_fields, const zeek::threading::Field* const* fields) +bool Benchmark::DoInit(const ReaderInfo& info, int num_fields, const threading::Field* const* fields) { num_lines = atoi(info.source); @@ -88,11 +88,11 @@ bool Benchmark::DoUpdate() int linestosend = num_lines * heartbeat_interval; for ( int i = 0; i < linestosend; i++ ) { - zeek::threading::Value** field = new zeek::threading::Value*[NumFields()]; + threading::Value** field = new threading::Value*[NumFields()]; for (int j = 0; j < NumFields(); j++ ) field[j] = EntryToVal(Fields()[j]->type, Fields()[j]->subtype); - if ( Info().mode == zeek::input::MODE_STREAM ) + if ( Info().mode == MODE_STREAM ) // do not do tracking, spread out elements over the second that we have... Put(field); else @@ -118,69 +118,69 @@ bool Benchmark::DoUpdate() } - if ( Info().mode != zeek::input::MODE_STREAM ) + if ( Info().mode != MODE_STREAM ) EndCurrentSend(); return true; } -zeek::threading::Value* Benchmark::EntryToVal(zeek::TypeTag type, zeek::TypeTag subtype) +threading::Value* Benchmark::EntryToVal(TypeTag type, TypeTag subtype) { - auto* val = new zeek::threading::Value(type, subtype, true); + auto* val = new threading::Value(type, subtype, true); // basically construct something random from the fields that we want. switch ( type ) { - case zeek::TYPE_ENUM: + case TYPE_ENUM: assert(false); // no enums, please. - case zeek::TYPE_STRING: + case TYPE_STRING: { std::string rnd = RandomString(10); - val->val.string_val.data = zeek::util::copy_string(rnd.c_str()); + val->val.string_val.data = util::copy_string(rnd.c_str()); val->val.string_val.length = rnd.size(); break; } - case zeek::TYPE_BOOL: + case TYPE_BOOL: val->val.int_val = 1; // we never lie. break; - case zeek::TYPE_INT: + case TYPE_INT: val->val.int_val = random(); break; - case zeek::TYPE_TIME: + case TYPE_TIME: val->val.double_val = CurrTime(); break; - case zeek::TYPE_DOUBLE: - case zeek::TYPE_INTERVAL: + case TYPE_DOUBLE: + case TYPE_INTERVAL: val->val.double_val = random(); break; - case zeek::TYPE_COUNT: + case TYPE_COUNT: val->val.uint_val = random(); break; - case zeek::TYPE_PORT: + case TYPE_PORT: val->val.port_val.port = random() / (RAND_MAX / 60000); val->val.port_val.proto = TRANSPORT_UNKNOWN; break; - case zeek::TYPE_SUBNET: + case TYPE_SUBNET: { val->val.subnet_val.prefix = ascii->ParseAddr("192.168.17.1"); val->val.subnet_val.length = 16; } break; - case zeek::TYPE_ADDR: + case TYPE_ADDR: val->val.addr_val = ascii->ParseAddr("192.168.17.1"); break; - case zeek::TYPE_TABLE: - case zeek::TYPE_VECTOR: + case TYPE_TABLE: + case TYPE_VECTOR: // First - common initialization // Then - initialization for table. // Then - initialization for vector. @@ -189,14 +189,14 @@ zeek::threading::Value* Benchmark::EntryToVal(zeek::TypeTag type, zeek::TypeTag // how many entries do we have... unsigned int length = random() / (RAND_MAX / 15); - zeek::threading::Value** lvals = new zeek::threading::Value* [length]; + threading::Value** lvals = new threading::Value* [length]; - if ( type == zeek::TYPE_TABLE ) + if ( type == TYPE_TABLE ) { val->val.set_val.vals = lvals; val->val.set_val.size = length; } - else if ( type == zeek::TYPE_VECTOR ) + else if ( type == TYPE_VECTOR ) { val->val.vector_val.vals = lvals; val->val.vector_val.size = length; @@ -209,7 +209,7 @@ zeek::threading::Value* Benchmark::EntryToVal(zeek::TypeTag type, zeek::TypeTag for ( unsigned int pos = 0; pos < length; pos++ ) { - zeek::threading::Value* newval = EntryToVal(subtype, zeek::TYPE_ENUM); + threading::Value* newval = EntryToVal(subtype, TYPE_ENUM); if ( newval == nullptr ) { Error("Error while reading set"); @@ -241,19 +241,19 @@ bool Benchmark::DoHeartbeat(double network_time, double current_time) heartbeatstarttime = CurrTime(); switch ( Info().mode ) { - case zeek::input::MODE_MANUAL: + case MODE_MANUAL: // yay, we do nothing :) break; - case zeek::input::MODE_REREAD: - case zeek::input::MODE_STREAM: + case MODE_REREAD: + case MODE_STREAM: if ( multiplication_factor != 1 || add != 0 ) { // we have to document at what time we changed the factor to what value. - zeek::threading::Value** v = new zeek::threading::Value*[2]; - v[0] = new zeek::threading::Value(zeek::TYPE_COUNT, true); + threading::Value** v = new threading::Value*[2]; + v[0] = new threading::Value(TYPE_COUNT, true); v[0]->val.uint_val = num_lines; - v[1] = new zeek::threading::Value(zeek::TYPE_TIME, true); + v[1] = new threading::Value(TYPE_TIME, true); v[1]->val.double_val = CurrTime(); SendEvent("lines_changed", 2, v); diff --git a/src/input/readers/benchmark/Benchmark.h b/src/input/readers/benchmark/Benchmark.h index cd0e2c2e30..996fa5a15e 100644 --- a/src/input/readers/benchmark/Benchmark.h +++ b/src/input/readers/benchmark/Benchmark.h @@ -10,12 +10,12 @@ namespace zeek::input::reader::detail { /** * A benchmark reader to measure performance of the input framework. */ -class Benchmark : public zeek::input::ReaderBackend { +class Benchmark : public ReaderBackend { public: - explicit Benchmark(zeek::input::ReaderFrontend* frontend); + explicit Benchmark(ReaderFrontend* frontend); ~Benchmark() override; - static zeek::input::ReaderBackend* Instantiate(zeek::input::ReaderFrontend* frontend) { return new Benchmark(frontend); } + static ReaderBackend* Instantiate(ReaderFrontend* frontend) { return new Benchmark(frontend); } protected: bool DoInit(const ReaderInfo& info, int arg_num_fields, const threading::Field* const* fields) override; @@ -26,7 +26,7 @@ protected: private: double CurrTime(); std::string RandomString(const int len); - threading::Value* EntryToVal(zeek::TypeTag Type, zeek::TypeTag subtype); + threading::Value* EntryToVal(TypeTag Type, TypeTag subtype); int num_lines; double multiplication_factor; @@ -39,7 +39,7 @@ private: double timedspread; double heartbeat_interval; - zeek::threading::formatter::Ascii* ascii; + threading::formatter::Ascii* ascii; }; } // namespace zeek::input::reader diff --git a/src/input/readers/binary/Binary.cc b/src/input/readers/binary/Binary.cc index fa1108c9c0..8fbab7b804 100644 --- a/src/input/readers/binary/Binary.cc +++ b/src/input/readers/binary/Binary.cc @@ -15,12 +15,12 @@ namespace zeek::input::reader::detail { streamsize Binary::chunk_size = 0; -Binary::Binary(zeek::input::ReaderFrontend *frontend) - : zeek::input::ReaderBackend(frontend), in(nullptr), mtime(0), ino(0), firstrun(true) +Binary::Binary(ReaderFrontend *frontend) + : ReaderBackend(frontend), in(nullptr), mtime(0), ino(0), firstrun(true) { if ( ! chunk_size ) { - chunk_size = zeek::BifConst::InputBinary::chunk_size; + chunk_size = BifConst::InputBinary::chunk_size; if ( ! chunk_size ) chunk_size = 1024; @@ -61,7 +61,7 @@ bool Binary::CloseInput() } #ifdef DEBUG - Debug(zeek::DBG_INPUT, "Binary reader starting close"); + Debug(DBG_INPUT, "Binary reader starting close"); #endif in->close(); @@ -69,7 +69,7 @@ bool Binary::CloseInput() in = nullptr; #ifdef DEBUG - Debug(zeek::DBG_INPUT, "Binary reader finished close"); + Debug(DBG_INPUT, "Binary reader finished close"); #endif return true; @@ -83,8 +83,8 @@ bool Binary::DoInit(const ReaderInfo& info, int num_fields, ino = 0; firstrun = true; - path_prefix.assign((const char*) zeek::BifConst::InputBinary::path_prefix->Bytes(), - zeek::BifConst::InputBinary::path_prefix->Len()); + path_prefix.assign((const char*) BifConst::InputBinary::path_prefix->Bytes(), + BifConst::InputBinary::path_prefix->Len()); if ( ! info.source || strlen(info.source) == 0 ) { @@ -100,7 +100,7 @@ bool Binary::DoInit(const ReaderInfo& info, int num_fields, return false; } - if ( fields[0]->type != zeek::TYPE_STRING ) + if ( fields[0]->type != TYPE_STRING ) { Error("Filter for binary reader contains a non-string field."); return false; @@ -130,14 +130,14 @@ bool Binary::DoInit(const ReaderInfo& info, int num_fields, return false; #ifdef DEBUG - Debug(zeek::DBG_INPUT, "Binary reader created, will perform first update"); + Debug(DBG_INPUT, "Binary reader created, will perform first update"); #endif // after initialization - do update DoUpdate(); #ifdef DEBUG - Debug(zeek::DBG_INPUT, "Binary reader did first update"); + Debug(DBG_INPUT, "Binary reader did first update"); #endif return true; @@ -198,7 +198,7 @@ bool Binary::DoUpdate() else { switch ( Info().mode ) { - case zeek::input::MODE_REREAD: + case MODE_REREAD: { switch ( UpdateModificationTime() ) { case -1: @@ -213,9 +213,9 @@ bool Binary::DoUpdate() // fallthrough } - case zeek::input::MODE_MANUAL: - case zeek::input::MODE_STREAM: - if ( Info().mode == zeek::input::MODE_STREAM && in ) + case MODE_MANUAL: + case MODE_STREAM: + if ( Info().mode == MODE_STREAM && in ) { in->clear(); // remove end of file evil bits break; @@ -242,22 +242,22 @@ bool Binary::DoUpdate() Value** fields = new Value*[1]; // filter has exactly one text field. convert to it. - Value* val = new Value(zeek::TYPE_STRING, true); + Value* val = new Value(TYPE_STRING, true); val->val.string_val.data = chunk; val->val.string_val.length = size; fields[0] = val; - if ( Info().mode == zeek::input::MODE_STREAM ) + if ( Info().mode == MODE_STREAM ) Put(fields); else SendEntry(fields); } - if ( Info().mode != zeek::input::MODE_STREAM ) + if ( Info().mode != MODE_STREAM ) EndCurrentSend(); #ifdef DEBUG - Debug(zeek::DBG_INPUT, "DoUpdate finished successfully"); + Debug(DBG_INPUT, "DoUpdate finished successfully"); #endif return true; @@ -266,19 +266,19 @@ bool Binary::DoUpdate() bool Binary::DoHeartbeat(double network_time, double current_time) { switch ( Info().mode ) { - case zeek::input::MODE_MANUAL: + case MODE_MANUAL: // yay, we do nothing :) break; - case zeek::input::MODE_REREAD: - case zeek::input::MODE_STREAM: + case MODE_REREAD: + case MODE_STREAM: #ifdef DEBUG - Debug(zeek::DBG_INPUT, "Starting Heartbeat update"); + Debug(DBG_INPUT, "Starting Heartbeat update"); #endif Update(); // call update and not DoUpdate, because update // checks disabled. #ifdef DEBUG - Debug(zeek::DBG_INPUT, "Finished with heartbeat update"); + Debug(DBG_INPUT, "Finished with heartbeat update"); #endif break; default: diff --git a/src/input/readers/binary/Binary.h b/src/input/readers/binary/Binary.h index 2794c091ee..b7b0634bf8 100644 --- a/src/input/readers/binary/Binary.h +++ b/src/input/readers/binary/Binary.h @@ -12,12 +12,12 @@ namespace zeek::input::reader::detail { /** * Binary mode file reader. */ -class Binary : public zeek::input::ReaderBackend { +class Binary : public ReaderBackend { public: - explicit Binary(zeek::input::ReaderFrontend* frontend); + explicit Binary(ReaderFrontend* frontend); ~Binary() override; - static zeek::input::ReaderBackend* Instantiate(zeek::input::ReaderFrontend* frontend) + static ReaderBackend* Instantiate(ReaderFrontend* frontend) { return new Binary(frontend); } protected: diff --git a/src/input/readers/config/Config.cc b/src/input/readers/config/Config.cc index de926a23c0..c8fc68fe52 100644 --- a/src/input/readers/config/Config.cc +++ b/src/input/readers/config/Config.cc @@ -20,7 +20,7 @@ using zeek::threading::Field; namespace zeek::input::reader::detail { -Config::Config(zeek::input::ReaderFrontend *frontend) : zeek::input::ReaderBackend(frontend) +Config::Config(ReaderFrontend *frontend) : ReaderBackend(frontend) { mtime = 0; ino = 0; @@ -35,18 +35,18 @@ Config::Config(zeek::input::ReaderFrontend *frontend) : zeek::input::ReaderBacke if ( ! id->IsOption() ) continue; - if ( id->GetType()->Tag() == zeek::TYPE_RECORD || - ! zeek::input::Manager::IsCompatibleType(id->GetType().get()) ) + if ( id->GetType()->Tag() == TYPE_RECORD || + ! Manager::IsCompatibleType(id->GetType().get()) ) { - option_types[id->Name()] = std::make_tuple(zeek::TYPE_ERROR, id->GetType()->Tag()); + option_types[id->Name()] = std::make_tuple(TYPE_ERROR, id->GetType()->Tag()); continue; } - zeek::TypeTag primary = id->GetType()->Tag(); - zeek::TypeTag secondary = zeek::TYPE_VOID; - if ( primary == zeek::TYPE_TABLE ) + TypeTag primary = id->GetType()->Tag(); + TypeTag secondary = TYPE_VOID; + if ( primary == TYPE_TABLE ) secondary = id->GetType()->AsSetType()->GetIndices()->GetPureType()->Tag(); - else if ( primary == zeek::TYPE_VECTOR ) + else if ( primary == TYPE_VECTOR ) secondary = id->GetType()->AsVectorType()->Yield()->Tag(); option_types[id->Name()] = std::make_tuple(primary, secondary); @@ -63,17 +63,17 @@ void Config::DoClose() bool Config::DoInit(const ReaderInfo& info, int num_fields, const Field* const* fields) { - fail_on_file_problem = zeek::BifConst::InputConfig::fail_on_file_problem; + fail_on_file_problem = BifConst::InputConfig::fail_on_file_problem; - set_separator.assign( (const char*) zeek::BifConst::InputConfig::set_separator->Bytes(), - zeek::BifConst::InputConfig::set_separator->Len()); + set_separator.assign( (const char*) BifConst::InputConfig::set_separator->Bytes(), + BifConst::InputConfig::set_separator->Len()); - empty_field.assign( (const char*) zeek::BifConst::InputConfig::empty_field->Bytes(), - zeek::BifConst::InputConfig::empty_field->Len()); + empty_field.assign( (const char*) BifConst::InputConfig::empty_field->Bytes(), + BifConst::InputConfig::empty_field->Len()); - zeek::threading::formatter::Ascii::SeparatorInfo sep_info("\t", set_separator, "", empty_field); - formatter = std::unique_ptr( - new zeek::threading::formatter::Ascii(this, sep_info)); + threading::formatter::Ascii::SeparatorInfo sep_info("\t", set_separator, "", empty_field); + formatter = std::unique_ptr( + new threading::formatter::Ascii(this, sep_info)); return DoUpdate(); } @@ -119,7 +119,7 @@ bool Config::DoUpdate() return ! fail_on_file_problem; switch ( Info().mode ) { - case zeek::input::MODE_REREAD: + case MODE_REREAD: { // check if the file has changed struct stat sb; @@ -146,14 +146,14 @@ bool Config::DoUpdate() // File changed. Fall through to re-read. } - case zeek::input::MODE_MANUAL: - case zeek::input::MODE_STREAM: + case MODE_MANUAL: + case MODE_STREAM: { // dirty, fix me. (well, apparently after trying seeking, etc // - this is not that bad) if ( file.is_open() ) { - if ( Info().mode == zeek::input::MODE_STREAM ) + if ( Info().mode == MODE_STREAM ) { file.clear(); // remove end of file evil bits break; @@ -210,10 +210,10 @@ bool Config::DoUpdate() continue; } - if ( std::get<0>((*typeit).second) == zeek::TYPE_ERROR ) + if ( std::get<0>((*typeit).second) == TYPE_ERROR ) { Warning(Fmt("Option '%s' has type '%s', which is not supported for file input. Ignoring line.", - key.c_str(), zeek::type_name(std::get<1>((*typeit).second)))); + key.c_str(), type_name(std::get<1>((*typeit).second)))); continue; } @@ -246,16 +246,16 @@ bool Config::DoUpdate() { Value** fields = new Value*[2]; - Value* keyval = new threading::Value(zeek::TYPE_STRING, true); + Value* keyval = new threading::Value(TYPE_STRING, true); keyval->val.string_val.length = key.size(); - keyval->val.string_val.data = zeek::util::copy_string(key.c_str()); + keyval->val.string_val.data = util::copy_string(key.c_str()); fields[0] = keyval; - Value* val = new threading::Value(zeek::TYPE_STRING, true); + Value* val = new threading::Value(TYPE_STRING, true); val->val.string_val.length = value.size(); - val->val.string_val.data = zeek::util::copy_string(value.c_str()); + val->val.string_val.data = util::copy_string(value.c_str()); fields[1] = val; - if ( Info().mode == zeek::input::MODE_STREAM ) + if ( Info().mode == MODE_STREAM ) Put(fields); else SendEntry(fields); @@ -263,14 +263,14 @@ bool Config::DoUpdate() { Value** vals = new Value*[4]; - vals[0] = new Value(zeek::TYPE_STRING, true); - vals[0]->val.string_val.data = zeek::util::copy_string(Info().name); + vals[0] = new Value(TYPE_STRING, true); + vals[0]->val.string_val.data = util::copy_string(Info().name); vals[0]->val.string_val.length = strlen(Info().name); - vals[1] = new Value(zeek::TYPE_STRING, true); - vals[1]->val.string_val.data = zeek::util::copy_string(Info().source); + vals[1] = new Value(TYPE_STRING, true); + vals[1]->val.string_val.data = util::copy_string(Info().source); vals[1]->val.string_val.length = strlen(Info().source); - vals[2] = new Value(zeek::TYPE_STRING, true); - vals[2]->val.string_val.data = zeek::util::copy_string(key.c_str()); + vals[2] = new Value(TYPE_STRING, true); + vals[2]->val.string_val.data = util::copy_string(key.c_str()); vals[2]->val.string_val.length = key.size(); vals[3] = eventval; @@ -280,7 +280,7 @@ bool Config::DoUpdate() regfree(&re); - if ( Info().mode != zeek::input::MODE_STREAM ) + if ( Info().mode != MODE_STREAM ) EndCurrentSend(); // clean up all options we did not see @@ -294,12 +294,12 @@ bool Config::DoHeartbeat(double network_time, double current_time) { switch ( Info().mode ) { - case zeek::input::MODE_MANUAL: + case MODE_MANUAL: // yay, we do nothing :) break; - case zeek::input::MODE_REREAD: - case zeek::input::MODE_STREAM: + case MODE_REREAD: + case MODE_STREAM: Update(); // Call Update, not DoUpdate, because Update // checks the "disabled" flag. break; diff --git a/src/input/readers/config/Config.h b/src/input/readers/config/Config.h index 22ccb5a4f5..42d4a90bab 100644 --- a/src/input/readers/config/Config.h +++ b/src/input/readers/config/Config.h @@ -17,9 +17,9 @@ namespace zeek::input::reader::detail { /** * Reader for Configuration files. */ -class Config : public zeek::input::ReaderBackend { +class Config : public ReaderBackend { public: - explicit Config(zeek::input::ReaderFrontend* frontend); + explicit Config(ReaderFrontend* frontend); ~Config() override; // prohibit copying and moving @@ -28,7 +28,7 @@ public: Config& operator=(const Config&) = delete; Config& operator=(Config&&) = delete; - static zeek::input::ReaderBackend* Instantiate(zeek::input::ReaderFrontend* frontend) { return new Config(frontend); } + static ReaderBackend* Instantiate(ReaderFrontend* frontend) { return new Config(frontend); } protected: bool DoInit(const ReaderInfo& info, int arg_num_fields, const threading::Field* const* fields) override; @@ -49,8 +49,8 @@ private: std::string set_separator; std::string empty_field; - std::unique_ptr formatter; - std::unordered_map> option_types; + std::unique_ptr formatter; + std::unordered_map> option_types; std::unordered_map option_values; }; diff --git a/src/input/readers/raw/Plugin.h b/src/input/readers/raw/Plugin.h index 43f937a8be..e35adb274f 100644 --- a/src/input/readers/raw/Plugin.h +++ b/src/input/readers/raw/Plugin.h @@ -10,11 +10,11 @@ namespace zeek::plugin::detail::Zeek_RawReader { -class Plugin : public zeek::plugin::Plugin { +class Plugin : public plugin::Plugin { public: Plugin(); - zeek::plugin::Configuration Configure() override; + plugin::Configuration Configure() override; void InitPreScript() override; void Done() override; diff --git a/src/input/readers/raw/Raw.cc b/src/input/readers/raw/Raw.cc index 11177d8573..06616d28cb 100644 --- a/src/input/readers/raw/Raw.cc +++ b/src/input/readers/raw/Raw.cc @@ -27,7 +27,7 @@ namespace zeek::input::reader::detail { const int Raw::block_size = 4096; // how big do we expect our chunks of data to be. -Raw::Raw(zeek::input::ReaderFrontend *frontend) : zeek::input::ReaderBackend(frontend), file(nullptr, fclose), stderrfile(nullptr, fclose) +Raw::Raw(ReaderFrontend *frontend) : ReaderBackend(frontend), file(nullptr, fclose), stderrfile(nullptr, fclose) { execute = false; firstrun = true; @@ -35,10 +35,10 @@ Raw::Raw(zeek::input::ReaderFrontend *frontend) : zeek::input::ReaderBackend(fro ino = 0; forcekill = false; offset = 0; - separator.assign( (const char*) zeek::BifConst::InputRaw::record_separator->Bytes(), - zeek::BifConst::InputRaw::record_separator->Len()); + separator.assign( (const char*) BifConst::InputRaw::record_separator->Bytes(), + BifConst::InputRaw::record_separator->Len()); - sep_length = zeek::BifConst::InputRaw::record_separator->Len(); + sep_length = BifConst::InputRaw::record_separator->Len(); bufpos = 0; @@ -82,7 +82,7 @@ void Raw::ClosePipeEnd(int i) if ( pipes[i] == -1 ) return; - zeek::util::safe_close(pipes[i]); + util::safe_close(pipes[i]); pipes[i] = -1; } @@ -92,7 +92,7 @@ bool Raw::SetFDFlags(int fd, int cmd, int flags) return true; char buf[256]; - zeek::util::zeek_strerror_r(errno, buf, sizeof(buf)); + util::zeek_strerror_r(errno, buf, sizeof(buf)); Error(Fmt("failed to set fd flags: %s", buf)); return false; } @@ -109,7 +109,7 @@ std::unique_lock Raw::AcquireForkMutex() catch ( const std::system_error& e ) { - zeek::reporter->FatalErrorWithCore("cannot lock fork mutex: %s", e.what()); + reporter->FatalErrorWithCore("cannot lock fork mutex: %s", e.what()); } return lock; @@ -199,7 +199,7 @@ bool Raw::Execute() else { char buf[256]; - zeek::util::zeek_strerror_r(errno, buf, sizeof(buf)); + util::zeek_strerror_r(errno, buf, sizeof(buf)); Warning(Fmt("Could not set child process group: %s", buf)); } } @@ -208,7 +208,7 @@ bool Raw::Execute() ClosePipeEnd(stdout_out); - if ( Info().mode == zeek::input::MODE_STREAM ) + if ( Info().mode == MODE_STREAM ) { if ( ! SetFDFlags(pipes[stdout_in], F_SETFL, O_NONBLOCK) ) return false; @@ -295,7 +295,7 @@ bool Raw::OpenInput() if ( fseek(file.get(), pos, whence) < 0 ) { char buf[256]; - zeek::util::zeek_strerror_r(errno, buf, sizeof(buf)); + util::zeek_strerror_r(errno, buf, sizeof(buf)); Error(Fmt("Seek failed in init: %s", buf)); } } @@ -312,7 +312,7 @@ bool Raw::CloseInput() return false; } #ifdef DEBUG - Debug(zeek::DBG_INPUT, "Raw reader starting close"); + Debug(DBG_INPUT, "Raw reader starting close"); #endif file.reset(nullptr); @@ -327,7 +327,7 @@ bool Raw::CloseInput() } #ifdef DEBUG - Debug(zeek::DBG_INPUT, "Raw reader finished close"); + Debug(DBG_INPUT, "Raw reader finished close"); #endif return true; @@ -378,15 +378,15 @@ bool Raw::DoInit(const ReaderInfo& info, int num_fields, const Field* const* fie } it = info.config.find("offset"); // we want to seek to a given offset inside the file - if ( it != info.config.end() && ! execute && (Info().mode == zeek::input::MODE_STREAM || - Info().mode == zeek::input::MODE_MANUAL) ) + if ( it != info.config.end() && ! execute && (Info().mode == MODE_STREAM || + Info().mode == MODE_MANUAL) ) { std::string offset_s = it->second; offset = strtoll(offset_s.c_str(), 0, 10); } else if ( it != info.config.end() ) { - Error("Offset only is supported for zeek::input::MODE_STREAM and zeek::input::MODE_MANUAL; it is also not supported when executing a command"); + Error("Offset only is supported for MODE_STREAM and MODE_MANUAL; it is also not supported when executing a command"); return false; } @@ -398,18 +398,18 @@ bool Raw::DoInit(const ReaderInfo& info, int num_fields, const Field* const* fie return false; } - if ( fields[0]->type != zeek::TYPE_STRING ) + if ( fields[0]->type != TYPE_STRING ) { Error("First field for raw reader always has to be of type string."); return false; } - if ( use_stderr && fields[1]->type != zeek::TYPE_BOOL ) + if ( use_stderr && fields[1]->type != TYPE_BOOL ) { Error("Second field for raw reader always has to be of type bool."); return false; } - if ( execute && Info().mode == zeek::input::MODE_REREAD ) + if ( execute && Info().mode == MODE_REREAD ) { // for execs this makes no sense - would have to execute each heartbeat? Error("Rereading only supported for files, not for executables."); @@ -423,14 +423,14 @@ bool Raw::DoInit(const ReaderInfo& info, int num_fields, const Field* const* fie return result; #ifdef DEBUG - Debug(zeek::DBG_INPUT, "Raw reader created, will perform first update"); + Debug(DBG_INPUT, "Raw reader created, will perform first update"); #endif // after initialization - do update DoUpdate(); #ifdef DEBUG - Debug(zeek::DBG_INPUT, "First update went through"); + Debug(DBG_INPUT, "First update went through"); #endif return true; } @@ -459,8 +459,8 @@ int64_t Raw::GetLine(FILE* arg_file) // researching everything each time is a bit... cpu-intensive. But otherwhise we have // to deal with situations where the separator is multi-character and split over multiple // reads... - int found = zeek::util::strstr_n(pos, (unsigned char*) buf.get(), - separator.size(), (unsigned char*) separator.c_str()); + int found = util::strstr_n(pos, (unsigned char*) buf.get(), + separator.size(), (unsigned char*) separator.c_str()); if ( found == -1 ) { @@ -531,7 +531,7 @@ void Raw::WriteToStdin() if ( stdin_towrite == 0 ) // send EOF when we are done. ClosePipeEnd(stdin_out); - if ( Info().mode == zeek::input::MODE_MANUAL && stdin_towrite != 0 ) + if ( Info().mode == MODE_MANUAL && stdin_towrite != 0 ) { Error(Fmt("Could not write whole string to stdin of child process in one go. Please use STREAM mode to pass more data to child.")); } @@ -547,7 +547,7 @@ bool Raw::DoUpdate() else { switch ( Info().mode ) { - case zeek::input::MODE_REREAD: + case MODE_REREAD: { assert(childpid == -1); // mode may not be used to execute child programs // check if the file has changed @@ -569,9 +569,9 @@ bool Raw::DoUpdate() // fallthrough } - case zeek::input::MODE_MANUAL: - case zeek::input::MODE_STREAM: - if ( Info().mode == zeek::input::MODE_STREAM && file ) + case MODE_MANUAL: + case MODE_STREAM: + if ( Info().mode == MODE_STREAM && file ) { clearerr(file.get()); // remove end of file evil bits break; @@ -608,14 +608,14 @@ bool Raw::DoUpdate() Value** fields = new Value*[2]; // just always reserve 2. This means that our [] is too long by a count of 1 if not using stderr. But who cares... // filter has exactly one text field. convert to it. - Value* val = new Value(zeek::TYPE_STRING, true); + Value* val = new Value(TYPE_STRING, true); val->val.string_val.data = outbuf.release(); val->val.string_val.length = length; fields[0] = val; if ( use_stderr ) { - Value* bval = new Value(zeek::TYPE_BOOL, true); + Value* bval = new Value(TYPE_BOOL, true); bval->val.int_val = 0; fields[1] = bval; } @@ -636,11 +636,11 @@ bool Raw::DoUpdate() break; Value** fields = new Value*[2]; - Value* val = new Value(zeek::TYPE_STRING, true); + Value* val = new Value(TYPE_STRING, true); val->val.string_val.data = outbuf.release(); val->val.string_val.length = length; fields[0] = val; - Value* bval = new Value(zeek::TYPE_BOOL, true); + Value* bval = new Value(TYPE_BOOL, true); bval->val.int_val = 1; // yes, we are stderr fields[1] = bval; @@ -648,7 +648,7 @@ bool Raw::DoUpdate() } } - if ( ( Info().mode == zeek::input::MODE_MANUAL ) || ( Info().mode == zeek::input::MODE_REREAD ) ) + if ( ( Info().mode == MODE_MANUAL ) || ( Info().mode == MODE_REREAD ) ) // done with the current data source EndCurrentSend(); @@ -678,19 +678,19 @@ bool Raw::DoUpdate() assert(false); Value** vals = new Value*[4]; - vals[0] = new Value(zeek::TYPE_STRING, true); - vals[0]->val.string_val.data = zeek::util::copy_string(Info().name); + vals[0] = new Value(TYPE_STRING, true); + vals[0]->val.string_val.data = util::copy_string(Info().name); vals[0]->val.string_val.length = strlen(Info().name); - vals[1] = new Value(zeek::TYPE_STRING, true); - vals[1]->val.string_val.data = zeek::util::copy_string(Info().source); + vals[1] = new Value(TYPE_STRING, true); + vals[1]->val.string_val.data = util::copy_string(Info().source); vals[1]->val.string_val.length = strlen(Info().source); - vals[2] = new Value(zeek::TYPE_COUNT, true); + vals[2] = new Value(TYPE_COUNT, true); vals[2]->val.int_val = code; - vals[3] = new Value(zeek::TYPE_BOOL, true); + vals[3] = new Value(TYPE_BOOL, true); vals[3]->val.int_val = signal; // and in this case we can signal end_of_data even for the streaming reader - if ( Info().mode == zeek::input::MODE_STREAM ) + if ( Info().mode == MODE_STREAM ) EndCurrentSend(); SendEvent("InputRaw::process_finished", 4, vals); @@ -700,7 +700,7 @@ bool Raw::DoUpdate() #ifdef DEBUG - Debug(zeek::DBG_INPUT, "DoUpdate finished successfully"); + Debug(DBG_INPUT, "DoUpdate finished successfully"); #endif return true; @@ -709,19 +709,19 @@ bool Raw::DoUpdate() bool Raw::DoHeartbeat(double network_time, double current_time) { switch ( Info().mode ) { - case zeek::input::MODE_MANUAL: + case MODE_MANUAL: // yay, we do nothing :) break; - case zeek::input::MODE_REREAD: - case zeek::input::MODE_STREAM: + case MODE_REREAD: + case MODE_STREAM: #ifdef DEBUG - Debug(zeek::DBG_INPUT, "Starting Heartbeat update"); + Debug(DBG_INPUT, "Starting Heartbeat update"); #endif Update(); // call update and not DoUpdate, because update // checks disabled. #ifdef DEBUG - Debug(zeek::DBG_INPUT, "Finished with heartbeat update"); + Debug(DBG_INPUT, "Finished with heartbeat update"); #endif break; default: diff --git a/src/input/readers/raw/Raw.h b/src/input/readers/raw/Raw.h index 844eeb4779..25b57571c0 100644 --- a/src/input/readers/raw/Raw.h +++ b/src/input/readers/raw/Raw.h @@ -15,9 +15,9 @@ namespace zeek::input::reader::detail { * A reader that returns a file (or the output of a command) as a single * blob. */ -class Raw : public zeek::input::ReaderBackend { +class Raw : public ReaderBackend { public: - explicit Raw(zeek::input::ReaderFrontend* frontend); + explicit Raw(ReaderFrontend* frontend); ~Raw() override; // prohibit copying and moving @@ -26,7 +26,7 @@ public: Raw& operator=(const Raw&) = delete; Raw& operator=(Raw&&) = delete; - static zeek::input::ReaderBackend* Instantiate(zeek::input::ReaderFrontend* frontend) { return new Raw(frontend); } + static ReaderBackend* Instantiate(ReaderFrontend* frontend) { return new Raw(frontend); } protected: bool DoInit(const ReaderInfo& info, int arg_num_fields, const threading::Field* const* fields) override; diff --git a/src/input/readers/sqlite/SQLite.cc b/src/input/readers/sqlite/SQLite.cc index 4491472ead..702b54ef7e 100644 --- a/src/input/readers/sqlite/SQLite.cc +++ b/src/input/readers/sqlite/SQLite.cc @@ -20,27 +20,27 @@ using zeek::threading::Field; namespace zeek::input::reader::detail { -SQLite::SQLite(zeek::input::ReaderFrontend *frontend) - : zeek::input::ReaderBackend(frontend), +SQLite::SQLite(ReaderFrontend *frontend) + : ReaderBackend(frontend), fields(), num_fields(), mode(), started(), query(), db(), st() { set_separator.assign( - (const char*) zeek::BifConst::LogSQLite::set_separator->Bytes(), - zeek::BifConst::InputSQLite::set_separator->Len() + (const char*) BifConst::LogSQLite::set_separator->Bytes(), + BifConst::InputSQLite::set_separator->Len() ); unset_field.assign( - (const char*) zeek::BifConst::LogSQLite::unset_field->Bytes(), - zeek::BifConst::InputSQLite::unset_field->Len() + (const char*) BifConst::LogSQLite::unset_field->Bytes(), + BifConst::InputSQLite::unset_field->Len() ); empty_field.assign( - (const char*) zeek::BifConst::LogAscii::empty_field->Bytes(), - zeek::BifConst::InputSQLite::empty_field->Len() + (const char*) BifConst::LogAscii::empty_field->Bytes(), + BifConst::InputSQLite::empty_field->Len() ); - io = new zeek::threading::formatter::Ascii(this, zeek::threading::formatter::Ascii::SeparatorInfo( - std::string(), set_separator, unset_field, empty_field)); + io = new threading::formatter::Ascii(this, threading::formatter::Ascii::SeparatorInfo( + std::string(), set_separator, unset_field, empty_field)); } SQLite::~SQLite() @@ -84,7 +84,7 @@ bool SQLite::DoInit(const ReaderInfo& info, int arg_num_fields, const threading: // allows simultaneous writes to one file. sqlite3_enable_shared_cache(1); - if ( Info().mode != zeek::input::MODE_MANUAL ) + if ( Info().mode != MODE_MANUAL ) { Error("SQLite only supports manual reading mode."); return false; @@ -138,8 +138,8 @@ Value* SQLite::EntryToVal(sqlite3_stmt *st, const threading::Field *field, int p Value* val = new Value(field->type, true); switch ( field->type ) { - case zeek::TYPE_ENUM: - case zeek::TYPE_STRING: + case TYPE_ENUM: + case TYPE_STRING: { const char *text = (const char*) sqlite3_column_text(st, pos); int length = sqlite3_column_bytes(st, pos); @@ -152,7 +152,7 @@ Value* SQLite::EntryToVal(sqlite3_stmt *st, const threading::Field *field, int p break; } - case zeek::TYPE_BOOL: + case TYPE_BOOL: { if ( sqlite3_column_type(st, pos) != SQLITE_INTEGER ) { @@ -174,21 +174,21 @@ Value* SQLite::EntryToVal(sqlite3_stmt *st, const threading::Field *field, int p break; } - case zeek::TYPE_INT: + case TYPE_INT: val->val.int_val = sqlite3_column_int64(st, pos); break; - case zeek::TYPE_DOUBLE: - case zeek::TYPE_TIME: - case zeek::TYPE_INTERVAL: + case TYPE_DOUBLE: + case TYPE_TIME: + case TYPE_INTERVAL: val->val.double_val = sqlite3_column_double(st, pos); break; - case zeek::TYPE_COUNT: + case TYPE_COUNT: val->val.uint_val = sqlite3_column_int64(st, pos); break; - case zeek::TYPE_PORT: + case TYPE_PORT: { val->val.port_val.port = sqlite3_column_int(st, pos); val->val.port_val.proto = TRANSPORT_UNKNOWN; @@ -207,7 +207,7 @@ Value* SQLite::EntryToVal(sqlite3_stmt *st, const threading::Field *field, int p break; } - case zeek::TYPE_SUBNET: + case TYPE_SUBNET: { const char *text = (const char*) sqlite3_column_text(st, pos); std::string s(text, sqlite3_column_bytes(st, pos)); @@ -220,7 +220,7 @@ Value* SQLite::EntryToVal(sqlite3_stmt *st, const threading::Field *field, int p break; } - case zeek::TYPE_ADDR: + case TYPE_ADDR: { const char *text = (const char*) sqlite3_column_text(st, pos); std::string s(text, sqlite3_column_bytes(st, pos)); @@ -228,8 +228,8 @@ Value* SQLite::EntryToVal(sqlite3_stmt *st, const threading::Field *field, int p break; } - case zeek::TYPE_TABLE: - case zeek::TYPE_VECTOR: + case TYPE_TABLE: + case TYPE_VECTOR: { const char *text = (const char*) sqlite3_column_text(st, pos); std::string s(text, sqlite3_column_bytes(st, pos)); @@ -282,7 +282,7 @@ bool SQLite::DoUpdate() if ( fields[j]->secondary_name != nullptr && strcmp(fields[j]->secondary_name, name) == 0 ) { - assert(fields[j]->type == zeek::TYPE_PORT); + assert(fields[j]->type == TYPE_PORT); if ( submapping[j] != -1 ) { Error(Fmt("SQLite statement returns several columns with name %s! Cannot decide which to choose, aborting", name)); diff --git a/src/input/readers/sqlite/SQLite.h b/src/input/readers/sqlite/SQLite.h index 9c815a023a..810dc41ad9 100644 --- a/src/input/readers/sqlite/SQLite.h +++ b/src/input/readers/sqlite/SQLite.h @@ -13,15 +13,15 @@ namespace zeek::input::reader::detail { -class SQLite : public zeek::input::ReaderBackend { +class SQLite : public ReaderBackend { public: - explicit SQLite(zeek::input::ReaderFrontend* frontend); + explicit SQLite(ReaderFrontend* frontend); ~SQLite() override; - static zeek::input::ReaderBackend* Instantiate(zeek::input::ReaderFrontend* frontend) { return new SQLite(frontend); } + static ReaderBackend* Instantiate(ReaderFrontend* frontend) { return new SQLite(frontend); } protected: - bool DoInit(const ReaderInfo& info, int arg_num_fields, const zeek::threading::Field* const* arg_fields) override; + bool DoInit(const ReaderInfo& info, int arg_num_fields, const threading::Field* const* arg_fields) override; void DoClose() override; bool DoUpdate() override; bool DoHeartbeat(double network_time, double current_time) override { return true; } @@ -29,7 +29,7 @@ protected: private: bool checkError(int code); - zeek::threading::Value* EntryToVal(sqlite3_stmt *st, const zeek::threading::Field *field, int pos, int subpos); + threading::Value* EntryToVal(sqlite3_stmt *st, const threading::Field *field, int pos, int subpos); const threading::Field* const * fields; // raw mapping unsigned int num_fields; @@ -38,7 +38,7 @@ private: std::string query; sqlite3 *db; sqlite3_stmt *st; - zeek::threading::formatter::Ascii* io; + threading::formatter::Ascii* io; std::string set_separator; std::string unset_field; diff --git a/src/logging/writers/ascii/Ascii.cc b/src/logging/writers/ascii/Ascii.cc index 4f37ede80e..6920ff3d8f 100644 --- a/src/logging/writers/ascii/Ascii.cc +++ b/src/logging/writers/ascii/Ascii.cc @@ -107,7 +107,7 @@ static std::optional parse_shadow_log(const std::string& fname) if ( ! sf_stream ) { - rval.error = zeek::util::fmt("Failed to open %s: %s", + rval.error = util::fmt("Failed to open %s: %s", rval.shadow_filename.data(), strerror(errno)); return rval; } @@ -116,7 +116,7 @@ static std::optional parse_shadow_log(const std::string& fname) if ( res == -1 ) { - rval.error = zeek::util::fmt("Failed to fseek(SEEK_END) on %s: %s", + rval.error = util::fmt("Failed to fseek(SEEK_END) on %s: %s", rval.shadow_filename.data(), strerror(errno)); fclose(sf_stream); return rval; @@ -126,7 +126,7 @@ static std::optional parse_shadow_log(const std::string& fname) if ( sf_len == -1 ) { - rval.error = zeek::util::fmt("Failed to ftell() on %s: %s", + rval.error = util::fmt("Failed to ftell() on %s: %s", rval.shadow_filename.data(), strerror(errno)); fclose(sf_stream); return rval; @@ -136,7 +136,7 @@ static std::optional parse_shadow_log(const std::string& fname) if ( res == -1 ) { - rval.error = zeek::util::fmt("Failed to fseek(SEEK_SET) on %s: %s", + rval.error = util::fmt("Failed to fseek(SEEK_SET) on %s: %s", rval.shadow_filename.data(), strerror(errno)); fclose(sf_stream); return rval; @@ -153,11 +153,11 @@ static std::optional parse_shadow_log(const std::string& fname) } std::string_view sf_view(sf_content.get(), sf_len); - auto sf_lines = zeek::util::tokenize_string(sf_view, '\n'); + auto sf_lines = util::tokenize_string(sf_view, '\n'); if ( sf_lines.size() < 2 ) { - rval.error = zeek::util::fmt("Found leftover log, '%s', but the associated shadow " + rval.error = util::fmt("Found leftover log, '%s', but the associated shadow " " file, '%s', required to process it is invalid", rval.filename.data(), rval.shadow_filename.data()); return rval; @@ -171,7 +171,7 @@ static std::optional parse_shadow_log(const std::string& fname) // Use shadow file's modification time as creation time. if ( stat(rval.shadow_filename.data(), &st) != 0 ) { - rval.error = zeek::util::fmt("Failed to stat %s: %s", + rval.error = util::fmt("Failed to stat %s: %s", rval.shadow_filename.data(), strerror(errno)); return rval; } @@ -181,7 +181,7 @@ static std::optional parse_shadow_log(const std::string& fname) // Use log file's modification time for closing time. if ( stat(rval.filename.data(), &st) != 0 ) { - rval.error = zeek::util::fmt("Failed to stat %s: %s", + rval.error = util::fmt("Failed to stat %s: %s", rval.filename.data(), strerror(errno)); return rval; } @@ -191,7 +191,7 @@ static std::optional parse_shadow_log(const std::string& fname) return rval; } -Ascii::Ascii(zeek::logging::WriterFrontend* frontend) : zeek::logging::WriterBackend(frontend) +Ascii::Ascii(WriterFrontend* frontend) : WriterBackend(frontend) { fd = 0; ascii_done = false; @@ -210,47 +210,47 @@ Ascii::Ascii(zeek::logging::WriterFrontend* frontend) : zeek::logging::WriterBac void Ascii::InitConfigOptions() { - output_to_stdout = zeek::BifConst::LogAscii::output_to_stdout; - include_meta = zeek::BifConst::LogAscii::include_meta; - use_json = zeek::BifConst::LogAscii::use_json; - enable_utf_8 = zeek::BifConst::LogAscii::enable_utf_8; - gzip_level = zeek::BifConst::LogAscii::gzip_level; + output_to_stdout = BifConst::LogAscii::output_to_stdout; + include_meta = BifConst::LogAscii::include_meta; + use_json = BifConst::LogAscii::use_json; + enable_utf_8 = BifConst::LogAscii::enable_utf_8; + gzip_level = BifConst::LogAscii::gzip_level; separator.assign( - (const char*) zeek::BifConst::LogAscii::separator->Bytes(), - zeek::BifConst::LogAscii::separator->Len() + (const char*) BifConst::LogAscii::separator->Bytes(), + BifConst::LogAscii::separator->Len() ); set_separator.assign( - (const char*) zeek::BifConst::LogAscii::set_separator->Bytes(), - zeek::BifConst::LogAscii::set_separator->Len() + (const char*) BifConst::LogAscii::set_separator->Bytes(), + BifConst::LogAscii::set_separator->Len() ); empty_field.assign( - (const char*) zeek::BifConst::LogAscii::empty_field->Bytes(), - zeek::BifConst::LogAscii::empty_field->Len() + (const char*) BifConst::LogAscii::empty_field->Bytes(), + BifConst::LogAscii::empty_field->Len() ); unset_field.assign( - (const char*) zeek::BifConst::LogAscii::unset_field->Bytes(), - zeek::BifConst::LogAscii::unset_field->Len() + (const char*) BifConst::LogAscii::unset_field->Bytes(), + BifConst::LogAscii::unset_field->Len() ); meta_prefix.assign( - (const char*) zeek::BifConst::LogAscii::meta_prefix->Bytes(), - zeek::BifConst::LogAscii::meta_prefix->Len() + (const char*) BifConst::LogAscii::meta_prefix->Bytes(), + BifConst::LogAscii::meta_prefix->Len() ); - zeek::ODesc tsfmt; - zeek::BifConst::LogAscii::json_timestamps->Describe(&tsfmt); + ODesc tsfmt; + BifConst::LogAscii::json_timestamps->Describe(&tsfmt); json_timestamps.assign( (const char*) tsfmt.Bytes(), tsfmt.Len() ); gzip_file_extension.assign( - (const char*) zeek::BifConst::LogAscii::gzip_file_extension->Bytes(), - zeek::BifConst::LogAscii::gzip_file_extension->Len() + (const char*) BifConst::LogAscii::gzip_file_extension->Bytes(), + BifConst::LogAscii::gzip_file_extension->Len() ); } @@ -359,22 +359,22 @@ bool Ascii::InitFormatter() if ( use_json ) { - zeek::threading::formatter::JSON::TimeFormat tf = zeek::threading::formatter::JSON::TS_EPOCH; + threading::formatter::JSON::TimeFormat tf = threading::formatter::JSON::TS_EPOCH; // Write out JSON formatted logs. if ( strcmp(json_timestamps.c_str(), "JSON::TS_EPOCH") == 0 ) - tf = zeek::threading::formatter::JSON::TS_EPOCH; + tf = threading::formatter::JSON::TS_EPOCH; else if ( strcmp(json_timestamps.c_str(), "JSON::TS_MILLIS") == 0 ) - tf = zeek::threading::formatter::JSON::TS_MILLIS; + tf = threading::formatter::JSON::TS_MILLIS; else if ( strcmp(json_timestamps.c_str(), "JSON::TS_ISO8601") == 0 ) - tf = zeek::threading::formatter::JSON::TS_ISO8601; + tf = threading::formatter::JSON::TS_ISO8601; else { Error(Fmt("Invalid JSON timestamp format: %s", json_timestamps.c_str())); return false; } - formatter = new zeek::threading::formatter::JSON(this, tf); + formatter = new threading::formatter::JSON(this, tf); // Using JSON implicitly turns off the header meta fields. include_meta = false; } @@ -387,8 +387,8 @@ bool Ascii::InitFormatter() // Use the default "Bro logs" format. desc.EnableEscaping(); desc.AddEscapeSequence(separator); - zeek::threading::formatter::Ascii::SeparatorInfo sep_info(separator, set_separator, unset_field, empty_field); - formatter = new zeek::threading::formatter::Ascii(this, sep_info); + threading::formatter::Ascii::SeparatorInfo sep_info(separator, set_separator, unset_field, empty_field); + formatter = new threading::formatter::Ascii(this, sep_info); } return true; @@ -399,7 +399,7 @@ Ascii::~Ascii() if ( ! ascii_done ) // In case of errors aborting the logging altogether, // DoFinish() may not have been called. - CloseFile(zeek::run_state::network_time); + CloseFile(run_state::network_time); delete formatter; } @@ -424,7 +424,7 @@ void Ascii::CloseFile(double t) gzfile = nullptr; } -bool Ascii::DoInit(const WriterInfo& info, int num_fields, const zeek::threading::Field* const * fields) +bool Ascii::DoInit(const WriterInfo& info, int num_fields, const threading::Field* const * fields) { assert(! fd); @@ -450,7 +450,7 @@ bool Ascii::DoInit(const WriterInfo& info, int num_fields, const zeek::threading fname += ext; - bool use_shadow = zeek::Supervisor::ThisNode() && info.rotation_interval > 0; + bool use_shadow = Supervisor::ThisNode() && info.rotation_interval > 0; if ( use_shadow ) { @@ -463,17 +463,17 @@ bool Ascii::DoInit(const WriterInfo& info, int num_fields, const zeek::threading return false; } - zeek::util::safe_write(sfd, ext.data(), ext.size()); - zeek::util::safe_write(sfd, "\n", 1); + util::safe_write(sfd, ext.data(), ext.size()); + util::safe_write(sfd, "\n", 1); auto ppf = info.post_proc_func; if ( ppf ) - zeek::util::safe_write(sfd, ppf, strlen(ppf)); + util::safe_write(sfd, ppf, strlen(ppf)); - zeek::util::safe_write(sfd, "\n", 1); + util::safe_write(sfd, "\n", 1); - zeek::util::safe_close(sfd); + util::safe_close(sfd); } } @@ -553,16 +553,16 @@ bool Ascii::WriteHeader(const string& path) string str = meta_prefix + "separator " // Always use space as separator here. - + zeek::util::get_escaped_string(separator, false) + + util::get_escaped_string(separator, false) + "\n"; if ( ! InternalWrite(fd, str.c_str(), str.length()) ) return false; - if ( ! (WriteHeaderField("set_separator", zeek::util::get_escaped_string(set_separator, false)) && - WriteHeaderField("empty_field", zeek::util::get_escaped_string(empty_field, false)) && - WriteHeaderField("unset_field", zeek::util::get_escaped_string(unset_field, false)) && - WriteHeaderField("path", zeek::util::get_escaped_string(path, false)) && + if ( ! (WriteHeaderField("set_separator", util::get_escaped_string(set_separator, false)) && + WriteHeaderField("empty_field", util::get_escaped_string(empty_field, false)) && + WriteHeaderField("unset_field", util::get_escaped_string(unset_field, false)) && + WriteHeaderField("path", util::get_escaped_string(path, false)) && WriteHeaderField("open", Timestamp(0))) ) return false; @@ -596,8 +596,8 @@ bool Ascii::DoFinish(double network_time) return true; } -bool Ascii::DoWrite(int num_fields, const zeek::threading::Field* const * fields, - zeek::threading::Value** vals) +bool Ascii::DoWrite(int num_fields, const threading::Field* const * fields, + threading::Value** vals) { if ( ! fd ) DoInit(Info(), NumFields(), Fields()); @@ -616,7 +616,7 @@ bool Ascii::DoWrite(int num_fields, const zeek::threading::Field* const * fields { // It would so escape the first character. char hex[4] = {'\\', 'x', '0', '0'}; - zeek::util::bytetohex(bytes[0], hex + 2); + util::bytetohex(bytes[0], hex + 2); if ( ! InternalWrite(fd, hex, 4) ) goto write_error; @@ -660,14 +660,14 @@ bool Ascii::DoRotate(const char* rotated_path, double open, double close, bool t if ( rename(fname.c_str(), nname.c_str()) != 0 ) { char buf[256]; - zeek::util::zeek_strerror_r(errno, buf, sizeof(buf)); + util::zeek_strerror_r(errno, buf, sizeof(buf)); Error(Fmt("failed to rename %s to %s: %s", fname.c_str(), nname.c_str(), buf)); FinishedRotation(); return false; } - bool use_shadow = zeek::Supervisor::ThisNode() && Info().rotation_interval > 0; + bool use_shadow = Supervisor::ThisNode() && Info().rotation_interval > 0; if ( use_shadow ) { @@ -718,15 +718,15 @@ static std::vector find_leftover_logs() std::string log_name = dp->d_name + prefix_len; - if ( zeek::util::is_file(log_name) ) + if ( util::is_file(log_name) ) { if ( auto ll = parse_shadow_log(log_name) ) { if ( ll->error.empty() ) rval.emplace_back(std::move(*ll)); else - zeek::reporter->Error("failed to process leftover log '%s': %s", - log_name.data(), ll->error.data()); + reporter->Error("failed to process leftover log '%s': %s", + log_name.data(), ll->error.data()); } } else @@ -736,7 +736,7 @@ static std::vector find_leftover_logs() for ( const auto& f : stale_shadow_files ) if ( unlink(f.data()) != 0 ) - zeek::reporter->Error("cannot unlink %s: %s", f.data(), strerror(errno)); + reporter->Error("cannot unlink %s: %s", f.data(), strerror(errno)); closedir(d); return rval; @@ -744,7 +744,7 @@ static std::vector find_leftover_logs() void Ascii::RotateLeftoverLogs() { - if ( ! zeek::Supervisor::ThisNode() ) + if ( ! Supervisor::ThisNode() ) return; // Log file crash recovery: if there's still leftover shadow files from the @@ -762,68 +762,68 @@ void Ascii::RotateLeftoverLogs() for ( const auto& ll : leftover_logs ) { - static auto rot_info_type = zeek::id::find_type("Log::RotationInfo"); - static auto writer_type = zeek::id::find_type("Log::Writer"); + static auto rot_info_type = id::find_type("Log::RotationInfo"); + static auto writer_type = id::find_type("Log::Writer"); static auto writer_idx = writer_type->Lookup("Log", "WRITER_ASCII"); static auto writer_val = writer_type->GetEnumVal(writer_idx); - static auto default_ppf = zeek::id::find_func("Log::__default_rotation_postprocessor"); + static auto default_ppf = id::find_func("Log::__default_rotation_postprocessor"); assert(default_ppf); auto ppf = default_ppf; if ( ! ll.post_proc_func.empty() ) { - auto func = zeek::id::find_func(ll.post_proc_func.data()); + auto func = id::find_func(ll.post_proc_func.data()); if ( func ) ppf = std::move(func); else - zeek::reporter->Warning("Could not postprocess log '%s' with intended " - "postprocessor function '%s', proceeding " - " with the default function", - ll.filename.data(), ll.post_proc_func.data()); + reporter->Warning("Could not postprocess log '%s' with intended " + "postprocessor function '%s', proceeding " + " with the default function", + ll.filename.data(), ll.post_proc_func.data()); } - auto rotation_path = zeek::log_mgr->FormatRotationPath( + auto rotation_path = log_mgr->FormatRotationPath( writer_val, ll.Path(), ll.open_time, ll.close_time, false, ppf); rotation_path += ll.extension; - auto rot_info = zeek::make_intrusive(rot_info_type); + auto rot_info = make_intrusive(rot_info_type); rot_info->Assign(0, writer_val); - rot_info->Assign(1, rotation_path); - rot_info->Assign(2, ll.Path()); - rot_info->Assign(3, ll.open_time); - rot_info->Assign(4, ll.close_time); - rot_info->Assign(5, zeek::val_mgr->False()); + rot_info->Assign(1, rotation_path); + rot_info->Assign(2, ll.Path()); + rot_info->Assign(3, ll.open_time); + rot_info->Assign(4, ll.close_time); + rot_info->Assign(5, val_mgr->False()); if ( rename(ll.filename.data(), rotation_path.data()) != 0 ) - zeek::reporter->FatalError("Found leftover/unprocessed log '%s', but " - "failed to rotate it: %s", - ll.filename.data(), strerror(errno)); + reporter->FatalError("Found leftover/unprocessed log '%s', but " + "failed to rotate it: %s", + ll.filename.data(), strerror(errno)); if ( ! ll.DeleteShadow() ) // Unusual failure to report, but not strictly fatal. - zeek::reporter->Warning("Failed to unlink %s: %s", - ll.shadow_filename.data(), strerror(errno)); + reporter->Warning("Failed to unlink %s: %s", + ll.shadow_filename.data(), strerror(errno)); try { ppf->Invoke(std::move(rot_info)); - zeek::reporter->Info("Rotated/postprocessed leftover log '%s' -> '%s' ", + reporter->Info("Rotated/postprocessed leftover log '%s' -> '%s' ", ll.filename.data(), rotation_path.data()); } - catch ( zeek::InterpreterException& e ) + catch ( InterpreterException& e ) { - zeek::reporter->Warning("Postprocess function '%s' failed for leftover log '%s'", - ppf->Name(), ll.filename.data()); + reporter->Warning("Postprocess function '%s' failed for leftover log '%s'", + ppf->Name(), ll.filename.data()); } } } string Ascii::LogExt() { - const char* ext = zeek::util::zeekenv("ZEEK_LOG_SUFFIX"); + const char* ext = util::zeekenv("ZEEK_LOG_SUFFIX"); if ( ! ext ) ext = "log"; @@ -858,7 +858,7 @@ string Ascii::Timestamp(double t) bool Ascii::InternalWrite(int fd, const char* data, int len) { if ( ! gzfile ) - return zeek::util::safe_write(fd, data, len); + return util::safe_write(fd, data, len); while ( len > 0 ) { @@ -882,7 +882,7 @@ bool Ascii::InternalClose(int fd) { if ( ! gzfile ) { - zeek::util::safe_close(fd); + util::safe_close(fd); return true; } diff --git a/src/logging/writers/ascii/Ascii.h b/src/logging/writers/ascii/Ascii.h index 49b55bb1f5..6140f113b6 100644 --- a/src/logging/writers/ascii/Ascii.h +++ b/src/logging/writers/ascii/Ascii.h @@ -14,21 +14,21 @@ namespace zeek::plugin::detail::Zeek_AsciiWriter { class Plugin; } namespace zeek::logging::writer::detail { -class Ascii : public zeek::logging::WriterBackend { +class Ascii : public WriterBackend { public: - explicit Ascii(zeek::logging::WriterFrontend* frontend); + explicit Ascii(WriterFrontend* frontend); ~Ascii() override; static std::string LogExt(); - static zeek::logging::WriterBackend* Instantiate(zeek::logging::WriterFrontend* frontend) + static WriterBackend* Instantiate(WriterFrontend* frontend) { return new Ascii(frontend); } protected: bool DoInit(const WriterInfo& info, int num_fields, - const zeek::threading::Field* const* fields) override; - bool DoWrite(int num_fields, const zeek::threading::Field* const* fields, - zeek::threading::Value** vals) override; + const threading::Field* const* fields) override; + bool DoWrite(int num_fields, const threading::Field* const* fields, + threading::Value** vals) override; bool DoSetBuf(bool enabled) override; bool DoRotate(const char* rotated_path, double open, double close, bool terminating) override; @@ -37,7 +37,7 @@ protected: bool DoHeartbeat(double network_time, double current_time) override; private: - friend class zeek::plugin::detail::Zeek_AsciiWriter::Plugin; + friend class plugin::detail::Zeek_AsciiWriter::Plugin; static void RotateLeftoverLogs(); @@ -55,7 +55,7 @@ private: int fd; gzFile gzfile; std::string fname; - zeek::ODesc desc; + ODesc desc; bool ascii_done; // Options set from the script-level. @@ -75,7 +75,7 @@ private: bool enable_utf_8; std::string json_timestamps; - zeek::threading::Formatter* formatter; + threading::Formatter* formatter; bool init_options; }; diff --git a/src/logging/writers/none/None.cc b/src/logging/writers/none/None.cc index 21e81472a8..cc178a2e19 100644 --- a/src/logging/writers/none/None.cc +++ b/src/logging/writers/none/None.cc @@ -8,9 +8,9 @@ namespace zeek::logging::writer::detail { bool None::DoInit(const WriterInfo& info, int num_fields, - const threading::Field* const * fields) + const threading::Field* const * fields) { - if ( zeek::BifConst::LogNone::debug ) + if ( BifConst::LogNone::debug ) { std::cout << "[logging::writer::None]" << std::endl; std::cout << " path=" << info.path << std::endl; @@ -33,7 +33,7 @@ bool None::DoInit(const WriterInfo& info, int num_fields, { const threading::Field* field = fields[i]; std::cout << " field " << field->name << ": " - << zeek::type_name(field->type) << std::endl; + << type_name(field->type) << std::endl; } std::cout << std::endl; diff --git a/src/logging/writers/none/None.h b/src/logging/writers/none/None.h index 6b45587770..c99171667c 100644 --- a/src/logging/writers/none/None.h +++ b/src/logging/writers/none/None.h @@ -8,12 +8,12 @@ namespace zeek::logging::writer::detail { -class None : public zeek::logging::WriterBackend { +class None : public WriterBackend { public: - explicit None(zeek::logging::WriterFrontend* frontend) : zeek::logging::WriterBackend(frontend) {} + explicit None(WriterFrontend* frontend) : WriterBackend(frontend) {} ~None() override {}; - static zeek::logging::WriterBackend* Instantiate(zeek::logging::WriterFrontend* frontend) + static WriterBackend* Instantiate(WriterFrontend* frontend) { return new None(frontend); } protected: diff --git a/src/logging/writers/sqlite/SQLite.cc b/src/logging/writers/sqlite/SQLite.cc index 6ced41bf6b..dad1c4dc43 100644 --- a/src/logging/writers/sqlite/SQLite.cc +++ b/src/logging/writers/sqlite/SQLite.cc @@ -17,27 +17,27 @@ using zeek::threading::Field; namespace zeek::logging::writer::detail { -SQLite::SQLite(zeek::logging::WriterFrontend* frontend) - : zeek::logging::WriterBackend(frontend), +SQLite::SQLite(WriterFrontend* frontend) + : WriterBackend(frontend), fields(), num_fields(), db(), st() { set_separator.assign( - (const char*) zeek::BifConst::LogSQLite::set_separator->Bytes(), - zeek::BifConst::LogSQLite::set_separator->Len() + (const char*) BifConst::LogSQLite::set_separator->Bytes(), + BifConst::LogSQLite::set_separator->Len() ); unset_field.assign( - (const char*) zeek::BifConst::LogSQLite::unset_field->Bytes(), - zeek::BifConst::LogSQLite::unset_field->Len() + (const char*) BifConst::LogSQLite::unset_field->Bytes(), + BifConst::LogSQLite::unset_field->Len() ); empty_field.assign( - (const char*) zeek::BifConst::LogSQLite::empty_field->Bytes(), - zeek::BifConst::LogSQLite::empty_field->Len() + (const char*) BifConst::LogSQLite::empty_field->Bytes(), + BifConst::LogSQLite::empty_field->Len() ); - zeek::threading::formatter::Ascii::SeparatorInfo sep_info(string(), set_separator, unset_field, empty_field); - io = new zeek::threading::formatter::Ascii(this, sep_info); + threading::formatter::Ascii::SeparatorInfo sep_info(string(), set_separator, unset_field, empty_field); + io = new threading::formatter::Ascii(this, sep_info); } SQLite::~SQLite() @@ -58,36 +58,36 @@ string SQLite::GetTableType(int arg_type, int arg_subtype) { string type; switch ( arg_type ) { - case zeek::TYPE_BOOL: + case TYPE_BOOL: type = "boolean"; break; - case zeek::TYPE_INT: - case zeek::TYPE_COUNT: - case zeek::TYPE_PORT: // note that we do not save the protocol at the moment. Just like in the case of the ascii-writer + case TYPE_INT: + case TYPE_COUNT: + case TYPE_PORT: // note that we do not save the protocol at the moment. Just like in the case of the ascii-writer type = "integer"; break; - case zeek::TYPE_SUBNET: - case zeek::TYPE_ADDR: + case TYPE_SUBNET: + case TYPE_ADDR: type = "text"; // sqlite3 does not have a type for internet addresses break; - case zeek::TYPE_TIME: - case zeek::TYPE_INTERVAL: - case zeek::TYPE_DOUBLE: + case TYPE_TIME: + case TYPE_INTERVAL: + case TYPE_DOUBLE: type = "double precision"; break; - case zeek::TYPE_ENUM: - case zeek::TYPE_STRING: - case zeek::TYPE_FILE: - case zeek::TYPE_FUNC: + case TYPE_ENUM: + case TYPE_STRING: + case TYPE_FILE: + case TYPE_FUNC: type = "text"; break; - case zeek::TYPE_TABLE: - case zeek::TYPE_VECTOR: + case TYPE_TABLE: + case TYPE_VECTOR: type = "text"; // dirty - but sqlite does not directly support arrays. so - we just roll it into a ","-separated string. break; @@ -242,39 +242,39 @@ int SQLite::AddParams(Value* val, int pos) return sqlite3_bind_null(st, pos); switch ( val->type ) { - case zeek::TYPE_BOOL: + case TYPE_BOOL: return sqlite3_bind_int(st, pos, val->val.int_val != 0 ? 1 : 0 ); - case zeek::TYPE_INT: + case TYPE_INT: return sqlite3_bind_int(st, pos, val->val.int_val); - case zeek::TYPE_COUNT: + case TYPE_COUNT: return sqlite3_bind_int(st, pos, val->val.uint_val); - case zeek::TYPE_PORT: + case TYPE_PORT: return sqlite3_bind_int(st, pos, val->val.port_val.port); - case zeek::TYPE_SUBNET: + case TYPE_SUBNET: { string out = io->Render(val->val.subnet_val); return sqlite3_bind_text(st, pos, out.data(), out.size(), SQLITE_TRANSIENT); } - case zeek::TYPE_ADDR: + case TYPE_ADDR: { string out = io->Render(val->val.addr_val); return sqlite3_bind_text(st, pos, out.data(), out.size(), SQLITE_TRANSIENT); } - case zeek::TYPE_TIME: - case zeek::TYPE_INTERVAL: - case zeek::TYPE_DOUBLE: + case TYPE_TIME: + case TYPE_INTERVAL: + case TYPE_DOUBLE: return sqlite3_bind_double(st, pos, val->val.double_val); - case zeek::TYPE_ENUM: - case zeek::TYPE_STRING: - case zeek::TYPE_FILE: - case zeek::TYPE_FUNC: + case TYPE_ENUM: + case TYPE_STRING: + case TYPE_FILE: + case TYPE_FUNC: { if ( ! val->val.string_val.length || val->val.string_val.length == 0 ) return sqlite3_bind_null(st, pos); @@ -282,9 +282,9 @@ int SQLite::AddParams(Value* val, int pos) return sqlite3_bind_text(st, pos, val->val.string_val.data, val->val.string_val.length, SQLITE_TRANSIENT); } - case zeek::TYPE_TABLE: + case TYPE_TABLE: { - zeek::ODesc desc; + ODesc desc; desc.Clear(); desc.EnableEscaping(); desc.AddEscapeSequence(set_separator); @@ -304,9 +304,9 @@ int SQLite::AddParams(Value* val, int pos) return sqlite3_bind_text(st, pos, (const char*) desc.Bytes(), desc.Len(), SQLITE_TRANSIENT); } - case zeek::TYPE_VECTOR: + case TYPE_VECTOR: { - zeek::ODesc desc; + ODesc desc; desc.Clear(); desc.EnableEscaping(); desc.AddEscapeSequence(set_separator); diff --git a/src/logging/writers/sqlite/SQLite.h b/src/logging/writers/sqlite/SQLite.h index 0902195eac..a2cefbea01 100644 --- a/src/logging/writers/sqlite/SQLite.h +++ b/src/logging/writers/sqlite/SQLite.h @@ -13,12 +13,12 @@ namespace zeek::logging::writer::detail { -class SQLite : public zeek::logging::WriterBackend { +class SQLite : public WriterBackend { public: - explicit SQLite(zeek::logging::WriterFrontend* frontend); + explicit SQLite(WriterFrontend* frontend); ~SQLite() override; - static zeek::logging::WriterBackend* Instantiate(zeek::logging::WriterFrontend* frontend) + static WriterBackend* Instantiate(WriterFrontend* frontend) { return new SQLite(frontend); } protected: @@ -49,7 +49,7 @@ private: std::string unset_field; std::string empty_field; - zeek::threading::formatter::Ascii* io; + threading::formatter::Ascii* io; }; } // namespace zeek::logging::writer::detail