Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Plugins: Clean up explicit uses of namespaces in places where they're not necessary.

Browse source 
This commit covers all of the plugin classes.
This commit is contained in:
Tim Wojtulewicz 2020-08-21 09:45:16 -07:00
parent fe0c22c789
commit 70c2397f69
169 changed files with 3139 additions and 3141 deletions
Download patch file Download diff file Expand all files Collapse all files

26
src/analyzer/protocol/arp/ARP.cc
View file

@ -76,7 +76,7 @@ ARP_Analyzer::~ARP_Analyzer()
#endif #endif
void ARP_Analyzer::NextPacket(double t, const zeek::Packet* pkt) void ARP_Analyzer::NextPacket(double t, const Packet* pkt)
{ {
const u_char *data = pkt->data; const u_char *data = pkt->data;
// Check whether the packet is OK ("inspired" in tcpdump's print-arp.c). // Check whether the packet is OK ("inspired" in tcpdump's print-arp.c).
@ -180,7 +180,7 @@ void ARP_Analyzer::NextPacket(double t, const zeek::Packet* pkt)
} }
} }
void ARP_Analyzer::Describe(zeek::ODesc* d) const void ARP_Analyzer::Describe(ODesc* d) const
{ {
d->Add("<ARP analyzer>"); d->Add("<ARP analyzer>");
d->NL(); d->NL();
@ -191,20 +191,20 @@ void ARP_Analyzer::BadARP(const struct arp_pkthdr* hdr, const char* msg)
if ( ! bad_arp ) if ( ! bad_arp )
return; return;
zeek::event_mgr.Enqueue(bad_arp, event_mgr.Enqueue(bad_arp,
ToAddrVal(ar_spa(hdr)), ToAddrVal(ar_spa(hdr)),
ToEthAddrStr((const u_char*) ar_sha(hdr)), ToEthAddrStr((const u_char*) ar_sha(hdr)),
ToAddrVal(ar_tpa(hdr)), ToAddrVal(ar_tpa(hdr)),
ToEthAddrStr((const u_char*) ar_tha(hdr)), ToEthAddrStr((const u_char*) ar_tha(hdr)),
zeek::make_intrusive<zeek::StringVal>(msg)); make_intrusive<StringVal>(msg));
} }
void ARP_Analyzer::Corrupted(const char* msg) void ARP_Analyzer::Corrupted(const char* msg)
{ {
zeek::reporter->Weird(msg); reporter->Weird(msg);
} }
void ARP_Analyzer::RREvent(zeek::EventHandlerPtr e, void ARP_Analyzer::RREvent(EventHandlerPtr e,
const u_char* src, const u_char *dst, const u_char* src, const u_char *dst,
const char* spa, const char* sha, const char* spa, const char* sha,
const char* tpa, const char* tha) const char* tpa, const char* tha)
@ -212,7 +212,7 @@ void ARP_Analyzer::RREvent(zeek::EventHandlerPtr e,
if ( ! e ) if ( ! e )
return; return;
zeek::event_mgr.Enqueue(e, event_mgr.Enqueue(e,
ToEthAddrStr(src), ToEthAddrStr(src),
ToEthAddrStr(dst), ToEthAddrStr(dst),
ToAddrVal(spa), ToAddrVal(spa),
@ -221,24 +221,24 @@ void ARP_Analyzer::RREvent(zeek::EventHandlerPtr e,
ToEthAddrStr((const u_char*) tha)); ToEthAddrStr((const u_char*) tha));
} }
zeek::AddrVal* ARP_Analyzer::ConstructAddrVal(const void* addr) AddrVal* ARP_Analyzer::ConstructAddrVal(const void* addr)
{ return ToAddrVal(addr).release(); } { return ToAddrVal(addr).release(); }
zeek::AddrValPtr ARP_Analyzer::ToAddrVal(const void* addr) AddrValPtr ARP_Analyzer::ToAddrVal(const void* addr)
{ {
// ### For now, we only handle IPv4 addresses. // ### For now, we only handle IPv4 addresses.
return zeek::make_intrusive<zeek::AddrVal>(*(const uint32_t*) addr); return make_intrusive<AddrVal>(*(const uint32_t*) addr);
} }
zeek::StringVal* ARP_Analyzer::EthAddrToStr(const u_char* addr) StringVal* ARP_Analyzer::EthAddrToStr(const u_char* addr)
{ return ToEthAddrStr(addr).release(); } { return ToEthAddrStr(addr).release(); }
zeek::StringValPtr ARP_Analyzer::ToEthAddrStr(const u_char* addr) StringValPtr ARP_Analyzer::ToEthAddrStr(const u_char* addr)
{ {
char buf[1024]; char buf[1024];
snprintf(buf, sizeof(buf), "%02x:%02x:%02x:%02x:%02x:%02x", snprintf(buf, sizeof(buf), "%02x:%02x:%02x:%02x:%02x:%02x",
addr[0], addr[1], addr[2], addr[3], addr[4], addr[5]); addr[0], addr[1], addr[2], addr[3], addr[4], addr[5]);
return zeek::make_intrusive<zeek::StringVal>(buf); return make_intrusive<StringVal>(buf);
} }
} // namespace zeek::analyzer::arp } // namespace zeek::analyzer::arp

16
src/analyzer/protocol/arp/ARP.h
View file

@ -32,27 +32,27 @@ extern "C" {
namespace zeek::analyzer::arp { namespace zeek::analyzer::arp {
class ARP_Analyzer : public zeek::Obj { class ARP_Analyzer : public Obj {
public: public:
ARP_Analyzer(); ARP_Analyzer();
~ARP_Analyzer() override; ~ARP_Analyzer() override;
void NextPacket(double t, const zeek::Packet* pkt); void NextPacket(double t, const Packet* pkt);
void Describe(zeek::ODesc* d) const override; void Describe(ODesc* d) const override;
void RREvent(zeek::EventHandlerPtr e, const u_char* src, const u_char* dst, void RREvent(EventHandlerPtr e, const u_char* src, const u_char* dst,
const char* spa, const char* sha, const char* spa, const char* sha,
const char* tpa, const char* tha); const char* tpa, const char* tha);
protected: protected:
[[deprecated("Remove in v4.1. Use ToAddrVal().")]] [[deprecated("Remove in v4.1. Use ToAddrVal().")]]
zeek::AddrVal* ConstructAddrVal(const void* addr); AddrVal* ConstructAddrVal(const void* addr);
[[deprecated("Remove in v4.1. Use ToEthAddrStr().")]] [[deprecated("Remove in v4.1. Use ToEthAddrStr().")]]
zeek::StringVal* EthAddrToStr(const u_char* addr); StringVal* EthAddrToStr(const u_char* addr);
zeek::AddrValPtr ToAddrVal(const void* addr); AddrValPtr ToAddrVal(const void* addr);
zeek::StringValPtr ToEthAddrStr(const u_char* addr); StringValPtr ToEthAddrStr(const u_char* addr);
void BadARP(const struct arp_pkthdr* hdr, const char* string); void BadARP(const struct arp_pkthdr* hdr, const char* string);
void Corrupted(const char* string); void Corrupted(const char* string);
}; };

6
src/analyzer/protocol/ayiya/AYIYA.cc
View file

@ -4,7 +4,7 @@
namespace zeek::analyzer::ayiya { namespace zeek::analyzer::ayiya {
AYIYA_Analyzer::AYIYA_Analyzer(zeek::Connection* conn) AYIYA_Analyzer::AYIYA_Analyzer(Connection* conn)
: Analyzer("AYIYA", conn) : Analyzer("AYIYA", conn)
{ {
interp = new binpac::AYIYA::AYIYA_Conn(this); interp = new binpac::AYIYA::AYIYA_Conn(this);
@ -21,7 +21,7 @@ void AYIYA_Analyzer::Done()
Event(udp_session_done); Event(udp_session_done);
} }
void AYIYA_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64_t seq, const zeek::IP_Hdr* ip, int caplen) void AYIYA_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64_t seq, const IP_Hdr* ip, int caplen)
{ {
Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
@ -31,7 +31,7 @@ void AYIYA_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint6
} }
catch ( const binpac::Exception& e ) catch ( const binpac::Exception& e )
{ {
ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg())); ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
} }
} }

8
src/analyzer/protocol/ayiya/AYIYA.h
View file

@ -4,16 +4,16 @@
namespace zeek::analyzer::ayiya { namespace zeek::analyzer::ayiya {
class AYIYA_Analyzer final : public zeek::analyzer::Analyzer { class AYIYA_Analyzer final : public analyzer::Analyzer {
public: public:
explicit AYIYA_Analyzer(zeek::Connection* conn); explicit AYIYA_Analyzer(Connection* conn);
virtual ~AYIYA_Analyzer(); virtual ~AYIYA_Analyzer();
virtual void Done(); virtual void Done();
virtual void DeliverPacket(int len, const u_char* data, bool orig, virtual void DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const zeek::IP_Hdr* ip, int caplen); uint64_t seq, const IP_Hdr* ip, int caplen);
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new AYIYA_Analyzer(conn); } { return new AYIYA_Analyzer(conn); }
protected: protected:

18
src/analyzer/protocol/bittorrent/BitTorrent.cc
View file

@ -7,8 +7,8 @@
namespace zeek::analyzer::bittorrent { namespace zeek::analyzer::bittorrent {
BitTorrent_Analyzer::BitTorrent_Analyzer(zeek::Connection* c) BitTorrent_Analyzer::BitTorrent_Analyzer(Connection* c)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("BITTORRENT", c) : analyzer::tcp::TCP_ApplicationAnalyzer("BITTORRENT", c)
{ {
interp = new binpac::BitTorrent::BitTorrent_Conn(this); interp = new binpac::BitTorrent::BitTorrent_Conn(this);
stop_orig = stop_resp = false; stop_orig = stop_resp = false;
@ -22,7 +22,7 @@ BitTorrent_Analyzer::~BitTorrent_Analyzer()
void BitTorrent_Analyzer::Done() void BitTorrent_Analyzer::Done()
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); analyzer::tcp::TCP_ApplicationAnalyzer::Done();
interp->FlowEOF(true); interp->FlowEOF(true);
interp->FlowEOF(false); interp->FlowEOF(false);
@ -33,7 +33,7 @@ void BitTorrent_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
uint64_t& this_stream_len = orig ? stream_len_orig : stream_len_resp; uint64_t& this_stream_len = orig ? stream_len_orig : stream_len_resp;
bool& this_stop = orig ? stop_orig : stop_resp; bool& this_stop = orig ? stop_orig : stop_resp;
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
assert(TCP()); assert(TCP());
@ -59,7 +59,7 @@ void BitTorrent_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
Parent()->RemoveChildAnalyzer(this); Parent()->RemoveChildAnalyzer(this);
else else
{ {
DeliverWeird(zeek::util::fmt("Stopping BitTorrent analysis: protocol violation (%s)", DeliverWeird(util::fmt("Stopping BitTorrent analysis: protocol violation (%s)",
e.c_msg()), orig); e.c_msg()), orig);
this_stop = true; this_stop = true;
if ( stop_orig && stop_resp ) if ( stop_orig && stop_resp )
@ -70,7 +70,7 @@ void BitTorrent_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
void BitTorrent_Analyzer::Undelivered(uint64_t seq, int len, bool orig) void BitTorrent_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
// TODO: Code commented out for now. I think that shoving data that // TODO: Code commented out for now. I think that shoving data that
// is definitely wrong into the parser seems like a really bad idea. // is definitely wrong into the parser seems like a really bad idea.
@ -112,7 +112,7 @@ void BitTorrent_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
void BitTorrent_Analyzer::EndpointEOF(bool is_orig) void BitTorrent_Analyzer::EndpointEOF(bool is_orig)
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
interp->FlowEOF(is_orig); interp->FlowEOF(is_orig);
} }
@ -121,8 +121,8 @@ void BitTorrent_Analyzer::DeliverWeird(const char* msg, bool orig)
if ( bittorrent_peer_weird ) if ( bittorrent_peer_weird )
EnqueueConnEvent(bittorrent_peer_weird, EnqueueConnEvent(bittorrent_peer_weird,
ConnVal(), ConnVal(),
zeek::val_mgr->Bool(orig), val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(msg)); make_intrusive<StringVal>(msg));
} }
} // namespace zeek::analyzer::bittorrent } // namespace zeek::analyzer::bittorrent

6
src/analyzer/protocol/bittorrent/BitTorrent.h
View file

@ -8,9 +8,9 @@
namespace zeek::analyzer::bittorrent { namespace zeek::analyzer::bittorrent {
class BitTorrent_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { class BitTorrent_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer {
public: public:
explicit BitTorrent_Analyzer(zeek::Connection* conn); explicit BitTorrent_Analyzer(Connection* conn);
~BitTorrent_Analyzer() override; ~BitTorrent_Analyzer() override;
void Done() override; void Done() override;
@ -18,7 +18,7 @@ public:
void Undelivered(uint64_t seq, int len, bool orig) override; void Undelivered(uint64_t seq, int len, bool orig) override;
void EndpointEOF(bool is_orig) override; void EndpointEOF(bool is_orig) override;
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new BitTorrent_Analyzer(conn); } { return new BitTorrent_Analyzer(conn); }
protected: protected:

94
src/analyzer/protocol/bittorrent/BitTorrentTracker.cc
View file

@ -15,27 +15,27 @@
namespace zeek::analyzer::bittorrent { namespace zeek::analyzer::bittorrent {
static zeek::TableTypePtr bt_tracker_headers; static TableTypePtr bt_tracker_headers;
static zeek::RecordTypePtr bittorrent_peer; static RecordTypePtr bittorrent_peer;
static zeek::TableTypePtr bittorrent_peer_set; static TableTypePtr bittorrent_peer_set;
static zeek::RecordTypePtr bittorrent_benc_value; static RecordTypePtr bittorrent_benc_value;
static zeek::TableTypePtr bittorrent_benc_dir; static TableTypePtr bittorrent_benc_dir;
BitTorrentTracker_Analyzer::BitTorrentTracker_Analyzer(zeek::Connection* c) BitTorrentTracker_Analyzer::BitTorrentTracker_Analyzer(Connection* c)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("BITTORRENTTRACKER", c) : analyzer::tcp::TCP_ApplicationAnalyzer("BITTORRENTTRACKER", c)
{ {
if ( ! bt_tracker_headers ) if ( ! bt_tracker_headers )
{ {
bt_tracker_headers = bt_tracker_headers =
zeek::id::find_type<zeek::TableType>("bt_tracker_headers"); id::find_type<TableType>("bt_tracker_headers");
bittorrent_peer = bittorrent_peer =
zeek::id::find_type<zeek::RecordType>("bittorrent_peer"); id::find_type<RecordType>("bittorrent_peer");
bittorrent_peer_set = bittorrent_peer_set =
zeek::id::find_type<zeek::TableType>("bittorrent_peer_set"); id::find_type<TableType>("bittorrent_peer_set");
bittorrent_benc_value = bittorrent_benc_value =
zeek::id::find_type<zeek::RecordType>("bittorrent_benc_value"); id::find_type<RecordType>("bittorrent_benc_value");
bittorrent_benc_dir = bittorrent_benc_dir =
zeek::id::find_type<zeek::TableType>("bittorrent_benc_dir"); id::find_type<TableType>("bittorrent_benc_dir");
} }
keep_alive = false; keep_alive = false;
@ -45,7 +45,7 @@ BitTorrentTracker_Analyzer::BitTorrentTracker_Analyzer(zeek::Connection* c)
req_buf_pos = req_buf; req_buf_pos = req_buf;
req_buf_len = 0; req_buf_len = 0;
req_val_uri = nullptr; req_val_uri = nullptr;
req_val_headers = new zeek::TableVal(bt_tracker_headers); req_val_headers = new TableVal(bt_tracker_headers);
res_state = detail::BTT_RES_STATUS; res_state = detail::BTT_RES_STATUS;
res_allow_blank_line = false; res_allow_blank_line = false;
@ -53,9 +53,9 @@ BitTorrentTracker_Analyzer::BitTorrentTracker_Analyzer(zeek::Connection* c)
res_buf_pos = res_buf; res_buf_pos = res_buf;
res_buf_len = 0; res_buf_len = 0;
res_status = 0; res_status = 0;
res_val_headers = new zeek::TableVal(bt_tracker_headers); res_val_headers = new TableVal(bt_tracker_headers);
res_val_peers = new zeek::TableVal(bittorrent_peer_set); res_val_peers = new TableVal(bittorrent_peer_set);
res_val_benc = new zeek::TableVal(bittorrent_benc_dir); res_val_benc = new TableVal(bittorrent_benc_dir);
InitBencParser(); InitBencParser();
@ -78,13 +78,13 @@ BitTorrentTracker_Analyzer::~BitTorrentTracker_Analyzer()
void BitTorrentTracker_Analyzer::Done() void BitTorrentTracker_Analyzer::Done()
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); analyzer::tcp::TCP_ApplicationAnalyzer::Done();
} }
void BitTorrentTracker_Analyzer::DeliverStream(int len, const u_char* data, void BitTorrentTracker_Analyzer::DeliverStream(int len, const u_char* data,
bool orig) bool orig)
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
assert(TCP()); assert(TCP());
@ -136,7 +136,7 @@ void BitTorrentTracker_Analyzer::ClientRequest(int len, const u_char* data)
req_buf_len -= (req_buf_pos - req_buf); req_buf_len -= (req_buf_pos - req_buf);
memmove(req_buf, req_buf_pos, req_buf_len); memmove(req_buf, req_buf_pos, req_buf_len);
req_buf_pos = req_buf; req_buf_pos = req_buf;
req_val_headers = new zeek::TableVal(bt_tracker_headers); req_val_headers = new TableVal(bt_tracker_headers);
} }
} }
} }
@ -198,9 +198,9 @@ void BitTorrentTracker_Analyzer::ServerReply(int len, const u_char* data)
res_buf_pos = res_buf; res_buf_pos = res_buf;
res_status = 0; res_status = 0;
res_val_headers = new zeek::TableVal(bt_tracker_headers); res_val_headers = new TableVal(bt_tracker_headers);
res_val_peers = new zeek::TableVal(bittorrent_peer_set); res_val_peers = new TableVal(bittorrent_peer_set);
res_val_benc = new zeek::TableVal(bittorrent_benc_dir); res_val_benc = new TableVal(bittorrent_benc_dir);
InitBencParser(); InitBencParser();
} }
@ -208,7 +208,7 @@ void BitTorrentTracker_Analyzer::ServerReply(int len, const u_char* data)
void BitTorrentTracker_Analyzer::Undelivered(uint64_t seq, int len, bool orig) void BitTorrentTracker_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
ProtocolViolation("BitTorrentTracker: cannot recover from content gap"); ProtocolViolation("BitTorrentTracker: cannot recover from content gap");
@ -220,7 +220,7 @@ void BitTorrentTracker_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
void BitTorrentTracker_Analyzer::EndpointEOF(bool is_orig) void BitTorrentTracker_Analyzer::EndpointEOF(bool is_orig)
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
} }
void BitTorrentTracker_Analyzer::InitBencParser(void) void BitTorrentTracker_Analyzer::InitBencParser(void)
@ -247,8 +247,8 @@ void BitTorrentTracker_Analyzer::DeliverWeird(const char* msg, bool orig)
if ( bt_tracker_weird ) if ( bt_tracker_weird )
EnqueueConnEvent(bt_tracker_weird, EnqueueConnEvent(bt_tracker_weird,
ConnVal(), ConnVal(),
zeek::val_mgr->Bool(orig), val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(msg) make_intrusive<StringVal>(msg)
); );
} }
@ -322,7 +322,7 @@ bool BitTorrentTracker_Analyzer::ParseRequest(char* line)
case detail::BTT_REQ_DONE: case detail::BTT_REQ_DONE:
if ( *line ) if ( *line )
{ {
auto msg = zeek::util::fmt("Got post request data: %s\n", line); auto msg = util::fmt("Got post request data: %s\n", line);
Weird("bittorrent_tracker_data_post_request", msg); Weird("bittorrent_tracker_data_post_request", msg);
DeliverWeird(msg, true); DeliverWeird(msg, true);
} }
@ -338,7 +338,7 @@ bool BitTorrentTracker_Analyzer::ParseRequest(char* line)
void BitTorrentTracker_Analyzer::RequestGet(char* uri) void BitTorrentTracker_Analyzer::RequestGet(char* uri)
{ {
req_val_uri = new zeek::StringVal(uri); req_val_uri = new StringVal(uri);
} }
void BitTorrentTracker_Analyzer::EmitRequest(void) void BitTorrentTracker_Analyzer::EmitRequest(void)
@ -348,8 +348,8 @@ void BitTorrentTracker_Analyzer::EmitRequest(void)
if ( bt_tracker_request ) if ( bt_tracker_request )
EnqueueConnEvent(bt_tracker_request, EnqueueConnEvent(bt_tracker_request,
ConnVal(), ConnVal(),
zeek::IntrusivePtr{zeek::AdoptRef{}, req_val_uri}, IntrusivePtr{AdoptRef{}, req_val_uri},
zeek::IntrusivePtr{zeek::AdoptRef{}, req_val_headers} IntrusivePtr{AdoptRef{}, req_val_headers}
); );
req_val_uri = nullptr; req_val_uri = nullptr;
@ -403,8 +403,8 @@ bool BitTorrentTracker_Analyzer::ParseResponse(char* line)
EnqueueConnEvent( EnqueueConnEvent(
bt_tracker_response_not_ok, bt_tracker_response_not_ok,
ConnVal(), ConnVal(),
zeek::val_mgr->Count(res_status), val_mgr->Count(res_status),
zeek::IntrusivePtr{zeek::AdoptRef{}, res_val_headers} IntrusivePtr{AdoptRef{}, res_val_headers}
); );
res_val_headers = nullptr; res_val_headers = nullptr;
res_buf_pos = res_buf + res_buf_len; res_buf_pos = res_buf + res_buf_len;
@ -456,8 +456,8 @@ void BitTorrentTracker_Analyzer::ParseHeader(char* name, char* value,
} }
#ifdef BTTRACKER_STORE_HEADERS #ifdef BTTRACKER_STORE_HEADERS
zeek::StringVal* name_ = new zeek::StringVal(name); auto* name_ = new StringVal(name);
zeek::StringVal* value_ = new zeek::StringVal(value); auto* value_ = new StringVal(value);
(is_request ? req_val_headers : res_val_headers)->Assign(name_, value_); (is_request ? req_val_headers : res_val_headers)->Assign(name_, value_);
Unref(name_); Unref(name_);
@ -479,17 +479,17 @@ void BitTorrentTracker_Analyzer::ResponseBenc(int name_len, char* name,
uint32_t ad = extract_uint32((u_char*) value); uint32_t ad = extract_uint32((u_char*) value);
uint16_t pt = ntohs((value[4] << 8) | value[5]); uint16_t pt = ntohs((value[4] << 8) | value[5]);
auto peer = zeek::make_intrusive<zeek::RecordVal>(bittorrent_peer); auto peer = make_intrusive<RecordVal>(bittorrent_peer);
peer->Assign(0, zeek::make_intrusive<zeek::AddrVal>(ad)); peer->Assign(0, make_intrusive<AddrVal>(ad));
peer->Assign(1, zeek::val_mgr->Port(pt, TRANSPORT_TCP)); peer->Assign(1, val_mgr->Port(pt, TRANSPORT_TCP));
res_val_peers->Assign(std::move(peer), nullptr); res_val_peers->Assign(std::move(peer), nullptr);
} }
} }
else else
{ {
auto name_ = zeek::make_intrusive<zeek::StringVal>(name_len, name); auto name_ = make_intrusive<StringVal>(name_len, name);
auto benc_value = zeek::make_intrusive<zeek::RecordVal>(bittorrent_benc_value); auto benc_value = make_intrusive<RecordVal>(bittorrent_benc_value);
benc_value->Assign(type, zeek::make_intrusive<zeek::StringVal>(value_len, value)); benc_value->Assign(type, make_intrusive<StringVal>(value_len, value));
res_val_benc->Assign(std::move(name_), std::move(benc_value)); res_val_benc->Assign(std::move(name_), std::move(benc_value));
} }
} }
@ -497,10 +497,10 @@ void BitTorrentTracker_Analyzer::ResponseBenc(int name_len, char* name,
void BitTorrentTracker_Analyzer::ResponseBenc(int name_len, char* name, void BitTorrentTracker_Analyzer::ResponseBenc(int name_len, char* name,
detail::BTT_BencTypes type, bro_int_t value) detail::BTT_BencTypes type, bro_int_t value)
{ {
auto benc_value = zeek::make_intrusive<zeek::RecordVal>(bittorrent_benc_value); auto benc_value = make_intrusive<RecordVal>(bittorrent_benc_value);
auto name_ = zeek::make_intrusive<zeek::StringVal>(name_len, name); auto name_ = make_intrusive<StringVal>(name_len, name);
benc_value->Assign(type, zeek::val_mgr->Int(value)); benc_value->Assign(type, val_mgr->Int(value));
res_val_benc->Assign(std::move(name_), std::move(benc_value)); res_val_benc->Assign(std::move(name_), std::move(benc_value));
} }
@ -785,10 +785,10 @@ void BitTorrentTracker_Analyzer::EmitResponse(void)
if ( bt_tracker_response ) if ( bt_tracker_response )
EnqueueConnEvent(bt_tracker_response, EnqueueConnEvent(bt_tracker_response,
ConnVal(), ConnVal(),
zeek::val_mgr->Count(res_status), val_mgr->Count(res_status),
zeek::IntrusivePtr{zeek::AdoptRef{}, res_val_headers}, IntrusivePtr{AdoptRef{}, res_val_headers},
zeek::IntrusivePtr{zeek::AdoptRef{}, res_val_peers}, IntrusivePtr{AdoptRef{}, res_val_peers},
zeek::IntrusivePtr{zeek::AdoptRef{}, res_val_benc} IntrusivePtr{AdoptRef{}, res_val_benc}
); );
res_val_headers = nullptr; res_val_headers = nullptr;

16
src/analyzer/protocol/bittorrent/BitTorrentTracker.h
View file

@ -47,9 +47,9 @@ enum BTT_BencStates {
} // namespace detail } // namespace detail
class BitTorrentTracker_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { class BitTorrentTracker_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer {
public: public:
explicit BitTorrentTracker_Analyzer(zeek::Connection* conn); explicit BitTorrentTracker_Analyzer(Connection* conn);
~BitTorrentTracker_Analyzer() override; ~BitTorrentTracker_Analyzer() override;
void Done() override; void Done() override;
@ -57,7 +57,7 @@ public:
void Undelivered(uint64_t seq, int len, bool orig) override; void Undelivered(uint64_t seq, int len, bool orig) override;
void EndpointEOF(bool is_orig) override; void EndpointEOF(bool is_orig) override;
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new BitTorrentTracker_Analyzer(conn); } { return new BitTorrentTracker_Analyzer(conn); }
protected: protected:
@ -96,8 +96,8 @@ protected:
char req_buf[BTTRACKER_BUF]; char req_buf[BTTRACKER_BUF];
char* req_buf_pos; char* req_buf_pos;
unsigned int req_buf_len; unsigned int req_buf_len;
zeek::StringVal* req_val_uri; StringVal* req_val_uri;
zeek::TableVal* req_val_headers; TableVal* req_val_headers;
// Response. // Response.
detail::BTT_States res_state; detail::BTT_States res_state;
@ -106,9 +106,9 @@ protected:
char* res_buf_pos; char* res_buf_pos;
unsigned int res_buf_len; unsigned int res_buf_len;
bro_uint_t res_status; bro_uint_t res_status;
zeek::TableVal* res_val_headers; TableVal* res_val_headers;
zeek::TableVal* res_val_peers; TableVal* res_val_peers;
zeek::TableVal* res_val_benc; TableVal* res_val_benc;
std::vector<char> benc_stack; std::vector<char> benc_stack;
std::vector<unsigned int> benc_count; std::vector<unsigned int> benc_count;

38
src/analyzer/protocol/conn-size/ConnSize.cc
View file

@ -13,7 +13,7 @@
namespace zeek::analyzer::conn_size { namespace zeek::analyzer::conn_size {
ConnSize_Analyzer::ConnSize_Analyzer(zeek::Connection* c) ConnSize_Analyzer::ConnSize_Analyzer(Connection* c)
: Analyzer("CONNSIZE", c), : Analyzer("CONNSIZE", c),
orig_bytes(), resp_bytes(), orig_pkts(), resp_pkts(), orig_bytes(), resp_bytes(), orig_pkts(), resp_pkts(),
orig_bytes_thresh(), resp_bytes_thresh(), orig_pkts_thresh(), resp_pkts_thresh(), duration_thresh() orig_bytes_thresh(), resp_bytes_thresh(), orig_pkts_thresh(), resp_pkts_thresh(), duration_thresh()
@ -46,15 +46,15 @@ void ConnSize_Analyzer::Done()
Analyzer::Done(); Analyzer::Done();
} }
void ConnSize_Analyzer::ThresholdEvent(zeek::EventHandlerPtr f, uint64_t threshold, bool is_orig) void ConnSize_Analyzer::ThresholdEvent(EventHandlerPtr f, uint64_t threshold, bool is_orig)
{ {
if ( ! f ) if ( ! f )
return; return;
EnqueueConnEvent(f, EnqueueConnEvent(f,
ConnVal(), ConnVal(),
zeek::val_mgr->Count(threshold), val_mgr->Count(threshold),
zeek::val_mgr->Bool(is_orig) val_mgr->Bool(is_orig)
); );
} }
@ -91,19 +91,19 @@ void ConnSize_Analyzer::CheckThresholds(bool is_orig)
if ( duration_thresh != 0 ) if ( duration_thresh != 0 )
{ {
if ( ( zeek::run_state::network_time - start_time ) > duration_thresh && conn_duration_threshold_crossed ) if ( ( run_state::network_time - start_time ) > duration_thresh && conn_duration_threshold_crossed )
{ {
EnqueueConnEvent(conn_duration_threshold_crossed, EnqueueConnEvent(conn_duration_threshold_crossed,
ConnVal(), ConnVal(),
zeek::make_intrusive<zeek::IntervalVal>(duration_thresh), make_intrusive<IntervalVal>(duration_thresh),
zeek::val_mgr->Bool(is_orig) val_mgr->Bool(is_orig)
); );
duration_thresh = 0; duration_thresh = 0;
} }
} }
} }
void ConnSize_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, uint64_t seq, const zeek::IP_Hdr* ip, int caplen) void ConnSize_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, uint64_t seq, const IP_Hdr* ip, int caplen)
{ {
Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen); Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen);
@ -168,26 +168,26 @@ void ConnSize_Analyzer::SetDurationThreshold(double duration)
CheckThresholds(true); CheckThresholds(true);
} }
void ConnSize_Analyzer::UpdateConnVal(zeek::RecordVal *conn_val) void ConnSize_Analyzer::UpdateConnVal(RecordVal *conn_val)
{ {
// RecordType *connection_type is decleared in NetVar.h // RecordType *connection_type is decleared in NetVar.h
zeek::RecordVal* orig_endp = conn_val->GetField("orig")->AsRecordVal(); RecordVal* orig_endp = conn_val->GetField("orig")->AsRecordVal();
zeek::RecordVal* resp_endp = conn_val->GetField("resp")->AsRecordVal(); RecordVal* resp_endp = conn_val->GetField("resp")->AsRecordVal();
// endpoint is the RecordType from NetVar.h // endpoint is the RecordType from NetVar.h
int pktidx = zeek::id::endpoint->FieldOffset("num_pkts"); int pktidx = id::endpoint->FieldOffset("num_pkts");
int bytesidx = zeek::id::endpoint->FieldOffset("num_bytes_ip"); int bytesidx = id::endpoint->FieldOffset("num_bytes_ip");
if ( pktidx < 0 ) if ( pktidx < 0 )
zeek::reporter->InternalError("'endpoint' record missing 'num_pkts' field"); reporter->InternalError("'endpoint' record missing 'num_pkts' field");
if ( bytesidx < 0 ) if ( bytesidx < 0 )
zeek::reporter->InternalError("'endpoint' record missing 'num_bytes_ip' field"); reporter->InternalError("'endpoint' record missing 'num_bytes_ip' field");
orig_endp->Assign(pktidx, zeek::val_mgr->Count(orig_pkts)); orig_endp->Assign(pktidx, val_mgr->Count(orig_pkts));
orig_endp->Assign(bytesidx, zeek::val_mgr->Count(orig_bytes)); orig_endp->Assign(bytesidx, val_mgr->Count(orig_bytes));
resp_endp->Assign(pktidx, zeek::val_mgr->Count(resp_pkts)); resp_endp->Assign(pktidx, val_mgr->Count(resp_pkts));
resp_endp->Assign(bytesidx, zeek::val_mgr->Count(resp_bytes)); resp_endp->Assign(bytesidx, val_mgr->Count(resp_bytes));
Analyzer::UpdateConnVal(conn_val); Analyzer::UpdateConnVal(conn_val);
} }

12
src/analyzer/protocol/conn-size/ConnSize.h
View file

@ -8,16 +8,16 @@
namespace zeek::analyzer::conn_size { namespace zeek::analyzer::conn_size {
class ConnSize_Analyzer : public zeek::analyzer::Analyzer { class ConnSize_Analyzer : public analyzer::Analyzer {
public: public:
explicit ConnSize_Analyzer(zeek::Connection* c); explicit ConnSize_Analyzer(Connection* c);
~ConnSize_Analyzer() override; ~ConnSize_Analyzer() override;
void Init() override; void Init() override;
void Done() override; void Done() override;
// from Analyzer.h // from Analyzer.h
void UpdateConnVal(zeek::RecordVal *conn_val) override; void UpdateConnVal(RecordVal *conn_val) override;
void FlipRoles() override; void FlipRoles() override;
void SetByteAndPacketThreshold(uint64_t threshold, bool bytes, bool orig); void SetByteAndPacketThreshold(uint64_t threshold, bool bytes, bool orig);
@ -26,15 +26,15 @@ public:
void SetDurationThreshold(double duration); void SetDurationThreshold(double duration);
double GetDurationThreshold() { return duration_thresh; }; double GetDurationThreshold() { return duration_thresh; };
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new ConnSize_Analyzer(conn); } { return new ConnSize_Analyzer(conn); }
protected: protected:
void DeliverPacket(int len, const u_char* data, bool is_orig, void DeliverPacket(int len, const u_char* data, bool is_orig,
uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override; uint64_t seq, const IP_Hdr* ip, int caplen) override;
void CheckThresholds(bool is_orig); void CheckThresholds(bool is_orig);
void ThresholdEvent(zeek::EventHandlerPtr f, uint64_t threshold, bool is_orig); void ThresholdEvent(EventHandlerPtr f, uint64_t threshold, bool is_orig);
uint64_t orig_bytes; uint64_t orig_bytes;
uint64_t resp_bytes; uint64_t resp_bytes;

6
src/analyzer/protocol/dce-rpc/DCE_RPC.cc
View file

@ -11,8 +11,8 @@ using namespace std;
namespace zeek::analyzer::dce_rpc { namespace zeek::analyzer::dce_rpc {
DCE_RPC_Analyzer::DCE_RPC_Analyzer(zeek::Connection* conn) DCE_RPC_Analyzer::DCE_RPC_Analyzer(Connection* conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("DCE_RPC", conn) : analyzer::tcp::TCP_ApplicationAnalyzer("DCE_RPC", conn)
{ {
had_gap = false; had_gap = false;
interp = new binpac::DCE_RPC::DCE_RPC_Conn(this); interp = new binpac::DCE_RPC::DCE_RPC_Conn(this);
@ -61,7 +61,7 @@ void DCE_RPC_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
} }
catch ( const binpac::Exception& e ) catch ( const binpac::Exception& e )
{ {
ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg())); ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
} }
} }

6
src/analyzer/protocol/dce-rpc/DCE_RPC.h
View file

@ -11,9 +11,9 @@
namespace zeek::analyzer::dce_rpc { namespace zeek::analyzer::dce_rpc {
class DCE_RPC_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { class DCE_RPC_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer {
public: public:
explicit DCE_RPC_Analyzer(zeek::Connection* conn); explicit DCE_RPC_Analyzer(Connection* conn);
~DCE_RPC_Analyzer() override; ~DCE_RPC_Analyzer() override;
void Done() override; void Done() override;
@ -24,7 +24,7 @@ public:
bool SetFileID(uint64_t fid_in) bool SetFileID(uint64_t fid_in)
{ interp->set_file_id(fid_in); return true; } { interp->set_file_id(fid_in); return true; }
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new DCE_RPC_Analyzer(conn); } { return new DCE_RPC_Analyzer(conn); }
protected: protected:

6
src/analyzer/protocol/dhcp/DHCP.cc
View file

@ -5,7 +5,7 @@
namespace zeek::analyzer::dhcp { namespace zeek::analyzer::dhcp {
DHCP_Analyzer::DHCP_Analyzer(zeek::Connection* conn) DHCP_Analyzer::DHCP_Analyzer(Connection* conn)
: Analyzer("DHCP", conn) : Analyzer("DHCP", conn)
{ {
interp = new binpac::DHCP::DHCP_Conn(this); interp = new binpac::DHCP::DHCP_Conn(this);
@ -22,7 +22,7 @@ void DHCP_Analyzer::Done()
} }
void DHCP_Analyzer::DeliverPacket(int len, const u_char* data, void DHCP_Analyzer::DeliverPacket(int len, const u_char* data,
bool orig, uint64_t seq, const zeek::IP_Hdr* ip, int caplen) bool orig, uint64_t seq, const IP_Hdr* ip, int caplen)
{ {
Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
@ -32,7 +32,7 @@ void DHCP_Analyzer::DeliverPacket(int len, const u_char* data,
} }
catch ( const binpac::Exception& e ) catch ( const binpac::Exception& e )
{ {
ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg())); ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
} }
} }

8
src/analyzer/protocol/dhcp/DHCP.h
View file

@ -6,16 +6,16 @@
namespace zeek::analyzer::dhcp { namespace zeek::analyzer::dhcp {
class DHCP_Analyzer final : public zeek::analyzer::Analyzer { class DHCP_Analyzer final : public analyzer::Analyzer {
public: public:
explicit DHCP_Analyzer(zeek::Connection* conn); explicit DHCP_Analyzer(Connection* conn);
~DHCP_Analyzer() override; ~DHCP_Analyzer() override;
void Done() override; void Done() override;
void DeliverPacket(int len, const u_char* data, bool orig, void DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override; uint64_t seq, const IP_Hdr* ip, int caplen) override;
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new DHCP_Analyzer(conn); } { return new DHCP_Analyzer(conn); }
protected: protected:

18
src/analyzer/protocol/dnp3/DNP3.cc
View file

@ -113,7 +113,7 @@ namespace detail {
bool DNP3_Base::crc_table_initialized = false; bool DNP3_Base::crc_table_initialized = false;
unsigned int DNP3_Base::crc_table[256]; unsigned int DNP3_Base::crc_table[256];
DNP3_Base::DNP3_Base(zeek::analyzer::Analyzer* arg_analyzer) DNP3_Base::DNP3_Base(analyzer::Analyzer* arg_analyzer)
{ {
analyzer = arg_analyzer; analyzer = arg_analyzer;
interp = new binpac::DNP3::DNP3_Conn(analyzer); interp = new binpac::DNP3::DNP3_Conn(analyzer);
@ -235,13 +235,13 @@ int DNP3_Base::AddToBuffer(Endpoint* endp, int target_len, const u_char** data,
if ( *len < 0 ) if ( *len < 0 )
{ {
zeek::reporter->AnalyzerError(analyzer, "dnp3 negative input length: %d", *len); reporter->AnalyzerError(analyzer, "dnp3 negative input length: %d", *len);
return -1; return -1;
} }
if ( target_len < endp->buffer_len ) if ( target_len < endp->buffer_len )
{ {
zeek::reporter->AnalyzerError(analyzer, "dnp3 invalid target length: %d - %d", reporter->AnalyzerError(analyzer, "dnp3 invalid target length: %d - %d",
target_len, endp->buffer_len); target_len, endp->buffer_len);
return -1; return -1;
} }
@ -250,7 +250,7 @@ int DNP3_Base::AddToBuffer(Endpoint* endp, int target_len, const u_char** data,
if ( endp->buffer_len + to_copy > MAX_BUFFER_SIZE ) if ( endp->buffer_len + to_copy > MAX_BUFFER_SIZE )
{ {
zeek::reporter->AnalyzerError(analyzer, "dnp3 buffer length exceeded: %d + %d", reporter->AnalyzerError(analyzer, "dnp3 buffer length exceeded: %d + %d",
endp->buffer_len, to_copy); endp->buffer_len, to_copy);
return -1; return -1;
} }
@ -296,7 +296,7 @@ bool DNP3_Base::ParseAppLayer(Endpoint* endp)
if ( data + n >= endp->buffer + endp->buffer_len ) if ( data + n >= endp->buffer + endp->buffer_len )
{ {
zeek::reporter->AnalyzerError(analyzer, reporter->AnalyzerError(analyzer,
"dnp3 app layer parsing overflow %d - %d", "dnp3 app layer parsing overflow %d - %d",
endp->buffer_len, n); endp->buffer_len, n);
return false; return false;
@ -350,7 +350,7 @@ bool DNP3_Base::CheckCRC(int len, const u_char* data, const u_char* crc16, const
if ( crc16[0] == (crc & 0xff) && crc16[1] == (crc & 0xff00) >> 8 ) if ( crc16[0] == (crc & 0xff) && crc16[1] == (crc & 0xff00) >> 8 )
return true; return true;
analyzer->Weird(zeek::util::fmt("dnp3_corrupt_%s_checksum", where)); analyzer->Weird(util::fmt("dnp3_corrupt_%s_checksum", where));
return false; return false;
} }
@ -386,7 +386,7 @@ unsigned int DNP3_Base::CalcCRC(int len, const u_char* data)
} }
} // namespace detail } // namespace detail
DNP3_TCP_Analyzer::DNP3_TCP_Analyzer(zeek::Connection* c) DNP3_TCP_Analyzer::DNP3_TCP_Analyzer(Connection* c)
: DNP3_Base(this), TCP_ApplicationAnalyzer("DNP3_TCP", c) : DNP3_Base(this), TCP_ApplicationAnalyzer("DNP3_TCP", c)
{ {
} }
@ -432,7 +432,7 @@ void DNP3_TCP_Analyzer::EndpointEOF(bool is_orig)
Interpreter()->FlowEOF(is_orig); Interpreter()->FlowEOF(is_orig);
} }
DNP3_UDP_Analyzer::DNP3_UDP_Analyzer(zeek::Connection* c) DNP3_UDP_Analyzer::DNP3_UDP_Analyzer(Connection* c)
: DNP3_Base(this), Analyzer("DNP3_UDP", c) : DNP3_Base(this), Analyzer("DNP3_UDP", c)
{ {
} }
@ -441,7 +441,7 @@ DNP3_UDP_Analyzer::~DNP3_UDP_Analyzer()
{ {
} }
void DNP3_UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64_t seq, const zeek::IP_Hdr* ip, int caplen) void DNP3_UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64_t seq, const IP_Hdr* ip, int caplen)
{ {
Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);

18
src/analyzer/protocol/dnp3/DNP3.h
View file

@ -12,7 +12,7 @@ namespace detail {
class DNP3_Base { class DNP3_Base {
public: public:
explicit DNP3_Base(zeek::analyzer::Analyzer* analyzer); explicit DNP3_Base(analyzer::Analyzer* analyzer);
virtual ~DNP3_Base(); virtual ~DNP3_Base();
binpac::DNP3::DNP3_Conn* Interpreter() { return interp; } binpac::DNP3::DNP3_Conn* Interpreter() { return interp; }
@ -56,7 +56,7 @@ protected:
static bool crc_table_initialized; static bool crc_table_initialized;
static unsigned int crc_table[256]; static unsigned int crc_table[256];
zeek::analyzer::Analyzer* analyzer; analyzer::Analyzer* analyzer;
binpac::DNP3::DNP3_Conn* interp; binpac::DNP3::DNP3_Conn* interp;
Endpoint orig_state; Endpoint orig_state;
@ -65,9 +65,9 @@ protected:
} // namespace detail } // namespace detail
class DNP3_TCP_Analyzer : public detail::DNP3_Base, public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { class DNP3_TCP_Analyzer : public detail::DNP3_Base, public analyzer::tcp::TCP_ApplicationAnalyzer {
public: public:
explicit DNP3_TCP_Analyzer(zeek::Connection* conn); explicit DNP3_TCP_Analyzer(Connection* conn);
~DNP3_TCP_Analyzer() override; ~DNP3_TCP_Analyzer() override;
void Done() override; void Done() override;
@ -75,19 +75,19 @@ public:
void Undelivered(uint64_t seq, int len, bool orig) override; void Undelivered(uint64_t seq, int len, bool orig) override;
void EndpointEOF(bool is_orig) override; void EndpointEOF(bool is_orig) override;
static Analyzer* Instantiate(zeek::Connection* conn) static Analyzer* Instantiate(Connection* conn)
{ return new DNP3_TCP_Analyzer(conn); } { return new DNP3_TCP_Analyzer(conn); }
}; };
class DNP3_UDP_Analyzer : public detail::DNP3_Base, public zeek::analyzer::Analyzer { class DNP3_UDP_Analyzer : public detail::DNP3_Base, public analyzer::Analyzer {
public: public:
explicit DNP3_UDP_Analyzer(zeek::Connection* conn); explicit DNP3_UDP_Analyzer(Connection* conn);
~DNP3_UDP_Analyzer() override; ~DNP3_UDP_Analyzer() override;
void DeliverPacket(int len, const u_char* data, bool orig, void DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override; uint64_t seq, const IP_Hdr* ip, int caplen) override;
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new DNP3_UDP_Analyzer(conn); } { return new DNP3_UDP_Analyzer(conn); }
}; };

420
src/analyzer/protocol/dns/DNS.cc
View file

@ -21,7 +21,7 @@ namespace zeek::analyzer::dns {
namespace detail { namespace detail {
DNS_Interpreter::DNS_Interpreter(zeek::analyzer::Analyzer* arg_analyzer) DNS_Interpreter::DNS_Interpreter(analyzer::Analyzer* arg_analyzer)
{ {
analyzer = arg_analyzer; analyzer = arg_analyzer;
first_message = true; first_message = true;
@ -52,9 +52,9 @@ void DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query)
if ( dns_message ) if ( dns_message )
analyzer->EnqueueConnEvent(dns_message, analyzer->EnqueueConnEvent(dns_message,
analyzer->ConnVal(), analyzer->ConnVal(),
zeek::val_mgr->Bool(is_query), val_mgr->Bool(is_query),
msg.BuildHdrVal(), msg.BuildHdrVal(),
zeek::val_mgr->Count(len) val_mgr->Count(len)
); );
// There is a great deal of non-DNS traffic that runs on port 53. // There is a great deal of non-DNS traffic that runs on port 53.
@ -91,9 +91,9 @@ void DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query)
int skip_addl = zeek::detail::dns_skip_all_addl; int skip_addl = zeek::detail::dns_skip_all_addl;
if ( msg.ancount > 0 ) if ( msg.ancount > 0 )
{ // We did an answer, so can potentially skip auth/addl. { // We did an answer, so can potentially skip auth/addl.
static auto dns_skip_auth = zeek::id::find_val<zeek::TableVal>("dns_skip_auth"); static auto dns_skip_auth = id::find_val<TableVal>("dns_skip_auth");
static auto dns_skip_addl = zeek::id::find_val<zeek::TableVal>("dns_skip_addl"); static auto dns_skip_addl = id::find_val<TableVal>("dns_skip_addl");
auto server = zeek::make_intrusive<zeek::AddrVal>(analyzer->Conn()->RespAddr()); auto server = make_intrusive<AddrVal>(analyzer->Conn()->RespAddr());
skip_auth = skip_auth || msg.nscount == 0 || skip_auth = skip_auth || msg.nscount == 0 ||
dns_skip_auth->FindOrDefault(server); dns_skip_auth->FindOrDefault(server);
@ -183,7 +183,7 @@ bool DNS_Interpreter::ParseQuestion(detail::DNS_MsgInfo* msg,
return false; return false;
} }
zeek::EventHandlerPtr dns_event = nullptr; EventHandlerPtr dns_event = nullptr;
if ( msg->QR == 0 ) if ( msg->QR == 0 )
dns_event = dns_request; dns_event = dns_request;
@ -198,14 +198,14 @@ bool DNS_Interpreter::ParseQuestion(detail::DNS_MsgInfo* msg,
if ( dns_event && ! msg->skip_event ) if ( dns_event && ! msg->skip_event )
{ {
zeek::String* original_name = new zeek::String(name, name_end - name, true); String* original_name = new String(name, name_end - name, true);
// Downcase the Name to normalize it // Downcase the Name to normalize it
for ( u_char* np = name; np < name_end; ++np ) for ( u_char* np = name; np < name_end; ++np )
if ( isupper(*np) ) if ( isupper(*np) )
*np = tolower(*np); *np = tolower(*np);
zeek::String* question_name = new zeek::String(name, name_end - name, true); String* question_name = new String(name, name_end - name, true);
SendReplyOrRejectEvent(msg, dns_event, data, len, question_name, original_name); SendReplyOrRejectEvent(msg, dns_event, data, len, question_name, original_name);
} }
@ -240,7 +240,7 @@ bool DNS_Interpreter::ParseAnswer(detail::DNS_MsgInfo* msg,
// Note that the exact meaning of some of these fields will be // Note that the exact meaning of some of these fields will be
// re-interpreted by other, more adventurous RR types. // re-interpreted by other, more adventurous RR types.
msg->query_name = zeek::make_intrusive<zeek::StringVal>(new zeek::String(name, name_end - name, true)); msg->query_name = make_intrusive<StringVal>(new String(name, name_end - name, true));
msg->atype = detail::RR_Type(ExtractShort(data, len)); msg->atype = detail::RR_Type(ExtractShort(data, len));
msg->aclass = ExtractShort(data, len); msg->aclass = ExtractShort(data, len);
msg->ttl = ExtractLong(data, len); msg->ttl = ExtractLong(data, len);
@ -352,7 +352,7 @@ bool DNS_Interpreter::ParseAnswer(detail::DNS_MsgInfo* msg,
msg->BuildAnswerVal() msg->BuildAnswerVal()
); );
analyzer->Weird("DNS_RR_unknown_type", zeek::util::fmt("%d", msg->atype)); analyzer->Weird("DNS_RR_unknown_type", util::fmt("%d", msg->atype));
data += rdlength; data += rdlength;
len -= rdlength; len -= rdlength;
status = true; status = true;
@ -538,7 +538,7 @@ bool DNS_Interpreter::ParseRR_Name(detail::DNS_MsgInfo* msg,
analyzer->Weird("DNS_RR_length_mismatch"); analyzer->Weird("DNS_RR_length_mismatch");
} }
zeek::EventHandlerPtr reply_event; EventHandlerPtr reply_event;
switch ( msg->atype ) { switch ( msg->atype ) {
case detail::TYPE_NS: case detail::TYPE_NS:
reply_event = dns_NS_reply; reply_event = dns_NS_reply;
@ -564,7 +564,7 @@ bool DNS_Interpreter::ParseRR_Name(detail::DNS_MsgInfo* msg,
analyzer->ConnVal(), analyzer->ConnVal(),
msg->BuildHdrVal(), msg->BuildHdrVal(),
msg->BuildAnswerVal(), msg->BuildAnswerVal(),
zeek::make_intrusive<zeek::StringVal>(new zeek::String(name, name_end - name, true)) make_intrusive<StringVal>(new String(name, name_end - name, true))
); );
return true; return true;
@ -604,15 +604,15 @@ bool DNS_Interpreter::ParseRR_SOA(detail::DNS_MsgInfo* msg,
if ( dns_SOA_reply && ! msg->skip_event ) if ( dns_SOA_reply && ! msg->skip_event )
{ {
static auto dns_soa = zeek::id::find_type<zeek::RecordType>("dns_soa"); static auto dns_soa = id::find_type<RecordType>("dns_soa");
auto r = zeek::make_intrusive<zeek::RecordVal>(dns_soa); auto r = make_intrusive<RecordVal>(dns_soa);
r->Assign(0, zeek::make_intrusive<zeek::StringVal>(new zeek::String(mname, mname_end - mname, true))); r->Assign(0, make_intrusive<StringVal>(new String(mname, mname_end - mname, true)));
r->Assign(1, zeek::make_intrusive<zeek::StringVal>(new zeek::String(rname, rname_end - rname, true))); r->Assign(1, make_intrusive<StringVal>(new String(rname, rname_end - rname, true)));
r->Assign(2, zeek::val_mgr->Count(serial)); r->Assign(2, val_mgr->Count(serial));
r->Assign(3, zeek::make_intrusive<zeek::IntervalVal>(double(refresh), Seconds)); r->Assign(3, make_intrusive<IntervalVal>(double(refresh), Seconds));
r->Assign(4, zeek::make_intrusive<zeek::IntervalVal>(double(retry), Seconds)); r->Assign(4, make_intrusive<IntervalVal>(double(retry), Seconds));
r->Assign(5, zeek::make_intrusive<zeek::IntervalVal>(double(expire), Seconds)); r->Assign(5, make_intrusive<IntervalVal>(double(expire), Seconds));
r->Assign(6, zeek::make_intrusive<zeek::IntervalVal>(double(minimum), Seconds)); r->Assign(6, make_intrusive<IntervalVal>(double(minimum), Seconds));
analyzer->EnqueueConnEvent(dns_SOA_reply, analyzer->EnqueueConnEvent(dns_SOA_reply,
analyzer->ConnVal(), analyzer->ConnVal(),
@ -648,8 +648,8 @@ bool DNS_Interpreter::ParseRR_MX(detail::DNS_MsgInfo* msg,
analyzer->ConnVal(), analyzer->ConnVal(),
msg->BuildHdrVal(), msg->BuildHdrVal(),
msg->BuildAnswerVal(), msg->BuildAnswerVal(),
zeek::make_intrusive<zeek::StringVal>(new zeek::String(name, name_end - name, true)), make_intrusive<StringVal>(new String(name, name_end - name, true)),
zeek::val_mgr->Count(preference) val_mgr->Count(preference)
); );
return true; return true;
@ -689,10 +689,10 @@ bool DNS_Interpreter::ParseRR_SRV(detail::DNS_MsgInfo* msg,
analyzer->ConnVal(), analyzer->ConnVal(),
msg->BuildHdrVal(), msg->BuildHdrVal(),
msg->BuildAnswerVal(), msg->BuildAnswerVal(),
zeek::make_intrusive<zeek::StringVal>(new zeek::String(name, name_end - name, true)), make_intrusive<StringVal>(new String(name, name_end - name, true)),
zeek::val_mgr->Count(priority), val_mgr->Count(priority),
zeek::val_mgr->Count(weight), val_mgr->Count(weight),
zeek::val_mgr->Count(port) val_mgr->Count(port)
); );
return true; return true;
@ -740,9 +740,9 @@ bool DNS_Interpreter::ParseRR_EDNS(detail::DNS_MsgInfo* msg,
// IPv6 address, depending on FAMILY, which MUST be truncated to the // IPv6 address, depending on FAMILY, which MUST be truncated to the
// number of bits indicated by the SOURCE PREFIX-LENGTH field, // number of bits indicated by the SOURCE PREFIX-LENGTH field,
// padding with 0 bits to pad to the end of the last octet needed. // padding with 0 bits to pad to the end of the last octet needed.
if ( ecs_family == zeek::L3_IPV4 ) if ( ecs_family == L3_IPV4 )
{ {
opt.ecs_family = zeek::make_intrusive<zeek::StringVal>("v4"); opt.ecs_family = make_intrusive<StringVal>("v4");
uint32_t addr = 0; uint32_t addr = 0;
for (uint16_t shift_factor = 3; option_len > 0; option_len--) for (uint16_t shift_factor = 3; option_len > 0; option_len--)
{ {
@ -751,11 +751,11 @@ bool DNS_Interpreter::ParseRR_EDNS(detail::DNS_MsgInfo* msg,
shift_factor--; shift_factor--;
} }
addr = htonl(addr); addr = htonl(addr);
opt.ecs_addr = zeek::make_intrusive<zeek::AddrVal>(addr); opt.ecs_addr = make_intrusive<AddrVal>(addr);
} }
else if ( ecs_family == zeek::L3_IPV6 ) else if ( ecs_family == L3_IPV6 )
{ {
opt.ecs_family = zeek::make_intrusive<zeek::StringVal>("v6"); opt.ecs_family = make_intrusive<StringVal>("v6");
uint32_t addr[4] = { 0 }; uint32_t addr[4] = { 0 };
for (uint16_t i = 0, shift_factor = 15; option_len > 0; option_len--) for (uint16_t i = 0, shift_factor = 15; option_len > 0; option_len--)
{ {
@ -769,7 +769,7 @@ bool DNS_Interpreter::ParseRR_EDNS(detail::DNS_MsgInfo* msg,
{ {
addr[i] = htonl(addr[i]); addr[i] = htonl(addr[i]);
} }
opt.ecs_addr = zeek::make_intrusive<zeek::AddrVal>(addr); opt.ecs_addr = make_intrusive<AddrVal>(addr);
} }
else else
{ {
@ -872,23 +872,23 @@ bool DNS_Interpreter::ParseRR_EDNS(detail::DNS_MsgInfo* msg,
} }
void DNS_Interpreter::ExtractOctets(const u_char*& data, int& len, void DNS_Interpreter::ExtractOctets(const u_char*& data, int& len,
zeek::String** p) String** p)
{ {
uint16_t dlen = ExtractShort(data, len); uint16_t dlen = ExtractShort(data, len);
dlen = min(len, static_cast<int>(dlen)); dlen = min(len, static_cast<int>(dlen));
if ( p ) if ( p )
*p = new zeek::String(data, dlen, false); *p = new String(data, dlen, false);
data += dlen; data += dlen;
len -= dlen; len -= dlen;
} }
zeek::String* DNS_Interpreter::ExtractStream(const u_char*& data, int& len, int l) String* DNS_Interpreter::ExtractStream(const u_char*& data, int& len, int l)
{ {
l = max(l, 0); l = max(l, 0);
int dlen = min(len, l); // Len in bytes of the algorithm use int dlen = min(len, l); // Len in bytes of the algorithm use
auto rval = new zeek::String(data, dlen, false); auto rval = new String(data, dlen, false);
data += dlen; data += dlen;
len -= dlen; len -= dlen;
@ -912,7 +912,7 @@ bool DNS_Interpreter::ParseRR_TSIG(detail::DNS_MsgInfo* msg,
uint32_t sign_time_sec = ExtractLong(data, len); uint32_t sign_time_sec = ExtractLong(data, len);
unsigned int sign_time_msec = ExtractShort(data, len); unsigned int sign_time_msec = ExtractShort(data, len);
unsigned int fudge = ExtractShort(data, len); unsigned int fudge = ExtractShort(data, len);
zeek::String* request_MAC; String* request_MAC;
ExtractOctets(data, len, dns_TSIG_addl ? &request_MAC : nullptr); ExtractOctets(data, len, dns_TSIG_addl ? &request_MAC : nullptr);
unsigned int orig_id = ExtractShort(data, len); unsigned int orig_id = ExtractShort(data, len);
unsigned int rr_error = ExtractShort(data, len); unsigned int rr_error = ExtractShort(data, len);
@ -922,7 +922,7 @@ bool DNS_Interpreter::ParseRR_TSIG(detail::DNS_MsgInfo* msg,
{ {
detail::TSIG_DATA tsig; detail::TSIG_DATA tsig;
tsig.alg_name = tsig.alg_name =
new zeek::String(alg_name, alg_name_end - alg_name, true); new String(alg_name, alg_name_end - alg_name, true);
tsig.sig = request_MAC; tsig.sig = request_MAC;
tsig.time_s = sign_time_sec; tsig.time_s = sign_time_sec;
tsig.time_ms = sign_time_msec; tsig.time_ms = sign_time_msec;
@ -976,11 +976,11 @@ bool DNS_Interpreter::ParseRR_RRSIG(detail::DNS_MsgInfo* msg,
int sig_len = rdlength - ((data - data_start) + 18); int sig_len = rdlength - ((data - data_start) + 18);
detail::DNSSEC_Algo dsa = detail::DNSSEC_Algo(algo); detail::DNSSEC_Algo dsa = detail::DNSSEC_Algo(algo);
zeek::String* sign = ExtractStream(data, len, sig_len); String* sign = ExtractStream(data, len, sig_len);
switch ( dsa ) { switch ( dsa ) {
case detail::RSA_MD5: case detail::RSA_MD5:
analyzer->Weird("DNSSEC_RRSIG_NotRecommended_ZoneSignAlgo", zeek::util::fmt("%d", algo)); analyzer->Weird("DNSSEC_RRSIG_NotRecommended_ZoneSignAlgo", util::fmt("%d", algo));
break; break;
case detail::Diffie_Hellman: case detail::Diffie_Hellman:
break; break;
@ -1005,16 +1005,16 @@ bool DNS_Interpreter::ParseRR_RRSIG(detail::DNS_MsgInfo* msg,
case detail::ECDSA_curveP384withSHA384: case detail::ECDSA_curveP384withSHA384:
break; break;
case detail::Indirect: case detail::Indirect:
analyzer->Weird("DNSSEC_RRSIG_Indirect_ZoneSignAlgo", zeek::util::fmt("%d", algo)); analyzer->Weird("DNSSEC_RRSIG_Indirect_ZoneSignAlgo", util::fmt("%d", algo));
break; break;
case detail::PrivateDNS: case detail::PrivateDNS:
analyzer->Weird("DNSSEC_RRSIG_PrivateDNS_ZoneSignAlgo", zeek::util::fmt("%d", algo)); analyzer->Weird("DNSSEC_RRSIG_PrivateDNS_ZoneSignAlgo", util::fmt("%d", algo));
break; break;
case detail::PrivateOID: case detail::PrivateOID:
analyzer->Weird("DNSSEC_RRSIG_PrivateOID_ZoneSignAlgo", zeek::util::fmt("%d", algo)); analyzer->Weird("DNSSEC_RRSIG_PrivateOID_ZoneSignAlgo", util::fmt("%d", algo));
break; break;
default: default:
analyzer->Weird("DNSSEC_RRSIG_unknown_ZoneSignAlgo", zeek::util::fmt("%d", algo)); analyzer->Weird("DNSSEC_RRSIG_unknown_ZoneSignAlgo", util::fmt("%d", algo));
break; break;
} }
@ -1028,7 +1028,7 @@ bool DNS_Interpreter::ParseRR_RRSIG(detail::DNS_MsgInfo* msg,
rrsig.sig_exp = sign_exp; rrsig.sig_exp = sign_exp;
rrsig.sig_incep = sign_incp; rrsig.sig_incep = sign_incp;
rrsig.key_tag = key_tag; rrsig.key_tag = key_tag;
rrsig.signer_name = new zeek::String(name, name_end - name, true); rrsig.signer_name = new String(name, name_end - name, true);
rrsig.signature = sign; rrsig.signature = sign;
analyzer->EnqueueConnEvent(dns_RRSIG, analyzer->EnqueueConnEvent(dns_RRSIG,
@ -1063,24 +1063,24 @@ bool DNS_Interpreter::ParseRR_DNSKEY(detail::DNS_MsgInfo* msg,
unsigned int dalgorithm = proto_algo & 0xff; unsigned int dalgorithm = proto_algo & 0xff;
detail::DNSSEC_Algo dsa = detail::DNSSEC_Algo(dalgorithm); detail::DNSSEC_Algo dsa = detail::DNSSEC_Algo(dalgorithm);
//Evaluating the size of remaining bytes for Public Key //Evaluating the size of remaining bytes for Public Key
zeek::String* key = ExtractStream(data, len, rdlength - 4); String* key = ExtractStream(data, len, rdlength - 4);
// flags bit 7: zone key // flags bit 7: zone key
// flags bit 8: revoked // flags bit 8: revoked
// flags bit 15: Secure Entry Point, key signing key // flags bit 15: Secure Entry Point, key signing key
if ( (dflags & 0xfe7e) != 0 ) if ( (dflags & 0xfe7e) != 0 )
analyzer->Weird("DNSSEC_DNSKEY_Invalid_Flag", zeek::util::fmt("%d", dflags)); analyzer->Weird("DNSSEC_DNSKEY_Invalid_Flag", util::fmt("%d", dflags));
// flags bit 7, 8, and 15 all set // flags bit 7, 8, and 15 all set
if ( (dflags & 0x0181) == 0x0181 ) if ( (dflags & 0x0181) == 0x0181 )
analyzer->Weird("DNSSEC_DNSKEY_Revoked_KSK", zeek::util::fmt("%d", dflags)); analyzer->Weird("DNSSEC_DNSKEY_Revoked_KSK", util::fmt("%d", dflags));
if ( dprotocol != 3 ) if ( dprotocol != 3 )
analyzer->Weird("DNSSEC_DNSKEY_Invalid_Protocol", zeek::util::fmt("%d", dprotocol)); analyzer->Weird("DNSSEC_DNSKEY_Invalid_Protocol", util::fmt("%d", dprotocol));
switch ( dsa ) { switch ( dsa ) {
case detail::RSA_MD5: case detail::RSA_MD5:
analyzer->Weird("DNSSEC_DNSKEY_NotRecommended_ZoneSignAlgo", zeek::util::fmt("%d", dalgorithm)); analyzer->Weird("DNSSEC_DNSKEY_NotRecommended_ZoneSignAlgo", util::fmt("%d", dalgorithm));
break; break;
case detail::Diffie_Hellman: case detail::Diffie_Hellman:
break; break;
@ -1105,16 +1105,16 @@ bool DNS_Interpreter::ParseRR_DNSKEY(detail::DNS_MsgInfo* msg,
case detail::ECDSA_curveP384withSHA384: case detail::ECDSA_curveP384withSHA384:
break; break;
case detail::Indirect: case detail::Indirect:
analyzer->Weird("DNSSEC_DNSKEY_Indirect_ZoneSignAlgo", zeek::util::fmt("%d", dalgorithm)); analyzer->Weird("DNSSEC_DNSKEY_Indirect_ZoneSignAlgo", util::fmt("%d", dalgorithm));
break; break;
case detail::PrivateDNS: case detail::PrivateDNS:
analyzer->Weird("DNSSEC_DNSKEY_PrivateDNS_ZoneSignAlgo", zeek::util::fmt("%d", dalgorithm)); analyzer->Weird("DNSSEC_DNSKEY_PrivateDNS_ZoneSignAlgo", util::fmt("%d", dalgorithm));
break; break;
case detail::PrivateOID: case detail::PrivateOID:
analyzer->Weird("DNSSEC_DNSKEY_PrivateOID_ZoneSignAlgo", zeek::util::fmt("%d", dalgorithm)); analyzer->Weird("DNSSEC_DNSKEY_PrivateOID_ZoneSignAlgo", util::fmt("%d", dalgorithm));
break; break;
default: default:
analyzer->Weird("DNSSEC_DNSKEY_unknown_ZoneSignAlgo", zeek::util::fmt("%d", dalgorithm)); analyzer->Weird("DNSSEC_DNSKEY_unknown_ZoneSignAlgo", util::fmt("%d", dalgorithm));
break; break;
} }
@ -1158,7 +1158,7 @@ bool DNS_Interpreter::ParseRR_NSEC(detail::DNS_MsgInfo* msg,
int typebitmaps_len = rdlength - (data - data_start); int typebitmaps_len = rdlength - (data - data_start);
auto char_strings = zeek::make_intrusive<zeek::VectorVal>(zeek::id::string_vec); auto char_strings = make_intrusive<VectorVal>(id::string_vec);
while ( typebitmaps_len > 0 && len > 0 ) while ( typebitmaps_len > 0 && len > 0 )
{ {
@ -1168,12 +1168,12 @@ bool DNS_Interpreter::ParseRR_NSEC(detail::DNS_MsgInfo* msg,
if ( bmlen == 0 ) if ( bmlen == 0 )
{ {
analyzer->Weird("DNSSEC_NSEC_bitmapLen0", zeek::util::fmt("%d", win_blck)); analyzer->Weird("DNSSEC_NSEC_bitmapLen0", util::fmt("%d", win_blck));
break; break;
} }
zeek::String* bitmap = ExtractStream(data, len, bmlen); String* bitmap = ExtractStream(data, len, bmlen);
char_strings->Assign(char_strings->Size(), zeek::make_intrusive<zeek::StringVal>(bitmap)); char_strings->Assign(char_strings->Size(), make_intrusive<StringVal>(bitmap));
typebitmaps_len = typebitmaps_len - (2 + bmlen); typebitmaps_len = typebitmaps_len - (2 + bmlen);
} }
@ -1182,7 +1182,7 @@ bool DNS_Interpreter::ParseRR_NSEC(detail::DNS_MsgInfo* msg,
analyzer->ConnVal(), analyzer->ConnVal(),
msg->BuildHdrVal(), msg->BuildHdrVal(),
msg->BuildAnswerVal(), msg->BuildAnswerVal(),
zeek::make_intrusive<zeek::StringVal>(new zeek::String(name, name_end - name, true)), make_intrusive<StringVal>(new String(name, name_end - name, true)),
std::move(char_strings) std::move(char_strings)
); );
@ -1233,7 +1233,7 @@ bool DNS_Interpreter::ParseRR_NSEC3(detail::DNS_MsgInfo* msg,
int typebitmaps_len = rdlength - (data - data_start); int typebitmaps_len = rdlength - (data - data_start);
auto char_strings = zeek::make_intrusive<zeek::VectorVal>(zeek::id::string_vec); auto char_strings = make_intrusive<VectorVal>(id::string_vec);
while ( typebitmaps_len > 0 && len > 0 ) while ( typebitmaps_len > 0 && len > 0 )
{ {
@ -1243,12 +1243,12 @@ bool DNS_Interpreter::ParseRR_NSEC3(detail::DNS_MsgInfo* msg,
if ( bmlen == 0 ) if ( bmlen == 0 )
{ {
analyzer->Weird("DNSSEC_NSEC3_bitmapLen0", zeek::util::fmt("%d", win_blck)); analyzer->Weird("DNSSEC_NSEC3_bitmapLen0", util::fmt("%d", win_blck));
break; break;
} }
zeek::String* bitmap = ExtractStream(data, len, bmlen); String* bitmap = ExtractStream(data, len, bmlen);
char_strings->Assign(char_strings->Size(), zeek::make_intrusive<zeek::StringVal>(bitmap)); char_strings->Assign(char_strings->Size(), make_intrusive<StringVal>(bitmap));
typebitmaps_len = typebitmaps_len - (2 + bmlen); typebitmaps_len = typebitmaps_len - (2 + bmlen);
} }
@ -1295,7 +1295,7 @@ bool DNS_Interpreter::ParseRR_DS(detail::DNS_MsgInfo* msg,
unsigned int ds_algo = (ds_algo_dtype >> 8) & 0xff; unsigned int ds_algo = (ds_algo_dtype >> 8) & 0xff;
unsigned int ds_dtype = ds_algo_dtype & 0xff; unsigned int ds_dtype = ds_algo_dtype & 0xff;
detail::DNSSEC_Digest ds_digest_type = detail::DNSSEC_Digest(ds_dtype); detail::DNSSEC_Digest ds_digest_type = detail::DNSSEC_Digest(ds_dtype);
zeek::String* ds_digest = ExtractStream(data, len, rdlength - 4); String* ds_digest = ExtractStream(data, len, rdlength - 4);
switch ( ds_digest_type ) { switch ( ds_digest_type ) {
case detail::SHA1: case detail::SHA1:
@ -1307,10 +1307,10 @@ bool DNS_Interpreter::ParseRR_DS(detail::DNS_MsgInfo* msg,
case detail::SHA384: case detail::SHA384:
break; break;
case detail::reserved: case detail::reserved:
analyzer->Weird("DNSSEC_DS_ResrevedDigestType", zeek::util::fmt("%d", ds_dtype)); analyzer->Weird("DNSSEC_DS_ResrevedDigestType", util::fmt("%d", ds_dtype));
break; break;
default: default:
analyzer->Weird("DNSSEC_DS_unknown_DigestType", zeek::util::fmt("%d", ds_dtype)); analyzer->Weird("DNSSEC_DS_unknown_DigestType", util::fmt("%d", ds_dtype));
break; break;
} }
@ -1349,7 +1349,7 @@ bool DNS_Interpreter::ParseRR_A(detail::DNS_MsgInfo* msg,
analyzer->ConnVal(), analyzer->ConnVal(),
msg->BuildHdrVal(), msg->BuildHdrVal(),
msg->BuildAnswerVal(), msg->BuildAnswerVal(),
zeek::make_intrusive<zeek::AddrVal>(htonl(addr)) make_intrusive<AddrVal>(htonl(addr))
); );
return true; return true;
@ -1374,7 +1374,7 @@ bool DNS_Interpreter::ParseRR_AAAA(detail::DNS_MsgInfo* msg,
} }
} }
zeek::EventHandlerPtr event; EventHandlerPtr event;
if ( msg->atype == detail::TYPE_AAAA ) if ( msg->atype == detail::TYPE_AAAA )
event = dns_AAAA_reply; event = dns_AAAA_reply;
else else
@ -1385,7 +1385,7 @@ bool DNS_Interpreter::ParseRR_AAAA(detail::DNS_MsgInfo* msg,
analyzer->ConnVal(), analyzer->ConnVal(),
msg->BuildHdrVal(), msg->BuildHdrVal(),
msg->BuildAnswerVal(), msg->BuildAnswerVal(),
zeek::make_intrusive<zeek::AddrVal>(addr) make_intrusive<AddrVal>(addr)
); );
return true; return true;
@ -1409,8 +1409,8 @@ bool DNS_Interpreter::ParseRR_HINFO(detail::DNS_MsgInfo* msg,
return true; return true;
} }
static zeek::StringValPtr static StringValPtr
extract_char_string(zeek::analyzer::Analyzer* analyzer, extract_char_string(analyzer::Analyzer* analyzer,
const u_char*& data, int& len, int& rdlen) const u_char*& data, int& len, int& rdlen)
{ {
if ( rdlen <= 0 ) if ( rdlen <= 0 )
@ -1428,7 +1428,7 @@ extract_char_string(zeek::analyzer::Analyzer* analyzer,
return nullptr; return nullptr;
} }
auto rval = zeek::make_intrusive<zeek::StringVal>(str_size, reinterpret_cast<const char*>(data)); auto rval = make_intrusive<StringVal>(str_size, reinterpret_cast<const char*>(data));
rdlen -= str_size; rdlen -= str_size;
len -= str_size; len -= str_size;
@ -1448,8 +1448,8 @@ bool DNS_Interpreter::ParseRR_TXT(detail::DNS_MsgInfo* msg,
return true; return true;
} }
auto char_strings = zeek::make_intrusive<zeek::VectorVal>(zeek::id::string_vec); auto char_strings = make_intrusive<VectorVal>(id::string_vec);
zeek::StringValPtr char_string; StringValPtr char_string;
while ( (char_string = extract_char_string(analyzer, data, len, rdlength)) ) while ( (char_string = extract_char_string(analyzer, data, len, rdlength)) )
char_strings->Assign(char_strings->Size(), std::move(char_string)); char_strings->Assign(char_strings->Size(), std::move(char_string));
@ -1476,8 +1476,8 @@ bool DNS_Interpreter::ParseRR_SPF(detail::DNS_MsgInfo* msg,
return true; return true;
} }
auto char_strings = zeek::make_intrusive<zeek::VectorVal>(zeek::id::string_vec); auto char_strings = make_intrusive<VectorVal>(id::string_vec);
zeek::StringValPtr char_string; StringValPtr char_string;
while ( (char_string = extract_char_string(analyzer, data, len, rdlength)) ) while ( (char_string = extract_char_string(analyzer, data, len, rdlength)) )
char_strings->Assign(char_strings->Size(), std::move(char_string)); char_strings->Assign(char_strings->Size(), std::move(char_string));
@ -1513,11 +1513,11 @@ bool DNS_Interpreter::ParseRR_CAA(detail::DNS_MsgInfo* msg,
analyzer->Weird("DNS_CAA_char_str_past_rdlen"); analyzer->Weird("DNS_CAA_char_str_past_rdlen");
return false; return false;
} }
zeek::String* tag = new zeek::String(data, tagLen, true); String* tag = new String(data, tagLen, true);
len -= tagLen; len -= tagLen;
data += tagLen; data += tagLen;
rdlength -= tagLen; rdlength -= tagLen;
zeek::String* value = new zeek::String(data, rdlength, false); String* value = new String(data, rdlength, false);
len -= value->Len(); len -= value->Len();
data += value->Len(); data += value->Len();
@ -1528,9 +1528,9 @@ bool DNS_Interpreter::ParseRR_CAA(detail::DNS_MsgInfo* msg,
analyzer->ConnVal(), analyzer->ConnVal(),
msg->BuildHdrVal(), msg->BuildHdrVal(),
msg->BuildAnswerVal(), msg->BuildAnswerVal(),
zeek::val_mgr->Count(flags), val_mgr->Count(flags),
zeek::make_intrusive<zeek::StringVal>(tag), make_intrusive<StringVal>(tag),
zeek::make_intrusive<zeek::StringVal>(value) make_intrusive<StringVal>(value)
); );
else else
{ {
@ -1543,10 +1543,10 @@ bool DNS_Interpreter::ParseRR_CAA(detail::DNS_MsgInfo* msg,
void DNS_Interpreter::SendReplyOrRejectEvent(detail::DNS_MsgInfo* msg, void DNS_Interpreter::SendReplyOrRejectEvent(detail::DNS_MsgInfo* msg,
zeek::EventHandlerPtr event, EventHandlerPtr event,
const u_char*& data, int& len, const u_char*& data, int& len,
zeek::String* question_name, String* question_name,
zeek::String* original_name) String* original_name)
{ {
detail::RR_Type qtype = detail::RR_Type(ExtractShort(data, len)); detail::RR_Type qtype = detail::RR_Type(ExtractShort(data, len));
int qclass = ExtractShort(data, len); int qclass = ExtractShort(data, len);
@ -1556,10 +1556,10 @@ void DNS_Interpreter::SendReplyOrRejectEvent(detail::DNS_MsgInfo* msg,
analyzer->EnqueueConnEvent(event, analyzer->EnqueueConnEvent(event,
analyzer->ConnVal(), analyzer->ConnVal(),
msg->BuildHdrVal(), msg->BuildHdrVal(),
zeek::make_intrusive<zeek::StringVal>(question_name), make_intrusive<StringVal>(question_name),
zeek::val_mgr->Count(qtype), val_mgr->Count(qtype),
zeek::val_mgr->Count(qclass), val_mgr->Count(qclass),
zeek::make_intrusive<zeek::StringVal>(original_name) make_intrusive<StringVal>(original_name)
); );
} }
@ -1594,57 +1594,57 @@ DNS_MsgInfo::DNS_MsgInfo(DNS_RawMsgHdr* hdr, int arg_is_query)
skip_event = 0; skip_event = 0;
} }
zeek::RecordValPtr DNS_MsgInfo::BuildHdrVal() RecordValPtr DNS_MsgInfo::BuildHdrVal()
{ {
static auto dns_msg = zeek::id::find_type<zeek::RecordType>("dns_msg"); static auto dns_msg = id::find_type<RecordType>("dns_msg");
auto r = zeek::make_intrusive<zeek::RecordVal>(dns_msg); auto r = make_intrusive<RecordVal>(dns_msg);
r->Assign(0, zeek::val_mgr->Count(id)); r->Assign(0, val_mgr->Count(id));
r->Assign(1, zeek::val_mgr->Count(opcode)); r->Assign(1, val_mgr->Count(opcode));
r->Assign(2, zeek::val_mgr->Count(rcode)); r->Assign(2, val_mgr->Count(rcode));
r->Assign(3, zeek::val_mgr->Bool(QR)); r->Assign(3, val_mgr->Bool(QR));
r->Assign(4, zeek::val_mgr->Bool(AA)); r->Assign(4, val_mgr->Bool(AA));
r->Assign(5, zeek::val_mgr->Bool(TC)); r->Assign(5, val_mgr->Bool(TC));
r->Assign(6, zeek::val_mgr->Bool(RD)); r->Assign(6, val_mgr->Bool(RD));
r->Assign(7, zeek::val_mgr->Bool(RA)); r->Assign(7, val_mgr->Bool(RA));
r->Assign(8, zeek::val_mgr->Count(Z)); r->Assign(8, val_mgr->Count(Z));
r->Assign(9, zeek::val_mgr->Count(qdcount)); r->Assign(9, val_mgr->Count(qdcount));
r->Assign(10, zeek::val_mgr->Count(ancount)); r->Assign(10, val_mgr->Count(ancount));
r->Assign(11, zeek::val_mgr->Count(nscount)); r->Assign(11, val_mgr->Count(nscount));
r->Assign(12, zeek::val_mgr->Count(arcount)); r->Assign(12, val_mgr->Count(arcount));
return r; return r;
} }
zeek::RecordValPtr DNS_MsgInfo::BuildAnswerVal() RecordValPtr DNS_MsgInfo::BuildAnswerVal()
{ {
static auto dns_answer = zeek::id::find_type<zeek::RecordType>("dns_answer"); static auto dns_answer = id::find_type<RecordType>("dns_answer");
auto r = zeek::make_intrusive<zeek::RecordVal>(dns_answer); auto r = make_intrusive<RecordVal>(dns_answer);
r->Assign(0, zeek::val_mgr->Count(int(answer_type))); r->Assign(0, val_mgr->Count(int(answer_type)));
r->Assign(1, query_name); r->Assign(1, query_name);
r->Assign(2, zeek::val_mgr->Count(atype)); r->Assign(2, val_mgr->Count(atype));
r->Assign(3, zeek::val_mgr->Count(aclass)); r->Assign(3, val_mgr->Count(aclass));
r->Assign(4, zeek::make_intrusive<zeek::IntervalVal>(double(ttl), Seconds)); r->Assign(4, make_intrusive<IntervalVal>(double(ttl), Seconds));
return r; return r;
} }
zeek::RecordValPtr DNS_MsgInfo::BuildEDNS_Val() RecordValPtr DNS_MsgInfo::BuildEDNS_Val()
{ {
// We have to treat the additional record type in EDNS differently // We have to treat the additional record type in EDNS differently
// than a regular resource record. // than a regular resource record.
static auto dns_edns_additional = zeek::id::find_type<zeek::RecordType>("dns_edns_additional"); static auto dns_edns_additional = id::find_type<RecordType>("dns_edns_additional");
auto r = zeek::make_intrusive<zeek::RecordVal>(dns_edns_additional); auto r = make_intrusive<RecordVal>(dns_edns_additional);
r->Assign(0, zeek::val_mgr->Count(int(answer_type))); r->Assign(0, val_mgr->Count(int(answer_type)));
r->Assign(1, query_name); r->Assign(1, query_name);
// type = 0x29 or 41 = EDNS // type = 0x29 or 41 = EDNS
r->Assign(2, zeek::val_mgr->Count(atype)); r->Assign(2, val_mgr->Count(atype));
// sender's UDP payload size, per RFC 2671 4.3 // sender's UDP payload size, per RFC 2671 4.3
r->Assign(3, zeek::val_mgr->Count(aclass)); r->Assign(3, val_mgr->Count(aclass));
// Need to break the TTL field into three components: // Need to break the TTL field into three components:
// initial: [------------- ttl (32) ---------------------] // initial: [------------- ttl (32) ---------------------]
@ -1657,150 +1657,150 @@ zeek::RecordValPtr DNS_MsgInfo::BuildEDNS_Val()
unsigned int return_error = (ercode << 8) | rcode; unsigned int return_error = (ercode << 8) | rcode;
r->Assign(4, zeek::val_mgr->Count(return_error)); r->Assign(4, val_mgr->Count(return_error));
r->Assign(5, zeek::val_mgr->Count(version)); r->Assign(5, val_mgr->Count(version));
r->Assign(6, zeek::val_mgr->Count(z)); r->Assign(6, val_mgr->Count(z));
r->Assign(7, zeek::make_intrusive<zeek::IntervalVal>(double(ttl), Seconds)); r->Assign(7, make_intrusive<IntervalVal>(double(ttl), Seconds));
r->Assign(8, zeek::val_mgr->Count(is_query)); r->Assign(8, val_mgr->Count(is_query));
return r; return r;
} }
zeek::RecordValPtr DNS_MsgInfo::BuildEDNS_ECS_Val(struct EDNS_ECS* opt) RecordValPtr DNS_MsgInfo::BuildEDNS_ECS_Val(struct EDNS_ECS* opt)
{ {
static auto dns_edns_ecs = zeek::id::find_type<zeek::RecordType>("dns_edns_ecs"); static auto dns_edns_ecs = id::find_type<RecordType>("dns_edns_ecs");
auto r = zeek::make_intrusive<zeek::RecordVal>(dns_edns_ecs); auto r = make_intrusive<RecordVal>(dns_edns_ecs);
r->Assign(0, opt->ecs_family); r->Assign(0, opt->ecs_family);
r->Assign(1, zeek::val_mgr->Count(opt->ecs_src_pfx_len)); r->Assign(1, val_mgr->Count(opt->ecs_src_pfx_len));
r->Assign(2, zeek::val_mgr->Count(opt->ecs_scp_pfx_len)); r->Assign(2, val_mgr->Count(opt->ecs_scp_pfx_len));
r->Assign(3, opt->ecs_addr); r->Assign(3, opt->ecs_addr);
return r; return r;
} }
zeek::RecordValPtr DNS_MsgInfo::BuildEDNS_TCP_KA_Val(struct EDNS_TCP_KEEPALIVE* opt) RecordValPtr DNS_MsgInfo::BuildEDNS_TCP_KA_Val(struct EDNS_TCP_KEEPALIVE* opt)
{ {
static auto dns_edns_tcp_keepalive = zeek::id::find_type<zeek::RecordType>("dns_edns_tcp_keepalive"); static auto dns_edns_tcp_keepalive = id::find_type<RecordType>("dns_edns_tcp_keepalive");
auto r = zeek::make_intrusive<zeek::RecordVal>(dns_edns_tcp_keepalive); auto r = make_intrusive<RecordVal>(dns_edns_tcp_keepalive);
r->Assign(0, zeek::val_mgr->Bool(opt->keepalive_timeout_omitted)); r->Assign(0, val_mgr->Bool(opt->keepalive_timeout_omitted));
r->Assign(1, zeek::val_mgr->Count(opt->keepalive_timeout)); r->Assign(1, val_mgr->Count(opt->keepalive_timeout));
return r; return r;
} }
zeek::RecordValPtr DNS_MsgInfo::BuildEDNS_COOKIE_Val(struct EDNS_COOKIE* opt) RecordValPtr DNS_MsgInfo::BuildEDNS_COOKIE_Val(struct EDNS_COOKIE* opt)
{ {
static auto dns_edns_cookie = zeek::id::find_type<zeek::RecordType>("dns_edns_cookie"); static auto dns_edns_cookie = id::find_type<RecordType>("dns_edns_cookie");
auto r = zeek::make_intrusive<zeek::RecordVal>(dns_edns_cookie); auto r = make_intrusive<RecordVal>(dns_edns_cookie);
r->Assign(0, zeek::make_intrusive<zeek::StringVal>(opt->client_cookie)); r->Assign(0, make_intrusive<StringVal>(opt->client_cookie));
if (opt->server_cookie != nullptr) { if (opt->server_cookie != nullptr) {
r->Assign(1, zeek::make_intrusive<zeek::StringVal>(opt->server_cookie)); r->Assign(1, make_intrusive<StringVal>(opt->server_cookie));
} }
return r; return r;
} }
zeek::RecordValPtr DNS_MsgInfo::BuildTSIG_Val(struct TSIG_DATA* tsig) RecordValPtr DNS_MsgInfo::BuildTSIG_Val(struct TSIG_DATA* tsig)
{ {
static auto dns_tsig_additional = zeek::id::find_type<zeek::RecordType>("dns_tsig_additional"); static auto dns_tsig_additional = id::find_type<RecordType>("dns_tsig_additional");
auto r = zeek::make_intrusive<zeek::RecordVal>(dns_tsig_additional); auto r = make_intrusive<RecordVal>(dns_tsig_additional);
double rtime = tsig->time_s + tsig->time_ms / 1000.0; double rtime = tsig->time_s + tsig->time_ms / 1000.0;
// r->Assign(0, zeek::val_mgr->Count(int(answer_type))); // r->Assign(0, val_mgr->Count(int(answer_type)));
r->Assign(0, query_name); r->Assign(0, query_name);
r->Assign(1, zeek::val_mgr->Count(int(answer_type))); r->Assign(1, val_mgr->Count(int(answer_type)));
r->Assign(2, zeek::make_intrusive<zeek::StringVal>(tsig->alg_name)); r->Assign(2, make_intrusive<StringVal>(tsig->alg_name));
r->Assign(3, zeek::make_intrusive<zeek::StringVal>(tsig->sig)); r->Assign(3, make_intrusive<StringVal>(tsig->sig));
r->Assign(4, zeek::make_intrusive<zeek::TimeVal>(rtime)); r->Assign(4, make_intrusive<TimeVal>(rtime));
r->Assign(5, zeek::make_intrusive<zeek::TimeVal>(double(tsig->fudge))); r->Assign(5, make_intrusive<TimeVal>(double(tsig->fudge)));
r->Assign(6, zeek::val_mgr->Count(tsig->orig_id)); r->Assign(6, val_mgr->Count(tsig->orig_id));
r->Assign(7, zeek::val_mgr->Count(tsig->rr_error)); r->Assign(7, val_mgr->Count(tsig->rr_error));
r->Assign(8, zeek::val_mgr->Count(is_query)); r->Assign(8, val_mgr->Count(is_query));
return r; return r;
} }
zeek::RecordValPtr DNS_MsgInfo::BuildRRSIG_Val(RRSIG_DATA* rrsig) RecordValPtr DNS_MsgInfo::BuildRRSIG_Val(RRSIG_DATA* rrsig)
{ {
static auto dns_rrsig_rr = zeek::id::find_type<zeek::RecordType>("dns_rrsig_rr"); static auto dns_rrsig_rr = id::find_type<RecordType>("dns_rrsig_rr");
auto r = zeek::make_intrusive<zeek::RecordVal>(dns_rrsig_rr); auto r = make_intrusive<RecordVal>(dns_rrsig_rr);
r->Assign(0, query_name); r->Assign(0, query_name);
r->Assign(1, zeek::val_mgr->Count(int(answer_type))); r->Assign(1, val_mgr->Count(int(answer_type)));
r->Assign(2, zeek::val_mgr->Count(rrsig->type_covered)); r->Assign(2, val_mgr->Count(rrsig->type_covered));
r->Assign(3, zeek::val_mgr->Count(rrsig->algorithm)); r->Assign(3, val_mgr->Count(rrsig->algorithm));
r->Assign(4, zeek::val_mgr->Count(rrsig->labels)); r->Assign(4, val_mgr->Count(rrsig->labels));
r->Assign(5, zeek::make_intrusive<zeek::IntervalVal>(double(rrsig->orig_ttl), Seconds)); r->Assign(5, make_intrusive<IntervalVal>(double(rrsig->orig_ttl), Seconds));
r->Assign(6, zeek::make_intrusive<zeek::TimeVal>(double(rrsig->sig_exp))); r->Assign(6, make_intrusive<TimeVal>(double(rrsig->sig_exp)));
r->Assign(7, zeek::make_intrusive<zeek::TimeVal>(double(rrsig->sig_incep))); r->Assign(7, make_intrusive<TimeVal>(double(rrsig->sig_incep)));
r->Assign(8, zeek::val_mgr->Count(rrsig->key_tag)); r->Assign(8, val_mgr->Count(rrsig->key_tag));
r->Assign(9, zeek::make_intrusive<zeek::StringVal>(rrsig->signer_name)); r->Assign(9, make_intrusive<StringVal>(rrsig->signer_name));
r->Assign(10, zeek::make_intrusive<zeek::StringVal>(rrsig->signature)); r->Assign(10, make_intrusive<StringVal>(rrsig->signature));
r->Assign(11, zeek::val_mgr->Count(is_query)); r->Assign(11, val_mgr->Count(is_query));
return r; return r;
} }
zeek::RecordValPtr DNS_MsgInfo::BuildDNSKEY_Val(DNSKEY_DATA* dnskey) RecordValPtr DNS_MsgInfo::BuildDNSKEY_Val(DNSKEY_DATA* dnskey)
{ {
static auto dns_dnskey_rr = zeek::id::find_type<zeek::RecordType>("dns_dnskey_rr"); static auto dns_dnskey_rr = id::find_type<RecordType>("dns_dnskey_rr");
auto r = zeek::make_intrusive<zeek::RecordVal>(dns_dnskey_rr); auto r = make_intrusive<RecordVal>(dns_dnskey_rr);
r->Assign(0, query_name); r->Assign(0, query_name);
r->Assign(1, zeek::val_mgr->Count(int(answer_type))); r->Assign(1, val_mgr->Count(int(answer_type)));
r->Assign(2, zeek::val_mgr->Count(dnskey->dflags)); r->Assign(2, val_mgr->Count(dnskey->dflags));
r->Assign(3, zeek::val_mgr->Count(dnskey->dprotocol)); r->Assign(3, val_mgr->Count(dnskey->dprotocol));
r->Assign(4, zeek::val_mgr->Count(dnskey->dalgorithm)); r->Assign(4, val_mgr->Count(dnskey->dalgorithm));
r->Assign(5, zeek::make_intrusive<zeek::StringVal>(dnskey->public_key)); r->Assign(5, make_intrusive<StringVal>(dnskey->public_key));
r->Assign(6, zeek::val_mgr->Count(is_query)); r->Assign(6, val_mgr->Count(is_query));
return r; return r;
} }
zeek::RecordValPtr DNS_MsgInfo::BuildNSEC3_Val(NSEC3_DATA* nsec3) RecordValPtr DNS_MsgInfo::BuildNSEC3_Val(NSEC3_DATA* nsec3)
{ {
static auto dns_nsec3_rr = zeek::id::find_type<zeek::RecordType>("dns_nsec3_rr"); static auto dns_nsec3_rr = id::find_type<RecordType>("dns_nsec3_rr");
auto r = zeek::make_intrusive<zeek::RecordVal>(dns_nsec3_rr); auto r = make_intrusive<RecordVal>(dns_nsec3_rr);
r->Assign(0, query_name); r->Assign(0, query_name);
r->Assign(1, zeek::val_mgr->Count(int(answer_type))); r->Assign(1, val_mgr->Count(int(answer_type)));
r->Assign(2, zeek::val_mgr->Count(nsec3->nsec_flags)); r->Assign(2, val_mgr->Count(nsec3->nsec_flags));
r->Assign(3, zeek::val_mgr->Count(nsec3->nsec_hash_algo)); r->Assign(3, val_mgr->Count(nsec3->nsec_hash_algo));
r->Assign(4, zeek::val_mgr->Count(nsec3->nsec_iter)); r->Assign(4, val_mgr->Count(nsec3->nsec_iter));
r->Assign(5, zeek::val_mgr->Count(nsec3->nsec_salt_len)); r->Assign(5, val_mgr->Count(nsec3->nsec_salt_len));
r->Assign(6, zeek::make_intrusive<zeek::StringVal>(nsec3->nsec_salt)); r->Assign(6, make_intrusive<StringVal>(nsec3->nsec_salt));
r->Assign(7, zeek::val_mgr->Count(nsec3->nsec_hlen)); r->Assign(7, val_mgr->Count(nsec3->nsec_hlen));
r->Assign(8, zeek::make_intrusive<zeek::StringVal>(nsec3->nsec_hash)); r->Assign(8, make_intrusive<StringVal>(nsec3->nsec_hash));
r->Assign(9, std::move(nsec3->bitmaps)); r->Assign(9, std::move(nsec3->bitmaps));
r->Assign(10, zeek::val_mgr->Count(is_query)); r->Assign(10, val_mgr->Count(is_query));
return r; return r;
} }
zeek::RecordValPtr DNS_MsgInfo::BuildDS_Val(DS_DATA* ds) RecordValPtr DNS_MsgInfo::BuildDS_Val(DS_DATA* ds)
{ {
static auto dns_ds_rr = zeek::id::find_type<zeek::RecordType>("dns_ds_rr"); static auto dns_ds_rr = id::find_type<RecordType>("dns_ds_rr");
auto r = zeek::make_intrusive<zeek::RecordVal>(dns_ds_rr); auto r = make_intrusive<RecordVal>(dns_ds_rr);
r->Assign(0, query_name); r->Assign(0, query_name);
r->Assign(1, zeek::val_mgr->Count(int(answer_type))); r->Assign(1, val_mgr->Count(int(answer_type)));
r->Assign(2, zeek::val_mgr->Count(ds->key_tag)); r->Assign(2, val_mgr->Count(ds->key_tag));
r->Assign(3, zeek::val_mgr->Count(ds->algorithm)); r->Assign(3, val_mgr->Count(ds->algorithm));
r->Assign(4, zeek::val_mgr->Count(ds->digest_type)); r->Assign(4, val_mgr->Count(ds->digest_type));
r->Assign(5, zeek::make_intrusive<zeek::StringVal>(ds->digest_val)); r->Assign(5, make_intrusive<StringVal>(ds->digest_val));
r->Assign(6, zeek::val_mgr->Count(is_query)); r->Assign(6, val_mgr->Count(is_query));
return r; return r;
} }
} // namespace detail } // namespace detail
Contents_DNS::Contents_DNS(zeek::Connection* conn, bool orig, Contents_DNS::Contents_DNS(Connection* conn, bool orig,
detail::DNS_Interpreter* arg_interp) detail::DNS_Interpreter* arg_interp)
: zeek::analyzer::tcp::TCP_SupportAnalyzer("CONTENTS_DNS", conn, orig) : analyzer::tcp::TCP_SupportAnalyzer("CONTENTS_DNS", conn, orig)
{ {
interp = arg_interp; interp = arg_interp;
@ -1856,13 +1856,13 @@ void Contents_DNS::ProcessChunk(int& len, const u_char*& data, bool orig)
if ( buf_len < msg_size ) if ( buf_len < msg_size )
{ {
buf_len = msg_size; buf_len = msg_size;
msg_buf = (u_char*) zeek::util::safe_realloc((void*) msg_buf, buf_len); msg_buf = (u_char*) util::safe_realloc((void*) msg_buf, buf_len);
} }
} }
else else
{ {
buf_len = msg_size; buf_len = msg_size;
msg_buf = (u_char*) zeek::util::safe_malloc(buf_len); msg_buf = (u_char*) util::safe_malloc(buf_len);
} }
++data; ++data;
@ -1892,8 +1892,8 @@ void Contents_DNS::ProcessChunk(int& len, const u_char*& data, bool orig)
state = detail::DNS_LEN_HI; state = detail::DNS_LEN_HI;
} }
DNS_Analyzer::DNS_Analyzer(zeek::Connection* conn) DNS_Analyzer::DNS_Analyzer(Connection* conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("DNS", conn) : analyzer::tcp::TCP_ApplicationAnalyzer("DNS", conn)
{ {
interp = new detail::DNS_Interpreter(this); interp = new detail::DNS_Interpreter(this);
contents_dns_orig = contents_dns_resp = nullptr; contents_dns_orig = contents_dns_resp = nullptr;
@ -1908,7 +1908,7 @@ DNS_Analyzer::DNS_Analyzer(zeek::Connection* conn)
else else
{ {
ADD_ANALYZER_TIMER(&DNS_Analyzer::ExpireTimer, ADD_ANALYZER_TIMER(&DNS_Analyzer::ExpireTimer,
zeek::run_state::network_time + zeek::detail::dns_session_timeout, true, run_state::network_time + zeek::detail::dns_session_timeout, true,
zeek::detail::TIMER_DNS_EXPIRE); zeek::detail::TIMER_DNS_EXPIRE);
} }
} }
@ -1924,7 +1924,7 @@ void DNS_Analyzer::Init()
void DNS_Analyzer::Done() void DNS_Analyzer::Done()
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); analyzer::tcp::TCP_ApplicationAnalyzer::Done();
if ( Conn()->ConnTransport() == TRANSPORT_UDP ) if ( Conn()->ConnTransport() == TRANSPORT_UDP )
Event(udp_session_done); Event(udp_session_done);
@ -1933,18 +1933,18 @@ void DNS_Analyzer::Done()
} }
void DNS_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, void DNS_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const zeek::IP_Hdr* ip, int caplen) uint64_t seq, const IP_Hdr* ip, int caplen)
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen); analyzer::tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
interp->ParseMessage(data, len, orig ? 1 : 0); interp->ParseMessage(data, len, orig ? 1 : 0);
} }
void DNS_Analyzer::ConnectionClosed(zeek::analyzer::tcp::TCP_Endpoint* endpoint, void DNS_Analyzer::ConnectionClosed(analyzer::tcp::TCP_Endpoint* endpoint,
zeek::analyzer::tcp::TCP_Endpoint* peer, analyzer::tcp::TCP_Endpoint* peer,
bool gen_event) bool gen_event)
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::ConnectionClosed(endpoint, peer, gen_event); analyzer::tcp::TCP_ApplicationAnalyzer::ConnectionClosed(endpoint, peer, gen_event);
assert(contents_dns_orig && contents_dns_resp); assert(contents_dns_orig && contents_dns_resp);
contents_dns_orig->Flush(); contents_dns_orig->Flush();
@ -1956,10 +1956,10 @@ void DNS_Analyzer::ExpireTimer(double t)
// The - 1.0 in the following is to allow 1 second for the // The - 1.0 in the following is to allow 1 second for the
// common case of a single request followed by a single reply, // common case of a single request followed by a single reply,
// so we don't needlessly set the timer twice in that case. // so we don't needlessly set the timer twice in that case.
if ( t - Conn()->LastTime() >= zeek::detail::dns_session_timeout - 1.0 || zeek::run_state::terminating ) if ( t - Conn()->LastTime() >= zeek::detail::dns_session_timeout - 1.0 || run_state::terminating )
{ {
Event(connection_timeout); Event(connection_timeout);
zeek::sessions->Remove(Conn()); sessions->Remove(Conn());
} }
else else
ADD_ANALYZER_TIMER(&DNS_Analyzer::ExpireTimer, ADD_ANALYZER_TIMER(&DNS_Analyzer::ExpireTimer,

76
src/analyzer/protocol/dns/DNS.h
View file

@ -152,10 +152,10 @@ struct EDNS_ADDITIONAL { // size
}; };
struct EDNS_ECS { struct EDNS_ECS {
zeek::StringValPtr ecs_family; ///< EDNS client subnet address family StringValPtr ecs_family; ///< EDNS client subnet address family
uint16_t ecs_src_pfx_len; ///< EDNS client subnet source prefix length uint16_t ecs_src_pfx_len; ///< EDNS client subnet source prefix length
uint16_t ecs_scp_pfx_len; ///< EDNS client subnet scope prefix length uint16_t ecs_scp_pfx_len; ///< EDNS client subnet scope prefix length
zeek::IntrusivePtr<zeek::AddrVal> ecs_addr; ///< EDNS client subnet address IntrusivePtr<AddrVal> ecs_addr; ///< EDNS client subnet address
}; };
struct EDNS_TCP_KEEPALIVE { struct EDNS_TCP_KEEPALIVE {
@ -169,10 +169,10 @@ struct EDNS_COOKIE {
}; };
struct TSIG_DATA { struct TSIG_DATA {
zeek::String* alg_name; String* alg_name;
unsigned long time_s; unsigned long time_s;
unsigned short time_ms; unsigned short time_ms;
zeek::String* sig; String* sig;
unsigned short fudge; unsigned short fudge;
unsigned short orig_id; unsigned short orig_id;
unsigned short rr_error; unsigned short rr_error;
@ -186,15 +186,15 @@ struct RRSIG_DATA {
unsigned long sig_exp; // 32 unsigned long sig_exp; // 32
unsigned long sig_incep; // 32 unsigned long sig_incep; // 32
unsigned short key_tag; //16 unsigned short key_tag; //16
zeek::String* signer_name; String* signer_name;
zeek::String* signature; String* signature;
}; };
struct DNSKEY_DATA { struct DNSKEY_DATA {
unsigned short dflags; // 16 : ExtractShort(data, len) unsigned short dflags; // 16 : ExtractShort(data, len)
unsigned short dalgorithm; // 8 unsigned short dalgorithm; // 8
unsigned short dprotocol; // 8 unsigned short dprotocol; // 8
zeek::String* public_key; // Variable lenght Public Key String* public_key; // Variable lenght Public Key
}; };
struct NSEC3_DATA { struct NSEC3_DATA {
@ -202,34 +202,34 @@ struct NSEC3_DATA {
unsigned short nsec_hash_algo; unsigned short nsec_hash_algo;
unsigned short nsec_iter; unsigned short nsec_iter;
unsigned short nsec_salt_len; unsigned short nsec_salt_len;
zeek::String* nsec_salt; String* nsec_salt;
unsigned short nsec_hlen; unsigned short nsec_hlen;
zeek::String* nsec_hash; String* nsec_hash;
zeek::VectorValPtr bitmaps; VectorValPtr bitmaps;
}; };
struct DS_DATA { struct DS_DATA {
unsigned short key_tag; // 16 : ExtractShort(data, len) unsigned short key_tag; // 16 : ExtractShort(data, len)
unsigned short algorithm; // 8 unsigned short algorithm; // 8
unsigned short digest_type; // 8 unsigned short digest_type; // 8
zeek::String* digest_val; // Variable lenght Digest of DNSKEY RR String* digest_val; // Variable lenght Digest of DNSKEY RR
}; };
class DNS_MsgInfo { class DNS_MsgInfo {
public: public:
DNS_MsgInfo(DNS_RawMsgHdr* hdr, int is_query); DNS_MsgInfo(DNS_RawMsgHdr* hdr, int is_query);
zeek::RecordValPtr BuildHdrVal(); RecordValPtr BuildHdrVal();
zeek::RecordValPtr BuildAnswerVal(); RecordValPtr BuildAnswerVal();
zeek::RecordValPtr BuildEDNS_Val(); RecordValPtr BuildEDNS_Val();
zeek::RecordValPtr BuildEDNS_ECS_Val(struct EDNS_ECS*); RecordValPtr BuildEDNS_ECS_Val(struct EDNS_ECS*);
zeek::RecordValPtr BuildEDNS_TCP_KA_Val(struct EDNS_TCP_KEEPALIVE*); RecordValPtr BuildEDNS_TCP_KA_Val(struct EDNS_TCP_KEEPALIVE*);
zeek::RecordValPtr BuildEDNS_COOKIE_Val(struct EDNS_COOKIE*); RecordValPtr BuildEDNS_COOKIE_Val(struct EDNS_COOKIE*);
zeek::RecordValPtr BuildTSIG_Val(struct TSIG_DATA*); RecordValPtr BuildTSIG_Val(struct TSIG_DATA*);
zeek::RecordValPtr BuildRRSIG_Val(struct RRSIG_DATA*); RecordValPtr BuildRRSIG_Val(struct RRSIG_DATA*);
zeek::RecordValPtr BuildDNSKEY_Val(struct DNSKEY_DATA*); RecordValPtr BuildDNSKEY_Val(struct DNSKEY_DATA*);
zeek::RecordValPtr BuildNSEC3_Val(struct NSEC3_DATA*); RecordValPtr BuildNSEC3_Val(struct NSEC3_DATA*);
zeek::RecordValPtr BuildDS_Val(struct DS_DATA*); RecordValPtr BuildDS_Val(struct DS_DATA*);
int id; int id;
int opcode; ///< query type, see DNS_Opcode int opcode; ///< query type, see DNS_Opcode
@ -246,7 +246,7 @@ public:
int arcount; ///< number of additional RRs int arcount; ///< number of additional RRs
int is_query; ///< whether it came from the session initiator int is_query; ///< whether it came from the session initiator
zeek::StringValPtr query_name; StringValPtr query_name;
RR_Type atype; RR_Type atype;
int aclass; ///< normally = 1, inet int aclass; ///< normally = 1, inet
uint32_t ttl; uint32_t ttl;
@ -261,7 +261,7 @@ public:
class DNS_Interpreter { class DNS_Interpreter {
public: public:
explicit DNS_Interpreter(zeek::analyzer::Analyzer* analyzer); explicit DNS_Interpreter(analyzer::Analyzer* analyzer);
void ParseMessage(const u_char* data, int len, int is_query); void ParseMessage(const u_char* data, int len, int is_query);
@ -292,9 +292,9 @@ protected:
uint16_t ExtractShort(const u_char*& data, int& len); uint16_t ExtractShort(const u_char*& data, int& len);
uint32_t ExtractLong(const u_char*& data, int& len); uint32_t ExtractLong(const u_char*& data, int& len);
void ExtractOctets(const u_char*& data, int& len, zeek::String** p); void ExtractOctets(const u_char*& data, int& len, String** p);
zeek::String* ExtractStream(const u_char*& data, int& len, int sig_len); String* ExtractStream(const u_char*& data, int& len, int sig_len);
bool ParseRR_Name(detail::DNS_MsgInfo* msg, bool ParseRR_Name(detail::DNS_MsgInfo* msg,
const u_char*& data, int& len, int rdlength, const u_char*& data, int& len, int rdlength,
@ -352,12 +352,12 @@ protected:
bool ParseRR_DS(detail::DNS_MsgInfo* msg, bool ParseRR_DS(detail::DNS_MsgInfo* msg,
const u_char*& data, int& len, int rdlength, const u_char*& data, int& len, int rdlength,
const u_char* msg_start); const u_char* msg_start);
void SendReplyOrRejectEvent(detail::DNS_MsgInfo* msg, zeek::EventHandlerPtr event, void SendReplyOrRejectEvent(detail::DNS_MsgInfo* msg, EventHandlerPtr event,
const u_char*& data, int& len, const u_char*& data, int& len,
zeek::String* question_name, String* question_name,
zeek::String* original_name); String* original_name);
zeek::analyzer::Analyzer* analyzer; analyzer::Analyzer* analyzer;
bool first_message; bool first_message;
}; };
@ -371,9 +371,9 @@ enum TCP_DNS_state {
// Support analyzer which chunks the TCP stream into "packets". // Support analyzer which chunks the TCP stream into "packets".
// ### This should be merged with TCP_Contents_RPC. // ### This should be merged with TCP_Contents_RPC.
class Contents_DNS final : public zeek::analyzer::tcp::TCP_SupportAnalyzer { class Contents_DNS final : public analyzer::tcp::TCP_SupportAnalyzer {
public: public:
Contents_DNS(zeek::Connection* c, bool orig, detail::DNS_Interpreter* interp); Contents_DNS(Connection* c, bool orig, detail::DNS_Interpreter* interp);
~Contents_DNS() override; ~Contents_DNS() override;
void Flush(); ///< process any partially-received data void Flush(); ///< process any partially-received data
@ -394,21 +394,21 @@ protected:
}; };
// Works for both TCP and UDP. // Works for both TCP and UDP.
class DNS_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { class DNS_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer {
public: public:
explicit DNS_Analyzer(zeek::Connection* conn); explicit DNS_Analyzer(Connection* conn);
~DNS_Analyzer() override; ~DNS_Analyzer() override;
void DeliverPacket(int len, const u_char* data, bool orig, void DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override; uint64_t seq, const IP_Hdr* ip, int caplen) override;
void Init() override; void Init() override;
void Done() override; void Done() override;
void ConnectionClosed(zeek::analyzer::tcp::TCP_Endpoint* endpoint, void ConnectionClosed(analyzer::tcp::TCP_Endpoint* endpoint,
zeek::analyzer::tcp::TCP_Endpoint* peer, bool gen_event) override; analyzer::tcp::TCP_Endpoint* peer, bool gen_event) override;
void ExpireTimer(double t); void ExpireTimer(double t);
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new DNS_Analyzer(conn); } { return new DNS_Analyzer(conn); }
protected: protected:

32
src/analyzer/protocol/file/File.cc
View file

@ -11,7 +11,7 @@
namespace zeek::analyzer::file { namespace zeek::analyzer::file {
File_Analyzer::File_Analyzer(const char* name, zeek::Connection* conn) File_Analyzer::File_Analyzer(const char* name, Connection* conn)
: TCP_ApplicationAnalyzer(name, conn) : TCP_ApplicationAnalyzer(name, conn)
{ {
buffer_len = 0; buffer_len = 0;
@ -19,7 +19,7 @@ File_Analyzer::File_Analyzer(const char* name, zeek::Connection* conn)
void File_Analyzer::DeliverStream(int len, const u_char* data, bool orig) void File_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
int n = std::min(len, BUFFER_SIZE - buffer_len); int n = std::min(len, BUFFER_SIZE - buffer_len);
@ -33,10 +33,10 @@ void File_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
} }
if ( orig ) if ( orig )
file_id_orig = zeek::file_mgr->DataIn(data, len, GetAnalyzerTag(), Conn(), file_id_orig = file_mgr->DataIn(data, len, GetAnalyzerTag(), Conn(),
orig, file_id_orig); orig, file_id_orig);
else else
file_id_resp = zeek::file_mgr->DataIn(data, len, GetAnalyzerTag(), Conn(), file_id_resp = file_mgr->DataIn(data, len, GetAnalyzerTag(), Conn(),
orig, file_id_resp); orig, file_id_resp);
} }
@ -45,35 +45,35 @@ void File_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
if ( orig ) if ( orig )
file_id_orig = zeek::file_mgr->Gap(seq, len, GetAnalyzerTag(), Conn(), orig, file_id_orig = file_mgr->Gap(seq, len, GetAnalyzerTag(), Conn(), orig,
file_id_orig); file_id_orig);
else else
file_id_resp = zeek::file_mgr->Gap(seq, len, GetAnalyzerTag(), Conn(), orig, file_id_resp = file_mgr->Gap(seq, len, GetAnalyzerTag(), Conn(), orig,
file_id_resp); file_id_resp);
} }
void File_Analyzer::Done() void File_Analyzer::Done()
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); analyzer::tcp::TCP_ApplicationAnalyzer::Done();
if ( buffer_len && buffer_len != BUFFER_SIZE ) if ( buffer_len && buffer_len != BUFFER_SIZE )
Identify(); Identify();
if ( ! file_id_orig.empty() ) if ( ! file_id_orig.empty() )
zeek::file_mgr->EndOfFile(file_id_orig); file_mgr->EndOfFile(file_id_orig);
else else
zeek::file_mgr->EndOfFile(GetAnalyzerTag(), Conn(), true); file_mgr->EndOfFile(GetAnalyzerTag(), Conn(), true);
if ( ! file_id_resp.empty() ) if ( ! file_id_resp.empty() )
zeek::file_mgr->EndOfFile(file_id_resp); file_mgr->EndOfFile(file_id_resp);
else else
zeek::file_mgr->EndOfFile(GetAnalyzerTag(), Conn(), false); file_mgr->EndOfFile(GetAnalyzerTag(), Conn(), false);
} }
void File_Analyzer::Identify() void File_Analyzer::Identify()
{ {
zeek::detail::RuleMatcher::MIME_Matches matches; detail::RuleMatcher::MIME_Matches matches;
zeek::file_mgr->DetectMIME(reinterpret_cast<const u_char*>(buffer), buffer_len, file_mgr->DetectMIME(reinterpret_cast<const u_char*>(buffer), buffer_len,
&matches); &matches);
std::string match = matches.empty() ? "<unknown>" std::string match = matches.empty() ? "<unknown>"
: *(matches.begin()->second.begin()); : *(matches.begin()->second.begin());
@ -82,9 +82,9 @@ void File_Analyzer::Identify()
EnqueueConnEvent( EnqueueConnEvent(
file_transferred, file_transferred,
ConnVal(), ConnVal(),
zeek::make_intrusive<zeek::StringVal>(buffer_len, buffer), make_intrusive<StringVal>(buffer_len, buffer),
zeek::make_intrusive<zeek::StringVal>("<unknown>"), make_intrusive<StringVal>("<unknown>"),
zeek::make_intrusive<zeek::StringVal>(match) make_intrusive<StringVal>(match)
); );
} }

14
src/analyzer/protocol/file/File.h
View file

@ -8,9 +8,9 @@
namespace zeek::analyzer::file { namespace zeek::analyzer::file {
class File_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { class File_Analyzer : public analyzer::tcp::TCP_ApplicationAnalyzer {
public: public:
File_Analyzer(const char* name, zeek::Connection* conn); File_Analyzer(const char* name, Connection* conn);
void Done() override; void Done() override;
@ -18,7 +18,7 @@ public:
void Undelivered(uint64_t seq, int len, bool orig) override; void Undelivered(uint64_t seq, int len, bool orig) override;
// static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) // static analyzer::Analyzer* Instantiate(Connection* conn)
// { return new File_Analyzer(conn); } // { return new File_Analyzer(conn); }
protected: protected:
@ -33,21 +33,21 @@ protected:
class IRC_Data : public File_Analyzer { class IRC_Data : public File_Analyzer {
public: public:
explicit IRC_Data(zeek::Connection* conn) explicit IRC_Data(Connection* conn)
: File_Analyzer("IRC_Data", conn) : File_Analyzer("IRC_Data", conn)
{ } { }
static Analyzer* Instantiate(zeek::Connection* conn) static Analyzer* Instantiate(Connection* conn)
{ return new IRC_Data(conn); } { return new IRC_Data(conn); }
}; };
class FTP_Data : public File_Analyzer { class FTP_Data : public File_Analyzer {
public: public:
explicit FTP_Data(zeek::Connection* conn) explicit FTP_Data(Connection* conn)
: File_Analyzer("FTP_Data", conn) : File_Analyzer("FTP_Data", conn)
{ } { }
static Analyzer* Instantiate(zeek::Connection* conn) static Analyzer* Instantiate(Connection* conn)
{ return new FTP_Data(conn); } { return new FTP_Data(conn); }
}; };

26
src/analyzer/protocol/finger/Finger.cc
View file

@ -13,25 +13,25 @@
namespace zeek::analyzer::finger { namespace zeek::analyzer::finger {
Finger_Analyzer::Finger_Analyzer(zeek::Connection* conn) Finger_Analyzer::Finger_Analyzer(Connection* conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("FINGER", conn) : analyzer::tcp::TCP_ApplicationAnalyzer("FINGER", conn)
{ {
did_deliver = 0; did_deliver = 0;
content_line_orig = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, true, 1000); content_line_orig = new analyzer::tcp::ContentLine_Analyzer(conn, true, 1000);
content_line_orig->SetIsNULSensitive(true); content_line_orig->SetIsNULSensitive(true);
content_line_resp = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, false, 1000); content_line_resp = new analyzer::tcp::ContentLine_Analyzer(conn, false, 1000);
AddSupportAnalyzer(content_line_orig); AddSupportAnalyzer(content_line_orig);
AddSupportAnalyzer(content_line_resp); AddSupportAnalyzer(content_line_resp);
} }
void Finger_Analyzer::Done() void Finger_Analyzer::Done()
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); analyzer::tcp::TCP_ApplicationAnalyzer::Done();
if ( TCP() ) if ( TCP() )
if ( (! did_deliver || content_line_orig->HasPartialLine()) && if ( (! did_deliver || content_line_orig->HasPartialLine()) &&
(TCP()->OrigState() == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED || (TCP()->OrigState() == analyzer::tcp::TCP_ENDPOINT_CLOSED ||
TCP()->OrigPrevState() == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED) ) TCP()->OrigPrevState() == analyzer::tcp::TCP_ENDPOINT_CLOSED) )
// ### should include the partial text // ### should include the partial text
Weird("partial_finger_request"); Weird("partial_finger_request");
} }
@ -50,12 +50,12 @@ void Finger_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig
if ( ! finger_request ) if ( ! finger_request )
return; return;
line = zeek::util::skip_whitespace(line, end_of_line); line = util::skip_whitespace(line, end_of_line);
// Check for /W. // Check for /W.
int long_cnt = (line + 2 <= end_of_line && line[0] == '/' && toupper(line[1]) == 'W'); int long_cnt = (line + 2 <= end_of_line && line[0] == '/' && toupper(line[1]) == 'W');
if ( long_cnt ) if ( long_cnt )
line = zeek::util::skip_whitespace(line+2, end_of_line); line = util::skip_whitespace(line+2, end_of_line);
assert(line <= end_of_line); assert(line <= end_of_line);
size_t n = end_of_line >= line ? end_of_line - line : 0; // just to be sure if assertions aren't on. size_t n = end_of_line >= line ? end_of_line - line : 0; // just to be sure if assertions aren't on.
@ -69,9 +69,9 @@ void Finger_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig
if ( finger_request ) if ( finger_request )
EnqueueConnEvent(finger_request, EnqueueConnEvent(finger_request,
ConnVal(), ConnVal(),
zeek::val_mgr->Bool(long_cnt), val_mgr->Bool(long_cnt),
zeek::make_intrusive<zeek::StringVal>(at - line, line), make_intrusive<StringVal>(at - line, line),
zeek::make_intrusive<zeek::StringVal>(end_of_line - host, host) make_intrusive<StringVal>(end_of_line - host, host)
); );
Conn()->Match(zeek::detail::Rule::FINGER, (const u_char *) line, Conn()->Match(zeek::detail::Rule::FINGER, (const u_char *) line,
@ -87,7 +87,7 @@ void Finger_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig
EnqueueConnEvent(finger_reply, EnqueueConnEvent(finger_reply,
ConnVal(), ConnVal(),
zeek::make_intrusive<zeek::StringVal>(end_of_line - line, line) make_intrusive<StringVal>(end_of_line - line, line)
); );
} }
} }

10
src/analyzer/protocol/finger/Finger.h
View file

@ -7,21 +7,21 @@
namespace zeek::analyzer::finger { namespace zeek::analyzer::finger {
class Finger_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { class Finger_Analyzer : public analyzer::tcp::TCP_ApplicationAnalyzer {
public: public:
explicit Finger_Analyzer(zeek::Connection* conn); explicit Finger_Analyzer(Connection* conn);
~Finger_Analyzer() override {} ~Finger_Analyzer() override {}
void Done() override; void Done() override;
// Line-based input. // Line-based input.
void DeliverStream(int len, const u_char* data, bool orig) override; void DeliverStream(int len, const u_char* data, bool orig) override;
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new Finger_Analyzer(conn); } { return new Finger_Analyzer(conn); }
protected: protected:
zeek::analyzer::tcp::ContentLine_Analyzer* content_line_orig; analyzer::tcp::ContentLine_Analyzer* content_line_orig;
zeek::analyzer::tcp::ContentLine_Analyzer* content_line_resp; analyzer::tcp::ContentLine_Analyzer* content_line_resp;
int did_deliver; int did_deliver;
}; };

68
src/analyzer/protocol/ftp/FTP.cc
View file

@ -17,18 +17,18 @@
namespace zeek::analyzer::ftp { namespace zeek::analyzer::ftp {
FTP_Analyzer::FTP_Analyzer(zeek::Connection* conn) FTP_Analyzer::FTP_Analyzer(Connection* conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("FTP", conn) : analyzer::tcp::TCP_ApplicationAnalyzer("FTP", conn)
{ {
pending_reply = 0; pending_reply = 0;
nvt_orig = new zeek::analyzer::login::NVT_Analyzer(conn, true); nvt_orig = new analyzer::login::NVT_Analyzer(conn, true);
nvt_orig->SetIsNULSensitive(true); nvt_orig->SetIsNULSensitive(true);
nvt_orig->SetIsNULSensitive(true); nvt_orig->SetIsNULSensitive(true);
nvt_orig->SetCRLFAsEOL(LF_as_EOL); nvt_orig->SetCRLFAsEOL(LF_as_EOL);
nvt_orig->SetIsNULSensitive(LF_as_EOL); nvt_orig->SetIsNULSensitive(LF_as_EOL);
nvt_resp = new zeek::analyzer::login::NVT_Analyzer(conn, false); nvt_resp = new analyzer::login::NVT_Analyzer(conn, false);
nvt_resp->SetIsNULSensitive(true); nvt_resp->SetIsNULSensitive(true);
nvt_resp->SetIsNULSensitive(true); nvt_resp->SetIsNULSensitive(true);
nvt_resp->SetCRLFAsEOL(LF_as_EOL); nvt_resp->SetCRLFAsEOL(LF_as_EOL);
@ -43,11 +43,11 @@ FTP_Analyzer::FTP_Analyzer(zeek::Connection* conn)
void FTP_Analyzer::Done() void FTP_Analyzer::Done()
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); analyzer::tcp::TCP_ApplicationAnalyzer::Done();
if ( nvt_orig->HasPartialLine() && if ( nvt_orig->HasPartialLine() &&
(TCP()->OrigState() == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED || (TCP()->OrigState() == analyzer::tcp::TCP_ENDPOINT_CLOSED ||
TCP()->OrigPrevState() == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED) ) TCP()->OrigPrevState() == analyzer::tcp::TCP_ENDPOINT_CLOSED) )
// ### should include the partial text // ### should include the partial text
Weird("partial_ftp_request"); Weird("partial_ftp_request");
} }
@ -62,7 +62,7 @@ static uint32_t get_reply_code(int len, const char* line)
void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig) void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(length, data, orig); analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(length, data, orig);
if ( (orig && ! ftp_request) || (! orig && ! ftp_reply) ) if ( (orig && ! ftp_request) || (! orig && ! ftp_reply) )
return; return;
@ -75,31 +75,31 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
// Could emit "ftp empty request/reply" weird, but maybe not worth it. // Could emit "ftp empty request/reply" weird, but maybe not worth it.
return; return;
zeek::Args vl; Args vl;
zeek::EventHandlerPtr f; EventHandlerPtr f;
if ( orig ) if ( orig )
{ {
int cmd_len; int cmd_len;
const char* cmd; const char* cmd;
zeek::StringVal* cmd_str; StringVal* cmd_str;
line = zeek::util::skip_whitespace(line, end_of_line); line = util::skip_whitespace(line, end_of_line);
zeek::util::get_word(end_of_line - line, line, cmd_len, cmd); util::get_word(end_of_line - line, line, cmd_len, cmd);
line = zeek::util::skip_whitespace(line + cmd_len, end_of_line); line = util::skip_whitespace(line + cmd_len, end_of_line);
if ( cmd_len == 0 ) if ( cmd_len == 0 )
{ {
// Weird("FTP command missing", end_of_line - orig_line, orig_line); // Weird("FTP command missing", end_of_line - orig_line, orig_line);
cmd_str = new zeek::StringVal("<missing>"); cmd_str = new StringVal("<missing>");
} }
else else
cmd_str = (new zeek::StringVal(cmd_len, cmd))->ToUpper(); cmd_str = (new StringVal(cmd_len, cmd))->ToUpper();
vl = { vl = {
ConnVal(), ConnVal(),
zeek::IntrusivePtr{zeek::AdoptRef{}, cmd_str}, IntrusivePtr{AdoptRef{}, cmd_str},
zeek::make_intrusive<zeek::StringVal>(end_of_line - line, line), make_intrusive<StringVal>(end_of_line - line, line),
}; };
f = ftp_request; f = ftp_request;
@ -109,7 +109,7 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
"AUTH", cmd_len) == 0 ) "AUTH", cmd_len) == 0 )
auth_requested = std::string(line, end_of_line - line); auth_requested = std::string(line, end_of_line - line);
if ( zeek::detail::rule_matcher ) if ( detail::rule_matcher )
Conn()->Match(zeek::detail::Rule::FTP, (const u_char *) cmd, Conn()->Match(zeek::detail::Rule::FTP, (const u_char *) cmd,
end_of_line - cmd, true, true, true, true); end_of_line - cmd, true, true, true, true);
} }
@ -125,7 +125,7 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
length > 3 && line[3] == ' ' ) length > 3 && line[3] == ' ' )
{ {
// This is the end of the reply. // This is the end of the reply.
line = zeek::util::skip_whitespace(line + 3, end_of_line); line = util::skip_whitespace(line + 3, end_of_line);
pending_reply = 0; pending_reply = 0;
cont_resp = 0; cont_resp = 0;
} }
@ -140,7 +140,7 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
if ( reply_code > 0 && length > 3 && line[3] == '-' ) if ( reply_code > 0 && length > 3 && line[3] == '-' )
{ // a continued reply { // a continued reply
pending_reply = reply_code; pending_reply = reply_code;
line = zeek::util::skip_whitespace(line + 4, end_of_line); line = util::skip_whitespace(line + 4, end_of_line);
cont_resp = 1; cont_resp = 1;
} }
else else
@ -152,7 +152,7 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
(const char*) data, length); (const char*) data, length);
if ( line < end_of_line ) if ( line < end_of_line )
line = zeek::util::skip_whitespace(line, end_of_line); line = util::skip_whitespace(line, end_of_line);
else else
line = end_of_line; line = end_of_line;
@ -166,7 +166,7 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
// Server wants to proceed with an ADAT exchange and we // Server wants to proceed with an ADAT exchange and we
// know how to analyze the GSI mechanism, so attach analyzer // know how to analyze the GSI mechanism, so attach analyzer
// to look for that. // to look for that.
Analyzer* ssl = zeek::analyzer_mgr->InstantiateAnalyzer("SSL", Conn()); Analyzer* ssl = analyzer_mgr->InstantiateAnalyzer("SSL", Conn());
if ( ssl ) if ( ssl )
{ {
ssl->AddSupportAnalyzer(new FTP_ADAT_Analyzer(Conn(), true)); ssl->AddSupportAnalyzer(new FTP_ADAT_Analyzer(Conn(), true));
@ -177,9 +177,9 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
vl = { vl = {
ConnVal(), ConnVal(),
zeek::val_mgr->Count(reply_code), val_mgr->Count(reply_code),
zeek::make_intrusive<zeek::StringVal>(end_of_line - line, line), make_intrusive<StringVal>(end_of_line - line, line),
zeek::val_mgr->Bool(cont_resp) val_mgr->Bool(cont_resp)
}; };
f = ftp_reply; f = ftp_reply;
@ -204,20 +204,20 @@ void FTP_ADAT_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
const char* line = (const char*) data; const char* line = (const char*) data;
const char* end_of_line = line + len; const char* end_of_line = line + len;
zeek::String* decoded_adat = nullptr; String* decoded_adat = nullptr;
if ( orig ) if ( orig )
{ {
int cmd_len; int cmd_len;
const char* cmd; const char* cmd;
line = zeek::util::skip_whitespace(line, end_of_line); line = util::skip_whitespace(line, end_of_line);
zeek::util::get_word(len, line, cmd_len, cmd); util::get_word(len, line, cmd_len, cmd);
if ( strncmp(cmd, "ADAT", cmd_len) == 0 ) if ( strncmp(cmd, "ADAT", cmd_len) == 0 )
{ {
line = zeek::util::skip_whitespace(line + cmd_len, end_of_line); line = util::skip_whitespace(line + cmd_len, end_of_line);
zeek::StringVal encoded(end_of_line - line, line); StringVal encoded(end_of_line - line, line);
decoded_adat = zeek::detail::decode_base64(encoded.AsString(), nullptr, Conn()); decoded_adat = detail::decode_base64(encoded.AsString(), nullptr, Conn());
if ( first_token ) if ( first_token )
{ {
@ -286,12 +286,12 @@ void FTP_ADAT_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
if ( len > 3 && line[0] == '-' ) if ( len > 3 && line[0] == '-' )
line++; line++;
line = zeek::util::skip_whitespace(line, end_of_line); line = util::skip_whitespace(line, end_of_line);
if ( end_of_line - line >= 5 && strncmp(line, "ADAT=", 5) == 0 ) if ( end_of_line - line >= 5 && strncmp(line, "ADAT=", 5) == 0 )
{ {
line += 5; line += 5;
zeek::StringVal encoded(end_of_line - line, line); StringVal encoded(end_of_line - line, line);
decoded_adat = zeek::detail::decode_base64(encoded.AsString(), nullptr, Conn()); decoded_adat = zeek::detail::decode_base64(encoded.AsString(), nullptr, Conn());
} }

14
src/analyzer/protocol/ftp/FTP.h
View file

@ -8,21 +8,21 @@ ZEEK_FORWARD_DECLARE_NAMESPACED(NVT_Analyzer, zeek, analyzer::login);
namespace zeek::analyzer::ftp { namespace zeek::analyzer::ftp {
class FTP_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { class FTP_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer {
public: public:
explicit FTP_Analyzer(zeek::Connection* conn); explicit FTP_Analyzer(Connection* conn);
void Done() override; void Done() override;
void DeliverStream(int len, const u_char* data, bool orig) override; void DeliverStream(int len, const u_char* data, bool orig) override;
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) static analyzer::Analyzer* Instantiate(Connection* conn)
{ {
return new FTP_Analyzer(conn); return new FTP_Analyzer(conn);
} }
protected: protected:
zeek::analyzer::login::NVT_Analyzer* nvt_orig; analyzer::login::NVT_Analyzer* nvt_orig;
zeek::analyzer::login::NVT_Analyzer* nvt_resp; analyzer::login::NVT_Analyzer* nvt_resp;
uint32_t pending_reply; // code associated with multi-line reply, or 0 uint32_t pending_reply; // code associated with multi-line reply, or 0
std::string auth_requested; // AUTH method requested std::string auth_requested; // AUTH method requested
}; };
@ -34,9 +34,9 @@ protected:
* analyzer just decodes the tokens and passes them on to the parent, which must * analyzer just decodes the tokens and passes them on to the parent, which must
* be an SSL analyzer instance. * be an SSL analyzer instance.
*/ */
class FTP_ADAT_Analyzer final : public zeek::analyzer::SupportAnalyzer { class FTP_ADAT_Analyzer final : public analyzer::SupportAnalyzer {
public: public:
FTP_ADAT_Analyzer(zeek::Connection* conn, bool arg_orig) FTP_ADAT_Analyzer(Connection* conn, bool arg_orig)
: SupportAnalyzer("FTP_ADAT", conn, arg_orig), : SupportAnalyzer("FTP_ADAT", conn, arg_orig),
first_token(true) { } first_token(true) { }

42
src/analyzer/protocol/gnutella/Gnutella.cc
View file

@ -36,8 +36,8 @@ GnutellaMsgState::GnutellaMsgState()
} // namespace detail } // namespace detail
Gnutella_Analyzer::Gnutella_Analyzer(zeek::Connection* conn) Gnutella_Analyzer::Gnutella_Analyzer(Connection* conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("GNUTELLA", conn) : analyzer::tcp::TCP_ApplicationAnalyzer("GNUTELLA", conn)
{ {
state = 0; state = 0;
new_state = 0; new_state = 0;
@ -57,7 +57,7 @@ Gnutella_Analyzer::~Gnutella_Analyzer()
void Gnutella_Analyzer::Done() void Gnutella_Analyzer::Done()
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); analyzer::tcp::TCP_ApplicationAnalyzer::Done();
if ( ! sent_establish && (gnutella_establish || gnutella_not_establish) ) if ( ! sent_establish && (gnutella_establish || gnutella_not_establish) )
{ {
@ -76,9 +76,9 @@ void Gnutella_Analyzer::Done()
if ( ! p->msg_sent && p->msg_pos ) if ( ! p->msg_sent && p->msg_pos )
EnqueueConnEvent(gnutella_partial_binary_msg, EnqueueConnEvent(gnutella_partial_binary_msg,
ConnVal(), ConnVal(),
zeek::make_intrusive<zeek::StringVal>(p->msg), make_intrusive<StringVal>(p->msg),
zeek::val_mgr->Bool((i == 0)), val_mgr->Bool((i == 0)),
zeek::val_mgr->Count(p->msg_pos)); val_mgr->Count(p->msg_pos));
else if ( ! p->msg_sent && p->payload_left ) else if ( ! p->msg_sent && p->payload_left )
SendEvents(p, (i == 0)); SendEvents(p, (i == 0));
@ -122,16 +122,16 @@ bool Gnutella_Analyzer::IsHTTP(std::string header)
if ( gnutella_http_notify ) if ( gnutella_http_notify )
EnqueueConnEvent(gnutella_http_notify, ConnVal()); EnqueueConnEvent(gnutella_http_notify, ConnVal());
zeek::analyzer::Analyzer* a = zeek::analyzer_mgr->InstantiateAnalyzer("HTTP", Conn()); analyzer::Analyzer* a = analyzer_mgr->InstantiateAnalyzer("HTTP", Conn());
if ( a && Parent()->AddChildAnalyzer(a) ) if ( a && Parent()->AddChildAnalyzer(a) )
{ {
if ( Parent()->IsAnalyzer("TCP") ) if ( Parent()->IsAnalyzer("TCP") )
{ {
// Replay buffered data. // Replay buffered data.
zeek::analyzer::pia::PIA* pia = static_cast<zeek::analyzer::TransportLayerAnalyzer *>(Parent())->GetPIA(); analyzer::pia::PIA* pia = static_cast<analyzer::TransportLayerAnalyzer *>(Parent())->GetPIA();
if ( pia ) if ( pia )
static_cast<zeek::analyzer::pia::PIA_TCP *>(pia)->ReplayStreamBuffer(a); static_cast<analyzer::pia::PIA_TCP *>(pia)->ReplayStreamBuffer(a);
} }
Parent()->RemoveChildAnalyzer(this); Parent()->RemoveChildAnalyzer(this);
@ -180,8 +180,8 @@ void Gnutella_Analyzer::DeliverLines(int len, const u_char* data, bool orig)
if ( gnutella_text_msg ) if ( gnutella_text_msg )
EnqueueConnEvent(gnutella_text_msg, EnqueueConnEvent(gnutella_text_msg,
ConnVal(), ConnVal(),
zeek::val_mgr->Bool(orig), val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(ms->headers.data())); make_intrusive<StringVal>(ms->headers.data()));
ms->headers = ""; ms->headers = "";
state |= new_state; state |= new_state;
@ -217,15 +217,15 @@ void Gnutella_Analyzer::SendEvents(detail::GnutellaMsgState* p, bool is_orig)
if ( gnutella_binary_msg ) if ( gnutella_binary_msg )
EnqueueConnEvent(gnutella_binary_msg, EnqueueConnEvent(gnutella_binary_msg,
ConnVal(), ConnVal(),
zeek::val_mgr->Bool(is_orig), val_mgr->Bool(is_orig),
zeek::val_mgr->Count(p->msg_type), val_mgr->Count(p->msg_type),
zeek::val_mgr->Count(p->msg_ttl), val_mgr->Count(p->msg_ttl),
zeek::val_mgr->Count(p->msg_hops), val_mgr->Count(p->msg_hops),
zeek::val_mgr->Count(p->msg_len), val_mgr->Count(p->msg_len),
zeek::make_intrusive<zeek::StringVal>(p->payload), make_intrusive<StringVal>(p->payload),
zeek::val_mgr->Count(p->payload_len), val_mgr->Count(p->payload_len),
zeek::val_mgr->Bool((p->payload_len < std::min(p->msg_len, (unsigned int)GNUTELLA_MAX_PAYLOAD))), val_mgr->Bool((p->payload_len < std::min(p->msg_len, (unsigned int)GNUTELLA_MAX_PAYLOAD))),
zeek::val_mgr->Bool((p->payload_left == 0))); val_mgr->Bool((p->payload_left == 0)));
} }
@ -304,7 +304,7 @@ void Gnutella_Analyzer::DeliverMessages(int len, const u_char* data, bool orig)
void Gnutella_Analyzer::DeliverStream(int len, const u_char* data, bool orig) void Gnutella_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
ms = orig ? orig_msg_state : resp_msg_state; ms = orig ? orig_msg_state : resp_msg_state;
ms->current_offset = 0; ms->current_offset = 0;

6
src/analyzer/protocol/gnutella/Gnutella.h
View file

@ -36,15 +36,15 @@ public:
} // namespace detail } // namespace detail
class Gnutella_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { class Gnutella_Analyzer : public analyzer::tcp::TCP_ApplicationAnalyzer {
public: public:
explicit Gnutella_Analyzer(zeek::Connection* conn); explicit Gnutella_Analyzer(Connection* conn);
~Gnutella_Analyzer() override; ~Gnutella_Analyzer() override;
void Done () override; void Done () override;
void DeliverStream(int len, const u_char* data, bool orig) override; void DeliverStream(int len, const u_char* data, bool orig) override;
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new Gnutella_Analyzer(conn); } { return new Gnutella_Analyzer(conn); }
private: private:

14
src/analyzer/protocol/gssapi/GSSAPI.cc
View file

@ -7,8 +7,8 @@
namespace zeek::analyzer::gssapi { namespace zeek::analyzer::gssapi {
GSSAPI_Analyzer::GSSAPI_Analyzer(zeek::Connection* c) GSSAPI_Analyzer::GSSAPI_Analyzer(Connection* c)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("GSSAPI", c) : analyzer::tcp::TCP_ApplicationAnalyzer("GSSAPI", c)
{ {
interp = new binpac::GSSAPI::GSSAPI_Conn(this); interp = new binpac::GSSAPI::GSSAPI_Conn(this);
} }
@ -20,7 +20,7 @@ GSSAPI_Analyzer::~GSSAPI_Analyzer()
void GSSAPI_Analyzer::Done() void GSSAPI_Analyzer::Done()
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); analyzer::tcp::TCP_ApplicationAnalyzer::Done();
interp->FlowEOF(true); interp->FlowEOF(true);
interp->FlowEOF(false); interp->FlowEOF(false);
@ -28,13 +28,13 @@ void GSSAPI_Analyzer::Done()
void GSSAPI_Analyzer::EndpointEOF(bool is_orig) void GSSAPI_Analyzer::EndpointEOF(bool is_orig)
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
interp->FlowEOF(is_orig); interp->FlowEOF(is_orig);
} }
void GSSAPI_Analyzer::DeliverStream(int len, const u_char* data, bool orig) void GSSAPI_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
assert(TCP()); assert(TCP());
@ -45,13 +45,13 @@ void GSSAPI_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
} }
catch ( const binpac::Exception& e ) catch ( const binpac::Exception& e )
{ {
ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg())); ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
} }
} }
void GSSAPI_Analyzer::Undelivered(uint64_t seq, int len, bool orig) void GSSAPI_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
interp->NewGap(orig, len); interp->NewGap(orig, len);
} }

8
src/analyzer/protocol/gssapi/GSSAPI.h
View file

@ -9,10 +9,10 @@
namespace zeek::analyzer::gssapi { namespace zeek::analyzer::gssapi {
class GSSAPI_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { class GSSAPI_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer {
public: public:
explicit GSSAPI_Analyzer(zeek::Connection* conn); explicit GSSAPI_Analyzer(Connection* conn);
~GSSAPI_Analyzer() override; ~GSSAPI_Analyzer() override;
// Overriden from Analyzer. // Overriden from Analyzer.
@ -21,10 +21,10 @@ public:
void DeliverStream(int len, const u_char* data, bool orig) override; void DeliverStream(int len, const u_char* data, bool orig) override;
void Undelivered(uint64_t seq, int len, bool orig) override; void Undelivered(uint64_t seq, int len, bool orig) override;
// Overriden from zeek::analyzer::tcp::TCP_ApplicationAnalyzer. // Overriden from analyzer::tcp::TCP_ApplicationAnalyzer.
void EndpointEOF(bool is_orig) override; void EndpointEOF(bool is_orig) override;
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new GSSAPI_Analyzer(conn); } { return new GSSAPI_Analyzer(conn); }
protected: protected:

6
src/analyzer/protocol/gtpv1/GTPv1.cc
View file

@ -6,7 +6,7 @@
namespace zeek::analyzer::gtpv1 { namespace zeek::analyzer::gtpv1 {
GTPv1_Analyzer::GTPv1_Analyzer(zeek::Connection* conn) GTPv1_Analyzer::GTPv1_Analyzer(Connection* conn)
: Analyzer("GTPV1", conn) : Analyzer("GTPV1", conn)
{ {
interp = new binpac::GTPv1::GTPv1_Conn(this); interp = new binpac::GTPv1::GTPv1_Conn(this);
@ -23,7 +23,7 @@ void GTPv1_Analyzer::Done()
Event(udp_session_done); Event(udp_session_done);
} }
void GTPv1_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64_t seq, const zeek::IP_Hdr* ip, int caplen) void GTPv1_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64_t seq, const IP_Hdr* ip, int caplen)
{ {
Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
try try
@ -32,7 +32,7 @@ void GTPv1_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint6
} }
catch ( const binpac::Exception& e ) catch ( const binpac::Exception& e )
{ {
ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg())); ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
} }
} }

8
src/analyzer/protocol/gtpv1/GTPv1.h
View file

@ -4,16 +4,16 @@
namespace zeek::analyzer::gtpv1 { namespace zeek::analyzer::gtpv1 {
class GTPv1_Analyzer final : public zeek::analyzer::Analyzer { class GTPv1_Analyzer final : public analyzer::Analyzer {
public: public:
explicit GTPv1_Analyzer(zeek::Connection* conn); explicit GTPv1_Analyzer(Connection* conn);
virtual ~GTPv1_Analyzer(); virtual ~GTPv1_Analyzer();
virtual void Done(); virtual void Done();
virtual void DeliverPacket(int len, const u_char* data, bool orig, virtual void DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const zeek::IP_Hdr* ip, int caplen); uint64_t seq, const IP_Hdr* ip, int caplen);
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new GTPv1_Analyzer(conn); } { return new GTPv1_Analyzer(conn); }
protected: protected:

366
src/analyzer/protocol/http/HTTP.cc
View file

File diff suppressed because it is too large Load diff

70
src/analyzer/protocol/http/HTTP.h
View file

@ -27,9 +27,9 @@ class HTTP_Entity;
class HTTP_Message; class HTTP_Message;
class HTTP_Analyzer; class HTTP_Analyzer;
class HTTP_Entity final : public zeek::analyzer::mime::MIME_Entity { class HTTP_Entity final : public analyzer::mime::MIME_Entity {
public: public:
HTTP_Entity(HTTP_Message* msg, zeek::analyzer::mime::MIME_Entity* parent_entity, HTTP_Entity(HTTP_Message* msg, analyzer::mime::MIME_Entity* parent_entity,
int expect_body); int expect_body);
~HTTP_Entity() override ~HTTP_Entity() override
{ {
@ -58,7 +58,7 @@ protected:
int64_t body_length; int64_t body_length;
int64_t header_length; int64_t header_length;
enum { IDENTITY, GZIP, COMPRESS, DEFLATE } encoding; enum { IDENTITY, GZIP, COMPRESS, DEFLATE } encoding;
zeek::analyzer::zip::ZIP_Analyzer* zip; analyzer::zip::ZIP_Analyzer* zip;
bool deliver_body; bool deliver_body;
bool is_partial_content; bool is_partial_content;
uint64_t offset; uint64_t offset;
@ -66,7 +66,7 @@ protected:
bool send_size; // whether to send size indication to FAF bool send_size; // whether to send size indication to FAF
std::string precomputed_file_id; std::string precomputed_file_id;
zeek::analyzer::mime::MIME_Entity* NewChildEntity() override { return new HTTP_Entity(http_message, this, 1); } analyzer::mime::MIME_Entity* NewChildEntity() override { return new HTTP_Entity(http_message, this, 1); }
void DeliverBody(int len, const char* data, bool trailing_CRLF); void DeliverBody(int len, const char* data, bool trailing_CRLF);
void DeliverBodyClear(int len, const char* data, bool trailing_CRLF); void DeliverBodyClear(int len, const char* data, bool trailing_CRLF);
@ -75,7 +75,7 @@ protected:
void SetPlainDelivery(int64_t length); void SetPlainDelivery(int64_t length);
void SubmitHeader(zeek::analyzer::mime::MIME_Header* h) override; void SubmitHeader(analyzer::mime::MIME_Header* h) override;
void SubmitAllHeaders() override; void SubmitAllHeaders() override;
}; };
@ -96,11 +96,11 @@ enum {
// HTTP_Message::EndEntity -> Message::Done // HTTP_Message::EndEntity -> Message::Done
// HTTP_MessageDone -> {Request,Reply}Made // HTTP_MessageDone -> {Request,Reply}Made
class HTTP_Message final : public zeek::analyzer::mime::MIME_Message { class HTTP_Message final : public analyzer::mime::MIME_Message {
friend class HTTP_Entity; friend class HTTP_Entity;
public: public:
HTTP_Message(HTTP_Analyzer* analyzer, zeek::analyzer::tcp::ContentLine_Analyzer* cl, HTTP_Message(HTTP_Analyzer* analyzer, analyzer::tcp::ContentLine_Analyzer* cl,
bool is_orig, int expect_body, int64_t init_header_length); bool is_orig, int expect_body, int64_t init_header_length);
~HTTP_Message() override; ~HTTP_Message() override;
void Done(bool interrupted, const char* msg); void Done(bool interrupted, const char* msg);
@ -108,16 +108,16 @@ public:
bool Undelivered(int64_t len); bool Undelivered(int64_t len);
void BeginEntity(zeek::analyzer::mime::MIME_Entity* /* entity */) override; void BeginEntity(analyzer::mime::MIME_Entity* /* entity */) override;
void EndEntity(zeek::analyzer::mime::MIME_Entity* entity) override; void EndEntity(analyzer::mime::MIME_Entity* entity) override;
void SubmitHeader(zeek::analyzer::mime::MIME_Header* h) override; void SubmitHeader(analyzer::mime::MIME_Header* h) override;
void SubmitAllHeaders(zeek::analyzer::mime::MIME_HeaderList& /* hlist */) override; void SubmitAllHeaders(analyzer::mime::MIME_HeaderList& /* hlist */) override;
void SubmitData(int len, const char* buf) override; void SubmitData(int len, const char* buf) override;
bool RequestBuffer(int* plen, char** pbuf) override; bool RequestBuffer(int* plen, char** pbuf) override;
void SubmitAllData(); void SubmitAllData();
void SubmitEvent(int event_type, const char* detail) override; void SubmitEvent(int event_type, const char* detail) override;
void SubmitTrailingHeaders(zeek::analyzer::mime::MIME_HeaderList& /* hlist */); void SubmitTrailingHeaders(analyzer::mime::MIME_HeaderList& /* hlist */);
void SetPlainDelivery(int64_t length); void SetPlainDelivery(int64_t length);
void SkipEntityData(); void SkipEntityData();
@ -129,7 +129,7 @@ public:
protected: protected:
HTTP_Analyzer* analyzer; HTTP_Analyzer* analyzer;
zeek::analyzer::tcp::ContentLine_Analyzer* content_line; analyzer::tcp::ContentLine_Analyzer* content_line;
bool is_orig; bool is_orig;
char* entity_data_buffer; char* entity_data_buffer;
@ -145,18 +145,18 @@ protected:
HTTP_Entity* current_entity; HTTP_Entity* current_entity;
zeek::RecordValPtr BuildMessageStat(bool interrupted, const char* msg); RecordValPtr BuildMessageStat(bool interrupted, const char* msg);
}; };
class HTTP_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { class HTTP_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer {
public: public:
HTTP_Analyzer(zeek::Connection* conn); HTTP_Analyzer(Connection* conn);
void HTTP_Header(bool is_orig, zeek::analyzer::mime::MIME_Header* h); void HTTP_Header(bool is_orig, analyzer::mime::MIME_Header* h);
void HTTP_EntityData(bool is_orig, zeek::String* entity_data); void HTTP_EntityData(bool is_orig, String* entity_data);
void HTTP_MessageDone(bool is_orig, HTTP_Message* message); void HTTP_MessageDone(bool is_orig, HTTP_Message* message);
void HTTP_Event(const char* category, const char* detail); void HTTP_Event(const char* category, const char* detail);
void HTTP_Event(const char* category, zeek::StringValPtr detail); void HTTP_Event(const char* category, StringValPtr detail);
void SkipEntityData(bool is_orig); void SkipEntityData(bool is_orig);
@ -168,7 +168,7 @@ public:
void DeliverStream(int len, const u_char* data, bool orig) override; void DeliverStream(int len, const u_char* data, bool orig) override;
void Undelivered(uint64_t seq, int len, bool orig) override; void Undelivered(uint64_t seq, int len, bool orig) override;
// Overriden from zeek::analyzer::tcp::TCP_ApplicationAnalyzer // Overriden from analyzer::tcp::TCP_ApplicationAnalyzer
void EndpointEOF(bool is_orig) override; void EndpointEOF(bool is_orig) override;
void ConnectionFinished(bool half_finished) override; void ConnectionFinished(bool half_finished) override;
void ConnectionReset() override; void ConnectionReset() override;
@ -195,7 +195,7 @@ public:
int GetRequestOngoing() { return request_ongoing; }; int GetRequestOngoing() { return request_ongoing; };
int GetReplyOngoing() { return reply_ongoing; }; int GetReplyOngoing() { return reply_ongoing; };
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new HTTP_Analyzer(conn); } { return new HTTP_Analyzer(conn); }
static bool Available() static bool Available()
@ -210,7 +210,7 @@ protected:
int HTTP_RequestLine(const char* line, const char* end_of_line); int HTTP_RequestLine(const char* line, const char* end_of_line);
int HTTP_ReplyLine(const char* line, const char* end_of_line); int HTTP_ReplyLine(const char* line, const char* end_of_line);
void InitHTTPMessage(zeek::analyzer::tcp::ContentLine_Analyzer* cl, HTTP_Message*& message, bool is_orig, void InitHTTPMessage(analyzer::tcp::ContentLine_Analyzer* cl, HTTP_Message*& message, bool is_orig,
int expect_body, int64_t init_header_length); int expect_body, int64_t init_header_length);
const char* PrefixMatch(const char* line, const char* end_of_line, const char* PrefixMatch(const char* line, const char* end_of_line,
@ -230,14 +230,14 @@ protected:
void RequestMade(bool interrupted, const char* msg); void RequestMade(bool interrupted, const char* msg);
void ReplyMade(bool interrupted, const char* msg); void ReplyMade(bool interrupted, const char* msg);
void RequestClash(zeek::Val* clash_val); void RequestClash(Val* clash_val);
const zeek::String* UnansweredRequestMethod(); const String* UnansweredRequestMethod();
int HTTP_ReplyCode(const char* code_str); int HTTP_ReplyCode(const char* code_str);
int ExpectReplyMessageBody(); int ExpectReplyMessageBody();
zeek::StringValPtr TruncateURI(const zeek::StringValPtr& uri); StringValPtr TruncateURI(const StringValPtr& uri);
int request_state, reply_state; int request_state, reply_state;
int num_requests, num_replies; int num_requests, num_replies;
@ -248,7 +248,7 @@ protected:
int request_ongoing, reply_ongoing; int request_ongoing, reply_ongoing;
bool connect_request; bool connect_request;
zeek::analyzer::pia::PIA_TCP *pia; analyzer::pia::PIA_TCP *pia;
// set to true after a connection was upgraded // set to true after a connection was upgraded
bool upgraded; bool upgraded;
// set to true when encountering an "connection" header in a reply. // set to true when encountering an "connection" header in a reply.
@ -257,22 +257,22 @@ protected:
// in a reply. // in a reply.
std::string upgrade_protocol; std::string upgrade_protocol;
zeek::StringValPtr request_method; StringValPtr request_method;
// request_URI is in the original form (may contain '%<hex><hex>' // request_URI is in the original form (may contain '%<hex><hex>'
// sequences). // sequences).
zeek::StringValPtr request_URI; StringValPtr request_URI;
// unescaped_URI does not contain escaped sequences. // unescaped_URI does not contain escaped sequences.
zeek::StringValPtr unescaped_URI; StringValPtr unescaped_URI;
std::queue<zeek::StringValPtr> unanswered_requests; std::queue<StringValPtr> unanswered_requests;
int reply_code; int reply_code;
zeek::StringValPtr reply_reason_phrase; StringValPtr reply_reason_phrase;
zeek::analyzer::tcp::ContentLine_Analyzer* content_line_orig; analyzer::tcp::ContentLine_Analyzer* content_line_orig;
zeek::analyzer::tcp::ContentLine_Analyzer* content_line_resp; analyzer::tcp::ContentLine_Analyzer* content_line_resp;
HTTP_Message* request_message; HTTP_Message* request_message;
HTTP_Message* reply_message; HTTP_Message* reply_message;
@ -281,8 +281,8 @@ protected:
extern bool is_reserved_URI_char(unsigned char ch); extern bool is_reserved_URI_char(unsigned char ch);
extern bool is_unreserved_URI_char(unsigned char ch); extern bool is_unreserved_URI_char(unsigned char ch);
extern void escape_URI_char(unsigned char ch, unsigned char*& p); extern void escape_URI_char(unsigned char ch, unsigned char*& p);
extern zeek::String* unescape_URI(const u_char* line, const u_char* line_end, extern String* unescape_URI(const u_char* line, const u_char* line_end,
zeek::analyzer::Analyzer* analyzer); analyzer::Analyzer* analyzer);
} // namespace zeek::analyzer::http } // namespace zeek::analyzer::http

290
src/analyzer/protocol/icmp/ICMP.cc
View file

@ -20,7 +20,7 @@
namespace zeek::analyzer::icmp { namespace zeek::analyzer::icmp {
ICMP_Analyzer::ICMP_Analyzer(zeek::Connection* c) ICMP_Analyzer::ICMP_Analyzer(Connection* c)
: TransportLayerAnalyzer("ICMP", c), : TransportLayerAnalyzer("ICMP", c),
icmp_conn_val(), type(), code(), request_len(-1), reply_len(-1) icmp_conn_val(), type(), code(), request_len(-1), reply_len(-1)
{ {
@ -35,7 +35,7 @@ void ICMP_Analyzer::Done()
} }
void ICMP_Analyzer::DeliverPacket(int len, const u_char* data, void ICMP_Analyzer::DeliverPacket(int len, const u_char* data,
bool is_orig, uint64_t seq, const zeek::IP_Hdr* ip, int caplen) bool is_orig, uint64_t seq, const IP_Hdr* ip, int caplen)
{ {
assert(ip); assert(ip);
@ -64,7 +64,7 @@ void ICMP_Analyzer::DeliverPacket(int len, const u_char* data,
break; break;
default: default:
zeek::reporter->AnalyzerError( reporter->AnalyzerError(
this, "unexpected IP proto in ICMP analyzer: %d", ip->NextProto()); this, "unexpected IP proto in ICMP analyzer: %d", ip->NextProto());
return; return;
} }
@ -76,7 +76,7 @@ void ICMP_Analyzer::DeliverPacket(int len, const u_char* data,
} }
} }
Conn()->SetLastTime(zeek::run_state::current_timestamp); Conn()->SetLastTime(run_state::current_timestamp);
if ( zeek::detail::rule_matcher ) if ( zeek::detail::rule_matcher )
{ {
@ -99,12 +99,12 @@ void ICMP_Analyzer::DeliverPacket(int len, const u_char* data,
len_stat += len; len_stat += len;
if ( ip->NextProto() == IPPROTO_ICMP ) if ( ip->NextProto() == IPPROTO_ICMP )
NextICMP4(zeek::run_state::current_timestamp, icmpp, len, caplen, data, ip); NextICMP4(run_state::current_timestamp, icmpp, len, caplen, data, ip);
else if ( ip->NextProto() == IPPROTO_ICMPV6 ) else if ( ip->NextProto() == IPPROTO_ICMPV6 )
NextICMP6(zeek::run_state::current_timestamp, icmpp, len, caplen, data, ip); NextICMP6(run_state::current_timestamp, icmpp, len, caplen, data, ip);
else else
{ {
zeek::reporter->AnalyzerError( reporter->AnalyzerError(
this, "expected ICMP as IP packet's protocol, got %d", ip->NextProto()); this, "expected ICMP as IP packet's protocol, got %d", ip->NextProto());
return; return;
} }
@ -119,7 +119,7 @@ void ICMP_Analyzer::DeliverPacket(int len, const u_char* data,
} }
void ICMP_Analyzer::NextICMP4(double t, const struct icmp* icmpp, int len, int caplen, void ICMP_Analyzer::NextICMP4(double t, const struct icmp* icmpp, int len, int caplen,
const u_char*& data, const zeek::IP_Hdr* ip_hdr ) const u_char*& data, const IP_Hdr* ip_hdr )
{ {
switch ( icmpp->icmp_type ) switch ( icmpp->icmp_type )
{ {
@ -140,7 +140,7 @@ void ICMP_Analyzer::NextICMP4(double t, const struct icmp* icmpp, int len, int c
} }
void ICMP_Analyzer::NextICMP6(double t, const struct icmp* icmpp, int len, int caplen, void ICMP_Analyzer::NextICMP6(double t, const struct icmp* icmpp, int len, int caplen,
const u_char*& data, const zeek::IP_Hdr* ip_hdr ) const u_char*& data, const IP_Hdr* ip_hdr )
{ {
switch ( icmpp->icmp_type ) switch ( icmpp->icmp_type )
{ {
@ -199,7 +199,7 @@ void ICMP_Analyzer::NextICMP6(double t, const struct icmp* icmpp, int len, int c
void ICMP_Analyzer::ICMP_Sent(const struct icmp* icmpp, int len, int caplen, void ICMP_Analyzer::ICMP_Sent(const struct icmp* icmpp, int len, int caplen,
int icmpv6, const u_char* data, int icmpv6, const u_char* data,
const zeek::IP_Hdr* ip_hdr) const IP_Hdr* ip_hdr)
{ {
if ( icmp_sent ) if ( icmp_sent )
EnqueueConnEvent(icmp_sent, EnqueueConnEvent(icmp_sent,
@ -210,51 +210,51 @@ void ICMP_Analyzer::ICMP_Sent(const struct icmp* icmpp, int len, int caplen,
if ( icmp_sent_payload ) if ( icmp_sent_payload )
{ {
zeek::String* payload = new zeek::String(data, std::min(len, caplen), false); String* payload = new String(data, std::min(len, caplen), false);
EnqueueConnEvent(icmp_sent_payload, EnqueueConnEvent(icmp_sent_payload,
ConnVal(), ConnVal(),
BuildICMPVal(icmpp, len, icmpv6, ip_hdr), BuildICMPVal(icmpp, len, icmpv6, ip_hdr),
BuildInfo(icmpp, len, icmpv6, ip_hdr), BuildInfo(icmpp, len, icmpv6, ip_hdr),
zeek::make_intrusive<zeek::StringVal>(payload) make_intrusive<StringVal>(payload)
); );
} }
} }
zeek::RecordValPtr ICMP_Analyzer::BuildICMPVal(const struct icmp* icmpp, int len, RecordValPtr ICMP_Analyzer::BuildICMPVal(const struct icmp* icmpp, int len,
int icmpv6, const zeek::IP_Hdr* ip_hdr) int icmpv6, const IP_Hdr* ip_hdr)
{ {
if ( ! icmp_conn_val ) if ( ! icmp_conn_val )
{ {
static auto icmp_conn = zeek::id::find_type<zeek::RecordType>("icmp_conn"); static auto icmp_conn = id::find_type<RecordType>("icmp_conn");
icmp_conn_val = zeek::make_intrusive<zeek::RecordVal>(icmp_conn); icmp_conn_val = make_intrusive<RecordVal>(icmp_conn);
icmp_conn_val->Assign(0, zeek::make_intrusive<zeek::AddrVal>(Conn()->OrigAddr())); icmp_conn_val->Assign(0, make_intrusive<AddrVal>(Conn()->OrigAddr()));
icmp_conn_val->Assign(1, zeek::make_intrusive<zeek::AddrVal>(Conn()->RespAddr())); icmp_conn_val->Assign(1, make_intrusive<AddrVal>(Conn()->RespAddr()));
icmp_conn_val->Assign(2, zeek::val_mgr->Count(icmpp->icmp_type)); icmp_conn_val->Assign(2, val_mgr->Count(icmpp->icmp_type));
icmp_conn_val->Assign(3, zeek::val_mgr->Count(icmpp->icmp_code)); icmp_conn_val->Assign(3, val_mgr->Count(icmpp->icmp_code));
icmp_conn_val->Assign(4, zeek::val_mgr->Count(len)); icmp_conn_val->Assign(4, val_mgr->Count(len));
icmp_conn_val->Assign(5, zeek::val_mgr->Count(ip_hdr->TTL())); icmp_conn_val->Assign(5, val_mgr->Count(ip_hdr->TTL()));
icmp_conn_val->Assign(6, zeek::val_mgr->Bool(icmpv6)); icmp_conn_val->Assign(6, val_mgr->Bool(icmpv6));
} }
return icmp_conn_val; return icmp_conn_val;
} }
zeek::RecordValPtr ICMP_Analyzer::BuildInfo(const struct icmp* icmpp, int len, RecordValPtr ICMP_Analyzer::BuildInfo(const struct icmp* icmpp, int len,
bool icmpv6, const zeek::IP_Hdr* ip_hdr) bool icmpv6, const IP_Hdr* ip_hdr)
{ {
static auto icmp_info = zeek::id::find_type<zeek::RecordType>("icmp_info"); static auto icmp_info = id::find_type<RecordType>("icmp_info");
auto rval = zeek::make_intrusive<zeek::RecordVal>(icmp_info); auto rval = make_intrusive<RecordVal>(icmp_info);
rval->Assign(0, zeek::val_mgr->Bool(icmpv6)); rval->Assign(0, val_mgr->Bool(icmpv6));
rval->Assign(1, zeek::val_mgr->Count(icmpp->icmp_type)); rval->Assign(1, val_mgr->Count(icmpp->icmp_type));
rval->Assign(2, zeek::val_mgr->Count(icmpp->icmp_code)); rval->Assign(2, val_mgr->Count(icmpp->icmp_code));
rval->Assign(3, zeek::val_mgr->Count(len)); rval->Assign(3, val_mgr->Count(len));
rval->Assign(4, zeek::val_mgr->Count(ip_hdr->TTL())); rval->Assign(4, val_mgr->Count(ip_hdr->TTL()));
return rval; return rval;
} }
TransportProto ICMP_Analyzer::GetContextProtocol(const zeek::IP_Hdr* ip_hdr, uint32_t* src_port, uint32_t* dst_port) TransportProto ICMP_Analyzer::GetContextProtocol(const IP_Hdr* ip_hdr, uint32_t* src_port, uint32_t* dst_port)
{ {
const u_char* transport_hdr; const u_char* transport_hdr;
uint32_t ip_hdr_len = ip_hdr->HdrLen(); uint32_t ip_hdr_len = ip_hdr->HdrLen();
@ -319,17 +319,17 @@ TransportProto ICMP_Analyzer::GetContextProtocol(const zeek::IP_Hdr* ip_hdr, uin
return proto; return proto;
} }
zeek::RecordValPtr ICMP_Analyzer::ExtractICMP4Context(int len, const u_char*& data) RecordValPtr ICMP_Analyzer::ExtractICMP4Context(int len, const u_char*& data)
{ {
const zeek::IP_Hdr ip_hdr_data((const struct ip*) data, false); const IP_Hdr ip_hdr_data((const struct ip*) data, false);
const zeek::IP_Hdr* ip_hdr = &ip_hdr_data; const IP_Hdr* ip_hdr = &ip_hdr_data;
uint32_t ip_hdr_len = ip_hdr->HdrLen(); uint32_t ip_hdr_len = ip_hdr->HdrLen();
uint32_t ip_len, frag_offset; uint32_t ip_len, frag_offset;
TransportProto proto = TRANSPORT_UNKNOWN; TransportProto proto = TRANSPORT_UNKNOWN;
int DF, MF, bad_hdr_len, bad_checksum; int DF, MF, bad_hdr_len, bad_checksum;
zeek::IPAddr src_addr, dst_addr; IPAddr src_addr, dst_addr;
uint32_t src_port, dst_port; uint32_t src_port, dst_port;
if ( len < (int)sizeof(struct ip) || ip_hdr_len > uint32_t(len) ) if ( len < (int)sizeof(struct ip) || ip_hdr_len > uint32_t(len) )
@ -345,7 +345,7 @@ zeek::RecordValPtr ICMP_Analyzer::ExtractICMP4Context(int len, const u_char*& da
{ {
bad_hdr_len = 0; bad_hdr_len = 0;
ip_len = ip_hdr->TotalLen(); ip_len = ip_hdr->TotalLen();
bad_checksum = ! zeek::run_state::current_pkt->l3_checksummed && bad_checksum = ! run_state::current_pkt->l3_checksummed &&
(ones_complement_checksum((void*) ip_hdr->IP4_Hdr(), ip_hdr_len, 0) != 0xffff); (ones_complement_checksum((void*) ip_hdr->IP4_Hdr(), ip_hdr_len, 0) != 0xffff);
src_addr = ip_hdr->SrcAddr(); src_addr = ip_hdr->SrcAddr();
@ -366,34 +366,34 @@ zeek::RecordValPtr ICMP_Analyzer::ExtractICMP4Context(int len, const u_char*& da
} }
} }
static auto icmp_context = zeek::id::find_type<zeek::RecordType>("icmp_context"); static auto icmp_context = id::find_type<RecordType>("icmp_context");
auto iprec = zeek::make_intrusive<zeek::RecordVal>(icmp_context); auto iprec = make_intrusive<RecordVal>(icmp_context);
auto id_val = zeek::make_intrusive<zeek::RecordVal>(zeek::id::conn_id); auto id_val = make_intrusive<RecordVal>(id::conn_id);
id_val->Assign(0, zeek::make_intrusive<zeek::AddrVal>(src_addr)); id_val->Assign(0, make_intrusive<AddrVal>(src_addr));
id_val->Assign(1, zeek::val_mgr->Port(src_port, proto)); id_val->Assign(1, val_mgr->Port(src_port, proto));
id_val->Assign(2, zeek::make_intrusive<zeek::AddrVal>(dst_addr)); id_val->Assign(2, make_intrusive<AddrVal>(dst_addr));
id_val->Assign(3, zeek::val_mgr->Port(dst_port, proto)); id_val->Assign(3, val_mgr->Port(dst_port, proto));
iprec->Assign(0, std::move(id_val)); iprec->Assign(0, std::move(id_val));
iprec->Assign(1, zeek::val_mgr->Count(ip_len)); iprec->Assign(1, val_mgr->Count(ip_len));
iprec->Assign(2, zeek::val_mgr->Count(proto)); iprec->Assign(2, val_mgr->Count(proto));
iprec->Assign(3, zeek::val_mgr->Count(frag_offset)); iprec->Assign(3, val_mgr->Count(frag_offset));
iprec->Assign(4, zeek::val_mgr->Bool(bad_hdr_len)); iprec->Assign(4, val_mgr->Bool(bad_hdr_len));
iprec->Assign(5, zeek::val_mgr->Bool(bad_checksum)); iprec->Assign(5, val_mgr->Bool(bad_checksum));
iprec->Assign(6, zeek::val_mgr->Bool(MF)); iprec->Assign(6, val_mgr->Bool(MF));
iprec->Assign(7, zeek::val_mgr->Bool(DF)); iprec->Assign(7, val_mgr->Bool(DF));
return iprec; return iprec;
} }
zeek::RecordValPtr ICMP_Analyzer::ExtractICMP6Context(int len, const u_char*& data) RecordValPtr ICMP_Analyzer::ExtractICMP6Context(int len, const u_char*& data)
{ {
int DF = 0, MF = 0, bad_hdr_len = 0; int DF = 0, MF = 0, bad_hdr_len = 0;
TransportProto proto = TRANSPORT_UNKNOWN; TransportProto proto = TRANSPORT_UNKNOWN;
zeek::IPAddr src_addr; IPAddr src_addr;
zeek::IPAddr dst_addr; IPAddr dst_addr;
uint32_t ip_len, frag_offset = 0; uint32_t ip_len, frag_offset = 0;
uint32_t src_port, dst_port; uint32_t src_port, dst_port;
@ -405,8 +405,8 @@ zeek::RecordValPtr ICMP_Analyzer::ExtractICMP6Context(int len, const u_char*& da
} }
else else
{ {
const zeek::IP_Hdr ip_hdr_data((const struct ip6_hdr*) data, false, len); const IP_Hdr ip_hdr_data((const struct ip6_hdr*) data, false, len);
const zeek::IP_Hdr* ip_hdr = &ip_hdr_data; const IP_Hdr* ip_hdr = &ip_hdr_data;
ip_len = ip_hdr->TotalLen(); ip_len = ip_hdr->TotalLen();
src_addr = ip_hdr->SrcAddr(); src_addr = ip_hdr->SrcAddr();
@ -426,24 +426,24 @@ zeek::RecordValPtr ICMP_Analyzer::ExtractICMP6Context(int len, const u_char*& da
} }
} }
static auto icmp_context = zeek::id::find_type<zeek::RecordType>("icmp_context"); static auto icmp_context = id::find_type<RecordType>("icmp_context");
auto iprec = zeek::make_intrusive<zeek::RecordVal>(icmp_context); auto iprec = make_intrusive<RecordVal>(icmp_context);
auto id_val = zeek::make_intrusive<zeek::RecordVal>(zeek::id::conn_id); auto id_val = make_intrusive<RecordVal>(id::conn_id);
id_val->Assign(0, zeek::make_intrusive<zeek::AddrVal>(src_addr)); id_val->Assign(0, make_intrusive<AddrVal>(src_addr));
id_val->Assign(1, zeek::val_mgr->Port(src_port, proto)); id_val->Assign(1, val_mgr->Port(src_port, proto));
id_val->Assign(2, zeek::make_intrusive<zeek::AddrVal>(dst_addr)); id_val->Assign(2, make_intrusive<AddrVal>(dst_addr));
id_val->Assign(3, zeek::val_mgr->Port(dst_port, proto)); id_val->Assign(3, val_mgr->Port(dst_port, proto));
iprec->Assign(0, std::move(id_val)); iprec->Assign(0, std::move(id_val));
iprec->Assign(1, zeek::val_mgr->Count(ip_len)); iprec->Assign(1, val_mgr->Count(ip_len));
iprec->Assign(2, zeek::val_mgr->Count(proto)); iprec->Assign(2, val_mgr->Count(proto));
iprec->Assign(3, zeek::val_mgr->Count(frag_offset)); iprec->Assign(3, val_mgr->Count(frag_offset));
iprec->Assign(4, zeek::val_mgr->Bool(bad_hdr_len)); iprec->Assign(4, val_mgr->Bool(bad_hdr_len));
// bad_checksum is always false since IPv6 layer doesn't have a checksum. // bad_checksum is always false since IPv6 layer doesn't have a checksum.
iprec->Assign(5, zeek::val_mgr->False()); iprec->Assign(5, val_mgr->False());
iprec->Assign(6, zeek::val_mgr->Bool(MF)); iprec->Assign(6, val_mgr->Bool(MF));
iprec->Assign(7, zeek::val_mgr->Bool(DF)); iprec->Assign(7, val_mgr->Bool(DF));
return iprec; return iprec;
} }
@ -453,7 +453,7 @@ bool ICMP_Analyzer::IsReuse(double /* t */, const u_char* /* pkt */)
return false; return false;
} }
void ICMP_Analyzer::Describe(zeek::ODesc* d) const void ICMP_Analyzer::Describe(ODesc* d) const
{ {
d->Add(Conn()->StartTime()); d->Add(Conn()->StartTime());
d->Add("("); d->Add("(");
@ -472,7 +472,7 @@ void ICMP_Analyzer::Describe(zeek::ODesc* d) const
d->Add(Conn()->RespAddr()); d->Add(Conn()->RespAddr());
} }
void ICMP_Analyzer::UpdateConnVal(zeek::RecordVal *conn_val) void ICMP_Analyzer::UpdateConnVal(RecordVal *conn_val)
{ {
const auto& orig_endp = conn_val->GetField("orig"); const auto& orig_endp = conn_val->GetField("orig");
const auto& resp_endp = conn_val->GetField("resp"); const auto& resp_endp = conn_val->GetField("resp");
@ -484,7 +484,7 @@ void ICMP_Analyzer::UpdateConnVal(zeek::RecordVal *conn_val)
Analyzer::UpdateConnVal(conn_val); Analyzer::UpdateConnVal(conn_val);
} }
void ICMP_Analyzer::UpdateEndpointVal(const zeek::ValPtr& endp_arg, bool is_orig) void ICMP_Analyzer::UpdateEndpointVal(const ValPtr& endp_arg, bool is_orig)
{ {
Conn()->EnableStatusUpdateTimer(); Conn()->EnableStatusUpdateTimer();
@ -493,30 +493,30 @@ void ICMP_Analyzer::UpdateEndpointVal(const zeek::ValPtr& endp_arg, bool is_orig
if ( size < 0 ) if ( size < 0 )
{ {
endp->Assign(0, zeek::val_mgr->Count(0)); endp->Assign(0, val_mgr->Count(0));
endp->Assign(1, zeek::val_mgr->Count(int(ICMP_INACTIVE))); endp->Assign(1, val_mgr->Count(int(ICMP_INACTIVE)));
} }
else else
{ {
endp->Assign(0, zeek::val_mgr->Count(size)); endp->Assign(0, val_mgr->Count(size));
endp->Assign(1, zeek::val_mgr->Count(int(ICMP_ACTIVE))); endp->Assign(1, val_mgr->Count(int(ICMP_ACTIVE)));
} }
} }
unsigned int ICMP_Analyzer::MemoryAllocation() const unsigned int ICMP_Analyzer::MemoryAllocation() const
{ {
return Analyzer::MemoryAllocation() return Analyzer::MemoryAllocation()
+ padded_sizeof(*this) - padded_sizeof(zeek::Connection) + padded_sizeof(*this) - padded_sizeof(Connection)
+ (icmp_conn_val ? icmp_conn_val->MemoryAllocation() : 0); + (icmp_conn_val ? icmp_conn_val->MemoryAllocation() : 0);
} }
void ICMP_Analyzer::Echo(double t, const struct icmp* icmpp, int len, void ICMP_Analyzer::Echo(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr) int caplen, const u_char*& data, const IP_Hdr* ip_hdr)
{ {
// For handling all Echo related ICMP messages // For handling all Echo related ICMP messages
zeek::EventHandlerPtr f = nullptr; EventHandlerPtr f = nullptr;
if ( ip_hdr->NextProto() == IPPROTO_ICMPV6 ) if ( ip_hdr->NextProto() == IPPROTO_ICMPV6 )
f = (icmpp->icmp_type == ICMP6_ECHO_REQUEST) f = (icmpp->icmp_type == ICMP6_ECHO_REQUEST)
@ -531,23 +531,23 @@ void ICMP_Analyzer::Echo(double t, const struct icmp* icmpp, int len,
int iid = ntohs(icmpp->icmp_hun.ih_idseq.icd_id); int iid = ntohs(icmpp->icmp_hun.ih_idseq.icd_id);
int iseq = ntohs(icmpp->icmp_hun.ih_idseq.icd_seq); int iseq = ntohs(icmpp->icmp_hun.ih_idseq.icd_seq);
zeek::String* payload = new zeek::String(data, caplen, false); String* payload = new String(data, caplen, false);
EnqueueConnEvent(f, EnqueueConnEvent(f,
ConnVal(), ConnVal(),
BuildICMPVal(icmpp, len, ip_hdr->NextProto() != IPPROTO_ICMP, ip_hdr), BuildICMPVal(icmpp, len, ip_hdr->NextProto() != IPPROTO_ICMP, ip_hdr),
BuildInfo(icmpp, len, ip_hdr->NextProto() != IPPROTO_ICMP, ip_hdr), BuildInfo(icmpp, len, ip_hdr->NextProto() != IPPROTO_ICMP, ip_hdr),
zeek::val_mgr->Count(iid), val_mgr->Count(iid),
zeek::val_mgr->Count(iseq), val_mgr->Count(iseq),
zeek::make_intrusive<zeek::StringVal>(payload) make_intrusive<StringVal>(payload)
); );
} }
void ICMP_Analyzer::RouterAdvert(double t, const struct icmp* icmpp, int len, void ICMP_Analyzer::RouterAdvert(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr) int caplen, const u_char*& data, const IP_Hdr* ip_hdr)
{ {
zeek::EventHandlerPtr f = icmp_router_advertisement; EventHandlerPtr f = icmp_router_advertisement;
if ( ! f ) if ( ! f )
return; return;
@ -566,33 +566,33 @@ void ICMP_Analyzer::RouterAdvert(double t, const struct icmp* icmpp, int len,
ConnVal(), ConnVal(),
BuildICMPVal(icmpp, len, 1, ip_hdr), BuildICMPVal(icmpp, len, 1, ip_hdr),
BuildInfo(icmpp, len, 1, ip_hdr), BuildInfo(icmpp, len, 1, ip_hdr),
zeek::val_mgr->Count(icmpp->icmp_num_addrs), // Cur Hop Limit val_mgr->Count(icmpp->icmp_num_addrs), // Cur Hop Limit
zeek::val_mgr->Bool(icmpp->icmp_wpa & 0x80), // Managed val_mgr->Bool(icmpp->icmp_wpa & 0x80), // Managed
zeek::val_mgr->Bool(icmpp->icmp_wpa & 0x40), // Other val_mgr->Bool(icmpp->icmp_wpa & 0x40), // Other
zeek::val_mgr->Bool(icmpp->icmp_wpa & 0x20), // Home Agent val_mgr->Bool(icmpp->icmp_wpa & 0x20), // Home Agent
zeek::val_mgr->Count((icmpp->icmp_wpa & 0x18)>>3), // Pref val_mgr->Count((icmpp->icmp_wpa & 0x18)>>3), // Pref
zeek::val_mgr->Bool(icmpp->icmp_wpa & 0x04), // Proxy val_mgr->Bool(icmpp->icmp_wpa & 0x04), // Proxy
zeek::val_mgr->Count(icmpp->icmp_wpa & 0x02), // Reserved val_mgr->Count(icmpp->icmp_wpa & 0x02), // Reserved
zeek::make_intrusive<zeek::IntervalVal>((double)ntohs(icmpp->icmp_lifetime), Seconds), make_intrusive<IntervalVal>((double)ntohs(icmpp->icmp_lifetime), Seconds),
zeek::make_intrusive<zeek::IntervalVal>((double)ntohl(reachable), Milliseconds), make_intrusive<IntervalVal>((double)ntohl(reachable), Milliseconds),
zeek::make_intrusive<zeek::IntervalVal>((double)ntohl(retrans), Milliseconds), make_intrusive<IntervalVal>((double)ntohl(retrans), Milliseconds),
BuildNDOptionsVal(caplen - opt_offset, data + opt_offset) BuildNDOptionsVal(caplen - opt_offset, data + opt_offset)
); );
} }
void ICMP_Analyzer::NeighborAdvert(double t, const struct icmp* icmpp, int len, void ICMP_Analyzer::NeighborAdvert(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr) int caplen, const u_char*& data, const IP_Hdr* ip_hdr)
{ {
zeek::EventHandlerPtr f = icmp_neighbor_advertisement; EventHandlerPtr f = icmp_neighbor_advertisement;
if ( ! f ) if ( ! f )
return; return;
zeek::IPAddr tgtaddr; IPAddr tgtaddr;
if ( caplen >= (int)sizeof(in6_addr) ) if ( caplen >= (int)sizeof(in6_addr) )
tgtaddr = zeek::IPAddr(*((const in6_addr*)data)); tgtaddr = IPAddr(*((const in6_addr*)data));
int opt_offset = sizeof(in6_addr); int opt_offset = sizeof(in6_addr);
@ -600,27 +600,27 @@ void ICMP_Analyzer::NeighborAdvert(double t, const struct icmp* icmpp, int len,
ConnVal(), ConnVal(),
BuildICMPVal(icmpp, len, 1, ip_hdr), BuildICMPVal(icmpp, len, 1, ip_hdr),
BuildInfo(icmpp, len, 1, ip_hdr), BuildInfo(icmpp, len, 1, ip_hdr),
zeek::val_mgr->Bool(icmpp->icmp_num_addrs & 0x80), // Router val_mgr->Bool(icmpp->icmp_num_addrs & 0x80), // Router
zeek::val_mgr->Bool(icmpp->icmp_num_addrs & 0x40), // Solicited val_mgr->Bool(icmpp->icmp_num_addrs & 0x40), // Solicited
zeek::val_mgr->Bool(icmpp->icmp_num_addrs & 0x20), // Override val_mgr->Bool(icmpp->icmp_num_addrs & 0x20), // Override
zeek::make_intrusive<zeek::AddrVal>(tgtaddr), make_intrusive<AddrVal>(tgtaddr),
BuildNDOptionsVal(caplen - opt_offset, data + opt_offset) BuildNDOptionsVal(caplen - opt_offset, data + opt_offset)
); );
} }
void ICMP_Analyzer::NeighborSolicit(double t, const struct icmp* icmpp, int len, void ICMP_Analyzer::NeighborSolicit(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr) int caplen, const u_char*& data, const IP_Hdr* ip_hdr)
{ {
zeek::EventHandlerPtr f = icmp_neighbor_solicitation; EventHandlerPtr f = icmp_neighbor_solicitation;
if ( ! f ) if ( ! f )
return; return;
zeek::IPAddr tgtaddr; IPAddr tgtaddr;
if ( caplen >= (int)sizeof(in6_addr) ) if ( caplen >= (int)sizeof(in6_addr) )
tgtaddr = zeek::IPAddr(*((const in6_addr*)data)); tgtaddr = IPAddr(*((const in6_addr*)data));
int opt_offset = sizeof(in6_addr); int opt_offset = sizeof(in6_addr);
@ -628,27 +628,27 @@ void ICMP_Analyzer::NeighborSolicit(double t, const struct icmp* icmpp, int len,
ConnVal(), ConnVal(),
BuildICMPVal(icmpp, len, 1, ip_hdr), BuildICMPVal(icmpp, len, 1, ip_hdr),
BuildInfo(icmpp, len, 1, ip_hdr), BuildInfo(icmpp, len, 1, ip_hdr),
zeek::make_intrusive<zeek::AddrVal>(tgtaddr), make_intrusive<AddrVal>(tgtaddr),
BuildNDOptionsVal(caplen - opt_offset, data + opt_offset) BuildNDOptionsVal(caplen - opt_offset, data + opt_offset)
); );
} }
void ICMP_Analyzer::Redirect(double t, const struct icmp* icmpp, int len, void ICMP_Analyzer::Redirect(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr) int caplen, const u_char*& data, const IP_Hdr* ip_hdr)
{ {
zeek::EventHandlerPtr f = icmp_redirect; EventHandlerPtr f = icmp_redirect;
if ( ! f ) if ( ! f )
return; return;
zeek::IPAddr tgtaddr, dstaddr; IPAddr tgtaddr, dstaddr;
if ( caplen >= (int)sizeof(in6_addr) ) if ( caplen >= (int)sizeof(in6_addr) )
tgtaddr = zeek::IPAddr(*((const in6_addr*)data)); tgtaddr = IPAddr(*((const in6_addr*)data));
if ( caplen >= 2 * (int)sizeof(in6_addr) ) if ( caplen >= 2 * (int)sizeof(in6_addr) )
dstaddr = zeek::IPAddr(*((const in6_addr*)(data + sizeof(in6_addr)))); dstaddr = IPAddr(*((const in6_addr*)(data + sizeof(in6_addr))));
int opt_offset = 2 * sizeof(in6_addr); int opt_offset = 2 * sizeof(in6_addr);
@ -656,17 +656,17 @@ void ICMP_Analyzer::Redirect(double t, const struct icmp* icmpp, int len,
ConnVal(), ConnVal(),
BuildICMPVal(icmpp, len, 1, ip_hdr), BuildICMPVal(icmpp, len, 1, ip_hdr),
BuildInfo(icmpp, len, 1, ip_hdr), BuildInfo(icmpp, len, 1, ip_hdr),
zeek::make_intrusive<zeek::AddrVal>(tgtaddr), make_intrusive<AddrVal>(tgtaddr),
zeek::make_intrusive<zeek::AddrVal>(dstaddr), make_intrusive<AddrVal>(dstaddr),
BuildNDOptionsVal(caplen - opt_offset, data + opt_offset) BuildNDOptionsVal(caplen - opt_offset, data + opt_offset)
); );
} }
void ICMP_Analyzer::RouterSolicit(double t, const struct icmp* icmpp, int len, void ICMP_Analyzer::RouterSolicit(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr) int caplen, const u_char*& data, const IP_Hdr* ip_hdr)
{ {
zeek::EventHandlerPtr f = icmp_router_solicitation; EventHandlerPtr f = icmp_router_solicitation;
if ( ! f ) if ( ! f )
return; return;
@ -681,9 +681,9 @@ void ICMP_Analyzer::RouterSolicit(double t, const struct icmp* icmpp, int len,
void ICMP_Analyzer::Context4(double t, const struct icmp* icmpp, void ICMP_Analyzer::Context4(double t, const struct icmp* icmpp,
int len, int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr) int len, int caplen, const u_char*& data, const IP_Hdr* ip_hdr)
{ {
zeek::EventHandlerPtr f = nullptr; EventHandlerPtr f = nullptr;
switch ( icmpp->icmp_type ) switch ( icmpp->icmp_type )
{ {
@ -701,16 +701,16 @@ void ICMP_Analyzer::Context4(double t, const struct icmp* icmpp,
ConnVal(), ConnVal(),
BuildICMPVal(icmpp, len, 0, ip_hdr), BuildICMPVal(icmpp, len, 0, ip_hdr),
BuildInfo(icmpp, len, 0, ip_hdr), BuildInfo(icmpp, len, 0, ip_hdr),
zeek::val_mgr->Count(icmpp->icmp_code), val_mgr->Count(icmpp->icmp_code),
ExtractICMP4Context(caplen, data) ExtractICMP4Context(caplen, data)
); );
} }
void ICMP_Analyzer::Context6(double t, const struct icmp* icmpp, void ICMP_Analyzer::Context6(double t, const struct icmp* icmpp,
int len, int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr) int len, int caplen, const u_char*& data, const IP_Hdr* ip_hdr)
{ {
zeek::EventHandlerPtr f = nullptr; EventHandlerPtr f = nullptr;
switch ( icmpp->icmp_type ) switch ( icmpp->icmp_type )
{ {
@ -740,18 +740,18 @@ void ICMP_Analyzer::Context6(double t, const struct icmp* icmpp,
ConnVal(), ConnVal(),
BuildICMPVal(icmpp, len, 1, ip_hdr), BuildICMPVal(icmpp, len, 1, ip_hdr),
BuildInfo(icmpp, len, 1, ip_hdr), BuildInfo(icmpp, len, 1, ip_hdr),
zeek::val_mgr->Count(icmpp->icmp_code), val_mgr->Count(icmpp->icmp_code),
ExtractICMP6Context(caplen, data) ExtractICMP6Context(caplen, data)
); );
} }
zeek::VectorValPtr ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* data) VectorValPtr ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* data)
{ {
static auto icmp6_nd_option_type = zeek::id::find_type<zeek::RecordType>("icmp6_nd_option"); static auto icmp6_nd_option_type = id::find_type<RecordType>("icmp6_nd_option");
static auto icmp6_nd_prefix_info_type = zeek::id::find_type<zeek::RecordType>("icmp6_nd_prefix_info"); static auto icmp6_nd_prefix_info_type = id::find_type<RecordType>("icmp6_nd_prefix_info");
auto vv = zeek::make_intrusive<zeek::VectorVal>( auto vv = make_intrusive<VectorVal>(
zeek::id::find_type<zeek::VectorType>("icmp6_nd_options")); id::find_type<VectorType>("icmp6_nd_options"));
while ( caplen > 0 ) while ( caplen > 0 )
{ {
@ -771,9 +771,9 @@ zeek::VectorValPtr ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* da
break; break;
} }
auto rv = zeek::make_intrusive<zeek::RecordVal>(icmp6_nd_option_type); auto rv = make_intrusive<RecordVal>(icmp6_nd_option_type);
rv->Assign(0, zeek::val_mgr->Count(type)); rv->Assign(0, val_mgr->Count(type));
rv->Assign(1, zeek::val_mgr->Count(length)); rv->Assign(1, val_mgr->Count(length));
// Adjust length to be in units of bytes, exclude type/length fields. // Adjust length to be in units of bytes, exclude type/length fields.
length = length * 8 - 2; length = length * 8 - 2;
@ -791,8 +791,8 @@ zeek::VectorValPtr ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* da
{ {
if ( caplen >= length ) if ( caplen >= length )
{ {
zeek::String* link_addr = new zeek::String(data, length, false); String* link_addr = new String(data, length, false);
rv->Assign(2, zeek::make_intrusive<zeek::StringVal>(link_addr)); rv->Assign(2, make_intrusive<StringVal>(link_addr));
} }
else else
set_payload_field = true; set_payload_field = true;
@ -805,19 +805,19 @@ zeek::VectorValPtr ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* da
{ {
if ( caplen >= 30 ) if ( caplen >= 30 )
{ {
auto info = zeek::make_intrusive<zeek::RecordVal>(icmp6_nd_prefix_info_type); auto info = make_intrusive<RecordVal>(icmp6_nd_prefix_info_type);
uint8_t prefix_len = *((const uint8_t*)(data)); uint8_t prefix_len = *((const uint8_t*)(data));
bool L_flag = (*((const uint8_t*)(data + 1)) & 0x80) != 0; bool L_flag = (*((const uint8_t*)(data + 1)) & 0x80) != 0;
bool A_flag = (*((const uint8_t*)(data + 1)) & 0x40) != 0; bool A_flag = (*((const uint8_t*)(data + 1)) & 0x40) != 0;
uint32_t valid_life = *((const uint32_t*)(data + 2)); uint32_t valid_life = *((const uint32_t*)(data + 2));
uint32_t prefer_life = *((const uint32_t*)(data + 6)); uint32_t prefer_life = *((const uint32_t*)(data + 6));
in6_addr prefix = *((const in6_addr*)(data + 14)); in6_addr prefix = *((const in6_addr*)(data + 14));
info->Assign(0, zeek::val_mgr->Count(prefix_len)); info->Assign(0, val_mgr->Count(prefix_len));
info->Assign(1, zeek::val_mgr->Bool(L_flag)); info->Assign(1, val_mgr->Bool(L_flag));
info->Assign(2, zeek::val_mgr->Bool(A_flag)); info->Assign(2, val_mgr->Bool(A_flag));
info->Assign(3, zeek::make_intrusive<zeek::IntervalVal>((double)ntohl(valid_life), Seconds)); info->Assign(3, make_intrusive<IntervalVal>((double)ntohl(valid_life), Seconds));
info->Assign(4, zeek::make_intrusive<zeek::IntervalVal>((double)ntohl(prefer_life), Seconds)); info->Assign(4, make_intrusive<IntervalVal>((double)ntohl(prefer_life), Seconds));
info->Assign(5, zeek::make_intrusive<zeek::AddrVal>(zeek::IPAddr(prefix))); info->Assign(5, make_intrusive<AddrVal>(IPAddr(prefix)));
rv->Assign(3, std::move(info)); rv->Assign(3, std::move(info));
} }
@ -845,7 +845,7 @@ zeek::VectorValPtr ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* da
// MTU option // MTU option
{ {
if ( caplen >= 6 ) if ( caplen >= 6 )
rv->Assign(5, zeek::val_mgr->Count(ntohl(*((const uint32_t*)(data + 2))))); rv->Assign(5, val_mgr->Count(ntohl(*((const uint32_t*)(data + 2)))));
else else
set_payload_field = true; set_payload_field = true;
@ -861,8 +861,8 @@ zeek::VectorValPtr ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* da
if ( set_payload_field ) if ( set_payload_field )
{ {
zeek::String* payload = new zeek::String(data, std::min((int)length, caplen), false); String* payload = new String(data, std::min((int)length, caplen), false);
rv->Assign(6, zeek::make_intrusive<zeek::StringVal>(payload)); rv->Assign(6, make_intrusive<StringVal>(payload));
} }
data += length; data += length;

58
src/analyzer/protocol/icmp/ICMP.h
View file

@ -8,7 +8,7 @@
ZEEK_FORWARD_DECLARE_NAMESPACED(VectorVal, zeek); ZEEK_FORWARD_DECLARE_NAMESPACED(VectorVal, zeek);
namespace zeek { namespace zeek {
using VectorValPtr = zeek::IntrusivePtr<VectorVal>; using VectorValPtr = IntrusivePtr<VectorVal>;
} }
namespace zeek::analyzer::icmp { namespace zeek::analyzer::icmp {
@ -20,77 +20,77 @@ enum ICMP_EndpointState {
// We do not have an PIA for ICMP (yet) and therefore derive from // We do not have an PIA for ICMP (yet) and therefore derive from
// RuleMatcherState to perform our own matching. // RuleMatcherState to perform our own matching.
class ICMP_Analyzer final : public zeek::analyzer::TransportLayerAnalyzer { class ICMP_Analyzer final : public analyzer::TransportLayerAnalyzer {
public: public:
explicit ICMP_Analyzer(zeek::Connection* conn); explicit ICMP_Analyzer(Connection* conn);
void UpdateConnVal(zeek::RecordVal *conn_val) override; void UpdateConnVal(RecordVal *conn_val) override;
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new ICMP_Analyzer(conn); } { return new ICMP_Analyzer(conn); }
protected: protected:
void Done() override; void Done() override;
void DeliverPacket(int len, const u_char* data, bool orig, void DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override; uint64_t seq, const IP_Hdr* ip, int caplen) override;
bool IsReuse(double t, const u_char* pkt) override; bool IsReuse(double t, const u_char* pkt) override;
unsigned int MemoryAllocation() const override; unsigned int MemoryAllocation() const override;
void ICMP_Sent(const struct icmp* icmpp, int len, int caplen, int icmpv6, void ICMP_Sent(const struct icmp* icmpp, int len, int caplen, int icmpv6,
const u_char* data, const zeek::IP_Hdr* ip_hdr); const u_char* data, const IP_Hdr* ip_hdr);
void Echo(double t, const struct icmp* icmpp, int len, void Echo(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr); int caplen, const u_char*& data, const IP_Hdr* ip_hdr);
void Redirect(double t, const struct icmp* icmpp, int len, void Redirect(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr); int caplen, const u_char*& data, const IP_Hdr* ip_hdr);
void RouterAdvert(double t, const struct icmp* icmpp, int len, void RouterAdvert(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr); int caplen, const u_char*& data, const IP_Hdr* ip_hdr);
void NeighborAdvert(double t, const struct icmp* icmpp, int len, void NeighborAdvert(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr); int caplen, const u_char*& data, const IP_Hdr* ip_hdr);
void NeighborSolicit(double t, const struct icmp* icmpp, int len, void NeighborSolicit(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr); int caplen, const u_char*& data, const IP_Hdr* ip_hdr);
void RouterSolicit(double t, const struct icmp* icmpp, int len, void RouterSolicit(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr); int caplen, const u_char*& data, const IP_Hdr* ip_hdr);
void Describe(zeek::ODesc* d) const; void Describe(ODesc* d) const;
zeek::RecordValPtr BuildICMPVal(const struct icmp* icmpp, int len, RecordValPtr BuildICMPVal(const struct icmp* icmpp, int len,
int icmpv6, const zeek::IP_Hdr* ip_hdr); int icmpv6, const IP_Hdr* ip_hdr);
zeek::RecordValPtr BuildInfo(const struct icmp* icmpp, int len, RecordValPtr BuildInfo(const struct icmp* icmpp, int len,
bool icmpv6, const zeek::IP_Hdr* ip_hdr); bool icmpv6, const IP_Hdr* ip_hdr);
void NextICMP4(double t, const struct icmp* icmpp, int len, int caplen, void NextICMP4(double t, const struct icmp* icmpp, int len, int caplen,
const u_char*& data, const zeek::IP_Hdr* ip_hdr ); const u_char*& data, const IP_Hdr* ip_hdr );
zeek::RecordValPtr ExtractICMP4Context(int len, const u_char*& data); RecordValPtr ExtractICMP4Context(int len, const u_char*& data);
void Context4(double t, const struct icmp* icmpp, int len, int caplen, void Context4(double t, const struct icmp* icmpp, int len, int caplen,
const u_char*& data, const zeek::IP_Hdr* ip_hdr); const u_char*& data, const IP_Hdr* ip_hdr);
TransportProto GetContextProtocol(const zeek::IP_Hdr* ip_hdr, uint32_t* src_port, TransportProto GetContextProtocol(const IP_Hdr* ip_hdr, uint32_t* src_port,
uint32_t* dst_port); uint32_t* dst_port);
void NextICMP6(double t, const struct icmp* icmpp, int len, int caplen, void NextICMP6(double t, const struct icmp* icmpp, int len, int caplen,
const u_char*& data, const zeek::IP_Hdr* ip_hdr ); const u_char*& data, const IP_Hdr* ip_hdr );
zeek::RecordValPtr ExtractICMP6Context(int len, const u_char*& data); RecordValPtr ExtractICMP6Context(int len, const u_char*& data);
void Context6(double t, const struct icmp* icmpp, int len, int caplen, void Context6(double t, const struct icmp* icmpp, int len, int caplen,
const u_char*& data, const zeek::IP_Hdr* ip_hdr); const u_char*& data, const IP_Hdr* ip_hdr);
// RFC 4861 Neighbor Discover message options // RFC 4861 Neighbor Discover message options
zeek::VectorValPtr BuildNDOptionsVal(int caplen, const u_char* data); VectorValPtr BuildNDOptionsVal(int caplen, const u_char* data);
zeek::RecordValPtr icmp_conn_val; RecordValPtr icmp_conn_val;
int type; int type;
int code; int code;
int request_len, reply_len; int request_len, reply_len;
zeek::detail::RuleMatcherState matcher_state; detail::RuleMatcherState matcher_state;
private: private:
void UpdateEndpointVal(const zeek::ValPtr& endp, bool is_orig); void UpdateEndpointVal(const ValPtr& endp, bool is_orig);
}; };
// Returns the counterpart type to the given type (e.g., the counterpart // Returns the counterpart type to the given type (e.g., the counterpart

78
src/analyzer/protocol/ident/Ident.cc
View file

@ -13,13 +13,13 @@
namespace zeek::analyzer::ident { namespace zeek::analyzer::ident {
Ident_Analyzer::Ident_Analyzer(zeek::Connection* conn) Ident_Analyzer::Ident_Analyzer(Connection* conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("IDENT", conn) : analyzer::tcp::TCP_ApplicationAnalyzer("IDENT", conn)
{ {
did_bad_reply = did_deliver = false; did_bad_reply = did_deliver = false;
orig_ident = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, true, 1000); orig_ident = new analyzer::tcp::ContentLine_Analyzer(conn, true, 1000);
resp_ident = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, false, 1000); resp_ident = new analyzer::tcp::ContentLine_Analyzer(conn, false, 1000);
orig_ident->SetIsNULSensitive(true); orig_ident->SetIsNULSensitive(true);
resp_ident->SetIsNULSensitive(true); resp_ident->SetIsNULSensitive(true);
@ -30,29 +30,29 @@ Ident_Analyzer::Ident_Analyzer(zeek::Connection* conn)
void Ident_Analyzer::Done() void Ident_Analyzer::Done()
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); analyzer::tcp::TCP_ApplicationAnalyzer::Done();
if ( TCP() ) if ( TCP() )
if ( (! did_deliver || orig_ident->HasPartialLine()) && if ( (! did_deliver || orig_ident->HasPartialLine()) &&
(TCP()->OrigState() == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED || (TCP()->OrigState() == analyzer::tcp::TCP_ENDPOINT_CLOSED ||
TCP()->OrigPrevState() == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED) && TCP()->OrigPrevState() == analyzer::tcp::TCP_ENDPOINT_CLOSED) &&
TCP()->OrigPrevState() != zeek::analyzer::tcp::TCP_ENDPOINT_PARTIAL && TCP()->OrigPrevState() != analyzer::tcp::TCP_ENDPOINT_PARTIAL &&
TCP()->RespPrevState() != zeek::analyzer::tcp::TCP_ENDPOINT_PARTIAL && TCP()->RespPrevState() != analyzer::tcp::TCP_ENDPOINT_PARTIAL &&
TCP()->OrigPrevState() != zeek::analyzer::tcp::TCP_ENDPOINT_INACTIVE && TCP()->OrigPrevState() != analyzer::tcp::TCP_ENDPOINT_INACTIVE &&
TCP()->RespPrevState() != zeek::analyzer::tcp::TCP_ENDPOINT_INACTIVE ) TCP()->RespPrevState() != analyzer::tcp::TCP_ENDPOINT_INACTIVE )
Weird("partial_ident_request"); Weird("partial_ident_request");
} }
void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig) void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(length, data, is_orig); analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(length, data, is_orig);
int remote_port, local_port; int remote_port, local_port;
const char* line = (const char*) data; const char* line = (const char*) data;
const char* orig_line = line; const char* orig_line = line;
const char* end_of_line = line + length; const char* end_of_line = line + length;
zeek::analyzer::tcp::TCP_Endpoint* s = nullptr; analyzer::tcp::TCP_Endpoint* s = nullptr;
if ( TCP() ) if ( TCP() )
s = is_orig ? TCP()->Orig() : TCP()->Resp(); s = is_orig ? TCP()->Orig() : TCP()->Resp();
@ -68,9 +68,9 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
line = ParsePair(line, end_of_line, remote_port, local_port); line = ParsePair(line, end_of_line, remote_port, local_port);
if ( ! line ) if ( ! line )
{ {
if ( s && s->state == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED && if ( s && s->state == analyzer::tcp::TCP_ENDPOINT_CLOSED &&
(s->prev_state == zeek::analyzer::tcp::TCP_ENDPOINT_INACTIVE || (s->prev_state == analyzer::tcp::TCP_ENDPOINT_INACTIVE ||
s->prev_state == zeek::analyzer::tcp::TCP_ENDPOINT_PARTIAL) ) s->prev_state == analyzer::tcp::TCP_ENDPOINT_PARTIAL) )
// not surprising the request is mangled. // not surprising the request is mangled.
return; return;
@ -80,14 +80,14 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
if ( line != end_of_line ) if ( line != end_of_line )
{ {
zeek::String s((const u_char*)orig_line, length, true); String s((const u_char*)orig_line, length, true);
Weird("ident_request_addendum", s.CheckString()); Weird("ident_request_addendum", s.CheckString());
} }
EnqueueConnEvent(ident_request, EnqueueConnEvent(ident_request,
ConnVal(), ConnVal(),
zeek::val_mgr->Port(local_port, TRANSPORT_TCP), val_mgr->Port(local_port, TRANSPORT_TCP),
zeek::val_mgr->Port(remote_port, TRANSPORT_TCP) val_mgr->Port(remote_port, TRANSPORT_TCP)
); );
did_deliver = true; did_deliver = true;
@ -102,9 +102,9 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
if ( ! line || line == end_of_line || line[0] != ':' ) if ( ! line || line == end_of_line || line[0] != ':' )
{ {
if ( s && s->state == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED && if ( s && s->state == analyzer::tcp::TCP_ENDPOINT_CLOSED &&
(s->prev_state == zeek::analyzer::tcp::TCP_ENDPOINT_INACTIVE || (s->prev_state == analyzer::tcp::TCP_ENDPOINT_INACTIVE ||
s->prev_state == zeek::analyzer::tcp::TCP_ENDPOINT_PARTIAL) ) s->prev_state == analyzer::tcp::TCP_ENDPOINT_PARTIAL) )
// not surprising the request is mangled. // not surprising the request is mangled.
return; return;
@ -112,7 +112,7 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
return; return;
} }
line = zeek::util::skip_whitespace(line + 1, end_of_line); line = util::skip_whitespace(line + 1, end_of_line);
int restlen = end_of_line - line; int restlen = end_of_line - line;
int is_error; int is_error;
@ -132,7 +132,7 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
return; return;
} }
line = zeek::util::skip_whitespace(line, end_of_line); line = util::skip_whitespace(line, end_of_line);
if ( line >= end_of_line || line[0] != ':' ) if ( line >= end_of_line || line[0] != ':' )
{ {
@ -140,16 +140,16 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
return; return;
} }
line = zeek::util::skip_whitespace(line + 1, end_of_line); line = util::skip_whitespace(line + 1, end_of_line);
if ( is_error ) if ( is_error )
{ {
if ( ident_error ) if ( ident_error )
EnqueueConnEvent(ident_error, EnqueueConnEvent(ident_error,
ConnVal(), ConnVal(),
zeek::val_mgr->Port(local_port, TRANSPORT_TCP), val_mgr->Port(local_port, TRANSPORT_TCP),
zeek::val_mgr->Port(remote_port, TRANSPORT_TCP), val_mgr->Port(remote_port, TRANSPORT_TCP),
zeek::make_intrusive<zeek::StringVal>(end_of_line - line, line) make_intrusive<StringVal>(end_of_line - line, line)
); );
} }
@ -172,18 +172,18 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
while ( --sys_end > sys_type && isspace(*sys_end) ) while ( --sys_end > sys_type && isspace(*sys_end) )
; ;
zeek::String* sys_type_s = String* sys_type_s =
new zeek::String((const u_char*) sys_type, new String((const u_char*) sys_type,
sys_end - sys_type + 1, true); sys_end - sys_type + 1, true);
line = zeek::util::skip_whitespace(colon + 1, end_of_line); line = util::skip_whitespace(colon + 1, end_of_line);
EnqueueConnEvent(ident_reply, EnqueueConnEvent(ident_reply,
ConnVal(), ConnVal(),
zeek::val_mgr->Port(local_port, TRANSPORT_TCP), val_mgr->Port(local_port, TRANSPORT_TCP),
zeek::val_mgr->Port(remote_port, TRANSPORT_TCP), val_mgr->Port(remote_port, TRANSPORT_TCP),
zeek::make_intrusive<zeek::StringVal>(end_of_line - line, line), make_intrusive<StringVal>(end_of_line - line, line),
zeek::make_intrusive<zeek::StringVal>(sys_type_s) make_intrusive<StringVal>(sys_type_s)
); );
} }
} }
@ -214,7 +214,7 @@ const char* Ident_Analyzer::ParsePort(const char* line, const char* end_of_line,
{ {
int n = 0; int n = 0;
line = zeek::util::skip_whitespace(line, end_of_line); line = util::skip_whitespace(line, end_of_line);
if ( line >= end_of_line || ! isdigit(*line) ) if ( line >= end_of_line || ! isdigit(*line) )
return nullptr; return nullptr;
@ -227,7 +227,7 @@ const char* Ident_Analyzer::ParsePort(const char* line, const char* end_of_line,
} }
while ( line < end_of_line && isdigit(*line) ); while ( line < end_of_line && isdigit(*line) );
line = zeek::util::skip_whitespace(line, end_of_line); line = util::skip_whitespace(line, end_of_line);
if ( n < 0 || n > 65535 ) if ( n < 0 || n > 65535 )
{ {
@ -242,7 +242,7 @@ const char* Ident_Analyzer::ParsePort(const char* line, const char* end_of_line,
void Ident_Analyzer::BadRequest(int length, const char* line) void Ident_Analyzer::BadRequest(int length, const char* line)
{ {
zeek::String s((const u_char*)line, length, true); String s((const u_char*)line, length, true);
Weird("bad_ident_request", s.CheckString()); Weird("bad_ident_request", s.CheckString());
} }
@ -250,7 +250,7 @@ void Ident_Analyzer::BadReply(int length, const char* line)
{ {
if ( ! did_bad_reply ) if ( ! did_bad_reply )
{ {
zeek::String s((const u_char*)line, length, true); String s((const u_char*)line, length, true);
Weird("bad_ident_reply", s.CheckString()); Weird("bad_ident_reply", s.CheckString());
did_bad_reply = true; did_bad_reply = true;
} }

10
src/analyzer/protocol/ident/Ident.h
View file

@ -7,14 +7,14 @@
namespace zeek::analyzer::ident { namespace zeek::analyzer::ident {
class Ident_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { class Ident_Analyzer : public analyzer::tcp::TCP_ApplicationAnalyzer {
public: public:
explicit Ident_Analyzer(zeek::Connection* conn); explicit Ident_Analyzer(Connection* conn);
void Done() override; void Done() override;
void DeliverStream(int length, const u_char* data, bool is_orig) override; void DeliverStream(int length, const u_char* data, bool is_orig) override;
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new Ident_Analyzer(conn); } { return new Ident_Analyzer(conn); }
protected: protected:
@ -26,8 +26,8 @@ protected:
void BadRequest(int length, const char* line); void BadRequest(int length, const char* line);
void BadReply(int length, const char* line); void BadReply(int length, const char* line);
zeek::analyzer::tcp::ContentLine_Analyzer* orig_ident; analyzer::tcp::ContentLine_Analyzer* orig_ident;
zeek::analyzer::tcp::ContentLine_Analyzer* resp_ident; analyzer::tcp::ContentLine_Analyzer* resp_ident;
bool did_deliver; bool did_deliver;
bool did_bad_reply; bool did_bad_reply;

16
src/analyzer/protocol/imap/IMAP.cc
View file

@ -6,8 +6,8 @@
namespace zeek::analyzer::imap { namespace zeek::analyzer::imap {
IMAP_Analyzer::IMAP_Analyzer(zeek::Connection* conn) IMAP_Analyzer::IMAP_Analyzer(Connection* conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("IMAP", conn) : analyzer::tcp::TCP_ApplicationAnalyzer("IMAP", conn)
{ {
interp = new binpac::IMAP::IMAP_Conn(this); interp = new binpac::IMAP::IMAP_Conn(this);
had_gap = false; had_gap = false;
@ -21,7 +21,7 @@ IMAP_Analyzer::~IMAP_Analyzer()
void IMAP_Analyzer::Done() void IMAP_Analyzer::Done()
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); analyzer::tcp::TCP_ApplicationAnalyzer::Done();
interp->FlowEOF(true); interp->FlowEOF(true);
interp->FlowEOF(false); interp->FlowEOF(false);
@ -29,13 +29,13 @@ void IMAP_Analyzer::Done()
void IMAP_Analyzer::EndpointEOF(bool is_orig) void IMAP_Analyzer::EndpointEOF(bool is_orig)
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
interp->FlowEOF(is_orig); interp->FlowEOF(is_orig);
} }
void IMAP_Analyzer::DeliverStream(int len, const u_char* data, bool orig) void IMAP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
if ( tls_active ) if ( tls_active )
{ {
@ -61,13 +61,13 @@ void IMAP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
} }
catch ( const binpac::Exception& e ) catch ( const binpac::Exception& e )
{ {
ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg())); ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
} }
} }
void IMAP_Analyzer::Undelivered(uint64_t seq, int len, bool orig) void IMAP_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
had_gap = true; had_gap = true;
interp->NewGap(orig, len); interp->NewGap(orig, len);
} }
@ -79,7 +79,7 @@ void IMAP_Analyzer::StartTLS()
// TLS datastream. // TLS datastream.
tls_active = true; tls_active = true;
Analyzer* ssl = zeek::analyzer_mgr->InstantiateAnalyzer("SSL", Conn()); Analyzer* ssl = analyzer_mgr->InstantiateAnalyzer("SSL", Conn());
if ( ssl ) if ( ssl )
AddChildAnalyzer(ssl); AddChildAnalyzer(ssl);
} }

8
src/analyzer/protocol/imap/IMAP.h
View file

@ -10,21 +10,21 @@
namespace zeek::analyzer::imap { namespace zeek::analyzer::imap {
class IMAP_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { class IMAP_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer {
public: public:
explicit IMAP_Analyzer(zeek::Connection* conn); explicit IMAP_Analyzer(Connection* conn);
~IMAP_Analyzer() override; ~IMAP_Analyzer() override;
void Done() override; void Done() override;
void DeliverStream(int len, const u_char* data, bool orig) override; void DeliverStream(int len, const u_char* data, bool orig) override;
void Undelivered(uint64_t seq, int len, bool orig) override; void Undelivered(uint64_t seq, int len, bool orig) override;
// Overriden from zeek::analyzer::tcp::TCP_ApplicationAnalyzer. // Overriden from analyzer::tcp::TCP_ApplicationAnalyzer.
void EndpointEOF(bool is_orig) override; void EndpointEOF(bool is_orig) override;
void StartTLS(); void StartTLS();
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new IMAP_Analyzer(conn); } { return new IMAP_Analyzer(conn); }
protected: protected:

314
src/analyzer/protocol/irc/IRC.cc
View file

@ -13,8 +13,8 @@ using namespace std;
namespace zeek::analyzer::irc { namespace zeek::analyzer::irc {
IRC_Analyzer::IRC_Analyzer(zeek::Connection* conn) IRC_Analyzer::IRC_Analyzer(Connection* conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("IRC", conn) : analyzer::tcp::TCP_ApplicationAnalyzer("IRC", conn)
{ {
invalid_msg_count = 0; invalid_msg_count = 0;
invalid_msg_max_count = 20; invalid_msg_max_count = 20;
@ -23,15 +23,15 @@ IRC_Analyzer::IRC_Analyzer(zeek::Connection* conn)
orig_zip_status = NO_ZIP; orig_zip_status = NO_ZIP;
resp_zip_status = NO_ZIP; resp_zip_status = NO_ZIP;
starttls = false; starttls = false;
cl_orig = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, true, 1000); cl_orig = new analyzer::tcp::ContentLine_Analyzer(conn, true, 1000);
AddSupportAnalyzer(cl_orig); AddSupportAnalyzer(cl_orig);
cl_resp = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, false, 1000); cl_resp = new analyzer::tcp::ContentLine_Analyzer(conn, false, 1000);
AddSupportAnalyzer(cl_resp); AddSupportAnalyzer(cl_resp);
} }
void IRC_Analyzer::Done() void IRC_Analyzer::Done()
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); analyzer::tcp::TCP_ApplicationAnalyzer::Done();
} }
inline void IRC_Analyzer::SkipLeadingWhitespace(string& str) inline void IRC_Analyzer::SkipLeadingWhitespace(string& str)
@ -45,9 +45,9 @@ inline void IRC_Analyzer::SkipLeadingWhitespace(string& str)
void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
{ {
static auto irc_join_list = zeek::id::find_type<zeek::TableType>("irc_join_list"); static auto irc_join_list = id::find_type<TableType>("irc_join_list");
static auto irc_join_info = zeek::id::find_type<zeek::RecordType>("irc_join_info"); static auto irc_join_info = id::find_type<RecordType>("irc_join_info");
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(length, line, orig); analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(length, line, orig);
if ( starttls ) if ( starttls )
{ {
@ -239,10 +239,10 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
EnqueueConnEvent(irc_network_info, EnqueueConnEvent(irc_network_info,
ConnVal(), ConnVal(),
zeek::val_mgr->Bool(orig), val_mgr->Bool(orig),
zeek::val_mgr->Int(users), val_mgr->Int(users),
zeek::val_mgr->Int(services), val_mgr->Int(services),
zeek::val_mgr->Int(servers)); val_mgr->Int(servers));
} }
break; break;
@ -273,21 +273,21 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( parts.size() > 0 && parts[0][0] == ':' ) if ( parts.size() > 0 && parts[0][0] == ':' )
parts[0] = parts[0].substr(1); parts[0] = parts[0].substr(1);
auto set = zeek::make_intrusive<zeek::TableVal>(zeek::id::string_set); auto set = make_intrusive<TableVal>(id::string_set);
for ( auto& part : parts ) for ( auto& part : parts )
{ {
if ( part[0] == '@' ) if ( part[0] == '@' )
part = part.substr(1); part = part.substr(1);
auto idx = zeek::make_intrusive<zeek::StringVal>(part); auto idx = make_intrusive<StringVal>(part);
set->Assign(std::move(idx), nullptr); set->Assign(std::move(idx), nullptr);
} }
EnqueueConnEvent(irc_names_info, EnqueueConnEvent(irc_names_info,
ConnVal(), ConnVal(),
zeek::val_mgr->Bool(orig), val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(type.c_str()), make_intrusive<StringVal>(type.c_str()),
zeek::make_intrusive<zeek::StringVal>(channel.c_str()), make_intrusive<StringVal>(channel.c_str()),
std::move(set)); std::move(set));
} }
break; break;
@ -318,10 +318,10 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
EnqueueConnEvent(irc_server_info, EnqueueConnEvent(irc_server_info,
ConnVal(), ConnVal(),
zeek::val_mgr->Bool(orig), val_mgr->Bool(orig),
zeek::val_mgr->Int(users), val_mgr->Int(users),
zeek::val_mgr->Int(services), val_mgr->Int(services),
zeek::val_mgr->Int(servers)); val_mgr->Int(servers));
} }
break; break;
@ -339,8 +339,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
EnqueueConnEvent(irc_channel_info, EnqueueConnEvent(irc_channel_info,
ConnVal(), ConnVal(),
zeek::val_mgr->Bool(orig), val_mgr->Bool(orig),
zeek::val_mgr->Int(channels)); val_mgr->Int(channels));
} }
break; break;
@ -370,9 +370,9 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
EnqueueConnEvent(irc_global_users, EnqueueConnEvent(irc_global_users,
ConnVal(), ConnVal(),
zeek::val_mgr->Bool(orig), val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(eop - prefix, prefix), make_intrusive<StringVal>(eop - prefix, prefix),
zeek::make_intrusive<zeek::StringVal>(++msg)); make_intrusive<StringVal>(++msg));
break; break;
} }
@ -392,13 +392,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
return; return;
} }
zeek::Args vl; Args vl;
vl.reserve(6); vl.reserve(6);
vl.emplace_back(ConnVal()); vl.emplace_back(ConnVal());
vl.emplace_back(zeek::val_mgr->Bool(orig)); vl.emplace_back(val_mgr->Bool(orig));
vl.emplace_back(zeek::make_intrusive<zeek::StringVal>(parts[0].c_str())); vl.emplace_back(make_intrusive<StringVal>(parts[0].c_str()));
vl.emplace_back(zeek::make_intrusive<zeek::StringVal>(parts[1].c_str())); vl.emplace_back(make_intrusive<StringVal>(parts[1].c_str()));
vl.emplace_back(zeek::make_intrusive<zeek::StringVal>(parts[2].c_str())); vl.emplace_back(make_intrusive<StringVal>(parts[2].c_str()));
parts.erase(parts.begin(), parts.begin() + 4); parts.erase(parts.begin(), parts.begin() + 4);
@ -409,7 +409,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( real_name[0] == ':' ) if ( real_name[0] == ':' )
real_name = real_name.substr(1); real_name = real_name.substr(1);
vl.emplace_back(zeek::make_intrusive<zeek::StringVal>(real_name.c_str())); vl.emplace_back(make_intrusive<StringVal>(real_name.c_str()));
EnqueueConnEvent(irc_whois_user_line, std::move(vl)); EnqueueConnEvent(irc_whois_user_line, std::move(vl));
} }
@ -434,8 +434,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
EnqueueConnEvent(irc_whois_operator_line, EnqueueConnEvent(irc_whois_operator_line,
ConnVal(), ConnVal(),
zeek::val_mgr->Bool(orig), val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(parts[0].c_str())); make_intrusive<StringVal>(parts[0].c_str()));
} }
break; break;
@ -461,18 +461,18 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( parts.size() > 0 && parts[0][0] == ':' ) if ( parts.size() > 0 && parts[0][0] == ':' )
parts[0] = parts[0].substr(1); parts[0] = parts[0].substr(1);
auto set = zeek::make_intrusive<zeek::TableVal>(zeek::id::string_set); auto set = make_intrusive<TableVal>(id::string_set);
for ( const auto& part : parts ) for ( const auto& part : parts )
{ {
auto idx = zeek::make_intrusive<zeek::StringVal>(part); auto idx = make_intrusive<StringVal>(part);
set->Assign(std::move(idx), nullptr); set->Assign(std::move(idx), nullptr);
} }
EnqueueConnEvent(irc_whois_channel_line, EnqueueConnEvent(irc_whois_channel_line,
ConnVal(), ConnVal(),
zeek::val_mgr->Bool(orig), val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(nick.c_str()), make_intrusive<StringVal>(nick.c_str()),
std::move(set)); std::move(set));
} }
break; break;
@ -501,9 +501,9 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
EnqueueConnEvent(irc_channel_topic, EnqueueConnEvent(irc_channel_topic,
ConnVal(), ConnVal(),
zeek::val_mgr->Bool(orig), val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(parts[1].c_str()), make_intrusive<StringVal>(parts[1].c_str()),
zeek::make_intrusive<zeek::StringVal>(t)); make_intrusive<StringVal>(t));
} }
else else
{ {
@ -534,16 +534,16 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
EnqueueConnEvent(irc_who_line, EnqueueConnEvent(irc_who_line,
ConnVal(), ConnVal(),
zeek::val_mgr->Bool(orig), val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(parts[0].c_str()), make_intrusive<StringVal>(parts[0].c_str()),
zeek::make_intrusive<zeek::StringVal>(parts[1].c_str()), make_intrusive<StringVal>(parts[1].c_str()),
zeek::make_intrusive<zeek::StringVal>(parts[2].c_str()), make_intrusive<StringVal>(parts[2].c_str()),
zeek::make_intrusive<zeek::StringVal>(parts[3].c_str()), make_intrusive<StringVal>(parts[3].c_str()),
zeek::make_intrusive<zeek::StringVal>(parts[4].c_str()), make_intrusive<StringVal>(parts[4].c_str()),
zeek::make_intrusive<zeek::StringVal>(parts[5].c_str()), make_intrusive<StringVal>(parts[5].c_str()),
zeek::make_intrusive<zeek::StringVal>(parts[6].c_str()), make_intrusive<StringVal>(parts[6].c_str()),
zeek::val_mgr->Int(atoi(parts[7].c_str())), val_mgr->Int(atoi(parts[7].c_str())),
zeek::make_intrusive<zeek::StringVal>(parts[8].c_str())); make_intrusive<StringVal>(parts[8].c_str()));
} }
break; break;
@ -555,7 +555,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( irc_invalid_nick ) if ( irc_invalid_nick )
EnqueueConnEvent(irc_invalid_nick, EnqueueConnEvent(irc_invalid_nick,
ConnVal(), ConnVal(),
zeek::val_mgr->Bool(orig)); val_mgr->Bool(orig));
break; break;
// Operator responses. // Operator responses.
@ -564,8 +564,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( irc_oper_response ) if ( irc_oper_response )
EnqueueConnEvent(irc_oper_response, EnqueueConnEvent(irc_oper_response,
ConnVal(), ConnVal(),
zeek::val_mgr->Bool(orig), val_mgr->Bool(orig),
zeek::val_mgr->Bool(code == 381)); val_mgr->Bool(code == 381));
break; break;
case 670: case 670:
@ -578,10 +578,10 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( irc_reply ) if ( irc_reply )
EnqueueConnEvent(irc_reply, EnqueueConnEvent(irc_reply,
ConnVal(), ConnVal(),
zeek::val_mgr->Bool(orig), val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(prefix.c_str()), make_intrusive<StringVal>(prefix.c_str()),
zeek::val_mgr->Count(code), val_mgr->Count(code),
zeek::make_intrusive<zeek::StringVal>(params.c_str())); make_intrusive<StringVal>(params.c_str()));
break; break;
} }
return; return;
@ -648,14 +648,14 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( irc_dcc_message ) if ( irc_dcc_message )
EnqueueConnEvent(irc_dcc_message, EnqueueConnEvent(irc_dcc_message,
ConnVal(), ConnVal(),
zeek::val_mgr->Bool(orig), val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(prefix.c_str()), make_intrusive<StringVal>(prefix.c_str()),
zeek::make_intrusive<zeek::StringVal>(target.c_str()), make_intrusive<StringVal>(target.c_str()),
zeek::make_intrusive<zeek::StringVal>(parts[1].c_str()), make_intrusive<StringVal>(parts[1].c_str()),
zeek::make_intrusive<zeek::StringVal>(parts[2].c_str()), make_intrusive<StringVal>(parts[2].c_str()),
zeek::make_intrusive<zeek::AddrVal>(htonl(raw_ip)), make_intrusive<AddrVal>(htonl(raw_ip)),
zeek::val_mgr->Count(atoi(parts[4].c_str())), val_mgr->Count(atoi(parts[4].c_str())),
parts.size() >= 6 ? zeek::val_mgr->Count(atoi(parts[5].c_str())) : zeek::val_mgr->Count(0) parts.size() >= 6 ? val_mgr->Count(atoi(parts[5].c_str())) : val_mgr->Count(0)
); );
} }
@ -664,10 +664,10 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( irc_privmsg_message ) if ( irc_privmsg_message )
EnqueueConnEvent(irc_privmsg_message, EnqueueConnEvent(irc_privmsg_message,
ConnVal(), ConnVal(),
zeek::val_mgr->Bool(orig), val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(prefix.c_str()), make_intrusive<StringVal>(prefix.c_str()),
zeek::make_intrusive<zeek::StringVal>(target.c_str()), make_intrusive<StringVal>(target.c_str()),
zeek::make_intrusive<zeek::StringVal>(message.c_str()) make_intrusive<StringVal>(message.c_str())
); );
} }
} }
@ -689,10 +689,10 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
EnqueueConnEvent(irc_notice_message, EnqueueConnEvent(irc_notice_message,
ConnVal(), ConnVal(),
zeek::val_mgr->Bool(orig), val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(prefix.c_str()), make_intrusive<StringVal>(prefix.c_str()),
zeek::make_intrusive<zeek::StringVal>(target.c_str()), make_intrusive<StringVal>(target.c_str()),
zeek::make_intrusive<zeek::StringVal>(message.c_str()) make_intrusive<StringVal>(message.c_str())
); );
} }
@ -713,10 +713,10 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
EnqueueConnEvent(irc_squery_message, EnqueueConnEvent(irc_squery_message,
ConnVal(), ConnVal(),
zeek::val_mgr->Bool(orig), val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(prefix.c_str()), make_intrusive<StringVal>(prefix.c_str()),
zeek::make_intrusive<zeek::StringVal>(target.c_str()), make_intrusive<StringVal>(target.c_str()),
zeek::make_intrusive<zeek::StringVal>(message.c_str()) make_intrusive<StringVal>(message.c_str())
); );
} }
@ -724,22 +724,22 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
{ {
// extract username and real name // extract username and real name
vector<string> parts = SplitWords(params, ' '); vector<string> parts = SplitWords(params, ' ');
zeek::Args vl; Args vl;
vl.reserve(6); vl.reserve(6);
vl.emplace_back(ConnVal()); vl.emplace_back(ConnVal());
vl.emplace_back(zeek::val_mgr->Bool(orig)); vl.emplace_back(val_mgr->Bool(orig));
if ( parts.size() > 0 ) if ( parts.size() > 0 )
vl.emplace_back(zeek::make_intrusive<zeek::StringVal>(parts[0].c_str())); vl.emplace_back(make_intrusive<StringVal>(parts[0].c_str()));
else vl.emplace_back(zeek::val_mgr->EmptyString()); else vl.emplace_back(val_mgr->EmptyString());
if ( parts.size() > 1 ) if ( parts.size() > 1 )
vl.emplace_back(zeek::make_intrusive<zeek::StringVal>(parts[1].c_str())); vl.emplace_back(make_intrusive<StringVal>(parts[1].c_str()));
else vl.emplace_back(zeek::val_mgr->EmptyString()); else vl.emplace_back(val_mgr->EmptyString());
if ( parts.size() > 2 ) if ( parts.size() > 2 )
vl.emplace_back(zeek::make_intrusive<zeek::StringVal>(parts[2].c_str())); vl.emplace_back(make_intrusive<StringVal>(parts[2].c_str()));
else vl.emplace_back(zeek::val_mgr->EmptyString()); else vl.emplace_back(val_mgr->EmptyString());
string realname; string realname;
for ( size_t i = 3; i < parts.size(); i++ ) for ( size_t i = 3; i < parts.size(); i++ )
@ -750,7 +750,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
} }
const char* name = realname.c_str(); const char* name = realname.c_str();
vl.emplace_back(zeek::make_intrusive<zeek::StringVal>(*name == ':' ? name + 1 : name)); vl.emplace_back(make_intrusive<StringVal>(*name == ':' ? name + 1 : name));
EnqueueConnEvent(irc_user_message, std::move(vl)); EnqueueConnEvent(irc_user_message, std::move(vl));
} }
@ -762,9 +762,9 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( parts.size() == 2 ) if ( parts.size() == 2 )
EnqueueConnEvent(irc_oper_message, EnqueueConnEvent(irc_oper_message,
ConnVal(), ConnVal(),
zeek::val_mgr->Bool(orig), val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(parts[0].c_str()), make_intrusive<StringVal>(parts[0].c_str()),
zeek::make_intrusive<zeek::StringVal>(parts[1].c_str()) make_intrusive<StringVal>(parts[1].c_str())
); );
else else
@ -781,13 +781,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
return; return;
} }
zeek::Args vl; Args vl;
vl.reserve(6); vl.reserve(6);
vl.emplace_back(ConnVal()); vl.emplace_back(ConnVal());
vl.emplace_back(zeek::val_mgr->Bool(orig)); vl.emplace_back(val_mgr->Bool(orig));
vl.emplace_back(zeek::make_intrusive<zeek::StringVal>(prefix.c_str())); vl.emplace_back(make_intrusive<StringVal>(prefix.c_str()));
vl.emplace_back(zeek::make_intrusive<zeek::StringVal>(parts[0].c_str())); vl.emplace_back(make_intrusive<StringVal>(parts[0].c_str()));
vl.emplace_back(zeek::make_intrusive<zeek::StringVal>(parts[1].c_str())); vl.emplace_back(make_intrusive<StringVal>(parts[1].c_str()));
if ( parts.size() > 2 ) if ( parts.size() > 2 )
{ {
@ -798,10 +798,10 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( comment[0] == ':' ) if ( comment[0] == ':' )
comment = comment.substr(1); comment = comment.substr(1);
vl.emplace_back(zeek::make_intrusive<zeek::StringVal>(comment.c_str())); vl.emplace_back(make_intrusive<StringVal>(comment.c_str()));
} }
else else
vl.emplace_back(zeek::val_mgr->EmptyString()); vl.emplace_back(val_mgr->EmptyString());
EnqueueConnEvent(irc_kick_message, std::move(vl)); EnqueueConnEvent(irc_kick_message, std::move(vl));
} }
@ -827,7 +827,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
nickname = prefix.substr(0, pos); nickname = prefix.substr(0, pos);
} }
auto list = zeek::make_intrusive<zeek::TableVal>(irc_join_list); auto list = make_intrusive<TableVal>(irc_join_list);
vector<string> channels = SplitWords(parts[0], ','); vector<string> channels = SplitWords(parts[0], ',');
vector<string> passwords; vector<string> passwords;
@ -838,21 +838,21 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
string empty_string = ""; string empty_string = "";
for ( size_t i = 0; i < channels.size(); ++i ) for ( size_t i = 0; i < channels.size(); ++i )
{ {
auto info = zeek::make_intrusive<zeek::RecordVal>(irc_join_info); auto info = make_intrusive<RecordVal>(irc_join_info);
info->Assign(0, zeek::make_intrusive<zeek::StringVal>(nickname.c_str())); info->Assign(0, make_intrusive<StringVal>(nickname.c_str()));
info->Assign(1, zeek::make_intrusive<zeek::StringVal>(channels[i].c_str())); info->Assign(1, make_intrusive<StringVal>(channels[i].c_str()));
if ( i < passwords.size() ) if ( i < passwords.size() )
info->Assign(2, zeek::make_intrusive<zeek::StringVal>(passwords[i].c_str())); info->Assign(2, make_intrusive<StringVal>(passwords[i].c_str()));
else else
info->Assign(2, zeek::make_intrusive<zeek::StringVal>(empty_string.c_str())); info->Assign(2, make_intrusive<StringVal>(empty_string.c_str()));
// User mode. // User mode.
info->Assign(3, zeek::make_intrusive<zeek::StringVal>(empty_string.c_str())); info->Assign(3, make_intrusive<StringVal>(empty_string.c_str()));
list->Assign(std::move(info), nullptr); list->Assign(std::move(info), nullptr);
} }
EnqueueConnEvent(irc_join_message, EnqueueConnEvent(irc_join_message,
ConnVal(), ConnVal(),
zeek::val_mgr->Bool(orig), val_mgr->Bool(orig),
std::move(list) std::move(list)
); );
} }
@ -871,13 +871,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
parts[1] = parts[1].substr(1); parts[1] = parts[1].substr(1);
vector<string> users = SplitWords(parts[1], ','); vector<string> users = SplitWords(parts[1], ',');
auto list = zeek::make_intrusive<zeek::TableVal>(irc_join_list); auto list = make_intrusive<TableVal>(irc_join_list);
string empty_string = ""; string empty_string = "";
for ( unsigned int i = 0; i < users.size(); ++i ) for ( unsigned int i = 0; i < users.size(); ++i )
{ {
auto info = zeek::make_intrusive<zeek::RecordVal>(irc_join_info); auto info = make_intrusive<RecordVal>(irc_join_info);
string nick = users[i]; string nick = users[i];
string mode = "none"; string mode = "none";
@ -901,18 +901,18 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
mode = "voice"; mode = "voice";
} }
info->Assign(0, zeek::make_intrusive<zeek::StringVal>(nick.c_str())); info->Assign(0, make_intrusive<StringVal>(nick.c_str()));
info->Assign(1, zeek::make_intrusive<zeek::StringVal>(channel.c_str())); info->Assign(1, make_intrusive<StringVal>(channel.c_str()));
// Password: // Password:
info->Assign(2, zeek::make_intrusive<zeek::StringVal>(empty_string.c_str())); info->Assign(2, make_intrusive<StringVal>(empty_string.c_str()));
// User mode: // User mode:
info->Assign(3, zeek::make_intrusive<zeek::StringVal>(mode.c_str())); info->Assign(3, make_intrusive<StringVal>(mode.c_str()));
list->Assign(std::move(info), nullptr); list->Assign(std::move(info), nullptr);
} }
EnqueueConnEvent(irc_join_message, EnqueueConnEvent(irc_join_message,
ConnVal(), ConnVal(),
zeek::val_mgr->Bool(orig), val_mgr->Bool(orig),
std::move(list) std::move(list)
); );
} }
@ -941,20 +941,20 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
nick = nick.substr(0, pos); nick = nick.substr(0, pos);
vector<string> channelList = SplitWords(channels, ','); vector<string> channelList = SplitWords(channels, ',');
auto set = zeek::make_intrusive<zeek::TableVal>(zeek::id::string_set); auto set = make_intrusive<TableVal>(id::string_set);
for ( const auto& channel : channelList ) for ( const auto& channel : channelList )
{ {
auto idx = zeek::make_intrusive<zeek::StringVal>(channel); auto idx = make_intrusive<StringVal>(channel);
set->Assign(std::move(idx), nullptr); set->Assign(std::move(idx), nullptr);
} }
EnqueueConnEvent(irc_part_message, EnqueueConnEvent(irc_part_message,
ConnVal(), ConnVal(),
zeek::val_mgr->Bool(orig), val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(nick.c_str()), make_intrusive<StringVal>(nick.c_str()),
std::move(set), std::move(set),
zeek::make_intrusive<zeek::StringVal>(message.c_str()) make_intrusive<StringVal>(message.c_str())
); );
} }
@ -974,9 +974,9 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
EnqueueConnEvent(irc_quit_message, EnqueueConnEvent(irc_quit_message,
ConnVal(), ConnVal(),
zeek::val_mgr->Bool(orig), val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(nickname.c_str()), make_intrusive<StringVal>(nickname.c_str()),
zeek::make_intrusive<zeek::StringVal>(message.c_str()) make_intrusive<StringVal>(message.c_str())
); );
} }
@ -988,9 +988,9 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
EnqueueConnEvent(irc_nick_message, EnqueueConnEvent(irc_nick_message,
ConnVal(), ConnVal(),
zeek::val_mgr->Bool(orig), val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(prefix.c_str()), make_intrusive<StringVal>(prefix.c_str()),
zeek::make_intrusive<zeek::StringVal>(nick.c_str()) make_intrusive<StringVal>(nick.c_str())
); );
} }
@ -1013,11 +1013,11 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
EnqueueConnEvent(irc_who_message, EnqueueConnEvent(irc_who_message,
ConnVal(), ConnVal(),
zeek::val_mgr->Bool(orig), val_mgr->Bool(orig),
parts.size() > 0 ? parts.size() > 0 ?
zeek::make_intrusive<zeek::StringVal>(parts[0].c_str()) : make_intrusive<StringVal>(parts[0].c_str()) :
zeek::val_mgr->EmptyString(), val_mgr->EmptyString(),
zeek::val_mgr->Bool(oper) val_mgr->Bool(oper)
); );
} }
@ -1043,9 +1043,9 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
EnqueueConnEvent(irc_whois_message, EnqueueConnEvent(irc_whois_message,
ConnVal(), ConnVal(),
zeek::val_mgr->Bool(orig), val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(server.c_str()), make_intrusive<StringVal>(server.c_str()),
zeek::make_intrusive<zeek::StringVal>(users.c_str()) make_intrusive<StringVal>(users.c_str())
); );
} }
@ -1056,9 +1056,9 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
EnqueueConnEvent(irc_error_message, EnqueueConnEvent(irc_error_message,
ConnVal(), ConnVal(),
zeek::val_mgr->Bool(orig), val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(prefix.c_str()), make_intrusive<StringVal>(prefix.c_str()),
zeek::make_intrusive<zeek::StringVal>(params.c_str()) make_intrusive<StringVal>(params.c_str())
); );
} }
@ -1072,10 +1072,10 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
EnqueueConnEvent(irc_invite_message, EnqueueConnEvent(irc_invite_message,
ConnVal(), ConnVal(),
zeek::val_mgr->Bool(orig), val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(prefix.c_str()), make_intrusive<StringVal>(prefix.c_str()),
zeek::make_intrusive<zeek::StringVal>(parts[0].c_str()), make_intrusive<StringVal>(parts[0].c_str()),
zeek::make_intrusive<zeek::StringVal>(parts[1].c_str()) make_intrusive<StringVal>(parts[1].c_str())
); );
} }
else else
@ -1087,9 +1087,9 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( params.size() > 0 ) if ( params.size() > 0 )
EnqueueConnEvent(irc_mode_message, EnqueueConnEvent(irc_mode_message,
ConnVal(), ConnVal(),
zeek::val_mgr->Bool(orig), val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(prefix.c_str()), make_intrusive<StringVal>(prefix.c_str()),
zeek::make_intrusive<zeek::StringVal>(params.c_str()) make_intrusive<StringVal>(params.c_str())
); );
else else
@ -1100,8 +1100,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
{ {
EnqueueConnEvent(irc_password_message, EnqueueConnEvent(irc_password_message,
ConnVal(), ConnVal(),
zeek::val_mgr->Bool(orig), val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(params.c_str()) make_intrusive<StringVal>(params.c_str())
); );
} }
@ -1122,10 +1122,10 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
EnqueueConnEvent(irc_squit_message, EnqueueConnEvent(irc_squit_message,
ConnVal(), ConnVal(),
zeek::val_mgr->Bool(orig), val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(prefix.c_str()), make_intrusive<StringVal>(prefix.c_str()),
zeek::make_intrusive<zeek::StringVal>(server.c_str()), make_intrusive<StringVal>(server.c_str()),
zeek::make_intrusive<zeek::StringVal>(message.c_str()) make_intrusive<StringVal>(message.c_str())
); );
} }
@ -1136,10 +1136,10 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
{ {
EnqueueConnEvent(irc_request, EnqueueConnEvent(irc_request,
ConnVal(), ConnVal(),
zeek::val_mgr->Bool(orig), val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(prefix.c_str()), make_intrusive<StringVal>(prefix.c_str()),
zeek::make_intrusive<zeek::StringVal>(command.c_str()), make_intrusive<StringVal>(command.c_str()),
zeek::make_intrusive<zeek::StringVal>(params.c_str()) make_intrusive<StringVal>(params.c_str())
); );
} }
} }
@ -1150,10 +1150,10 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
{ {
EnqueueConnEvent(irc_message, EnqueueConnEvent(irc_message,
ConnVal(), ConnVal(),
zeek::val_mgr->Bool(orig), val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(prefix.c_str()), make_intrusive<StringVal>(prefix.c_str()),
zeek::make_intrusive<zeek::StringVal>(command.c_str()), make_intrusive<StringVal>(command.c_str()),
zeek::make_intrusive<zeek::StringVal>(params.c_str()) make_intrusive<StringVal>(params.c_str())
); );
} }
} }
@ -1163,8 +1163,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
{ {
orig_zip_status = ZIP_LOADED; orig_zip_status = ZIP_LOADED;
resp_zip_status = ZIP_LOADED; resp_zip_status = ZIP_LOADED;
AddSupportAnalyzer(new zeek::analyzer::zip::ZIP_Analyzer(Conn(), true)); AddSupportAnalyzer(new analyzer::zip::ZIP_Analyzer(Conn(), true));
AddSupportAnalyzer(new zeek::analyzer::zip::ZIP_Analyzer(Conn(), false)); AddSupportAnalyzer(new analyzer::zip::ZIP_Analyzer(Conn(), false));
} }
return; return;
@ -1179,7 +1179,7 @@ void IRC_Analyzer::StartTLS()
RemoveSupportAnalyzer(cl_orig); RemoveSupportAnalyzer(cl_orig);
RemoveSupportAnalyzer(cl_resp); RemoveSupportAnalyzer(cl_resp);
Analyzer* ssl = zeek::analyzer_mgr->InstantiateAnalyzer("SSL", Conn()); Analyzer* ssl = analyzer_mgr->InstantiateAnalyzer("SSL", Conn());
if ( ssl ) if ( ssl )
AddChildAnalyzer(ssl); AddChildAnalyzer(ssl);

10
src/analyzer/protocol/irc/IRC.h
View file

@ -9,14 +9,14 @@ namespace zeek::analyzer::irc {
/** /**
* \brief Main class for analyzing IRC traffic. * \brief Main class for analyzing IRC traffic.
*/ */
class IRC_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { class IRC_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer {
enum { WAIT_FOR_REGISTRATION, REGISTERED, }; enum { WAIT_FOR_REGISTRATION, REGISTERED, };
enum { NO_ZIP, ACCEPT_ZIP, ZIP_LOADED, }; enum { NO_ZIP, ACCEPT_ZIP, ZIP_LOADED, };
public: public:
/** /**
* \brief Constructor, builds a new analyzer object. * \brief Constructor, builds a new analyzer object.
*/ */
explicit IRC_Analyzer(zeek::Connection* conn); explicit IRC_Analyzer(Connection* conn);
/** /**
* \brief Called when connection is closed. * \brief Called when connection is closed.
@ -32,7 +32,7 @@ public:
*/ */
void DeliverStream(int len, const u_char* data, bool orig) override; void DeliverStream(int len, const u_char* data, bool orig) override;
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) static analyzer::Analyzer* Instantiate(Connection* conn)
{ {
return new IRC_Analyzer(conn); return new IRC_Analyzer(conn);
} }
@ -64,8 +64,8 @@ private:
*/ */
std::vector<std::string> SplitWords(const std::string& input, char split); std::vector<std::string> SplitWords(const std::string& input, char split);
zeek::analyzer::tcp::ContentLine_Analyzer* cl_orig; analyzer::tcp::ContentLine_Analyzer* cl_orig;
zeek::analyzer::tcp::ContentLine_Analyzer* cl_resp; analyzer::tcp::ContentLine_Analyzer* cl_resp;
bool starttls; // if true, connection has been upgraded to tls bool starttls; // if true, connection has been upgraded to tls
}; };

34
src/analyzer/protocol/krb/KRB.cc
View file

@ -16,7 +16,7 @@ krb5_keytab KRB_Analyzer::krb_keytab = nullptr;
std::once_flag KRB_Analyzer::krb_initialized; std::once_flag KRB_Analyzer::krb_initialized;
#endif #endif
KRB_Analyzer::KRB_Analyzer(zeek::Connection* conn) KRB_Analyzer::KRB_Analyzer(Connection* conn)
: Analyzer("KRB", conn) : Analyzer("KRB", conn)
{ {
interp = new binpac::KRB::KRB_Conn(this); interp = new binpac::KRB::KRB_Conn(this);
@ -29,19 +29,19 @@ KRB_Analyzer::KRB_Analyzer(zeek::Connection* conn)
static void warn_krb(const char* msg, krb5_context ctx, krb5_error_code code) static void warn_krb(const char* msg, krb5_context ctx, krb5_error_code code)
{ {
auto err = krb5_get_error_message(ctx, code); auto err = krb5_get_error_message(ctx, code);
zeek::reporter->Warning("%s (%s)", msg, err); reporter->Warning("%s (%s)", msg, err);
krb5_free_error_message(ctx, err); krb5_free_error_message(ctx, err);
} }
void KRB_Analyzer::Initialize_Krb() void KRB_Analyzer::Initialize_Krb()
{ {
if ( zeek::BifConst::KRB::keytab->Len() == 0 ) if ( BifConst::KRB::keytab->Len() == 0 )
return; // no keytab set return; // no keytab set
const char* keytab_filename = zeek::BifConst::KRB::keytab->CheckString(); const char* keytab_filename = BifConst::KRB::keytab->CheckString();
if ( access(keytab_filename, R_OK) != 0 ) if ( access(keytab_filename, R_OK) != 0 )
{ {
zeek::reporter->Warning("KRB: Can't access keytab (%s)", keytab_filename); reporter->Warning("KRB: Can't access keytab (%s)", keytab_filename);
return; return;
} }
@ -73,7 +73,7 @@ void KRB_Analyzer::Done()
} }
void KRB_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, void KRB_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const zeek::IP_Hdr* ip, int caplen) uint64_t seq, const IP_Hdr* ip, int caplen)
{ {
Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
@ -83,30 +83,30 @@ void KRB_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
} }
catch ( const binpac::Exception& e ) catch ( const binpac::Exception& e )
{ {
ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg())); ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
} }
} }
zeek::StringValPtr KRB_Analyzer::GetAuthenticationInfo(const zeek::String* principal, StringValPtr KRB_Analyzer::GetAuthenticationInfo(const String* principal,
const zeek::String* ciphertext, const String* ciphertext,
const bro_uint_t enctype) const bro_uint_t enctype)
{ {
#ifdef USE_KRB5 #ifdef USE_KRB5
if ( !krb_available ) if ( !krb_available )
return nullptr; return nullptr;
zeek::String delim("/"); String delim("/");
int pos = principal->FindSubstring(&delim); int pos = principal->FindSubstring(&delim);
if ( pos == -1 ) if ( pos == -1 )
{ {
zeek::reporter->Warning("KRB: Couldn't parse principal (%s)", principal->CheckString()); reporter->Warning("KRB: Couldn't parse principal (%s)", principal->CheckString());
return nullptr; return nullptr;
} }
std::unique_ptr<zeek::String> service = unique_ptr<zeek::String>(principal->GetSubstring(0, pos)); std::unique_ptr<String> service = unique_ptr<String>(principal->GetSubstring(0, pos));
std::unique_ptr<zeek::String> hostname = unique_ptr<zeek::String>(principal->GetSubstring(pos + 1, -1)); std::unique_ptr<String> hostname = unique_ptr<String>(principal->GetSubstring(pos + 1, -1));
if ( !service || !hostname ) if ( !service || !hostname )
{ {
zeek::reporter->Warning("KRB: Couldn't parse principal (%s)", principal->CheckString()); reporter->Warning("KRB: Couldn't parse principal (%s)", principal->CheckString());
return nullptr; return nullptr;
} }
krb5_principal sprinc; krb5_principal sprinc;
@ -117,13 +117,13 @@ zeek::StringValPtr KRB_Analyzer::GetAuthenticationInfo(const zeek::String* princ
return nullptr; return nullptr;
} }
auto tkt = static_cast<krb5_ticket*>(zeek::util::safe_malloc(sizeof(krb5_ticket))); auto tkt = static_cast<krb5_ticket*>(util::safe_malloc(sizeof(krb5_ticket)));
memset(tkt, 0, sizeof(krb5_ticket)); memset(tkt, 0, sizeof(krb5_ticket));
tkt->server = sprinc; tkt->server = sprinc;
tkt->enc_part.enctype = enctype; tkt->enc_part.enctype = enctype;
auto ctd = static_cast<char*>(zeek::util::safe_malloc(ciphertext->Len())); auto ctd = static_cast<char*>(util::safe_malloc(ciphertext->Len()));
memcpy(ctd, ciphertext->Bytes(), ciphertext->Len()); memcpy(ctd, ciphertext->Bytes(), ciphertext->Len());
tkt->enc_part.ciphertext.data = ctd; tkt->enc_part.ciphertext.data = ctd;
tkt->enc_part.ciphertext.length = ciphertext->Len(); tkt->enc_part.ciphertext.length = ciphertext->Len();
@ -147,7 +147,7 @@ zeek::StringValPtr KRB_Analyzer::GetAuthenticationInfo(const zeek::String* princ
return nullptr; return nullptr;
} }
auto ret = zeek::make_intrusive<zeek::StringVal>(cp); auto ret = make_intrusive<StringVal>(cp);
krb5_free_unparsed_name(krb_context, cp); krb5_free_unparsed_name(krb_context, cp);
krb5_free_ticket(krb_context, tkt); krb5_free_ticket(krb_context, tkt);

12
src/analyzer/protocol/krb/KRB.h
View file

@ -12,21 +12,21 @@
namespace zeek::analyzer::krb { namespace zeek::analyzer::krb {
class KRB_Analyzer final : public zeek::analyzer::Analyzer { class KRB_Analyzer final : public analyzer::Analyzer {
public: public:
explicit KRB_Analyzer(zeek::Connection* conn); explicit KRB_Analyzer(Connection* conn);
virtual ~KRB_Analyzer(); virtual ~KRB_Analyzer();
virtual void Done(); virtual void Done();
virtual void DeliverPacket(int len, const u_char* data, bool orig, virtual void DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const zeek::IP_Hdr* ip, int caplen); uint64_t seq, const IP_Hdr* ip, int caplen);
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new KRB_Analyzer(conn); } { return new KRB_Analyzer(conn); }
zeek::StringValPtr GetAuthenticationInfo(const zeek::String* principal, StringValPtr GetAuthenticationInfo(const String* principal,
const zeek::String* ciphertext, const String* ciphertext,
const bro_uint_t enctype); const bro_uint_t enctype);
protected: protected:

14
src/analyzer/protocol/krb/KRB_TCP.cc
View file

@ -7,8 +7,8 @@
namespace zeek::analyzer::krb_tcp { namespace zeek::analyzer::krb_tcp {
KRB_Analyzer::KRB_Analyzer(zeek::Connection* conn) KRB_Analyzer::KRB_Analyzer(Connection* conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("KRB_TCP", conn) : analyzer::tcp::TCP_ApplicationAnalyzer("KRB_TCP", conn)
{ {
interp = new binpac::KRB_TCP::KRB_Conn(this); interp = new binpac::KRB_TCP::KRB_Conn(this);
had_gap = false; had_gap = false;
@ -21,7 +21,7 @@ KRB_Analyzer::~KRB_Analyzer()
void KRB_Analyzer::Done() void KRB_Analyzer::Done()
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); analyzer::tcp::TCP_ApplicationAnalyzer::Done();
interp->FlowEOF(true); interp->FlowEOF(true);
interp->FlowEOF(false); interp->FlowEOF(false);
@ -29,13 +29,13 @@ void KRB_Analyzer::Done()
void KRB_Analyzer::EndpointEOF(bool is_orig) void KRB_Analyzer::EndpointEOF(bool is_orig)
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
interp->FlowEOF(is_orig); interp->FlowEOF(is_orig);
} }
void KRB_Analyzer::DeliverStream(int len, const u_char* data, bool orig) void KRB_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
assert(TCP()); assert(TCP());
if ( TCP()->IsPartial() ) if ( TCP()->IsPartial() )
@ -53,13 +53,13 @@ void KRB_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
} }
catch ( const binpac::Exception& e ) catch ( const binpac::Exception& e )
{ {
ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg())); ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
} }
} }
void KRB_Analyzer::Undelivered(uint64_t seq, int len, bool orig) void KRB_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
had_gap = true; had_gap = true;
interp->NewGap(orig, len); interp->NewGap(orig, len);
} }

14
src/analyzer/protocol/krb/KRB_TCP.h
View file

@ -8,25 +8,25 @@
namespace zeek::analyzer::krb_tcp { namespace zeek::analyzer::krb_tcp {
class KRB_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { class KRB_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer {
public: public:
explicit KRB_Analyzer(zeek::Connection* conn); explicit KRB_Analyzer(Connection* conn);
~KRB_Analyzer() override; ~KRB_Analyzer() override;
void Done() override; void Done() override;
void DeliverStream(int len, const u_char* data, bool orig) override; void DeliverStream(int len, const u_char* data, bool orig) override;
void Undelivered(uint64_t seq, int len, bool orig) override; void Undelivered(uint64_t seq, int len, bool orig) override;
// Overriden from zeek::analyzer::tcp::TCP_ApplicationAnalyzer. // Overriden from analyzer::tcp::TCP_ApplicationAnalyzer.
void EndpointEOF(bool is_orig) override; void EndpointEOF(bool is_orig) override;
zeek::StringValPtr GetAuthenticationInfo(const zeek::String* principal, StringValPtr GetAuthenticationInfo(const String* principal,
const zeek::String* ciphertext, const String* ciphertext,
const bro_uint_t enctype) const bro_uint_t enctype)
{ return zeek::val_mgr->EmptyString(); } { return val_mgr->EmptyString(); }
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new KRB_Analyzer(conn); } { return new KRB_Analyzer(conn); }
protected: protected:

114
src/analyzer/protocol/login/Login.cc
View file

@ -17,18 +17,18 @@
namespace zeek::analyzer::login { namespace zeek::analyzer::login {
static zeek::RE_Matcher* re_skip_authentication = nullptr; static RE_Matcher* re_skip_authentication = nullptr;
static zeek::RE_Matcher* re_direct_login_prompts; static RE_Matcher* re_direct_login_prompts;
static zeek::RE_Matcher* re_login_prompts; static RE_Matcher* re_login_prompts;
static zeek::RE_Matcher* re_login_non_failure_msgs; static RE_Matcher* re_login_non_failure_msgs;
static zeek::RE_Matcher* re_login_failure_msgs; static RE_Matcher* re_login_failure_msgs;
static zeek::RE_Matcher* re_login_success_msgs; static RE_Matcher* re_login_success_msgs;
static zeek::RE_Matcher* re_login_timeouts; static RE_Matcher* re_login_timeouts;
static zeek::RE_Matcher* init_RE(zeek::ListVal* l); static RE_Matcher* init_RE(ListVal* l);
Login_Analyzer::Login_Analyzer(const char* name, zeek::Connection* conn) Login_Analyzer::Login_Analyzer(const char* name, Connection* conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer(name, conn), user_text() : analyzer::tcp::TCP_ApplicationAnalyzer(name, conn), user_text()
{ {
state = LOGIN_STATE_AUTHENTICATE; state = LOGIN_STATE_AUTHENTICATE;
num_user_lines_seen = lines_scanned = 0; num_user_lines_seen = lines_scanned = 0;
@ -45,13 +45,13 @@ Login_Analyzer::Login_Analyzer(const char* name, zeek::Connection* conn)
if ( ! re_skip_authentication ) if ( ! re_skip_authentication )
{ {
zeek::ListValPtr skip_authentication = zeek::id::find_val("skip_authentication")->AsTableVal()->ToPureListVal(); ListValPtr skip_authentication = id::find_val("skip_authentication")->AsTableVal()->ToPureListVal();
zeek::ListValPtr direct_login_prompts = zeek::id::find_val("direct_login_prompts")->AsTableVal()->ToPureListVal(); ListValPtr direct_login_prompts = id::find_val("direct_login_prompts")->AsTableVal()->ToPureListVal();
zeek::ListValPtr login_prompts = zeek::id::find_val("login_prompts")->AsTableVal()->ToPureListVal(); ListValPtr login_prompts = id::find_val("login_prompts")->AsTableVal()->ToPureListVal();
zeek::ListValPtr login_non_failure_msgs = zeek::id::find_val("login_non_failure_msgs")->AsTableVal()->ToPureListVal(); ListValPtr login_non_failure_msgs = id::find_val("login_non_failure_msgs")->AsTableVal()->ToPureListVal();
zeek::ListValPtr login_failure_msgs = zeek::id::find_val("login_failure_msgs")->AsTableVal()->ToPureListVal(); ListValPtr login_failure_msgs = id::find_val("login_failure_msgs")->AsTableVal()->ToPureListVal();
zeek::ListValPtr login_success_msgs = zeek::id::find_val("login_success_msgs")->AsTableVal()->ToPureListVal(); ListValPtr login_success_msgs = id::find_val("login_success_msgs")->AsTableVal()->ToPureListVal();
zeek::ListValPtr login_timeouts = zeek::id::find_val("login_timeouts")->AsTableVal()->ToPureListVal(); ListValPtr login_timeouts = id::find_val("login_timeouts")->AsTableVal()->ToPureListVal();
#ifdef USE_PERFTOOLS_DEBUG #ifdef USE_PERFTOOLS_DEBUG
HeapLeakChecker::Disabler disabler; HeapLeakChecker::Disabler disabler;
@ -80,7 +80,7 @@ Login_Analyzer::~Login_Analyzer()
void Login_Analyzer::DeliverStream(int length, const u_char* line, bool orig) void Login_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(length, line, orig); analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(length, line, orig);
char* str = new char[length+1]; char* str = new char[length+1];
@ -91,7 +91,7 @@ void Login_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
str[j++] = line[i]; str[j++] = line[i];
else else
{ {
if ( Conn()->FlagEvent(zeek::NUL_IN_LINE) ) if ( Conn()->FlagEvent(NUL_IN_LINE) )
Weird("NUL_in_line"); Weird("NUL_in_line");
} }
@ -117,8 +117,8 @@ void Login_Analyzer::NewLine(bool orig, char* line)
if ( state == LOGIN_STATE_AUTHENTICATE ) if ( state == LOGIN_STATE_AUTHENTICATE )
{ {
if ( TCP()->OrigState() == zeek::analyzer::tcp::TCP_ENDPOINT_PARTIAL || if ( TCP()->OrigState() == analyzer::tcp::TCP_ENDPOINT_PARTIAL ||
TCP()->RespState() == zeek::analyzer::tcp::TCP_ENDPOINT_PARTIAL ) TCP()->RespState() == analyzer::tcp::TCP_ENDPOINT_PARTIAL )
state = LOGIN_STATE_CONFUSED; // unknown login state state = LOGIN_STATE_CONFUSED; // unknown login state
else else
{ {
@ -129,7 +129,7 @@ void Login_Analyzer::NewLine(bool orig, char* line)
if ( state != LOGIN_STATE_CONFUSED ) if ( state != LOGIN_STATE_CONFUSED )
{ {
zeek::reporter->AnalyzerError( reporter->AnalyzerError(
this, "bad state in Login_Analyzer::NewLine"); this, "bad state in Login_Analyzer::NewLine");
return; return;
} }
@ -323,38 +323,38 @@ void Login_Analyzer::SetEnv(bool orig, char* name, char* val)
else else
{ {
if ( zeek::util::streq(name, "USER") ) if ( util::streq(name, "USER") )
{ {
if ( username ) if ( username )
{ {
const zeek::String* u = username->AsString(); const String* u = username->AsString();
const zeek::byte_vec ub = u->Bytes(); const byte_vec ub = u->Bytes();
const char* us = (const char*) ub; const char* us = (const char*) ub;
if ( ! zeek::util::streq(val, us) ) if ( ! util::streq(val, us) )
Confused("multiple_USERs", val); Confused("multiple_USERs", val);
Unref(username); Unref(username);
} }
// "val" gets copied here. // "val" gets copied here.
username = new zeek::StringVal(val); username = new StringVal(val);
} }
else if ( login_terminal && zeek::util::streq(name, "TERM") ) else if ( login_terminal && util::streq(name, "TERM") )
EnqueueConnEvent(login_terminal, EnqueueConnEvent(login_terminal,
ConnVal(), ConnVal(),
zeek::make_intrusive<zeek::StringVal>(val) make_intrusive<StringVal>(val)
); );
else if ( login_display && zeek::util::streq(name, "DISPLAY") ) else if ( login_display && util::streq(name, "DISPLAY") )
EnqueueConnEvent(login_display, EnqueueConnEvent(login_display,
ConnVal(), ConnVal(),
zeek::make_intrusive<zeek::StringVal>(val) make_intrusive<StringVal>(val)
); );
else if ( login_prompt && zeek::util::streq(name, "TTYPROMPT") ) else if ( login_prompt && util::streq(name, "TTYPROMPT") )
EnqueueConnEvent(login_prompt, EnqueueConnEvent(login_prompt,
ConnVal(), ConnVal(),
zeek::make_intrusive<zeek::StringVal>(val) make_intrusive<StringVal>(val)
); );
} }
@ -364,7 +364,7 @@ void Login_Analyzer::SetEnv(bool orig, char* name, char* val)
void Login_Analyzer::EndpointEOF(bool orig) void Login_Analyzer::EndpointEOF(bool orig)
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(orig); analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(orig);
if ( state == LOGIN_STATE_AUTHENTICATE && HaveTypeahead() ) if ( state == LOGIN_STATE_AUTHENTICATE && HaveTypeahead() )
{ {
@ -373,7 +373,7 @@ void Login_Analyzer::EndpointEOF(bool orig)
} }
} }
void Login_Analyzer::LoginEvent(zeek::EventHandlerPtr f, const char* line, void Login_Analyzer::LoginEvent(EventHandlerPtr f, const char* line,
bool no_user_okay) bool no_user_okay)
{ {
if ( ! f ) if ( ! f )
@ -389,7 +389,7 @@ void Login_Analyzer::LoginEvent(zeek::EventHandlerPtr f, const char* line,
if ( no_user_okay ) if ( no_user_okay )
{ {
Unref(username); Unref(username);
username = new zeek::StringVal("<none>"); username = new StringVal("<none>");
} }
else else
@ -414,7 +414,7 @@ void Login_Analyzer::LoginEvent(zeek::EventHandlerPtr f, const char* line,
if ( no_user_okay ) if ( no_user_okay )
{ {
Unref(username); Unref(username);
username = new zeek::StringVal("<none>"); username = new StringVal("<none>");
} }
else else
@ -425,16 +425,16 @@ void Login_Analyzer::LoginEvent(zeek::EventHandlerPtr f, const char* line,
} }
} }
zeek::Val* password = HaveTypeahead() ? Val* password = HaveTypeahead() ?
PopUserTextVal() : new zeek::StringVal("<none>"); PopUserTextVal() : new StringVal("<none>");
EnqueueConnEvent(f, EnqueueConnEvent(f,
ConnVal(), ConnVal(),
zeek::IntrusivePtr{zeek::NewRef{}, username}, IntrusivePtr{NewRef{}, username},
client_name ? zeek::IntrusivePtr{zeek::NewRef{}, client_name} client_name ? IntrusivePtr{NewRef{}, client_name}
: zeek::val_mgr->EmptyString(), : val_mgr->EmptyString(),
zeek::IntrusivePtr{zeek::AdoptRef{}, password}, IntrusivePtr{AdoptRef{}, password},
zeek::make_intrusive<zeek::StringVal>(line) make_intrusive<StringVal>(line)
); );
} }
@ -446,14 +446,14 @@ const char* Login_Analyzer::GetUsername(const char* line) const
return line; return line;
} }
void Login_Analyzer::LineEvent(zeek::EventHandlerPtr f, const char* line) void Login_Analyzer::LineEvent(EventHandlerPtr f, const char* line)
{ {
if ( ! f ) if ( ! f )
return; return;
EnqueueConnEvent(f, EnqueueConnEvent(f,
ConnVal(), ConnVal(),
zeek::make_intrusive<zeek::StringVal>(line) make_intrusive<StringVal>(line)
); );
} }
@ -465,8 +465,8 @@ void Login_Analyzer::Confused(const char* msg, const char* line)
if ( login_confused ) if ( login_confused )
EnqueueConnEvent(login_confused, EnqueueConnEvent(login_confused,
ConnVal(), ConnVal(),
zeek::make_intrusive<zeek::StringVal>(msg), make_intrusive<StringVal>(msg),
zeek::make_intrusive<zeek::StringVal>(line) make_intrusive<StringVal>(line)
); );
if ( login_confused_text ) if ( login_confused_text )
@ -489,7 +489,7 @@ void Login_Analyzer::ConfusionText(const char* line)
if ( login_confused_text ) if ( login_confused_text )
EnqueueConnEvent(login_confused_text, EnqueueConnEvent(login_confused_text,
ConnVal(), ConnVal(),
zeek::make_intrusive<zeek::StringVal>(line) make_intrusive<StringVal>(line)
); );
} }
@ -562,7 +562,7 @@ void Login_Analyzer::AddUserText(const char* line)
if ( ++user_text_last == MAX_USER_TEXT ) if ( ++user_text_last == MAX_USER_TEXT )
user_text_last = 0; user_text_last = 0;
user_text[user_text_last] = zeek::util::copy_string(line); user_text[user_text_last] = util::copy_string(line);
++num_user_text; ++num_user_text;
} }
@ -572,7 +572,7 @@ char* Login_Analyzer::PeekUserText()
{ {
if ( num_user_text <= 0 ) if ( num_user_text <= 0 )
{ {
zeek::reporter->AnalyzerError( reporter->AnalyzerError(
this, "underflow in Login_Analyzer::PeekUserText()"); this, "underflow in Login_Analyzer::PeekUserText()");
return nullptr; return nullptr;
} }
@ -595,14 +595,14 @@ char* Login_Analyzer::PopUserText()
return s; return s;
} }
zeek::Val* Login_Analyzer::PopUserTextVal() Val* Login_Analyzer::PopUserTextVal()
{ {
char* s = PopUserText(); char* s = PopUserText();
if ( s ) if ( s )
return new zeek::StringVal(new zeek::String(true, zeek::byte_vec(s), strlen(s))); return new StringVal(new String(true, byte_vec(s), strlen(s)));
else else
return zeek::val_mgr->EmptyString()->Ref(); return val_mgr->EmptyString()->Ref();
} }
bool Login_Analyzer::MatchesTypeahead(const char* line) const bool Login_Analyzer::MatchesTypeahead(const char* line) const
@ -612,7 +612,7 @@ bool Login_Analyzer::MatchesTypeahead(const char* line) const
if ( i == MAX_USER_TEXT ) if ( i == MAX_USER_TEXT )
i = 0; i = 0;
if ( zeek::util::streq(user_text[i], line) ) if ( util::streq(user_text[i], line) )
return true; return true;
} }
@ -625,9 +625,9 @@ void Login_Analyzer::FlushEmptyTypeahead()
delete [] PopUserText(); delete [] PopUserText();
} }
zeek::RE_Matcher* init_RE(zeek::ListVal* l) RE_Matcher* init_RE(ListVal* l)
{ {
zeek::RE_Matcher* re = l->BuildRE(); RE_Matcher* re = l->BuildRE();
if ( re ) if ( re )
re->Compile(); re->Compile();

14
src/analyzer/protocol/login/Login.h
View file

@ -19,9 +19,9 @@ enum login_state {
// Maximum # lines look after login for failure. // Maximum # lines look after login for failure.
#define MAX_LOGIN_LOOKAHEAD 10 #define MAX_LOGIN_LOOKAHEAD 10
class Login_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { class Login_Analyzer : public analyzer::tcp::TCP_ApplicationAnalyzer {
public: public:
Login_Analyzer(const char* name, zeek::Connection* conn); Login_Analyzer(const char* name, Connection* conn);
~Login_Analyzer() override; ~Login_Analyzer() override;
void DeliverStream(int len, const u_char* data, bool orig) override; void DeliverStream(int len, const u_char* data, bool orig) override;
@ -37,9 +37,9 @@ protected:
void NewLine(bool orig, char* line); void NewLine(bool orig, char* line);
void AuthenticationDialog(bool orig, char* line); void AuthenticationDialog(bool orig, char* line);
void LoginEvent(zeek::EventHandlerPtr f, const char* line, bool no_user_okay=false); void LoginEvent(EventHandlerPtr f, const char* line, bool no_user_okay=false);
const char* GetUsername(const char* line) const; const char* GetUsername(const char* line) const;
void LineEvent(zeek::EventHandlerPtr f, const char* line); void LineEvent(EventHandlerPtr f, const char* line);
void Confused(const char* msg, const char* addl); void Confused(const char* msg, const char* addl);
void ConfusionText(const char* line); void ConfusionText(const char* line);
@ -55,7 +55,7 @@ protected:
void AddUserText(const char* line); // complains on overflow void AddUserText(const char* line); // complains on overflow
char* PeekUserText(); // internal warning on underflow char* PeekUserText(); // internal warning on underflow
char* PopUserText(); // internal warning on underflow char* PopUserText(); // internal warning on underflow
zeek::Val* PopUserTextVal(); Val* PopUserTextVal();
bool MatchesTypeahead(const char* line) const; bool MatchesTypeahead(const char* line) const;
bool HaveTypeahead() const { return num_user_text > 0; } bool HaveTypeahead() const { return num_user_text > 0; }
@ -68,8 +68,8 @@ protected:
int user_text_first, user_text_last; // indices into user_text int user_text_first, user_text_last; // indices into user_text
int num_user_text; // number of entries in user_text int num_user_text; // number of entries in user_text
zeek::Val* username; // last username reported Val* username; // last username reported
zeek::Val* client_name; // rlogin client name (or nil if none) Val* client_name; // rlogin client name (or nil if none)
login_state state; login_state state;
int lines_scanned; int lines_scanned;

22
src/analyzer/protocol/login/NVT.cc
View file

@ -44,7 +44,7 @@ void TelnetOption::RecvOption(unsigned int type)
if ( ! peer ) if ( ! peer )
{ {
zeek::reporter->AnalyzerError( reporter->AnalyzerError(
endp, "option peer missing in TelnetOption::RecvOption"); endp, "option peer missing in TelnetOption::RecvOption");
return; return;
} }
@ -92,7 +92,7 @@ void TelnetOption::RecvOption(unsigned int type)
break; break;
default: default:
zeek::reporter->AnalyzerError( reporter->AnalyzerError(
endp, "bad option type in TelnetOption::RecvOption"); endp, "bad option type in TelnetOption::RecvOption");
return; return;
} }
@ -176,7 +176,7 @@ void TelnetEncryptOption::RecvSubOption(u_char* data, int len)
if ( ! peer ) if ( ! peer )
{ {
zeek::reporter->AnalyzerError( reporter->AnalyzerError(
endp, "option peer missing in TelnetEncryptOption::RecvSubOption"); endp, "option peer missing in TelnetEncryptOption::RecvSubOption");
return; return;
} }
@ -216,7 +216,7 @@ void TelnetAuthenticateOption::RecvSubOption(u_char* data, int len)
if ( ! peer ) if ( ! peer )
{ {
zeek::reporter->AnalyzerError( reporter->AnalyzerError(
endp, "option peer missing in TelnetAuthenticateOption::RecvSubOption"); endp, "option peer missing in TelnetAuthenticateOption::RecvSubOption");
return; return;
} }
@ -251,7 +251,7 @@ void TelnetAuthenticateOption::RecvSubOption(u_char* data, int len)
case AUTHENTICATION_NAME: case AUTHENTICATION_NAME:
{ {
char* auth_name = new char[len]; char* auth_name = new char[len];
zeek::util::safe_strncpy(auth_name, (char*) data + 1, len); util::safe_strncpy(auth_name, (char*) data + 1, len);
endp->SetAuthName(auth_name); endp->SetAuthName(auth_name);
} }
break; break;
@ -309,7 +309,7 @@ void TelnetEnvironmentOption::RecvSubOption(u_char* data, int len)
break; break;
} }
static_cast<zeek::analyzer::tcp::TCP_ApplicationAnalyzer*> static_cast<analyzer::tcp::TCP_ApplicationAnalyzer*>
(endp->Parent())->SetEnv(endp->IsOrig(), (endp->Parent())->SetEnv(endp->IsOrig(),
var_name, var_val); var_name, var_val);
} }
@ -382,8 +382,8 @@ void TelnetBinaryOption::InconsistentOption(unsigned int /* type */)
} // namespace detail } // namespace detail
NVT_Analyzer::NVT_Analyzer(zeek::Connection* conn, bool orig) NVT_Analyzer::NVT_Analyzer(Connection* conn, bool orig)
: zeek::analyzer::tcp::ContentLine_Analyzer("NVT", conn, orig), options() : analyzer::tcp::ContentLine_Analyzer("NVT", conn, orig), options()
{ {
} }
@ -463,7 +463,7 @@ void NVT_Analyzer::SetTerminal(const u_char* terminal, int len)
if ( login_terminal ) if ( login_terminal )
EnqueueConnEvent(login_terminal, EnqueueConnEvent(login_terminal,
ConnVal(), ConnVal(),
zeek::make_intrusive<zeek::StringVal>(new zeek::String(terminal, len, false)) make_intrusive<StringVal>(new String(terminal, len, false))
); );
} }
@ -538,7 +538,7 @@ void NVT_Analyzer::DeliverChunk(int& len, const u_char*& data)
else else
{ {
if ( Conn()->FlagEvent(zeek::SINGULAR_LF) ) if ( Conn()->FlagEvent(SINGULAR_LF) )
Conn()->Weird("line_terminated_with_single_LF"); Conn()->Weird("line_terminated_with_single_LF");
buf[offset++] = c; buf[offset++] = c;
} }
@ -576,7 +576,7 @@ void NVT_Analyzer::DeliverChunk(int& len, const u_char*& data)
if ( ! (CRLFAsEOL() & CR_as_EOL) && if ( ! (CRLFAsEOL() & CR_as_EOL) &&
last_char == '\r' && c != '\n' && c != '\0' ) last_char == '\r' && c != '\n' && c != '\0' )
{ {
if ( Conn()->FlagEvent(zeek::SINGULAR_CR) ) if ( Conn()->FlagEvent(SINGULAR_CR) )
Weird("line_terminated_with_single_CR"); Weird("line_terminated_with_single_CR");
} }

4
src/analyzer/protocol/login/NVT.h
View file

@ -126,9 +126,9 @@ protected:
} // namespace detail } // namespace detail
class NVT_Analyzer final : public zeek::analyzer::tcp::ContentLine_Analyzer { class NVT_Analyzer final : public analyzer::tcp::ContentLine_Analyzer {
public: public:
NVT_Analyzer(zeek::Connection* conn, bool orig); NVT_Analyzer(Connection* conn, bool orig);
~NVT_Analyzer() override; ~NVT_Analyzer() override;
TelnetOption* FindOption(unsigned int code); TelnetOption* FindOption(unsigned int code);

41
src/analyzer/protocol/login/RSH.cc
View file

@ -13,9 +13,9 @@ namespace zeek::analyzer::login {
// FIXME: this code should probably be merged with Rlogin.cc. // FIXME: this code should probably be merged with Rlogin.cc.
Contents_Rsh_Analyzer::Contents_Rsh_Analyzer(zeek::Connection* conn, bool orig, Contents_Rsh_Analyzer::Contents_Rsh_Analyzer(Connection* conn, bool orig,
Rsh_Analyzer* arg_analyzer) Rsh_Analyzer* arg_analyzer)
: zeek::analyzer::tcp::ContentLine_Analyzer("CONTENTS_RSH", conn, orig) : analyzer::tcp::ContentLine_Analyzer("CONTENTS_RSH", conn, orig)
{ {
num_bytes_to_scan = 0; num_bytes_to_scan = 0;
analyzer = arg_analyzer; analyzer = arg_analyzer;
@ -35,7 +35,7 @@ Contents_Rsh_Analyzer::~Contents_Rsh_Analyzer()
void Contents_Rsh_Analyzer::DoDeliver(int len, const u_char* data) void Contents_Rsh_Analyzer::DoDeliver(int len, const u_char* data)
{ {
zeek::analyzer::tcp::TCP_Analyzer* tcp = static_cast<zeek::analyzer::tcp::TCP_ApplicationAnalyzer*>(Parent())->TCP(); analyzer::tcp::TCP_Analyzer* tcp = static_cast<analyzer::tcp::TCP_ApplicationAnalyzer*>(Parent())->TCP();
assert(tcp); assert(tcp);
int endp_state = IsOrig() ? tcp->OrigState() : tcp->RespState(); int endp_state = IsOrig() ? tcp->OrigState() : tcp->RespState();
@ -49,10 +49,10 @@ void Contents_Rsh_Analyzer::DoDeliver(int len, const u_char* data)
switch ( state ) { switch ( state ) {
case RSH_FIRST_NULL: case RSH_FIRST_NULL:
if ( endp_state == zeek::analyzer::tcp::TCP_ENDPOINT_PARTIAL || if ( endp_state == analyzer::tcp::TCP_ENDPOINT_PARTIAL ||
// We can be in closed if the data's due to // We can be in closed if the data's due to
// a dataful FIN being the first thing we see. // a dataful FIN being the first thing we see.
endp_state == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED ) endp_state == analyzer::tcp::TCP_ENDPOINT_CLOSED )
{ {
state = RSH_UNKNOWN; state = RSH_UNKNOWN;
++len, --data; // put back c and reprocess ++len, --data; // put back c and reprocess
@ -131,7 +131,7 @@ void Contents_Rsh_Analyzer::DoDeliver(int len, const u_char* data)
break; break;
default: default:
zeek::reporter->AnalyzerError( reporter->AnalyzerError(
this, "bad state in Contents_Rsh_Analyzer::DoDeliver"); this, "bad state in Contents_Rsh_Analyzer::DoDeliver");
break; break;
} }
@ -144,7 +144,7 @@ void Contents_Rsh_Analyzer::BadProlog()
state = RSH_UNKNOWN; state = RSH_UNKNOWN;
} }
Rsh_Analyzer::Rsh_Analyzer(zeek::Connection* conn) Rsh_Analyzer::Rsh_Analyzer(Connection* conn)
: Login_Analyzer("RSH", conn) : Login_Analyzer("RSH", conn)
{ {
contents_orig = new Contents_Rsh_Analyzer(conn, true, this); contents_orig = new Contents_Rsh_Analyzer(conn, true, this);
@ -168,31 +168,31 @@ void Rsh_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
return; return;
} }
zeek::Args vl; Args vl;
vl.reserve(4 + orig); vl.reserve(4 + orig);
const char* line = (const char*) data; const char* line = (const char*) data;
line = zeek::util::skip_whitespace(line); line = util::skip_whitespace(line);
vl.emplace_back(ConnVal()); vl.emplace_back(ConnVal());
if ( client_name ) if ( client_name )
vl.emplace_back(zeek::NewRef{}, client_name); vl.emplace_back(NewRef{}, client_name);
else else
vl.emplace_back(zeek::make_intrusive<zeek::StringVal>("<none>")); vl.emplace_back(make_intrusive<StringVal>("<none>"));
if ( username ) if ( username )
vl.emplace_back(zeek::NewRef{}, username); vl.emplace_back(NewRef{}, username);
else else
vl.emplace_back(zeek::make_intrusive<zeek::StringVal>("<none>")); vl.emplace_back(make_intrusive<StringVal>("<none>"));
vl.emplace_back(zeek::make_intrusive<zeek::StringVal>(line)); vl.emplace_back(make_intrusive<StringVal>(line));
if ( orig ) if ( orig )
{ {
if ( contents_orig->RshSaveState() == RSH_SERVER_USER_NAME ) if ( contents_orig->RshSaveState() == RSH_SERVER_USER_NAME )
// First input // First input
vl.emplace_back(zeek::val_mgr->True()); vl.emplace_back(val_mgr->True());
else else
vl.emplace_back(zeek::val_mgr->False()); vl.emplace_back(val_mgr->False());
EnqueueConnEvent(rsh_request, std::move(vl)); EnqueueConnEvent(rsh_request, std::move(vl));
} }
@ -205,23 +205,22 @@ void Rsh_Analyzer::ClientUserName(const char* s)
{ {
if ( client_name ) if ( client_name )
{ {
zeek::reporter->AnalyzerError(this, "multiple rsh client names"); reporter->AnalyzerError(this, "multiple rsh client names");
return; return;
} }
client_name = new zeek::StringVal(s); client_name = new StringVal(s);
} }
void Rsh_Analyzer::ServerUserName(const char* s) void Rsh_Analyzer::ServerUserName(const char* s)
{ {
if ( username ) if ( username )
{ {
zeek::reporter->AnalyzerError(this, reporter->AnalyzerError(this, "multiple rsh initial client names");
"multiple rsh initial client names");
return; return;
} }
username = new zeek::StringVal(s); username = new StringVal(s);
} }
} // namespace zeek::analyzer::login } // namespace zeek::analyzer::login

8
src/analyzer/protocol/login/RSH.h
View file

@ -22,9 +22,9 @@ enum rsh_state {
RSH_UNKNOWN, // we don't know what state we're in RSH_UNKNOWN, // we don't know what state we're in
}; };
class Contents_Rsh_Analyzer final : public zeek::analyzer::tcp::ContentLine_Analyzer { class Contents_Rsh_Analyzer final : public analyzer::tcp::ContentLine_Analyzer {
public: public:
Contents_Rsh_Analyzer(zeek::Connection* conn, bool orig, Rsh_Analyzer* analyzer); Contents_Rsh_Analyzer(Connection* conn, bool orig, Rsh_Analyzer* analyzer);
~Contents_Rsh_Analyzer() override; ~Contents_Rsh_Analyzer() override;
rsh_state RshSaveState() const { return save_state; } rsh_state RshSaveState() const { return save_state; }
@ -41,14 +41,14 @@ protected:
class Rsh_Analyzer final : public Login_Analyzer { class Rsh_Analyzer final : public Login_Analyzer {
public: public:
explicit Rsh_Analyzer(zeek::Connection* conn); explicit Rsh_Analyzer(Connection* conn);
void DeliverStream(int len, const u_char* data, bool orig) override; void DeliverStream(int len, const u_char* data, bool orig) override;
void ClientUserName(const char* s); void ClientUserName(const char* s);
void ServerUserName(const char* s); void ServerUserName(const char* s);
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new Rsh_Analyzer(conn); } { return new Rsh_Analyzer(conn); }
Contents_Rsh_Analyzer* contents_orig; Contents_Rsh_Analyzer* contents_orig;

24
src/analyzer/protocol/login/Rlogin.cc
View file

@ -11,8 +11,8 @@
namespace zeek::analyzer::login { namespace zeek::analyzer::login {
Contents_Rlogin_Analyzer::Contents_Rlogin_Analyzer(zeek::Connection* conn, bool orig, Rlogin_Analyzer* arg_analyzer) Contents_Rlogin_Analyzer::Contents_Rlogin_Analyzer(Connection* conn, bool orig, Rlogin_Analyzer* arg_analyzer)
: zeek::analyzer::tcp::ContentLine_Analyzer("CONTENTLINE", conn, orig) : analyzer::tcp::ContentLine_Analyzer("CONTENTLINE", conn, orig)
{ {
num_bytes_to_scan = 0; num_bytes_to_scan = 0;
analyzer = arg_analyzer; analyzer = arg_analyzer;
@ -30,7 +30,7 @@ Contents_Rlogin_Analyzer::~Contents_Rlogin_Analyzer()
void Contents_Rlogin_Analyzer::DoDeliver(int len, const u_char* data) void Contents_Rlogin_Analyzer::DoDeliver(int len, const u_char* data)
{ {
auto* tcp = static_cast<zeek::analyzer::tcp::TCP_ApplicationAnalyzer*>(Parent())->TCP(); auto* tcp = static_cast<analyzer::tcp::TCP_ApplicationAnalyzer*>(Parent())->TCP();
assert(tcp); assert(tcp);
int endp_state = IsOrig() ? tcp->OrigState() : tcp->RespState(); int endp_state = IsOrig() ? tcp->OrigState() : tcp->RespState();
@ -44,10 +44,10 @@ void Contents_Rlogin_Analyzer::DoDeliver(int len, const u_char* data)
switch ( state ) { switch ( state ) {
case RLOGIN_FIRST_NULL: case RLOGIN_FIRST_NULL:
if ( endp_state == zeek::analyzer::tcp::TCP_ENDPOINT_PARTIAL || if ( endp_state == analyzer::tcp::TCP_ENDPOINT_PARTIAL ||
// We can be in closed if the data's due to // We can be in closed if the data's due to
// a dataful FIN being the first thing we see. // a dataful FIN being the first thing we see.
endp_state == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED ) endp_state == analyzer::tcp::TCP_ENDPOINT_CLOSED )
{ {
state = RLOGIN_UNKNOWN; state = RLOGIN_UNKNOWN;
++len, --data; // put back c and reprocess ++len, --data; // put back c and reprocess
@ -89,10 +89,10 @@ void Contents_Rlogin_Analyzer::DoDeliver(int len, const u_char* data)
break; break;
case RLOGIN_SERVER_ACK: case RLOGIN_SERVER_ACK:
if ( endp_state == zeek::analyzer::tcp::TCP_ENDPOINT_PARTIAL || if ( endp_state == analyzer::tcp::TCP_ENDPOINT_PARTIAL ||
// We can be in closed if the data's due to // We can be in closed if the data's due to
// a dataful FIN being the first thing we see. // a dataful FIN being the first thing we see.
endp_state == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED ) endp_state == analyzer::tcp::TCP_ENDPOINT_CLOSED )
{ {
state = RLOGIN_UNKNOWN; state = RLOGIN_UNKNOWN;
++len, --data; // put back c and reprocess ++len, --data; // put back c and reprocess
@ -194,7 +194,7 @@ void Contents_Rlogin_Analyzer::DoDeliver(int len, const u_char* data)
break; break;
default: default:
zeek::reporter->AnalyzerError( reporter->AnalyzerError(
this, "bad state in Contents_Rlogin_Analyzer::DoDeliver"); this, "bad state in Contents_Rlogin_Analyzer::DoDeliver");
break; break;
} }
@ -208,7 +208,7 @@ void Contents_Rlogin_Analyzer::BadProlog()
} }
Rlogin_Analyzer::Rlogin_Analyzer(zeek::Connection* conn) Rlogin_Analyzer::Rlogin_Analyzer(Connection* conn)
: Login_Analyzer("RLOGIN", conn) : Login_Analyzer("RLOGIN", conn)
{ {
Contents_Rlogin_Analyzer* orig = Contents_Rlogin_Analyzer* orig =
@ -227,11 +227,11 @@ void Rlogin_Analyzer::ClientUserName(const char* s)
{ {
if ( client_name ) if ( client_name )
{ {
zeek::reporter->AnalyzerError(this, "multiple rlogin client names"); reporter->AnalyzerError(this, "multiple rlogin client names");
return; return;
} }
client_name = new zeek::StringVal(s); client_name = new StringVal(s);
} }
void Rlogin_Analyzer::ServerUserName(const char* s) void Rlogin_Analyzer::ServerUserName(const char* s)
@ -246,7 +246,7 @@ void Rlogin_Analyzer::TerminalType(const char* s)
if ( login_terminal ) if ( login_terminal )
EnqueueConnEvent(login_terminal, EnqueueConnEvent(login_terminal,
ConnVal(), ConnVal(),
zeek::make_intrusive<zeek::StringVal>(s) make_intrusive<StringVal>(s)
); );
} }

8
src/analyzer/protocol/login/Rlogin.h
View file

@ -30,9 +30,9 @@ enum rlogin_state {
RLOGIN_UNKNOWN, // we don't know what state we're in RLOGIN_UNKNOWN, // we don't know what state we're in
}; };
class Contents_Rlogin_Analyzer final : public zeek::analyzer::tcp::ContentLine_Analyzer { class Contents_Rlogin_Analyzer final : public analyzer::tcp::ContentLine_Analyzer {
public: public:
Contents_Rlogin_Analyzer(zeek::Connection* conn, bool orig, Contents_Rlogin_Analyzer(Connection* conn, bool orig,
Rlogin_Analyzer* analyzer); Rlogin_Analyzer* analyzer);
~Contents_Rlogin_Analyzer() override; ~Contents_Rlogin_Analyzer() override;
@ -55,13 +55,13 @@ protected:
class Rlogin_Analyzer final : public Login_Analyzer { class Rlogin_Analyzer final : public Login_Analyzer {
public: public:
explicit Rlogin_Analyzer(zeek::Connection* conn); explicit Rlogin_Analyzer(Connection* conn);
void ClientUserName(const char* s); void ClientUserName(const char* s);
void ServerUserName(const char* s); void ServerUserName(const char* s);
void TerminalType(const char* s); void TerminalType(const char* s);
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new Rlogin_Analyzer(conn); } { return new Rlogin_Analyzer(conn); }
}; };

2
src/analyzer/protocol/login/Telnet.cc
View file

@ -9,7 +9,7 @@
namespace zeek::analyzer::login { namespace zeek::analyzer::login {
Telnet_Analyzer::Telnet_Analyzer(zeek::Connection* conn) Telnet_Analyzer::Telnet_Analyzer(Connection* conn)
: Login_Analyzer("TELNET", conn) : Login_Analyzer("TELNET", conn)
{ {
NVT_Analyzer* nvt_orig = new NVT_Analyzer(conn, true); NVT_Analyzer* nvt_orig = new NVT_Analyzer(conn, true);

4
src/analyzer/protocol/login/Telnet.h
View file

@ -8,10 +8,10 @@ namespace zeek::analyzer::login {
class Telnet_Analyzer : public Login_Analyzer { class Telnet_Analyzer : public Login_Analyzer {
public: public:
explicit Telnet_Analyzer(zeek::Connection* conn); explicit Telnet_Analyzer(Connection* conn);
~Telnet_Analyzer() override {} ~Telnet_Analyzer() override {}
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new Telnet_Analyzer(conn); } { return new Telnet_Analyzer(conn); }
}; };

172
src/analyzer/protocol/mime/MIME.cc
View file

@ -21,7 +21,7 @@
namespace zeek::analyzer::mime { namespace zeek::analyzer::mime {
static const zeek::data_chunk_t null_data_chunk = { 0, nullptr }; static const data_chunk_t null_data_chunk = { 0, nullptr };
int mime_header_only = 0; int mime_header_only = 0;
int mime_decode_data = 1; int mime_decode_data = 1;
@ -98,7 +98,7 @@ static const char* MIMEContentEncodingName[] = {
nullptr, nullptr,
}; };
bool is_null_data_chunk(zeek::data_chunk_t b) bool is_null_data_chunk(data_chunk_t b)
{ {
return b.data == nullptr; return b.data == nullptr;
} }
@ -108,39 +108,39 @@ bool is_lws(char ch)
return ch == 9 || ch == 32; return ch == 9 || ch == 32;
} }
zeek::StringVal* new_string_val(int length, const char* data) StringVal* new_string_val(int length, const char* data)
{ return to_string_val(length, data).release(); } { return to_string_val(length, data).release(); }
zeek::StringVal* new_string_val(const char* data, const char* end_of_data) StringVal* new_string_val(const char* data, const char* end_of_data)
{ return to_string_val(data, end_of_data).release(); } { return to_string_val(data, end_of_data).release(); }
zeek::StringVal* new_string_val(const zeek::data_chunk_t buf) StringVal* new_string_val(const data_chunk_t buf)
{ return to_string_val(buf).release(); } { return to_string_val(buf).release(); }
zeek::StringValPtr to_string_val(int length, const char* data) StringValPtr to_string_val(int length, const char* data)
{ {
return zeek::make_intrusive<zeek::StringVal>(length, data); return make_intrusive<StringVal>(length, data);
} }
zeek::StringValPtr to_string_val(const char* data, const char* end_of_data) StringValPtr to_string_val(const char* data, const char* end_of_data)
{ {
return zeek::make_intrusive<zeek::StringVal>(end_of_data - data, data); return make_intrusive<StringVal>(end_of_data - data, data);
} }
zeek::StringValPtr to_string_val(const zeek::data_chunk_t buf) StringValPtr to_string_val(const data_chunk_t buf)
{ {
return to_string_val(buf.length, buf.data); return to_string_val(buf.length, buf.data);
} }
static zeek::data_chunk_t get_data_chunk(zeek::String* s) static data_chunk_t get_data_chunk(String* s)
{ {
zeek::data_chunk_t b; data_chunk_t b;
b.length = s->Len(); b.length = s->Len();
b.data = (const char*) s->Bytes(); b.data = (const char*) s->Bytes();
return b; return b;
} }
int fputs(zeek::data_chunk_t b, FILE* fp) int fputs(data_chunk_t b, FILE* fp)
{ {
for ( int i = 0; i < b.length; ++i ) for ( int i = 0; i < b.length; ++i )
if ( fputc(b.data[i], fp) == EOF ) if ( fputc(b.data[i], fp) == EOF )
@ -150,12 +150,12 @@ int fputs(zeek::data_chunk_t b, FILE* fp)
void MIME_Mail::Undelivered(int len) void MIME_Mail::Undelivered(int len)
{ {
cur_entity_id = zeek::file_mgr->Gap(cur_entity_len, len, cur_entity_id = file_mgr->Gap(cur_entity_len, len,
analyzer->GetAnalyzerTag(), analyzer->Conn(), analyzer->GetAnalyzerTag(), analyzer->Conn(),
is_orig, cur_entity_id); is_orig, cur_entity_id);
} }
bool istrequal(zeek::data_chunk_t s, const char* t) bool istrequal(data_chunk_t s, const char* t)
{ {
int len = strlen(t); int len = strlen(t);
@ -233,7 +233,7 @@ int MIME_skip_lws_comments(int len, const char* data)
return len; return len;
} }
int MIME_get_field_name(int len, const char* data, zeek::data_chunk_t* name) int MIME_get_field_name(int len, const char* data, data_chunk_t* name)
{ {
int i = MIME_skip_lws_comments(len, data); int i = MIME_skip_lws_comments(len, data);
while ( i < len ) while ( i < len )
@ -281,7 +281,7 @@ static bool MIME_is_token_char (char ch, bool is_boundary = false)
// See RFC 2045, page 12. // See RFC 2045, page 12.
// A token is composed of characters that are not SPACE, CTLs or tspecials // A token is composed of characters that are not SPACE, CTLs or tspecials
int MIME_get_token(int len, const char* data, zeek::data_chunk_t* token, int MIME_get_token(int len, const char* data, data_chunk_t* token,
bool is_boundary) bool is_boundary)
{ {
int i = 0; int i = 0;
@ -313,7 +313,7 @@ int MIME_get_token(int len, const char* data, zeek::data_chunk_t* token,
return -1; return -1;
} }
int MIME_get_slash_token_pair(int len, const char* data, zeek::data_chunk_t* first, zeek::data_chunk_t* second) int MIME_get_slash_token_pair(int len, const char* data, data_chunk_t* first, data_chunk_t* second)
{ {
int offset; int offset;
const char* data_start = data; const char* data_start = data;
@ -353,7 +353,7 @@ int MIME_get_slash_token_pair(int len, const char* data, zeek::data_chunk_t* fir
} }
// See RFC 2822, page 13. // See RFC 2822, page 13.
int MIME_get_quoted_string(int len, const char* data, zeek::data_chunk_t* str) int MIME_get_quoted_string(int len, const char* data, data_chunk_t* str)
{ {
int offset = MIME_skip_lws_comments(len, data); int offset = MIME_skip_lws_comments(len, data);
@ -380,7 +380,7 @@ int MIME_get_quoted_string(int len, const char* data, zeek::data_chunk_t* str)
return -1; return -1;
} }
int MIME_get_value(int len, const char* data, zeek::String*& buf, bool is_boundary) int MIME_get_value(int len, const char* data, String*& buf, bool is_boundary)
{ {
int offset = 0; int offset = 0;
@ -392,7 +392,7 @@ int MIME_get_value(int len, const char* data, zeek::String*& buf, bool is_bounda
if ( len > 0 && *data == '"' ) if ( len > 0 && *data == '"' )
{ {
zeek::data_chunk_t str; data_chunk_t str;
int end = MIME_get_quoted_string(len, data, &str); int end = MIME_get_quoted_string(len, data, &str);
if ( end < 0 ) if ( end < 0 )
return -1; return -1;
@ -403,12 +403,12 @@ int MIME_get_value(int len, const char* data, zeek::String*& buf, bool is_bounda
else else
{ {
zeek::data_chunk_t str; data_chunk_t str;
int end = MIME_get_token(len, data, &str, is_boundary); int end = MIME_get_token(len, data, &str, is_boundary);
if ( end < 0 ) if ( end < 0 )
return -1; return -1;
buf = new zeek::String((const u_char*)str.data, str.length, true); buf = new String((const u_char*)str.data, str.length, true);
return offset + end; return offset + end;
} }
} }
@ -416,7 +416,7 @@ int MIME_get_value(int len, const char* data, zeek::String*& buf, bool is_bounda
// Decode each quoted-pair: a '\' followed by a character by the // Decode each quoted-pair: a '\' followed by a character by the
// quoted character. The decoded string is returned. // quoted character. The decoded string is returned.
zeek::String* MIME_decode_quoted_pairs(zeek::data_chunk_t buf) String* MIME_decode_quoted_pairs(data_chunk_t buf)
{ {
const char* data = buf.data; const char* data = buf.data;
char* dest = new char[buf.length+1]; char* dest = new char[buf.length+1];
@ -436,7 +436,7 @@ zeek::String* MIME_decode_quoted_pairs(zeek::data_chunk_t buf)
dest[j++] = data[i]; dest[j++] = data[i];
dest[j] = 0; dest[j] = 0;
return new zeek::String(true, (zeek::byte_vec) dest, j); return new String(true, (byte_vec) dest, j);
} }
MIME_Multiline::MIME_Multiline() MIME_Multiline::MIME_Multiline()
@ -452,10 +452,10 @@ MIME_Multiline::~MIME_Multiline()
void MIME_Multiline::append(int len, const char* data) void MIME_Multiline::append(int len, const char* data)
{ {
buffer.push_back(new zeek::String((const u_char*) data, len, true)); buffer.push_back(new String((const u_char*) data, len, true));
} }
zeek::String* MIME_Multiline::get_concatenated_line() String* MIME_Multiline::get_concatenated_line()
{ {
if ( buffer.empty() ) if ( buffer.empty() )
return nullptr; return nullptr;
@ -472,7 +472,7 @@ MIME_Header::MIME_Header(MIME_Multiline* hl)
lines = hl; lines = hl;
name = value = value_token = rest_value = null_data_chunk; name = value = value_token = rest_value = null_data_chunk;
zeek::String* s = hl->get_concatenated_line(); String* s = hl->get_concatenated_line();
int len = s->Len(); int len = s->Len();
const char* data = (const char*) s->Bytes(); const char* data = (const char*) s->Bytes();
@ -518,7 +518,7 @@ int MIME_Header::get_first_token()
} }
} }
zeek::data_chunk_t MIME_Header::get_value_token() data_chunk_t MIME_Header::get_value_token()
{ {
if ( ! is_null_data_chunk(value_token) ) if ( ! is_null_data_chunk(value_token) )
return value_token; return value_token;
@ -526,7 +526,7 @@ zeek::data_chunk_t MIME_Header::get_value_token()
return value_token; return value_token;
} }
zeek::data_chunk_t MIME_Header::get_value_after_token() data_chunk_t MIME_Header::get_value_after_token()
{ {
if ( ! is_null_data_chunk(rest_value) ) if ( ! is_null_data_chunk(rest_value) )
return rest_value; return rest_value;
@ -555,8 +555,8 @@ void MIME_Entity::init()
need_to_parse_parameters = 0; need_to_parse_parameters = 0;
content_type_str = zeek::make_intrusive<zeek::StringVal>("TEXT"); content_type_str = make_intrusive<StringVal>("TEXT");
content_subtype_str = zeek::make_intrusive<zeek::StringVal>("PLAIN"); content_subtype_str = make_intrusive<StringVal>("PLAIN");
content_encoding_str = nullptr; content_encoding_str = nullptr;
multipart_boundary = nullptr; multipart_boundary = nullptr;
@ -581,7 +581,7 @@ void MIME_Entity::init()
MIME_Entity::~MIME_Entity() MIME_Entity::~MIME_Entity()
{ {
if ( ! end_of_data ) if ( ! end_of_data )
zeek::reporter->AnalyzerError(message ? message->GetAnalyzer() : nullptr, reporter->AnalyzerError(message ? message->GetAnalyzer() : nullptr,
"missing MIME_Entity::EndOfData() before ~MIME_Entity"); "missing MIME_Entity::EndOfData() before ~MIME_Entity");
delete current_header_line; delete current_header_line;
@ -759,7 +759,7 @@ void MIME_Entity::FinishHeader()
delete h; delete h;
} }
int MIME_Entity::LookupMIMEHeaderName(zeek::data_chunk_t name) int MIME_Entity::LookupMIMEHeaderName(data_chunk_t name)
{ {
// A linear lookup should be fine for now. // A linear lookup should be fine for now.
// header names are case-insensitive (RFC 822, 2822, 2045). // header names are case-insensitive (RFC 822, 2822, 2045).
@ -790,11 +790,11 @@ void MIME_Entity::ParseMIMEHeader(MIME_Header* h)
bool MIME_Entity::ParseContentTypeField(MIME_Header* h) bool MIME_Entity::ParseContentTypeField(MIME_Header* h)
{ {
zeek::data_chunk_t val = h->get_value(); data_chunk_t val = h->get_value();
int len = val.length; int len = val.length;
const char* data = val.data; const char* data = val.data;
zeek::data_chunk_t ty, subty; data_chunk_t ty, subty;
int offset; int offset;
offset = MIME_get_slash_token_pair(len, data, &ty, &subty); offset = MIME_get_slash_token_pair(len, data, &ty, &subty);
@ -806,9 +806,9 @@ bool MIME_Entity::ParseContentTypeField(MIME_Header* h)
data += offset; data += offset;
len -= offset; len -= offset;
content_type_str = zeek::make_intrusive<zeek::StringVal>(ty.length, ty.data); content_type_str = make_intrusive<StringVal>(ty.length, ty.data);
content_type_str->ToUpper(); content_type_str->ToUpper();
content_subtype_str = zeek::make_intrusive<zeek::StringVal>(subty.length, subty.data); content_subtype_str = make_intrusive<StringVal>(subty.length, subty.data);
content_subtype_str->ToUpper(); content_subtype_str->ToUpper();
ParseContentType(ty, subty); ParseContentType(ty, subty);
@ -829,7 +829,7 @@ bool MIME_Entity::ParseContentTypeField(MIME_Header* h)
bool MIME_Entity::ParseContentEncodingField(MIME_Header* h) bool MIME_Entity::ParseContentEncodingField(MIME_Header* h)
{ {
zeek::data_chunk_t enc; data_chunk_t enc;
enc = h->get_value_token(); enc = h->get_value_token();
if ( is_null_data_chunk(enc) ) if ( is_null_data_chunk(enc) )
@ -839,12 +839,12 @@ bool MIME_Entity::ParseContentEncodingField(MIME_Header* h)
} }
delete content_encoding_str; delete content_encoding_str;
content_encoding_str = new zeek::String((const u_char*)enc.data, enc.length, true); content_encoding_str = new String((const u_char*)enc.data, enc.length, true);
ParseContentEncoding(enc); ParseContentEncoding(enc);
if ( need_to_parse_parameters ) if ( need_to_parse_parameters )
{ {
zeek::data_chunk_t val = h->get_value_after_token(); data_chunk_t val = h->get_value_after_token();
if ( ! is_null_data_chunk(val) ) if ( ! is_null_data_chunk(val) )
ParseFieldParameters(val.length, val.data); ParseFieldParameters(val.length, val.data);
} }
@ -854,7 +854,7 @@ bool MIME_Entity::ParseContentEncodingField(MIME_Header* h)
bool MIME_Entity::ParseFieldParameters(int len, const char* data) bool MIME_Entity::ParseFieldParameters(int len, const char* data)
{ {
zeek::data_chunk_t attr; data_chunk_t attr;
while ( true ) while ( true )
{ {
@ -887,7 +887,7 @@ bool MIME_Entity::ParseFieldParameters(int len, const char* data)
data += offset; data += offset;
len -= offset; len -= offset;
zeek::String* val = nullptr; String* val = nullptr;
if ( current_field_type == MIME_CONTENT_TYPE && if ( current_field_type == MIME_CONTENT_TYPE &&
content_type == CONTENT_TYPE_MULTIPART && content_type == CONTENT_TYPE_MULTIPART &&
@ -903,9 +903,9 @@ bool MIME_Entity::ParseFieldParameters(int len, const char* data)
continue; continue;
} }
zeek::data_chunk_t vd = get_data_chunk(val); data_chunk_t vd = get_data_chunk(val);
delete multipart_boundary; delete multipart_boundary;
multipart_boundary = new zeek::String((const u_char*)vd.data, multipart_boundary = new String((const u_char*)vd.data,
vd.length, true); vd.length, true);
} }
else else
@ -927,7 +927,7 @@ bool MIME_Entity::ParseFieldParameters(int len, const char* data)
return true; return true;
} }
void MIME_Entity::ParseContentType(zeek::data_chunk_t type, zeek::data_chunk_t sub_type) void MIME_Entity::ParseContentType(data_chunk_t type, data_chunk_t sub_type)
{ {
int i; int i;
for ( i = 0; MIMEContentTypeName[i]; ++i ) for ( i = 0; MIMEContentTypeName[i]; ++i )
@ -954,7 +954,7 @@ void MIME_Entity::ParseContentType(zeek::data_chunk_t type, zeek::data_chunk_t s
} }
} }
void MIME_Entity::ParseContentEncoding(zeek::data_chunk_t encoding_mechanism) void MIME_Entity::ParseContentEncoding(data_chunk_t encoding_mechanism)
{ {
int i; int i;
for ( i = 0; MIMEContentEncodingName[i]; ++i ) for ( i = 0; MIMEContentEncodingName[i]; ++i )
@ -968,7 +968,7 @@ int MIME_Entity::CheckBoundaryDelimiter(int len, const char* data)
{ {
if ( ! multipart_boundary ) if ( ! multipart_boundary )
{ {
zeek::reporter->Warning("boundary delimiter was not specified for a multipart message\n"); reporter->Warning("boundary delimiter was not specified for a multipart message\n");
DEBUG_MSG("headers of the MIME entity for debug:\n"); DEBUG_MSG("headers of the MIME entity for debug:\n");
DebugPrintHeaders(); DebugPrintHeaders();
return NOT_MULTIPART_BOUNDARY; return NOT_MULTIPART_BOUNDARY;
@ -978,7 +978,7 @@ int MIME_Entity::CheckBoundaryDelimiter(int len, const char* data)
{ {
len -= 2; data += 2; len -= 2; data += 2;
zeek::data_chunk_t delim = get_data_chunk(multipart_boundary); data_chunk_t delim = get_data_chunk(multipart_boundary);
int i; int i;
for ( i = 0; i < len && i < delim.length; ++i ) for ( i = 0; i < len && i < delim.length; ++i )
@ -1083,8 +1083,8 @@ void MIME_Entity::DecodeQuotedPrintable(int len, const char* data)
if ( i + 2 < len ) if ( i + 2 < len )
{ {
int a, b; int a, b;
a = zeek::util::decode_hex(data[i+1]); a = util::decode_hex(data[i+1]);
b = zeek::util::decode_hex(data[i+2]); b = util::decode_hex(data[i+2]);
if ( a >= 0 && b >= 0 ) if ( a >= 0 && b >= 0 )
{ {
@ -1114,7 +1114,7 @@ void MIME_Entity::DecodeQuotedPrintable(int len, const char* data)
else else
{ {
IllegalEncoding(zeek::util::fmt("control characters in quoted-printable encoding: %d", (int) (data[i]))); IllegalEncoding(util::fmt("control characters in quoted-printable encoding: %d", (int) (data[i])));
DataOctet(data[i]); DataOctet(data[i]);
} }
} }
@ -1145,15 +1145,15 @@ void MIME_Entity::StartDecodeBase64()
{ {
if ( base64_decoder ) if ( base64_decoder )
{ {
zeek::reporter->InternalWarning("previous MIME Base64 decoder not released"); reporter->InternalWarning("previous MIME Base64 decoder not released");
delete base64_decoder; delete base64_decoder;
} }
zeek::analyzer::Analyzer* analyzer = message->GetAnalyzer(); analyzer::Analyzer* analyzer = message->GetAnalyzer();
if ( ! analyzer ) if ( ! analyzer )
{ {
zeek::reporter->InternalWarning("no analyzer associated with MIME message"); reporter->InternalWarning("no analyzer associated with MIME message");
return; return;
} }
@ -1184,7 +1184,7 @@ bool MIME_Entity::GetDataBuffer()
int ret = message->RequestBuffer(&data_buf_length, &data_buf_data); int ret = message->RequestBuffer(&data_buf_length, &data_buf_data);
if ( ! ret || data_buf_length == 0 || data_buf_data == nullptr ) if ( ! ret || data_buf_length == 0 || data_buf_data == nullptr )
{ {
// zeek::reporter->InternalError("cannot get data buffer from MIME_Message", ""); // reporter->InternalError("cannot get data buffer from MIME_Message", "");
return false; return false;
} }
@ -1291,13 +1291,13 @@ void MIME_Entity::DebugPrintHeaders()
#endif #endif
} }
zeek::RecordVal* MIME_Message::BuildHeaderVal(MIME_Header* h) RecordVal* MIME_Message::BuildHeaderVal(MIME_Header* h)
{ return ToHeaderVal(h).release(); } { return ToHeaderVal(h).release(); }
zeek::RecordValPtr MIME_Message::ToHeaderVal(MIME_Header* h) RecordValPtr MIME_Message::ToHeaderVal(MIME_Header* h)
{ {
static auto mime_header_rec = zeek::id::find_type<zeek::RecordType>("mime_header_rec"); static auto mime_header_rec = id::find_type<RecordType>("mime_header_rec");
auto header_record = zeek::make_intrusive<zeek::RecordVal>(mime_header_rec); auto header_record = make_intrusive<RecordVal>(mime_header_rec);
header_record->Assign(0, to_string_val(h->get_name())); header_record->Assign(0, to_string_val(h->get_name()));
auto upper_hn = to_string_val(h->get_name()); auto upper_hn = to_string_val(h->get_name());
upper_hn->ToUpper(); upper_hn->ToUpper();
@ -1306,17 +1306,17 @@ zeek::RecordValPtr MIME_Message::ToHeaderVal(MIME_Header* h)
return header_record; return header_record;
} }
zeek::TableVal* MIME_Message::BuildHeaderTable(MIME_HeaderList& hlist) TableVal* MIME_Message::BuildHeaderTable(MIME_HeaderList& hlist)
{ return ToHeaderTable(hlist).release(); } { return ToHeaderTable(hlist).release(); }
zeek::TableValPtr MIME_Message::ToHeaderTable(MIME_HeaderList& hlist) TableValPtr MIME_Message::ToHeaderTable(MIME_HeaderList& hlist)
{ {
static auto mime_header_list = zeek::id::find_type<zeek::TableType>("mime_header_list"); static auto mime_header_list = id::find_type<TableType>("mime_header_list");
auto t = zeek::make_intrusive<zeek::TableVal>(mime_header_list); auto t = make_intrusive<TableVal>(mime_header_list);
for ( size_t i = 0; i < hlist.size(); ++i ) for ( size_t i = 0; i < hlist.size(); ++i )
{ {
auto index = zeek::val_mgr->Count(i + 1); // index starting from 1 auto index = val_mgr->Count(i + 1); // index starting from 1
MIME_Header* h = hlist[i]; MIME_Header* h = hlist[i];
t->Assign(std::move(index), ToHeaderVal(h)); t->Assign(std::move(index), ToHeaderVal(h));
} }
@ -1324,7 +1324,7 @@ zeek::TableValPtr MIME_Message::ToHeaderTable(MIME_HeaderList& hlist)
return t; return t;
} }
MIME_Mail::MIME_Mail(zeek::analyzer::Analyzer* mail_analyzer, bool orig, int buf_size) MIME_Mail::MIME_Mail(analyzer::Analyzer* mail_analyzer, bool orig, int buf_size)
: MIME_Message(mail_analyzer), md5_hash() : MIME_Message(mail_analyzer), md5_hash()
{ {
analyzer = mail_analyzer; analyzer = mail_analyzer;
@ -1345,12 +1345,12 @@ MIME_Mail::MIME_Mail(zeek::analyzer::Analyzer* mail_analyzer, bool orig, int buf
length = max_chunk_length; length = max_chunk_length;
buffer_start = data_start = 0; buffer_start = data_start = 0;
data_buffer = new zeek::String(true, new u_char[length+1], length); data_buffer = new String(true, new u_char[length+1], length);
if ( mime_content_hash ) if ( mime_content_hash )
{ {
compute_content_hash = 1; compute_content_hash = 1;
md5_hash = zeek::detail::hash_init(zeek::detail::Hash_MD5); md5_hash = zeek::detail::hash_init(detail::Hash_MD5);
} }
else else
compute_content_hash = 0; compute_content_hash = 0;
@ -1375,14 +1375,14 @@ void MIME_Mail::Done()
analyzer->EnqueueConnEvent(mime_content_hash, analyzer->EnqueueConnEvent(mime_content_hash,
analyzer->ConnVal(), analyzer->ConnVal(),
zeek::val_mgr->Count(content_hash_length), val_mgr->Count(content_hash_length),
zeek::make_intrusive<zeek::StringVal>(new zeek::String(true, digest, 16)) make_intrusive<StringVal>(new String(true, digest, 16))
); );
} }
MIME_Message::Done(); MIME_Message::Done();
zeek::file_mgr->EndOfFile(analyzer->GetAnalyzerTag(), analyzer->Conn()); file_mgr->EndOfFile(analyzer->GetAnalyzerTag(), analyzer->Conn());
} }
MIME_Mail::~MIME_Mail() MIME_Mail::~MIME_Mail()
@ -1411,12 +1411,12 @@ void MIME_Mail::EndEntity(MIME_Entity* /* entity */)
{ {
if ( mime_entity_data ) if ( mime_entity_data )
{ {
zeek::String* s = concatenate(entity_content); String* s = concatenate(entity_content);
analyzer->EnqueueConnEvent(mime_entity_data, analyzer->EnqueueConnEvent(mime_entity_data,
analyzer->ConnVal(), analyzer->ConnVal(),
zeek::val_mgr->Count(s->Len()), val_mgr->Count(s->Len()),
zeek::make_intrusive<zeek::StringVal>(s) make_intrusive<StringVal>(s)
); );
if ( ! mime_all_data ) if ( ! mime_all_data )
@ -1428,7 +1428,7 @@ void MIME_Mail::EndEntity(MIME_Entity* /* entity */)
if ( mime_end_entity ) if ( mime_end_entity )
analyzer->EnqueueConnEvent(mime_end_entity, analyzer->ConnVal()); analyzer->EnqueueConnEvent(mime_end_entity, analyzer->ConnVal());
zeek::file_mgr->EndOfFile(analyzer->GetAnalyzerTag(), analyzer->Conn()); file_mgr->EndOfFile(analyzer->GetAnalyzerTag(), analyzer->Conn());
cur_entity_id.clear(); cur_entity_id.clear();
} }
@ -1454,7 +1454,7 @@ void MIME_Mail::SubmitData(int len, const char* buf)
{ {
if ( buf != (char*) data_buffer->Bytes() + buffer_start ) if ( buf != (char*) data_buffer->Bytes() + buffer_start )
{ {
zeek::reporter->AnalyzerError(GetAnalyzer(), reporter->AnalyzerError(GetAnalyzer(),
"MIME buffer misalignment"); "MIME buffer misalignment");
return; return;
} }
@ -1467,7 +1467,7 @@ void MIME_Mail::SubmitData(int len, const char* buf)
if ( mime_entity_data || mime_all_data ) if ( mime_entity_data || mime_all_data )
{ {
zeek::String* s = new zeek::String((const u_char*) buf, len, false); String* s = new String((const u_char*) buf, len, false);
if ( mime_entity_data ) if ( mime_entity_data )
entity_content.push_back(s); entity_content.push_back(s);
@ -1482,12 +1482,12 @@ void MIME_Mail::SubmitData(int len, const char* buf)
analyzer->EnqueueConnEvent(mime_segment_data, analyzer->EnqueueConnEvent(mime_segment_data,
analyzer->ConnVal(), analyzer->ConnVal(),
zeek::val_mgr->Count(data_len), val_mgr->Count(data_len),
zeek::make_intrusive<zeek::StringVal>(data_len, data) make_intrusive<StringVal>(data_len, data)
); );
} }
cur_entity_id = zeek::file_mgr->DataIn( cur_entity_id = file_mgr->DataIn(
reinterpret_cast<const u_char*>(buf), len, reinterpret_cast<const u_char*>(buf), len,
analyzer->GetAnalyzerTag(), analyzer->Conn(), is_orig, analyzer->GetAnalyzerTag(), analyzer->Conn(), is_orig,
cur_entity_id); cur_entity_id);
@ -1525,13 +1525,13 @@ void MIME_Mail::SubmitAllData()
{ {
if ( mime_all_data ) if ( mime_all_data )
{ {
zeek::String* s = concatenate(all_content); String* s = concatenate(all_content);
delete_strings(all_content); delete_strings(all_content);
analyzer->EnqueueConnEvent(mime_all_data, analyzer->EnqueueConnEvent(mime_all_data,
analyzer->ConnVal(), analyzer->ConnVal(),
zeek::val_mgr->Count(s->Len()), val_mgr->Count(s->Len()),
zeek::make_intrusive<zeek::StringVal>(s) make_intrusive<StringVal>(s)
); );
} }
} }
@ -1550,7 +1550,7 @@ void MIME_Mail::SubmitEvent(int event_type, const char* detail)
break; break;
default: default:
zeek::reporter->AnalyzerError(GetAnalyzer(), reporter->AnalyzerError(GetAnalyzer(),
"unrecognized MIME_Mail event"); "unrecognized MIME_Mail event");
return; return;
} }
@ -1558,8 +1558,8 @@ void MIME_Mail::SubmitEvent(int event_type, const char* detail)
if ( mime_event ) if ( mime_event )
analyzer->EnqueueConnEvent(mime_event, analyzer->EnqueueConnEvent(mime_event,
analyzer->ConnVal(), analyzer->ConnVal(),
zeek::make_intrusive<zeek::StringVal>(category), make_intrusive<StringVal>(category),
zeek::make_intrusive<zeek::StringVal>(detail) make_intrusive<StringVal>(detail)
); );
} }

104
src/analyzer/protocol/mime/MIME.h
View file

@ -15,8 +15,8 @@ ZEEK_FORWARD_DECLARE_NAMESPACED(StringVal, zeek);
ZEEK_FORWARD_DECLARE_NAMESPACED(Base64Converter, zeek::detail); ZEEK_FORWARD_DECLARE_NAMESPACED(Base64Converter, zeek::detail);
namespace zeek { namespace zeek {
using TableValPtr = zeek::IntrusivePtr<TableVal>; using TableValPtr = IntrusivePtr<TableVal>;
using StringValPtr = zeek::IntrusivePtr<StringVal>; using StringValPtr = IntrusivePtr<StringVal>;
} }
namespace zeek::analyzer::mime { namespace zeek::analyzer::mime {
@ -61,11 +61,11 @@ public:
~MIME_Multiline(); ~MIME_Multiline();
void append(int len, const char* data); void append(int len, const char* data);
zeek::String* get_concatenated_line(); String* get_concatenated_line();
protected: protected:
std::vector<const zeek::String*> buffer; std::vector<const String*> buffer;
zeek::String* line; String* line;
}; };
class MIME_Header { class MIME_Header {
@ -73,19 +73,19 @@ public:
explicit MIME_Header(MIME_Multiline* hl); explicit MIME_Header(MIME_Multiline* hl);
~MIME_Header(); ~MIME_Header();
zeek::data_chunk_t get_name() const { return name; } data_chunk_t get_name() const { return name; }
zeek::data_chunk_t get_value() const { return value; } data_chunk_t get_value() const { return value; }
zeek::data_chunk_t get_value_token(); data_chunk_t get_value_token();
zeek::data_chunk_t get_value_after_token(); data_chunk_t get_value_after_token();
protected: protected:
int get_first_token(); int get_first_token();
MIME_Multiline* lines; MIME_Multiline* lines;
zeek::data_chunk_t name; data_chunk_t name;
zeek::data_chunk_t value; data_chunk_t value;
zeek::data_chunk_t value_token, rest_value; data_chunk_t value_token, rest_value;
}; };
@ -102,11 +102,11 @@ public:
MIME_Entity* Parent() const { return parent; } MIME_Entity* Parent() const { return parent; }
int MIMEContentType() const { return content_type; } int MIMEContentType() const { return content_type; }
[[deprecated("Remove in v4.1. Use GetContentType().")]] [[deprecated("Remove in v4.1. Use GetContentType().")]]
zeek::StringVal* ContentType() const { return content_type_str.get(); } StringVal* ContentType() const { return content_type_str.get(); }
[[deprecated("Remove in v4.1. Use GetContentSubType().")]] [[deprecated("Remove in v4.1. Use GetContentSubType().")]]
zeek::StringVal* ContentSubType() const { return content_subtype_str.get(); } StringVal* ContentSubType() const { return content_subtype_str.get(); }
const zeek::StringValPtr& GetContentType() const { return content_type_str; } const StringValPtr& GetContentType() const { return content_type_str; }
const zeek::StringValPtr& GetContentSubType() const { return content_subtype_str; } const StringValPtr& GetContentSubType() const { return content_subtype_str; }
int ContentTransferEncoding() const { return content_encoding; } int ContentTransferEncoding() const { return content_encoding; }
protected: protected:
@ -118,13 +118,13 @@ protected:
void FinishHeader(); void FinishHeader();
void ParseMIMEHeader(MIME_Header* h); void ParseMIMEHeader(MIME_Header* h);
int LookupMIMEHeaderName(zeek::data_chunk_t name); int LookupMIMEHeaderName(data_chunk_t name);
bool ParseContentTypeField(MIME_Header* h); bool ParseContentTypeField(MIME_Header* h);
bool ParseContentEncodingField(MIME_Header* h); bool ParseContentEncodingField(MIME_Header* h);
bool ParseFieldParameters(int len, const char* data); bool ParseFieldParameters(int len, const char* data);
void ParseContentType(zeek::data_chunk_t type, zeek::data_chunk_t sub_type); void ParseContentType(data_chunk_t type, data_chunk_t sub_type);
void ParseContentEncoding(zeek::data_chunk_t encoding_mechanism); void ParseContentEncoding(data_chunk_t encoding_mechanism);
void BeginBody(); void BeginBody();
void NewDataLine(int len, const char* data, bool trailing_CRLF); void NewDataLine(int len, const char* data, bool trailing_CRLF);
@ -162,10 +162,10 @@ protected:
int current_field_type; int current_field_type;
int need_to_parse_parameters; int need_to_parse_parameters;
zeek::StringValPtr content_type_str; StringValPtr content_type_str;
zeek::StringValPtr content_subtype_str; StringValPtr content_subtype_str;
zeek::String* content_encoding_str; String* content_encoding_str;
zeek::String* multipart_boundary; String* multipart_boundary;
int content_type, content_subtype, content_encoding; int content_type, content_subtype, content_encoding;
@ -190,7 +190,7 @@ protected:
class MIME_Message { class MIME_Message {
public: public:
explicit MIME_Message(zeek::analyzer::Analyzer* arg_analyzer) explicit MIME_Message(analyzer::Analyzer* arg_analyzer)
{ {
// Cannot initialize top_level entity because we do // Cannot initialize top_level entity because we do
// not know its type yet (MIME_Entity / MIME_Mail / // not know its type yet (MIME_Entity / MIME_Mail /
@ -203,7 +203,7 @@ public:
virtual ~MIME_Message() virtual ~MIME_Message()
{ {
if ( ! finished ) if ( ! finished )
zeek::reporter->AnalyzerError(analyzer, reporter->AnalyzerError(analyzer,
"missing MIME_Message::Done() call"); "missing MIME_Message::Done() call");
} }
@ -216,7 +216,7 @@ public:
top_level->Deliver(len, data, trailing_CRLF); top_level->Deliver(len, data, trailing_CRLF);
} }
zeek::analyzer::Analyzer* GetAnalyzer() const { return analyzer; } analyzer::Analyzer* GetAnalyzer() const { return analyzer; }
// Events generated by MIME_Entity // Events generated by MIME_Entity
virtual void BeginEntity(MIME_Entity*) = 0; virtual void BeginEntity(MIME_Entity*) = 0;
@ -228,23 +228,23 @@ public:
virtual void SubmitEvent(int event_type, const char* detail) = 0; virtual void SubmitEvent(int event_type, const char* detail) = 0;
protected: protected:
zeek::analyzer::Analyzer* analyzer; analyzer::Analyzer* analyzer;
MIME_Entity* top_level; MIME_Entity* top_level;
bool finished; bool finished;
[[deprecated("Remove in v4.1. Use ToHeaderVal().")]] [[deprecated("Remove in v4.1. Use ToHeaderVal().")]]
zeek::RecordVal* BuildHeaderVal(MIME_Header* h); RecordVal* BuildHeaderVal(MIME_Header* h);
[[deprecated("Remove in v4.1. Use ToHeaderTable().")]] [[deprecated("Remove in v4.1. Use ToHeaderTable().")]]
zeek::TableVal* BuildHeaderTable(MIME_HeaderList& hlist); TableVal* BuildHeaderTable(MIME_HeaderList& hlist);
zeek::RecordValPtr ToHeaderVal(MIME_Header* h); RecordValPtr ToHeaderVal(MIME_Header* h);
zeek::TableValPtr ToHeaderTable(MIME_HeaderList& hlist); TableValPtr ToHeaderTable(MIME_HeaderList& hlist);
}; };
class MIME_Mail final : public MIME_Message { class MIME_Mail final : public MIME_Message {
public: public:
MIME_Mail(zeek::analyzer::Analyzer* mail_conn, bool is_orig, int buf_size = 0); MIME_Mail(analyzer::Analyzer* mail_conn, bool is_orig, int buf_size = 0);
~MIME_Mail() override; ~MIME_Mail() override;
void Done() override; void Done() override;
@ -267,40 +267,40 @@ protected:
int compute_content_hash; int compute_content_hash;
int content_hash_length; int content_hash_length;
EVP_MD_CTX* md5_hash; EVP_MD_CTX* md5_hash;
std::vector<const zeek::String*> entity_content; std::vector<const String*> entity_content;
std::vector<const zeek::String*> all_content; std::vector<const String*> all_content;
zeek::String* data_buffer; String* data_buffer;
uint64_t cur_entity_len; uint64_t cur_entity_len;
std::string cur_entity_id; std::string cur_entity_id;
}; };
extern bool is_null_data_chunk(zeek::data_chunk_t b); extern bool is_null_data_chunk(data_chunk_t b);
[[deprecated("Remove in v4.1. Use zeek::analyzer::mime::to_string_val().")]] [[deprecated("Remove in v4.1. Use analyzer::mime::to_string_val().")]]
extern zeek::StringVal* new_string_val(int length, const char* data); extern StringVal* new_string_val(int length, const char* data);
[[deprecated("Remove in v4.1. Use zeek::analyzer::mime::to_string_val().")]] [[deprecated("Remove in v4.1. Use analyzer::mime::to_string_val().")]]
extern zeek::StringVal* new_string_val(const char* data, const char* end_of_data); extern StringVal* new_string_val(const char* data, const char* end_of_data);
[[deprecated("Remove in v4.1. Use zeek::analyzer::mime::to_string_val().")]] [[deprecated("Remove in v4.1. Use analyzer::mime::to_string_val().")]]
extern zeek::StringVal* new_string_val(const zeek::data_chunk_t buf); extern StringVal* new_string_val(const data_chunk_t buf);
extern zeek::StringValPtr to_string_val(int length, const char* data); extern StringValPtr to_string_val(int length, const char* data);
extern zeek::StringValPtr to_string_val(const char* data, const char* end_of_data); extern StringValPtr to_string_val(const char* data, const char* end_of_data);
extern zeek::StringValPtr to_string_val(const zeek::data_chunk_t buf); extern StringValPtr to_string_val(const data_chunk_t buf);
extern int fputs(zeek::data_chunk_t b, FILE* fp); extern int fputs(data_chunk_t b, FILE* fp);
extern bool istrequal(zeek::data_chunk_t s, const char* t); extern bool istrequal(data_chunk_t s, const char* t);
extern bool is_lws(char ch); extern bool is_lws(char ch);
extern bool MIME_is_field_name_char(char ch); extern bool MIME_is_field_name_char(char ch);
extern int MIME_count_leading_lws(int len, const char* data); extern int MIME_count_leading_lws(int len, const char* data);
extern int MIME_count_trailing_lws(int len, const char* data); extern int MIME_count_trailing_lws(int len, const char* data);
extern int MIME_skip_comments(int len, const char* data); extern int MIME_skip_comments(int len, const char* data);
extern int MIME_skip_lws_comments(int len, const char* data); extern int MIME_skip_lws_comments(int len, const char* data);
extern int MIME_get_token(int len, const char* data, zeek::data_chunk_t* token, extern int MIME_get_token(int len, const char* data, data_chunk_t* token,
bool is_boundary = false); bool is_boundary = false);
extern int MIME_get_slash_token_pair(int len, const char* data, zeek::data_chunk_t* first, zeek::data_chunk_t* second); extern int MIME_get_slash_token_pair(int len, const char* data, data_chunk_t* first, data_chunk_t* second);
extern int MIME_get_value(int len, const char* data, zeek::String*& buf, extern int MIME_get_value(int len, const char* data, String*& buf,
bool is_boundary = false); bool is_boundary = false);
extern int MIME_get_field_name(int len, const char* data, zeek::data_chunk_t* name); extern int MIME_get_field_name(int len, const char* data, data_chunk_t* name);
extern zeek::String* MIME_decode_quoted_pairs(zeek::data_chunk_t buf); extern String* MIME_decode_quoted_pairs(data_chunk_t buf);
} // namespace zeek::analyzer::mime } // namespace zeek::analyzer::mime

2
src/analyzer/protocol/modbus/Modbus.cc
View file

@ -6,7 +6,7 @@
namespace zeek::analyzer::modbus { namespace zeek::analyzer::modbus {
ModbusTCP_Analyzer::ModbusTCP_Analyzer(zeek::Connection* c) ModbusTCP_Analyzer::ModbusTCP_Analyzer(Connection* c)
: TCP_ApplicationAnalyzer("MODBUS", c) : TCP_ApplicationAnalyzer("MODBUS", c)
{ {
interp = new binpac::ModbusTCP::ModbusTCP_Conn(this); interp = new binpac::ModbusTCP::ModbusTCP_Conn(this);

6
src/analyzer/protocol/modbus/Modbus.h
View file

@ -5,9 +5,9 @@
namespace zeek::analyzer::modbus { namespace zeek::analyzer::modbus {
class ModbusTCP_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { class ModbusTCP_Analyzer : public analyzer::tcp::TCP_ApplicationAnalyzer {
public: public:
explicit ModbusTCP_Analyzer(zeek::Connection* conn); explicit ModbusTCP_Analyzer(Connection* conn);
~ModbusTCP_Analyzer() override; ~ModbusTCP_Analyzer() override;
void Done() override; void Done() override;
@ -16,7 +16,7 @@ public:
void Undelivered(uint64_t seq, int len, bool orig) override; void Undelivered(uint64_t seq, int len, bool orig) override;
void EndpointEOF(bool is_orig) override; void EndpointEOF(bool is_orig) override;
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new ModbusTCP_Analyzer(conn); } { return new ModbusTCP_Analyzer(conn); }
protected: protected:

14
src/analyzer/protocol/mqtt/MQTT.cc
View file

@ -9,8 +9,8 @@
namespace zeek::analyzer::mqtt { namespace zeek::analyzer::mqtt {
MQTT_Analyzer::MQTT_Analyzer(zeek::Connection* c) MQTT_Analyzer::MQTT_Analyzer(Connection* c)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("MQTT", c) : analyzer::tcp::TCP_ApplicationAnalyzer("MQTT", c)
{ {
interp = new binpac::MQTT::MQTT_Conn(this); interp = new binpac::MQTT::MQTT_Conn(this);
} }
@ -22,7 +22,7 @@ MQTT_Analyzer::~MQTT_Analyzer()
void MQTT_Analyzer::Done() void MQTT_Analyzer::Done()
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); analyzer::tcp::TCP_ApplicationAnalyzer::Done();
interp->FlowEOF(true); interp->FlowEOF(true);
interp->FlowEOF(false); interp->FlowEOF(false);
@ -30,13 +30,13 @@ void MQTT_Analyzer::Done()
void MQTT_Analyzer::EndpointEOF(bool is_orig) void MQTT_Analyzer::EndpointEOF(bool is_orig)
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
interp->FlowEOF(is_orig); interp->FlowEOF(is_orig);
} }
void MQTT_Analyzer::DeliverStream(int len, const u_char* data, bool orig) void MQTT_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
assert(TCP()); assert(TCP());
@ -46,13 +46,13 @@ void MQTT_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
} }
catch ( const binpac::Exception& e ) catch ( const binpac::Exception& e )
{ {
ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg())); ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
} }
} }
void MQTT_Analyzer::Undelivered(uint64_t seq, int len, bool orig) void MQTT_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
interp->NewGap(orig, len); interp->NewGap(orig, len);
} }

6
src/analyzer/protocol/mqtt/MQTT.h
View file

@ -9,10 +9,10 @@ namespace binpac { namespace MQTT { class MQTT_Conn; } }
namespace zeek::analyzer::mqtt { namespace zeek::analyzer::mqtt {
class MQTT_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { class MQTT_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer {
public: public:
MQTT_Analyzer(zeek::Connection* conn); MQTT_Analyzer(Connection* conn);
~MQTT_Analyzer() override; ~MQTT_Analyzer() override;
void Done() override; void Done() override;
@ -20,7 +20,7 @@ public:
void Undelivered(uint64_t seq, int len, bool orig) override; void Undelivered(uint64_t seq, int len, bool orig) override;
void EndpointEOF(bool is_orig) override; void EndpointEOF(bool is_orig) override;
static zeek::analyzer::Analyzer* InstantiateAnalyzer(zeek::Connection* conn) static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
{ return new MQTT_Analyzer(conn); } { return new MQTT_Analyzer(conn); }
protected: protected:

14
src/analyzer/protocol/mysql/MySQL.cc
View file

@ -7,8 +7,8 @@
namespace zeek::analyzer::mysql { namespace zeek::analyzer::mysql {
MySQL_Analyzer::MySQL_Analyzer(zeek::Connection* c) MySQL_Analyzer::MySQL_Analyzer(Connection* c)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("MySQL", c) : analyzer::tcp::TCP_ApplicationAnalyzer("MySQL", c)
{ {
interp = new binpac::MySQL::MySQL_Conn(this); interp = new binpac::MySQL::MySQL_Conn(this);
had_gap = false; had_gap = false;
@ -21,7 +21,7 @@ MySQL_Analyzer::~MySQL_Analyzer()
void MySQL_Analyzer::Done() void MySQL_Analyzer::Done()
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); analyzer::tcp::TCP_ApplicationAnalyzer::Done();
interp->FlowEOF(true); interp->FlowEOF(true);
interp->FlowEOF(false); interp->FlowEOF(false);
@ -29,13 +29,13 @@ void MySQL_Analyzer::Done()
void MySQL_Analyzer::EndpointEOF(bool is_orig) void MySQL_Analyzer::EndpointEOF(bool is_orig)
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
interp->FlowEOF(is_orig); interp->FlowEOF(is_orig);
} }
void MySQL_Analyzer::DeliverStream(int len, const u_char* data, bool orig) void MySQL_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
assert(TCP()); assert(TCP());
if ( TCP()->IsPartial() ) if ( TCP()->IsPartial() )
@ -53,13 +53,13 @@ void MySQL_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
} }
catch ( const binpac::Exception& e ) catch ( const binpac::Exception& e )
{ {
ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg())); ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
} }
} }
void MySQL_Analyzer::Undelivered(uint64_t seq, int len, bool orig) void MySQL_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
had_gap = true; had_gap = true;
interp->NewGap(orig, len); interp->NewGap(orig, len);
} }

8
src/analyzer/protocol/mysql/MySQL.h
View file

@ -9,10 +9,10 @@
namespace zeek::analyzer::mysql { namespace zeek::analyzer::mysql {
class MySQL_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { class MySQL_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer {
public: public:
explicit MySQL_Analyzer(zeek::Connection* conn); explicit MySQL_Analyzer(Connection* conn);
~MySQL_Analyzer() override; ~MySQL_Analyzer() override;
// Overriden from Analyzer. // Overriden from Analyzer.
@ -21,10 +21,10 @@ public:
void DeliverStream(int len, const u_char* data, bool orig) override; void DeliverStream(int len, const u_char* data, bool orig) override;
void Undelivered(uint64_t seq, int len, bool orig) override; void Undelivered(uint64_t seq, int len, bool orig) override;
// Overriden from zeek::analyzer::tcp::TCP_ApplicationAnalyzer. // Overriden from analyzer::tcp::TCP_ApplicationAnalyzer.
void EndpointEOF(bool is_orig) override; void EndpointEOF(bool is_orig) override;
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new MySQL_Analyzer(conn); } { return new MySQL_Analyzer(conn); }
protected: protected:

38
src/analyzer/protocol/ncp/NCP.cc
View file

@ -25,7 +25,7 @@ using namespace std;
namespace zeek::analyzer::ncp { namespace zeek::analyzer::ncp {
namespace detail { namespace detail {
NCP_Session::NCP_Session(zeek::analyzer::Analyzer* a) NCP_Session::NCP_Session(analyzer::Analyzer* a)
: analyzer(a) : analyzer(a)
{ {
req_frame_type = 0; req_frame_type = 0;
@ -43,7 +43,7 @@ void NCP_Session::Deliver(bool is_orig, int len, const u_char* data)
} }
catch ( const binpac::Exception& e ) catch ( const binpac::Exception& e )
{ {
analyzer->ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg())); analyzer->ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
} }
} }
@ -60,24 +60,24 @@ void NCP_Session::DeliverFrame(const binpac::NCP::ncp_frame* frame)
} }
} }
zeek::EventHandlerPtr f = frame->is_orig() ? ncp_request : ncp_reply; EventHandlerPtr f = frame->is_orig() ? ncp_request : ncp_reply;
if ( f ) if ( f )
{ {
if ( frame->is_orig() ) if ( frame->is_orig() )
analyzer->EnqueueConnEvent(f, analyzer->EnqueueConnEvent(f,
analyzer->ConnVal(), analyzer->ConnVal(),
zeek::val_mgr->Count(frame->frame_type()), val_mgr->Count(frame->frame_type()),
zeek::val_mgr->Count(frame->body_length()), val_mgr->Count(frame->body_length()),
zeek::val_mgr->Count(req_func) val_mgr->Count(req_func)
); );
else else
analyzer->EnqueueConnEvent(f, analyzer->EnqueueConnEvent(f,
analyzer->ConnVal(), analyzer->ConnVal(),
zeek::val_mgr->Count(frame->frame_type()), val_mgr->Count(frame->frame_type()),
zeek::val_mgr->Count(frame->body_length()), val_mgr->Count(frame->body_length()),
zeek::val_mgr->Count(req_frame_type), val_mgr->Count(req_frame_type),
zeek::val_mgr->Count(req_func), val_mgr->Count(req_func),
zeek::val_mgr->Count(frame->reply()->completion_code()) val_mgr->Count(frame->reply()->completion_code())
); );
} }
} }
@ -131,7 +131,7 @@ int FrameBuffer::Deliver(int &len, const u_char* &data)
if ( msg_len > buf_len ) if ( msg_len > buf_len )
{ {
if ( msg_len > zeek::BifConst::NCP::max_frame_size ) if ( msg_len > BifConst::NCP::max_frame_size )
return 1; return 1;
buf_len = msg_len; buf_len = msg_len;
@ -167,8 +167,8 @@ void NCP_FrameBuffer::compute_msg_length()
} // namespace detail } // namespace detail
Contents_NCP_Analyzer::Contents_NCP_Analyzer(zeek::Connection* conn, bool orig, detail::NCP_Session* arg_session) Contents_NCP_Analyzer::Contents_NCP_Analyzer(Connection* conn, bool orig, detail::NCP_Session* arg_session)
: zeek::analyzer::tcp::TCP_SupportAnalyzer("CONTENTS_NCP", conn, orig) : analyzer::tcp::TCP_SupportAnalyzer("CONTENTS_NCP", conn, orig)
{ {
session = arg_session; session = arg_session;
resync = true; resync = true;
@ -181,7 +181,7 @@ Contents_NCP_Analyzer::~Contents_NCP_Analyzer()
void Contents_NCP_Analyzer::DeliverStream(int len, const u_char* data, bool orig) void Contents_NCP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{ {
zeek::analyzer::tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig); analyzer::tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig);
auto tcp = static_cast<NCP_Analyzer*>(Parent())->TCP(); auto tcp = static_cast<NCP_Analyzer*>(Parent())->TCP();
@ -189,7 +189,7 @@ void Contents_NCP_Analyzer::DeliverStream(int len, const u_char* data, bool orig
{ {
resync_set = true; resync_set = true;
resync = (IsOrig() ? tcp->OrigState() : tcp->RespState()) != resync = (IsOrig() ? tcp->OrigState() : tcp->RespState()) !=
zeek::analyzer::tcp::TCP_ENDPOINT_ESTABLISHED; analyzer::tcp::TCP_ENDPOINT_ESTABLISHED;
} }
if ( tcp && tcp->HadGap(orig) ) if ( tcp && tcp->HadGap(orig) )
@ -242,14 +242,14 @@ void Contents_NCP_Analyzer::DeliverStream(int len, const u_char* data, bool orig
void Contents_NCP_Analyzer::Undelivered(uint64_t seq, int len, bool orig) void Contents_NCP_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
{ {
zeek::analyzer::tcp::TCP_SupportAnalyzer::Undelivered(seq, len, orig); analyzer::tcp::TCP_SupportAnalyzer::Undelivered(seq, len, orig);
buffer.Reset(); buffer.Reset();
resync = true; resync = true;
} }
NCP_Analyzer::NCP_Analyzer(zeek::Connection* conn) NCP_Analyzer::NCP_Analyzer(Connection* conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("NCP", conn) : analyzer::tcp::TCP_ApplicationAnalyzer("NCP", conn)
{ {
session = new detail::NCP_Session(this); session = new detail::NCP_Session(this);
o_ncp = new Contents_NCP_Analyzer(conn, true, session); o_ncp = new Contents_NCP_Analyzer(conn, true, session);

14
src/analyzer/protocol/ncp/NCP.h
View file

@ -31,7 +31,7 @@ namespace detail {
class NCP_Session { class NCP_Session {
public: public:
explicit NCP_Session(zeek::analyzer::Analyzer* analyzer); explicit NCP_Session(analyzer::Analyzer* analyzer);
void Deliver(bool is_orig, int len, const u_char* data); void Deliver(bool is_orig, int len, const u_char* data);
@ -43,7 +43,7 @@ public:
protected: protected:
void DeliverFrame(const binpac::NCP::ncp_frame* frame); void DeliverFrame(const binpac::NCP::ncp_frame* frame);
zeek::analyzer::Analyzer* analyzer; analyzer::Analyzer* analyzer;
int req_frame_type; int req_frame_type;
int req_func; int req_func;
}; };
@ -85,9 +85,9 @@ protected:
} // namespace detail } // namespace detail
class Contents_NCP_Analyzer : public zeek::analyzer::tcp::TCP_SupportAnalyzer { class Contents_NCP_Analyzer : public analyzer::tcp::TCP_SupportAnalyzer {
public: public:
Contents_NCP_Analyzer(zeek::Connection* conn, bool orig, detail::NCP_Session* session); Contents_NCP_Analyzer(Connection* conn, bool orig, detail::NCP_Session* session);
~Contents_NCP_Analyzer() override; ~Contents_NCP_Analyzer() override;
protected: protected:
@ -102,12 +102,12 @@ protected:
bool resync_set; bool resync_set;
}; };
class NCP_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { class NCP_Analyzer : public analyzer::tcp::TCP_ApplicationAnalyzer {
public: public:
explicit NCP_Analyzer(zeek::Connection* conn); explicit NCP_Analyzer(Connection* conn);
~NCP_Analyzer() override; ~NCP_Analyzer() override;
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new NCP_Analyzer(conn); } { return new NCP_Analyzer(conn); }
protected: protected:

60
src/analyzer/protocol/netbios/NetbiosSSN.cc
View file

@ -49,7 +49,7 @@ NetbiosDGM_RawMsgHdr::NetbiosDGM_RawMsgHdr(const u_char*& data, int& len)
MAKE_INT16(offset, data);; len -= 2; MAKE_INT16(offset, data);; len -= 2;
} }
NetbiosSSN_Interpreter::NetbiosSSN_Interpreter(zeek::analyzer::Analyzer* arg_analyzer) NetbiosSSN_Interpreter::NetbiosSSN_Interpreter(analyzer::Analyzer* arg_analyzer)
{ {
analyzer = arg_analyzer; analyzer = arg_analyzer;
//smb_session = arg_smb_session; //smb_session = arg_smb_session;
@ -61,9 +61,9 @@ void NetbiosSSN_Interpreter::ParseMessage(unsigned int type, unsigned int flags,
if ( netbios_session_message ) if ( netbios_session_message )
analyzer->EnqueueConnEvent(netbios_session_message, analyzer->EnqueueConnEvent(netbios_session_message,
analyzer->ConnVal(), analyzer->ConnVal(),
zeek::val_mgr->Bool(is_query), val_mgr->Bool(is_query),
zeek::val_mgr->Count(type), val_mgr->Count(type),
zeek::val_mgr->Count(len) val_mgr->Count(len)
); );
switch ( type ) { switch ( type ) {
@ -105,7 +105,7 @@ void NetbiosSSN_Interpreter::ParseMessage(unsigned int type, unsigned int flags,
break; break;
default: default:
analyzer->Weird("unknown_netbios_type", zeek::util::fmt("0x%x", type)); analyzer->Weird("unknown_netbios_type", util::fmt("0x%x", type));
break; break;
} }
} }
@ -125,11 +125,11 @@ void NetbiosSSN_Interpreter::ParseBroadcast(const u_char* data, int len,
// FIND THE NUL-TERMINATED NAME STRINGS HERE! // FIND THE NUL-TERMINATED NAME STRINGS HERE!
// Not sure what's in them, so we don't keep them currently. // Not sure what's in them, so we don't keep them currently.
zeek::String* srcname = new zeek::String((char*) data); String* srcname = new String((char*) data);
data += srcname->Len()+1; data += srcname->Len()+1;
len -= srcname->Len(); len -= srcname->Len();
zeek::String* dstname = new zeek::String((char*) data); String* dstname = new String((char*) data);
data += dstname->Len()+1; data += dstname->Len()+1;
len -= dstname->Len(); len -= dstname->Len();
@ -146,7 +146,7 @@ void NetbiosSSN_Interpreter::ParseMessageTCP(const u_char* data, int len,
NetbiosSSN_RawMsgHdr hdr(data, len); NetbiosSSN_RawMsgHdr hdr(data, len);
if ( hdr.length > unsigned(len) ) if ( hdr.length > unsigned(len) )
analyzer->Weird("excess_netbios_hdr_len", zeek::util::fmt("(%d > %d)", analyzer->Weird("excess_netbios_hdr_len", util::fmt("(%d > %d)",
hdr.length, len)); hdr.length, len));
else if ( hdr.length < unsigned(len) ) else if ( hdr.length < unsigned(len) )
@ -164,12 +164,12 @@ void NetbiosSSN_Interpreter::ParseMessageUDP(const u_char* data, int len,
NetbiosDGM_RawMsgHdr hdr(data, len); NetbiosDGM_RawMsgHdr hdr(data, len);
if ( unsigned(hdr.length-14) > unsigned(len) ) if ( unsigned(hdr.length-14) > unsigned(len) )
analyzer->Weird("excess_netbios_hdr_len", zeek::util::fmt("(%d > %d)", analyzer->Weird("excess_netbios_hdr_len", util::fmt("(%d > %d)",
hdr.length, len)); hdr.length, len));
else if ( hdr.length < unsigned(len) ) else if ( hdr.length < unsigned(len) )
{ {
analyzer->Weird("deficit_netbios_hdr_len", zeek::util::fmt("(%d < %d)", analyzer->Weird("deficit_netbios_hdr_len", util::fmt("(%d < %d)",
hdr.length, len)); hdr.length, len));
len = hdr.length; len = hdr.length;
} }
@ -313,7 +313,7 @@ void NetbiosSSN_Interpreter::ParseKeepAlive(const u_char* data, int len,
Event(netbios_session_keepalive, data, len); Event(netbios_session_keepalive, data, len);
} }
void NetbiosSSN_Interpreter::Event(zeek::EventHandlerPtr event, const u_char* data, void NetbiosSSN_Interpreter::Event(EventHandlerPtr event, const u_char* data,
int len, int is_orig) int len, int is_orig)
{ {
if ( ! event ) if ( ! event )
@ -322,19 +322,19 @@ void NetbiosSSN_Interpreter::Event(zeek::EventHandlerPtr event, const u_char* da
if ( is_orig >= 0 ) if ( is_orig >= 0 )
analyzer->EnqueueConnEvent(event, analyzer->EnqueueConnEvent(event,
analyzer->ConnVal(), analyzer->ConnVal(),
zeek::val_mgr->Bool(is_orig), val_mgr->Bool(is_orig),
zeek::make_intrusive<zeek::StringVal>(new zeek::String(data, len, false))); make_intrusive<StringVal>(new String(data, len, false)));
else else
analyzer->EnqueueConnEvent(event, analyzer->EnqueueConnEvent(event,
analyzer->ConnVal(), analyzer->ConnVal(),
zeek::make_intrusive<zeek::StringVal>(new zeek::String(data, len, false))); make_intrusive<StringVal>(new String(data, len, false)));
} }
} // namespace detail } // namespace detail
Contents_NetbiosSSN::Contents_NetbiosSSN(zeek::Connection* conn, bool orig, Contents_NetbiosSSN::Contents_NetbiosSSN(Connection* conn, bool orig,
detail::NetbiosSSN_Interpreter* arg_interp) detail::NetbiosSSN_Interpreter* arg_interp)
: zeek::analyzer::tcp::TCP_SupportAnalyzer("CONTENTS_NETBIOSSSN", conn, orig) : analyzer::tcp::TCP_SupportAnalyzer("CONTENTS_NETBIOSSSN", conn, orig)
{ {
interp = arg_interp; interp = arg_interp;
type = flags = msg_size = 0; type = flags = msg_size = 0;
@ -365,7 +365,7 @@ void Contents_NetbiosSSN::DeliverStream(int len, const u_char* data, bool orig)
void Contents_NetbiosSSN::ProcessChunk(int& len, const u_char*& data, bool orig) void Contents_NetbiosSSN::ProcessChunk(int& len, const u_char*& data, bool orig)
{ {
zeek::analyzer::tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig); analyzer::tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig);
if ( state == detail::NETBIOS_SSN_TYPE ) if ( state == detail::NETBIOS_SSN_TYPE )
{ {
@ -453,8 +453,8 @@ void Contents_NetbiosSSN::ProcessChunk(int& len, const u_char*& data, bool orig)
state = detail::NETBIOS_SSN_TYPE; state = detail::NETBIOS_SSN_TYPE;
} }
NetbiosSSN_Analyzer::NetbiosSSN_Analyzer(zeek::Connection* conn) NetbiosSSN_Analyzer::NetbiosSSN_Analyzer(Connection* conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("NETBIOSSSN", conn) : analyzer::tcp::TCP_ApplicationAnalyzer("NETBIOSSSN", conn)
{ {
//smb_session = new SMB_Session(this); //smb_session = new SMB_Session(this);
interp = new detail::NetbiosSSN_Interpreter(this); interp = new detail::NetbiosSSN_Interpreter(this);
@ -471,7 +471,7 @@ NetbiosSSN_Analyzer::NetbiosSSN_Analyzer(zeek::Connection* conn)
else else
{ {
ADD_ANALYZER_TIMER(&NetbiosSSN_Analyzer::ExpireTimer, ADD_ANALYZER_TIMER(&NetbiosSSN_Analyzer::ExpireTimer,
zeek::run_state::network_time + netbios_ssn_session_timeout, true, run_state::network_time + netbios_ssn_session_timeout, true,
zeek::detail::TIMER_NB_EXPIRE); zeek::detail::TIMER_NB_EXPIRE);
} }
} }
@ -484,7 +484,7 @@ NetbiosSSN_Analyzer::~NetbiosSSN_Analyzer()
void NetbiosSSN_Analyzer::Done() void NetbiosSSN_Analyzer::Done()
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); analyzer::tcp::TCP_ApplicationAnalyzer::Done();
interp->Timeout(); interp->Timeout();
if ( Conn()->ConnTransport() == TRANSPORT_UDP && ! did_session_done ) if ( Conn()->ConnTransport() == TRANSPORT_UDP && ! did_session_done )
@ -495,15 +495,15 @@ void NetbiosSSN_Analyzer::Done()
void NetbiosSSN_Analyzer::EndpointEOF(bool orig) void NetbiosSSN_Analyzer::EndpointEOF(bool orig)
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(orig); analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(orig);
(orig ? orig_netbios : resp_netbios)->Flush(); (orig ? orig_netbios : resp_netbios)->Flush();
} }
void NetbiosSSN_Analyzer::ConnectionClosed(zeek::analyzer::tcp::TCP_Endpoint* endpoint, void NetbiosSSN_Analyzer::ConnectionClosed(analyzer::tcp::TCP_Endpoint* endpoint,
zeek::analyzer::tcp::TCP_Endpoint* peer, bool gen_event) analyzer::tcp::TCP_Endpoint* peer, bool gen_event)
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::ConnectionClosed(endpoint, peer, gen_event); analyzer::tcp::TCP_ApplicationAnalyzer::ConnectionClosed(endpoint, peer, gen_event);
// Question: Why do we flush *both* endpoints upon connection close? // Question: Why do we flush *both* endpoints upon connection close?
// orig_netbios->Flush(); // orig_netbios->Flush();
@ -511,9 +511,9 @@ void NetbiosSSN_Analyzer::ConnectionClosed(zeek::analyzer::tcp::TCP_Endpoint* en
} }
void NetbiosSSN_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, void NetbiosSSN_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const zeek::IP_Hdr* ip, int caplen) uint64_t seq, const IP_Hdr* ip, int caplen)
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen); analyzer::tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
if ( orig ) if ( orig )
interp->ParseMessageUDP(data, len, true); interp->ParseMessageUDP(data, len, true);
@ -526,12 +526,12 @@ void NetbiosSSN_Analyzer::ExpireTimer(double t)
// The - 1.0 in the following is to allow 1 second for the // The - 1.0 in the following is to allow 1 second for the
// common case of a single request followed by a single reply, // common case of a single request followed by a single reply,
// so we don't needlessly set the timer twice in that case. // so we don't needlessly set the timer twice in that case.
if ( zeek::run_state::terminating || if ( run_state::terminating ||
zeek::run_state::network_time - Conn()->LastTime() >= run_state::network_time - Conn()->LastTime() >=
netbios_ssn_session_timeout - 1.0 ) netbios_ssn_session_timeout - 1.0 )
{ {
Event(connection_timeout); Event(connection_timeout);
zeek::sessions->Remove(Conn()); sessions->Remove(Conn());
} }
else else
ADD_ANALYZER_TIMER(&NetbiosSSN_Analyzer::ExpireTimer, ADD_ANALYZER_TIMER(&NetbiosSSN_Analyzer::ExpireTimer,

22
src/analyzer/protocol/netbios/NetbiosSSN.h
View file

@ -70,7 +70,7 @@ enum NetbiosSSN_State {
class NetbiosSSN_Interpreter { class NetbiosSSN_Interpreter {
public: public:
explicit NetbiosSSN_Interpreter(zeek::analyzer::Analyzer* analyzer); explicit NetbiosSSN_Interpreter(analyzer::Analyzer* analyzer);
void ParseMessage(unsigned int type, unsigned int flags, void ParseMessage(unsigned int type, unsigned int flags,
const u_char* data, int len, bool is_query); const u_char* data, int len, bool is_query);
@ -95,7 +95,7 @@ protected:
void ParseSambaMsg(const u_char* data, int len, bool is_query); void ParseSambaMsg(const u_char* data, int len, bool is_query);
void Event(zeek::EventHandlerPtr event, const u_char* data, int len, void Event(EventHandlerPtr event, const u_char* data, int len,
int is_orig = -1); int is_orig = -1);
// Pass in name/length, returns in xname/xlen the converted // Pass in name/length, returns in xname/xlen the converted
@ -105,16 +105,16 @@ protected:
u_char*& xname, int& xlen); u_char*& xname, int& xlen);
protected: protected:
zeek::analyzer::Analyzer* analyzer; analyzer::Analyzer* analyzer;
//SMB_Session* smb_session; //SMB_Session* smb_session;
}; };
} // namespace detail } // namespace detail
// ### This should be merged with TCP_Contents_RPC, TCP_Contents_DNS. // ### This should be merged with TCP_Contents_RPC, TCP_Contents_DNS.
class Contents_NetbiosSSN final : public zeek::analyzer::tcp::TCP_SupportAnalyzer { class Contents_NetbiosSSN final : public analyzer::tcp::TCP_SupportAnalyzer {
public: public:
Contents_NetbiosSSN(zeek::Connection* conn, bool orig, Contents_NetbiosSSN(Connection* conn, bool orig,
detail::NetbiosSSN_Interpreter* interp); detail::NetbiosSSN_Interpreter* interp);
~Contents_NetbiosSSN() override; ~Contents_NetbiosSSN() override;
@ -139,21 +139,21 @@ protected:
detail::NetbiosSSN_State state; detail::NetbiosSSN_State state;
}; };
class NetbiosSSN_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { class NetbiosSSN_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer {
public: public:
explicit NetbiosSSN_Analyzer(zeek::Connection* conn); explicit NetbiosSSN_Analyzer(Connection* conn);
~NetbiosSSN_Analyzer() override; ~NetbiosSSN_Analyzer() override;
void Done() override; void Done() override;
void DeliverPacket(int len, const u_char* data, bool orig, void DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override; uint64_t seq, const IP_Hdr* ip, int caplen) override;
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new NetbiosSSN_Analyzer(conn); } { return new NetbiosSSN_Analyzer(conn); }
protected: protected:
void ConnectionClosed(zeek::analyzer::tcp::TCP_Endpoint* endpoint, void ConnectionClosed(analyzer::tcp::TCP_Endpoint* endpoint,
zeek::analyzer::tcp::TCP_Endpoint* peer, bool gen_event) override; analyzer::tcp::TCP_Endpoint* peer, bool gen_event) override;
void EndpointEOF(bool is_orig) override; void EndpointEOF(bool is_orig) override;
void ExpireTimer(double t); void ExpireTimer(double t);

14
src/analyzer/protocol/ntlm/NTLM.cc
View file

@ -7,8 +7,8 @@
namespace zeek::analyzer::ntlm { namespace zeek::analyzer::ntlm {
NTLM_Analyzer::NTLM_Analyzer(zeek::Connection* c) NTLM_Analyzer::NTLM_Analyzer(Connection* c)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("NTLM", c) : analyzer::tcp::TCP_ApplicationAnalyzer("NTLM", c)
{ {
interp = new binpac::NTLM::NTLM_Conn(this); interp = new binpac::NTLM::NTLM_Conn(this);
} }
@ -20,7 +20,7 @@ NTLM_Analyzer::~NTLM_Analyzer()
void NTLM_Analyzer::Done() void NTLM_Analyzer::Done()
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); analyzer::tcp::TCP_ApplicationAnalyzer::Done();
interp->FlowEOF(true); interp->FlowEOF(true);
interp->FlowEOF(false); interp->FlowEOF(false);
@ -28,13 +28,13 @@ void NTLM_Analyzer::Done()
void NTLM_Analyzer::EndpointEOF(bool is_orig) void NTLM_Analyzer::EndpointEOF(bool is_orig)
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
interp->FlowEOF(is_orig); interp->FlowEOF(is_orig);
} }
void NTLM_Analyzer::DeliverStream(int len, const u_char* data, bool orig) void NTLM_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
assert(TCP()); assert(TCP());
@ -45,13 +45,13 @@ void NTLM_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
} }
catch ( const binpac::Exception& e ) catch ( const binpac::Exception& e )
{ {
ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg())); ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
} }
} }
void NTLM_Analyzer::Undelivered(uint64_t seq, int len, bool orig) void NTLM_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
interp->NewGap(orig, len); interp->NewGap(orig, len);
} }

8
src/analyzer/protocol/ntlm/NTLM.h
View file

@ -9,10 +9,10 @@
namespace zeek::analyzer::ntlm { namespace zeek::analyzer::ntlm {
class NTLM_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { class NTLM_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer {
public: public:
explicit NTLM_Analyzer(zeek::Connection* conn); explicit NTLM_Analyzer(Connection* conn);
~NTLM_Analyzer() override; ~NTLM_Analyzer() override;
// Overriden from Analyzer. // Overriden from Analyzer.
@ -21,10 +21,10 @@ public:
void DeliverStream(int len, const u_char* data, bool orig) override; void DeliverStream(int len, const u_char* data, bool orig) override;
void Undelivered(uint64_t seq, int len, bool orig) override; void Undelivered(uint64_t seq, int len, bool orig) override;
// Overriden from zeek::analyzer::tcp::TCP_ApplicationAnalyzer. // Overriden from analyzer::tcp::TCP_ApplicationAnalyzer.
void EndpointEOF(bool is_orig) override; void EndpointEOF(bool is_orig) override;
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new NTLM_Analyzer(conn); } { return new NTLM_Analyzer(conn); }
protected: protected:

8
src/analyzer/protocol/ntp/NTP.cc
View file

@ -6,8 +6,8 @@
namespace zeek::analyzer::ntp { namespace zeek::analyzer::ntp {
NTP_Analyzer::NTP_Analyzer(zeek::Connection* c) NTP_Analyzer::NTP_Analyzer(Connection* c)
: zeek::analyzer::Analyzer("NTP", c) : analyzer::Analyzer("NTP", c)
{ {
interp = new binpac::NTP::NTP_Conn(this); interp = new binpac::NTP::NTP_Conn(this);
} }
@ -24,7 +24,7 @@ NTP_Analyzer::~NTP_Analyzer()
} }
void NTP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, void NTP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const zeek::IP_Hdr* ip, int caplen) uint64_t seq, const IP_Hdr* ip, int caplen)
{ {
Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
@ -34,7 +34,7 @@ void NTP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
} }
catch ( const binpac::Exception& e ) catch ( const binpac::Exception& e )
{ {
ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg())); ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
} }
} }

8
src/analyzer/protocol/ntp/NTP.h
View file

@ -9,17 +9,17 @@
namespace zeek::analyzer::ntp { namespace zeek::analyzer::ntp {
class NTP_Analyzer final : public zeek::analyzer::Analyzer { class NTP_Analyzer final : public analyzer::Analyzer {
public: public:
explicit NTP_Analyzer(zeek::Connection* conn); explicit NTP_Analyzer(Connection* conn);
~NTP_Analyzer() override; ~NTP_Analyzer() override;
// Overriden from Analyzer. // Overriden from Analyzer.
void Done() override; void Done() override;
void DeliverPacket(int len, const u_char* data, bool orig, void DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override; uint64_t seq, const IP_Hdr* ip, int caplen) override;
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new NTP_Analyzer(conn); } { return new NTP_Analyzer(conn); }
protected: protected:

66
src/analyzer/protocol/pia/PIA.cc
View file

@ -11,7 +11,7 @@
namespace zeek::analyzer::pia { namespace zeek::analyzer::pia {
PIA::PIA(zeek::analyzer::Analyzer* arg_as_analyzer) PIA::PIA(analyzer::Analyzer* arg_as_analyzer)
: state(INIT), as_analyzer(arg_as_analyzer), conn(), current_packet() : state(INIT), as_analyzer(arg_as_analyzer), conn(), current_packet()
{ {
} }
@ -37,7 +37,7 @@ void PIA::ClearBuffer(Buffer* buffer)
} }
void PIA::AddToBuffer(Buffer* buffer, uint64_t seq, int len, const u_char* data, void PIA::AddToBuffer(Buffer* buffer, uint64_t seq, int len, const u_char* data,
bool is_orig, const zeek::IP_Hdr* ip) bool is_orig, const IP_Hdr* ip)
{ {
u_char* tmp = nullptr; u_char* tmp = nullptr;
@ -67,14 +67,14 @@ void PIA::AddToBuffer(Buffer* buffer, uint64_t seq, int len, const u_char* data,
} }
void PIA::AddToBuffer(Buffer* buffer, int len, const u_char* data, bool is_orig, void PIA::AddToBuffer(Buffer* buffer, int len, const u_char* data, bool is_orig,
const zeek::IP_Hdr* ip) const IP_Hdr* ip)
{ {
AddToBuffer(buffer, -1, len, data, is_orig, ip); AddToBuffer(buffer, -1, len, data, is_orig, ip);
} }
void PIA::ReplayPacketBuffer(zeek::analyzer::Analyzer* analyzer) void PIA::ReplayPacketBuffer(analyzer::Analyzer* analyzer)
{ {
DBG_LOG(zeek::DBG_ANALYZER, "PIA replaying %d total packet bytes", pkt_buffer.size); DBG_LOG(DBG_ANALYZER, "PIA replaying %d total packet bytes", pkt_buffer.size);
for ( DataBlock* b = pkt_buffer.head; b; b = b->next ) for ( DataBlock* b = pkt_buffer.head; b; b = b->next )
analyzer->DeliverPacket(b->len, b->data, b->is_orig, -1, b->ip, 0); analyzer->DeliverPacket(b->len, b->data, b->is_orig, -1, b->ip, 0);
@ -86,7 +86,7 @@ void PIA::PIA_Done()
} }
void PIA::PIA_DeliverPacket(int len, const u_char* data, bool is_orig, uint64_t seq, void PIA::PIA_DeliverPacket(int len, const u_char* data, bool is_orig, uint64_t seq,
const zeek::IP_Hdr* ip, int caplen, bool clear_state) const IP_Hdr* ip, int caplen, bool clear_state)
{ {
if ( pkt_buffer.state == SKIPPING ) if ( pkt_buffer.state == SKIPPING )
return; return;
@ -131,7 +131,7 @@ void PIA::Match(zeek::detail::Rule::PatternType type, const u_char* data, int le
} }
void PIA::DoMatch(const u_char* data, int len, bool is_orig, bool bol, bool eol, void PIA::DoMatch(const u_char* data, int len, bool is_orig, bool bol, bool eol,
bool clear_state, const zeek::IP_Hdr* ip) bool clear_state, const IP_Hdr* ip)
{ {
if ( ! zeek::detail::rule_matcher ) if ( ! zeek::detail::rule_matcher )
return; return;
@ -146,11 +146,11 @@ void PIA::DoMatch(const u_char* data, int len, bool is_orig, bool bol, bool eol,
bol, eol, clear_state); bol, eol, clear_state);
} }
void PIA_UDP::ActivateAnalyzer(zeek::analyzer::Tag tag, const zeek::detail::Rule* rule) void PIA_UDP::ActivateAnalyzer(analyzer::Tag tag, const zeek::detail::Rule* rule)
{ {
if ( pkt_buffer.state == MATCHING_ONLY ) if ( pkt_buffer.state == MATCHING_ONLY )
{ {
DBG_LOG(zeek::DBG_ANALYZER, "analyzer found but buffer already exceeded"); DBG_LOG(DBG_ANALYZER, "analyzer found but buffer already exceeded");
// FIXME: This is where to check whether an analyzer // FIXME: This is where to check whether an analyzer
// supports partial connections once we get such. // supports partial connections once we get such.
@ -161,7 +161,7 @@ void PIA_UDP::ActivateAnalyzer(zeek::analyzer::Tag tag, const zeek::detail::Rule
tag = GetAnalyzerTag(); tag = GetAnalyzerTag();
const auto& tval = tag.AsVal(); const auto& tval = tag.AsVal();
zeek::event_mgr.Enqueue(protocol_late_match, ConnVal(), tval); event_mgr.Enqueue(protocol_late_match, ConnVal(), tval);
} }
pkt_buffer.state = zeek::detail::dpd_late_match_stop ? SKIPPING : MATCHING_ONLY; pkt_buffer.state = zeek::detail::dpd_late_match_stop ? SKIPPING : MATCHING_ONLY;
@ -171,7 +171,7 @@ void PIA_UDP::ActivateAnalyzer(zeek::analyzer::Tag tag, const zeek::detail::Rule
if ( Parent()->HasChildAnalyzer(tag) ) if ( Parent()->HasChildAnalyzer(tag) )
return; return;
zeek::analyzer::Analyzer* a = Parent()->AddChildAnalyzer(tag); analyzer::Analyzer* a = Parent()->AddChildAnalyzer(tag);
if ( ! a ) if ( ! a )
return; return;
@ -180,9 +180,9 @@ void PIA_UDP::ActivateAnalyzer(zeek::analyzer::Tag tag, const zeek::detail::Rule
ReplayPacketBuffer(a); ReplayPacketBuffer(a);
} }
void PIA_UDP::DeactivateAnalyzer(zeek::analyzer::Tag tag) void PIA_UDP::DeactivateAnalyzer(analyzer::Tag tag)
{ {
zeek::reporter->InternalError("PIA_UDP::Deact not implemented yet"); reporter->InternalError("PIA_UDP::Deact not implemented yet");
} }
//// TCP PIA //// TCP PIA
@ -194,7 +194,7 @@ PIA_TCP::~PIA_TCP()
void PIA_TCP::Init() void PIA_TCP::Init()
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Init(); analyzer::tcp::TCP_ApplicationAnalyzer::Init();
if ( Parent()->IsAnalyzer("TCP") ) if ( Parent()->IsAnalyzer("TCP") )
{ {
@ -204,14 +204,14 @@ void PIA_TCP::Init()
} }
} }
void PIA_TCP::FirstPacket(bool is_orig, const zeek::IP_Hdr* ip) void PIA_TCP::FirstPacket(bool is_orig, const IP_Hdr* ip)
{ {
static char dummy_packet[sizeof(struct ip) + sizeof(struct tcphdr)]; static char dummy_packet[sizeof(struct ip) + sizeof(struct tcphdr)];
static struct ip* ip4 = nullptr; static struct ip* ip4 = nullptr;
static struct tcphdr* tcp4 = nullptr; static struct tcphdr* tcp4 = nullptr;
static zeek::IP_Hdr* ip4_hdr = nullptr; static IP_Hdr* ip4_hdr = nullptr;
DBG_LOG(zeek::DBG_ANALYZER, "PIA_TCP[%d] FirstPacket(%s)", GetID(), (is_orig ? "T" : "F")); DBG_LOG(DBG_ANALYZER, "PIA_TCP[%d] FirstPacket(%s)", GetID(), (is_orig ? "T" : "F"));
if ( ! ip ) if ( ! ip )
{ {
@ -227,7 +227,7 @@ void PIA_TCP::FirstPacket(bool is_orig, const zeek::IP_Hdr* ip)
ip4->ip_p = IPPROTO_TCP; ip4->ip_p = IPPROTO_TCP;
// Cast to const so that it doesn't delete it. // Cast to const so that it doesn't delete it.
ip4_hdr = new zeek::IP_Hdr(ip4, false); ip4_hdr = new IP_Hdr(ip4, false);
} }
if ( is_orig ) if ( is_orig )
@ -254,7 +254,7 @@ void PIA_TCP::FirstPacket(bool is_orig, const zeek::IP_Hdr* ip)
void PIA_TCP::DeliverStream(int len, const u_char* data, bool is_orig) void PIA_TCP::DeliverStream(int len, const u_char* data, bool is_orig)
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig); analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig);
if ( stream_buffer.state == SKIPPING ) if ( stream_buffer.state == SKIPPING )
return; return;
@ -284,7 +284,7 @@ void PIA_TCP::DeliverStream(int len, const u_char* data, bool is_orig)
void PIA_TCP::Undelivered(uint64_t seq, int len, bool is_orig) void PIA_TCP::Undelivered(uint64_t seq, int len, bool is_orig)
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig); analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig);
if ( stream_buffer.state == BUFFERING ) if ( stream_buffer.state == BUFFERING )
// We use data=nil to mark an undelivered. // We use data=nil to mark an undelivered.
@ -293,11 +293,11 @@ void PIA_TCP::Undelivered(uint64_t seq, int len, bool is_orig)
// No check for buffer overrun here. I think that's ok. // No check for buffer overrun here. I think that's ok.
} }
void PIA_TCP::ActivateAnalyzer(zeek::analyzer::Tag tag, const zeek::detail::Rule* rule) void PIA_TCP::ActivateAnalyzer(analyzer::Tag tag, const zeek::detail::Rule* rule)
{ {
if ( stream_buffer.state == MATCHING_ONLY ) if ( stream_buffer.state == MATCHING_ONLY )
{ {
DBG_LOG(zeek::DBG_ANALYZER, "analyzer found but buffer already exceeded"); DBG_LOG(DBG_ANALYZER, "analyzer found but buffer already exceeded");
// FIXME: This is where to check whether an analyzer supports // FIXME: This is where to check whether an analyzer supports
// partial connections once we get such. // partial connections once we get such.
@ -308,14 +308,14 @@ void PIA_TCP::ActivateAnalyzer(zeek::analyzer::Tag tag, const zeek::detail::Rule
tag = GetAnalyzerTag(); tag = GetAnalyzerTag();
const auto& tval = tag.AsVal(); const auto& tval = tag.AsVal();
zeek::event_mgr.Enqueue(protocol_late_match, ConnVal(), tval); event_mgr.Enqueue(protocol_late_match, ConnVal(), tval);
} }
stream_buffer.state = zeek::detail::dpd_late_match_stop ? SKIPPING : MATCHING_ONLY; stream_buffer.state = zeek::detail::dpd_late_match_stop ? SKIPPING : MATCHING_ONLY;
return; return;
} }
zeek::analyzer::Analyzer* a = Parent()->AddChildAnalyzer(tag); analyzer::Analyzer* a = Parent()->AddChildAnalyzer(tag);
if ( ! a ) if ( ! a )
return; return;
@ -349,7 +349,7 @@ void PIA_TCP::ActivateAnalyzer(zeek::analyzer::Tag tag, const zeek::detail::Rule
// (4) We hand the two reassemblers to the TCP Analyzer (our parent), // (4) We hand the two reassemblers to the TCP Analyzer (our parent),
// turning reassembly now on for all subsequent data. // turning reassembly now on for all subsequent data.
DBG_LOG(zeek::DBG_ANALYZER, "PIA_TCP switching from packet-mode to stream-mode"); DBG_LOG(DBG_ANALYZER, "PIA_TCP switching from packet-mode to stream-mode");
stream_mode = true; stream_mode = true;
// FIXME: The reassembler will query the endpoint for state. Not sure // FIXME: The reassembler will query the endpoint for state. Not sure
@ -386,10 +386,10 @@ void PIA_TCP::ActivateAnalyzer(zeek::analyzer::Tag tag, const zeek::detail::Rule
// worth the effort. // worth the effort.
if ( b->is_orig ) if ( b->is_orig )
reass_orig->DataSent(zeek::run_state::network_time, orig_seq = b->seq, reass_orig->DataSent(run_state::network_time, orig_seq = b->seq,
b->len, b->data, tcp::TCP_Flags(), true); b->len, b->data, tcp::TCP_Flags(), true);
else else
reass_resp->DataSent(zeek::run_state::network_time, resp_seq = b->seq, reass_resp->DataSent(run_state::network_time, resp_seq = b->seq,
b->len, b->data, tcp::TCP_Flags(), true); b->len, b->data, tcp::TCP_Flags(), true);
} }
@ -398,11 +398,11 @@ void PIA_TCP::ActivateAnalyzer(zeek::analyzer::Tag tag, const zeek::detail::Rule
if ( current->data ) if ( current->data )
{ {
if ( current->is_orig ) if ( current->is_orig )
reass_orig->DataSent(zeek::run_state::network_time, reass_orig->DataSent(run_state::network_time,
orig_seq = current->seq, orig_seq = current->seq,
current->len, current->data, analyzer::tcp::TCP_Flags(), true); current->len, current->data, analyzer::tcp::TCP_Flags(), true);
else else
reass_resp->DataSent(zeek::run_state::network_time, reass_resp->DataSent(run_state::network_time,
resp_seq = current->seq, resp_seq = current->seq,
current->len, current->data, analyzer::tcp::TCP_Flags(), true); current->len, current->data, analyzer::tcp::TCP_Flags(), true);
} }
@ -419,14 +419,14 @@ void PIA_TCP::ActivateAnalyzer(zeek::analyzer::Tag tag, const zeek::detail::Rule
tcp->SetReassembler(reass_orig, reass_resp); tcp->SetReassembler(reass_orig, reass_resp);
} }
void PIA_TCP::DeactivateAnalyzer(zeek::analyzer::Tag tag) void PIA_TCP::DeactivateAnalyzer(analyzer::Tag tag)
{ {
zeek::reporter->InternalError("PIA_TCP::Deact not implemented yet"); reporter->InternalError("PIA_TCP::Deact not implemented yet");
} }
void PIA_TCP::ReplayStreamBuffer(zeek::analyzer::Analyzer* analyzer) void PIA_TCP::ReplayStreamBuffer(analyzer::Analyzer* analyzer)
{ {
DBG_LOG(zeek::DBG_ANALYZER, "PIA_TCP replaying %d total stream bytes", stream_buffer.size); DBG_LOG(DBG_ANALYZER, "PIA_TCP replaying %d total stream bytes", stream_buffer.size);
for ( DataBlock* b = stream_buffer.head; b; b = b->next ) for ( DataBlock* b = stream_buffer.head; b; b = b->next )
{ {

56
src/analyzer/protocol/pia/PIA.h
View file

@ -19,37 +19,37 @@ namespace zeek::analyzer::pia {
// PIAs and then each needs its own matching-state. // PIAs and then each needs its own matching-state.
class PIA : public zeek::detail::RuleMatcherState { class PIA : public zeek::detail::RuleMatcherState {
public: public:
explicit PIA(zeek::analyzer::Analyzer* as_analyzer); explicit PIA(analyzer::Analyzer* as_analyzer);
virtual ~PIA(); virtual ~PIA();
// Called when PIA wants to put an Analyzer in charge. rule is the // Called when PIA wants to put an Analyzer in charge. rule is the
// signature that triggered the activitation, if any. // signature that triggered the activitation, if any.
virtual void ActivateAnalyzer(zeek::analyzer::Tag tag, virtual void ActivateAnalyzer(analyzer::Tag tag,
const zeek::detail::Rule* rule = nullptr) = 0; const zeek::detail::Rule* rule = nullptr) = 0;
// Called when PIA wants to remove an Analyzer. // Called when PIA wants to remove an Analyzer.
virtual void DeactivateAnalyzer(zeek::analyzer::Tag tag) = 0; virtual void DeactivateAnalyzer(analyzer::Tag tag) = 0;
void Match(zeek::detail::Rule::PatternType type, const u_char* data, int len, void Match(zeek::detail::Rule::PatternType type, const u_char* data, int len,
bool is_orig, bool bol, bool eol, bool clear_state); bool is_orig, bool bol, bool eol, bool clear_state);
void ReplayPacketBuffer(zeek::analyzer::Analyzer* analyzer); void ReplayPacketBuffer(analyzer::Analyzer* analyzer);
// Children are also derived from Analyzer. Return this object // Children are also derived from Analyzer. Return this object
// as pointer to an Analyzer. // as pointer to an Analyzer.
zeek::analyzer::Analyzer* AsAnalyzer() { return as_analyzer; } analyzer::Analyzer* AsAnalyzer() { return as_analyzer; }
protected: protected:
void PIA_Done(); void PIA_Done();
void PIA_DeliverPacket(int len, const u_char* data, bool is_orig, void PIA_DeliverPacket(int len, const u_char* data, bool is_orig,
uint64_t seq, const zeek::IP_Hdr* ip, int caplen, bool clear_state); uint64_t seq, const IP_Hdr* ip, int caplen, bool clear_state);
enum State { INIT, BUFFERING, MATCHING_ONLY, SKIPPING } state; enum State { INIT, BUFFERING, MATCHING_ONLY, SKIPPING } state;
// Buffers one chunk of data. Used both for packet payload (incl. // Buffers one chunk of data. Used both for packet payload (incl.
// sequence numbers for TCP) and chunks of a reassembled stream. // sequence numbers for TCP) and chunks of a reassembled stream.
struct DataBlock { struct DataBlock {
zeek::IP_Hdr* ip; IP_Hdr* ip;
const u_char* data; const u_char* data;
bool is_orig; bool is_orig;
int len; int len;
@ -67,35 +67,35 @@ protected:
}; };
void AddToBuffer(Buffer* buffer, uint64_t seq, int len, void AddToBuffer(Buffer* buffer, uint64_t seq, int len,
const u_char* data, bool is_orig, const zeek::IP_Hdr* ip = nullptr); const u_char* data, bool is_orig, const IP_Hdr* ip = nullptr);
void AddToBuffer(Buffer* buffer, int len, void AddToBuffer(Buffer* buffer, int len,
const u_char* data, bool is_orig, const zeek::IP_Hdr* ip = nullptr); const u_char* data, bool is_orig, const IP_Hdr* ip = nullptr);
void ClearBuffer(Buffer* buffer); void ClearBuffer(Buffer* buffer);
DataBlock* CurrentPacket() { return &current_packet; } DataBlock* CurrentPacket() { return &current_packet; }
void DoMatch(const u_char* data, int len, bool is_orig, bool bol, void DoMatch(const u_char* data, int len, bool is_orig, bool bol,
bool eol, bool clear_state, const zeek::IP_Hdr* ip = nullptr); bool eol, bool clear_state, const IP_Hdr* ip = nullptr);
void SetConn(zeek::Connection* c) { conn = c; } void SetConn(Connection* c) { conn = c; }
Buffer pkt_buffer; Buffer pkt_buffer;
private: private:
zeek::analyzer::Analyzer* as_analyzer; analyzer::Analyzer* as_analyzer;
zeek::Connection* conn; Connection* conn;
DataBlock current_packet; DataBlock current_packet;
}; };
// PIA for UDP. // PIA for UDP.
class PIA_UDP : public PIA, public zeek::analyzer::Analyzer { class PIA_UDP : public PIA, public analyzer::Analyzer {
public: public:
explicit PIA_UDP(zeek::Connection* conn) explicit PIA_UDP(Connection* conn)
: PIA(this), Analyzer("PIA_UDP", conn) : PIA(this), Analyzer("PIA_UDP", conn)
{ SetConn(conn); } { SetConn(conn); }
~PIA_UDP() override { } ~PIA_UDP() override { }
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new PIA_UDP(conn); } { return new PIA_UDP(conn); }
protected: protected:
@ -106,22 +106,22 @@ protected:
} }
void DeliverPacket(int len, const u_char* data, bool is_orig, void DeliverPacket(int len, const u_char* data, bool is_orig,
uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override uint64_t seq, const IP_Hdr* ip, int caplen) override
{ {
Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen); Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen);
PIA_DeliverPacket(len, data, is_orig, seq, ip, caplen, true); PIA_DeliverPacket(len, data, is_orig, seq, ip, caplen, true);
} }
void ActivateAnalyzer(zeek::analyzer::Tag tag, const zeek::detail::Rule* rule) override; void ActivateAnalyzer(analyzer::Tag tag, const zeek::detail::Rule* rule) override;
void DeactivateAnalyzer(zeek::analyzer::Tag tag) override; void DeactivateAnalyzer(analyzer::Tag tag) override;
}; };
// PIA for TCP. Accepts both packet and stream input (and reassembles // PIA for TCP. Accepts both packet and stream input (and reassembles
// packets before passing payload on to children). // packets before passing payload on to children).
class PIA_TCP : public PIA, public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { class PIA_TCP : public PIA, public analyzer::tcp::TCP_ApplicationAnalyzer {
public: public:
explicit PIA_TCP(zeek::Connection* conn) explicit PIA_TCP(Connection* conn)
: PIA(this), zeek::analyzer::tcp::TCP_ApplicationAnalyzer("PIA_TCP", conn) : PIA(this), analyzer::tcp::TCP_ApplicationAnalyzer("PIA_TCP", conn)
{ stream_mode = false; SetConn(conn); } { stream_mode = false; SetConn(conn); }
~PIA_TCP() override; ~PIA_TCP() override;
@ -136,11 +136,11 @@ public:
// matcher in the case that we already get reassembled input, // matcher in the case that we already get reassembled input,
// and making it part of the general analyzer interface seems // and making it part of the general analyzer interface seems
// to be unnecessary overhead.) // to be unnecessary overhead.)
void FirstPacket(bool is_orig, const zeek::IP_Hdr* ip); void FirstPacket(bool is_orig, const IP_Hdr* ip);
void ReplayStreamBuffer(zeek::analyzer::Analyzer* analyzer); void ReplayStreamBuffer(analyzer::Analyzer* analyzer);
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new PIA_TCP(conn); } { return new PIA_TCP(conn); }
protected: protected:
@ -151,7 +151,7 @@ protected:
} }
void DeliverPacket(int len, const u_char* data, bool is_orig, void DeliverPacket(int len, const u_char* data, bool is_orig,
uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override uint64_t seq, const IP_Hdr* ip, int caplen) override
{ {
Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen); Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen);
PIA_DeliverPacket(len, data, is_orig, seq, ip, caplen, false); PIA_DeliverPacket(len, data, is_orig, seq, ip, caplen, false);
@ -160,9 +160,9 @@ protected:
void DeliverStream(int len, const u_char* data, bool is_orig) override; void DeliverStream(int len, const u_char* data, bool is_orig) override;
void Undelivered(uint64_t seq, int len, bool is_orig) override; void Undelivered(uint64_t seq, int len, bool is_orig) override;
void ActivateAnalyzer(zeek::analyzer::Tag tag, void ActivateAnalyzer(analyzer::Tag tag,
const zeek::detail::Rule* rule = nullptr) override; const zeek::detail::Rule* rule = nullptr) override;
void DeactivateAnalyzer(zeek::analyzer::Tag tag) override; void DeactivateAnalyzer(analyzer::Tag tag) override;
private: private:
// FIXME: Not sure yet whether we need both pkt_buffer and stream_buffer. // FIXME: Not sure yet whether we need both pkt_buffer and stream_buffer.

48
src/analyzer/protocol/pop3/POP3.cc
View file

@ -25,8 +25,8 @@ static const char* pop3_cmd_word[] = {
#define POP3_CMD_WORD(code) ((code >= 0) ? pop3_cmd_word[code] : "(UNKNOWN)") #define POP3_CMD_WORD(code) ((code >= 0) ? pop3_cmd_word[code] : "(UNKNOWN)")
POP3_Analyzer::POP3_Analyzer(zeek::Connection* conn) POP3_Analyzer::POP3_Analyzer(Connection* conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("POP3", conn) : analyzer::tcp::TCP_ApplicationAnalyzer("POP3", conn)
{ {
masterState = detail::POP3_START; masterState = detail::POP3_START;
subState = detail::POP3_WOK; subState = detail::POP3_WOK;
@ -44,10 +44,10 @@ POP3_Analyzer::POP3_Analyzer(zeek::Connection* conn)
mail = nullptr; mail = nullptr;
cl_orig = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, true); cl_orig = new analyzer::tcp::ContentLine_Analyzer(conn, true);
AddSupportAnalyzer(cl_orig); AddSupportAnalyzer(cl_orig);
cl_resp = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, false); cl_resp = new analyzer::tcp::ContentLine_Analyzer(conn, false);
AddSupportAnalyzer(cl_resp); AddSupportAnalyzer(cl_resp);
} }
@ -57,7 +57,7 @@ POP3_Analyzer::~POP3_Analyzer()
void POP3_Analyzer::Done() void POP3_Analyzer::Done()
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); analyzer::tcp::TCP_ApplicationAnalyzer::Done();
if ( mail ) if ( mail )
EndData(); EndData();
@ -66,7 +66,7 @@ void POP3_Analyzer::Done()
void POP3_Analyzer::DeliverStream(int len, const u_char* data, bool orig) void POP3_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
if ( tls ) if ( tls )
{ {
@ -77,7 +77,7 @@ void POP3_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
if ( (TCP() && TCP()->IsPartial()) ) if ( (TCP() && TCP()->IsPartial()) )
return; return;
zeek::String terminated_string(data, len, true); String terminated_string(data, len, true);
if ( orig ) if ( orig )
ProcessRequest(len, (char*) terminated_string.Bytes()); ProcessRequest(len, (char*) terminated_string.Bytes());
@ -91,7 +91,7 @@ static std::string trim_whitespace(const char* in)
char* out = new char[n + 1]; char* out = new char[n + 1];
char* out_p = out; char* out_p = out;
in = zeek::util::skip_whitespace(in); in = util::skip_whitespace(in);
while ( *in ) while ( *in )
{ {
@ -134,8 +134,8 @@ void POP3_Analyzer::ProcessRequest(int length, const char* line)
{ {
++authLines; ++authLines;
zeek::String encoded(line); String encoded(line);
zeek::String* decoded = zeek::detail::decode_base64(&encoded, nullptr, Conn()); String* decoded = zeek::detail::decode_base64(&encoded, nullptr, Conn());
if ( ! decoded ) if ( ! decoded )
{ {
@ -212,7 +212,7 @@ void POP3_Analyzer::ProcessRequest(int length, const char* line)
break; break;
default: default:
zeek::reporter->AnalyzerError( reporter->AnalyzerError(
this, "unexpected POP3 authorization state"); this, "unexpected POP3 authorization state");
delete decoded; delete decoded;
return; return;
@ -245,7 +245,7 @@ static std::string commands[] = {
void POP3_Analyzer::NotAllowed(const char* cmd, const char* state) void POP3_Analyzer::NotAllowed(const char* cmd, const char* state)
{ {
POP3Event(pop3_unexpected, true, cmd, POP3Event(pop3_unexpected, true, cmd,
zeek::util::fmt("not allowed in other state than '%s'", state)); util::fmt("not allowed in other state than '%s'", state));
} }
void POP3_Analyzer::ProcessClientCmd() void POP3_Analyzer::ProcessClientCmd()
@ -320,7 +320,7 @@ void POP3_Analyzer::ProcessClientCmd()
state = detail::APOP; state = detail::APOP;
subState = detail::POP3_WOK; subState = detail::POP3_WOK;
char* arg1 = zeek::util::copy_string(message); char* arg1 = util::copy_string(message);
char* e; char* e;
for ( e = arg1; *e && *e != ' ' && *e != '\t'; ++e ) for ( e = arg1; *e && *e != ' ' && *e != '\t'; ++e )
; ;
@ -354,7 +354,7 @@ void POP3_Analyzer::ProcessClientCmd()
{ {
state = detail::AUTH; state = detail::AUTH;
POP3Event(pop3_unexpected, true, cmd, POP3Event(pop3_unexpected, true, cmd,
zeek::util::fmt("unknown AUTH method %s", message)); util::fmt("unknown AUTH method %s", message));
} }
subState = detail::POP3_WOK; subState = detail::POP3_WOK;
@ -571,7 +571,7 @@ void POP3_Analyzer::ProcessClientCmd()
break; break;
default: default:
zeek::reporter->AnalyzerError(this, "unknown POP3 command"); reporter->AnalyzerError(this, "unknown POP3 command");
return; return;
} }
} }
@ -634,7 +634,7 @@ void POP3_Analyzer::ProcessReply(int length, const char* line)
{ {
if ( ! waitingForAuthentication ) if ( ! waitingForAuthentication )
{ {
ProtocolViolation(zeek::util::fmt("unknown server command (%s)", ProtocolViolation(util::fmt("unknown server command (%s)",
(tokens.size() > 0 ? (tokens.size() > 0 ?
tokens[0].c_str() : tokens[0].c_str() :
"???")), "???")),
@ -820,7 +820,7 @@ void POP3_Analyzer::StartTLS()
RemoveSupportAnalyzer(cl_orig); RemoveSupportAnalyzer(cl_orig);
RemoveSupportAnalyzer(cl_resp); RemoveSupportAnalyzer(cl_resp);
Analyzer* ssl = zeek::analyzer_mgr->InstantiateAnalyzer("SSL", Conn()); Analyzer* ssl = analyzer_mgr->InstantiateAnalyzer("SSL", Conn());
if ( ssl ) if ( ssl )
AddChildAnalyzer(ssl); AddChildAnalyzer(ssl);
@ -838,13 +838,13 @@ void POP3_Analyzer::AuthSuccessfull()
void POP3_Analyzer::BeginData(bool orig) void POP3_Analyzer::BeginData(bool orig)
{ {
delete mail; delete mail;
mail = new zeek::analyzer::mime::MIME_Mail(this, orig); mail = new analyzer::mime::MIME_Mail(this, orig);
} }
void POP3_Analyzer::EndData() void POP3_Analyzer::EndData()
{ {
if ( ! mail ) if ( ! mail )
zeek::reporter->Warning("unmatched end of data"); reporter->Warning("unmatched end of data");
else else
{ {
mail->Done(); mail->Done();
@ -909,22 +909,22 @@ std::vector<std::string> POP3_Analyzer::TokenizeLine(const std::string& input, c
return tokens; return tokens;
} }
void POP3_Analyzer::POP3Event(zeek::EventHandlerPtr event, bool is_orig, void POP3_Analyzer::POP3Event(EventHandlerPtr event, bool is_orig,
const char* arg1, const char* arg2) const char* arg1, const char* arg2)
{ {
if ( ! event ) if ( ! event )
return; return;
zeek::Args vl; Args vl;
vl.reserve(2 + (bool)arg1 + (bool)arg2); vl.reserve(2 + (bool)arg1 + (bool)arg2);
vl.emplace_back(ConnVal()); vl.emplace_back(ConnVal());
vl.emplace_back(zeek::val_mgr->Bool(is_orig)); vl.emplace_back(val_mgr->Bool(is_orig));
if ( arg1 ) if ( arg1 )
vl.emplace_back(zeek::make_intrusive<zeek::StringVal>(arg1)); vl.emplace_back(make_intrusive<StringVal>(arg1));
if ( arg2 ) if ( arg2 )
vl.emplace_back(zeek::make_intrusive<zeek::StringVal>(arg2)); vl.emplace_back(make_intrusive<StringVal>(arg2));
EnqueueConnEvent(event, std::move(vl)); EnqueueConnEvent(event, std::move(vl));
} }

14
src/analyzer/protocol/pop3/POP3.h
View file

@ -64,15 +64,15 @@ enum POP3_SubState {
} // namespace detail } // namespace detail
class POP3_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { class POP3_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer {
public: public:
explicit POP3_Analyzer(zeek::Connection* conn); explicit POP3_Analyzer(Connection* conn);
~POP3_Analyzer() override; ~POP3_Analyzer() override;
void Done() override; void Done() override;
void DeliverStream(int len, const u_char* data, bool orig) override; void DeliverStream(int len, const u_char* data, bool orig) override;
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) static analyzer::Analyzer* Instantiate(Connection* conn)
{ {
return new POP3_Analyzer(conn); return new POP3_Analyzer(conn);
} }
@ -105,16 +105,16 @@ protected:
std::vector<std::string> TokenizeLine(const std::string& input, char split); std::vector<std::string> TokenizeLine(const std::string& input, char split);
int ParseCmd(std::string cmd); int ParseCmd(std::string cmd);
void AuthSuccessfull(); void AuthSuccessfull();
void POP3Event(zeek::EventHandlerPtr event, bool is_orig, void POP3Event(EventHandlerPtr event, bool is_orig,
const char* arg1 = nullptr, const char* arg2 = nullptr); const char* arg1 = nullptr, const char* arg2 = nullptr);
zeek::analyzer::mime::MIME_Mail* mail; analyzer::mime::MIME_Mail* mail;
std::list<std::string> cmds; std::list<std::string> cmds;
private: private:
bool tls; bool tls;
zeek::analyzer::tcp::ContentLine_Analyzer* cl_orig; analyzer::tcp::ContentLine_Analyzer* cl_orig;
zeek::analyzer::tcp::ContentLine_Analyzer* cl_resp; analyzer::tcp::ContentLine_Analyzer* cl_resp;
}; };
} // namespace zeek::analyzer::pop3 } // namespace zeek::analyzer::pop3

8
src/analyzer/protocol/radius/RADIUS.cc
View file

@ -8,8 +8,8 @@
namespace zeek::analyzer::radius { namespace zeek::analyzer::radius {
RADIUS_Analyzer::RADIUS_Analyzer(zeek::Connection* c) RADIUS_Analyzer::RADIUS_Analyzer(Connection* c)
: zeek::analyzer::Analyzer("RADIUS", c) : analyzer::Analyzer("RADIUS", c)
{ {
interp = new binpac::RADIUS::RADIUS_Conn(this); interp = new binpac::RADIUS::RADIUS_Conn(this);
} }
@ -25,7 +25,7 @@ void RADIUS_Analyzer::Done()
} }
void RADIUS_Analyzer::DeliverPacket(int len, const u_char* data, void RADIUS_Analyzer::DeliverPacket(int len, const u_char* data,
bool orig, uint64_t seq, const zeek::IP_Hdr* ip, int caplen) bool orig, uint64_t seq, const IP_Hdr* ip, int caplen)
{ {
Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
@ -35,7 +35,7 @@ void RADIUS_Analyzer::DeliverPacket(int len, const u_char* data,
} }
catch ( const binpac::Exception& e ) catch ( const binpac::Exception& e )
{ {
ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg())); ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
} }
} }

8
src/analyzer/protocol/radius/RADIUS.h
View file

@ -10,17 +10,17 @@
namespace zeek::analyzer::radius { namespace zeek::analyzer::radius {
class RADIUS_Analyzer final : public zeek::analyzer::Analyzer { class RADIUS_Analyzer final : public analyzer::Analyzer {
public: public:
explicit RADIUS_Analyzer(zeek::Connection* conn); explicit RADIUS_Analyzer(Connection* conn);
~RADIUS_Analyzer() override; ~RADIUS_Analyzer() override;
// Overriden from Analyzer. // Overriden from Analyzer.
void Done() override; void Done() override;
void DeliverPacket(int len, const u_char* data, bool orig, void DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override; uint64_t seq, const IP_Hdr* ip, int caplen) override;
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new RADIUS_Analyzer(conn); } { return new RADIUS_Analyzer(conn); }
protected: protected:

20
src/analyzer/protocol/rdp/RDP.cc
View file

@ -6,8 +6,8 @@
namespace zeek::analyzer::rdp { namespace zeek::analyzer::rdp {
RDP_Analyzer::RDP_Analyzer(zeek::Connection* c) RDP_Analyzer::RDP_Analyzer(Connection* c)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("RDP", c) : analyzer::tcp::TCP_ApplicationAnalyzer("RDP", c)
{ {
interp = new binpac::RDP::RDP_Conn(this); interp = new binpac::RDP::RDP_Conn(this);
@ -22,7 +22,7 @@ RDP_Analyzer::~RDP_Analyzer()
void RDP_Analyzer::Done() void RDP_Analyzer::Done()
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); analyzer::tcp::TCP_ApplicationAnalyzer::Done();
interp->FlowEOF(true); interp->FlowEOF(true);
interp->FlowEOF(false); interp->FlowEOF(false);
@ -30,13 +30,13 @@ void RDP_Analyzer::Done()
void RDP_Analyzer::EndpointEOF(bool is_orig) void RDP_Analyzer::EndpointEOF(bool is_orig)
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
interp->FlowEOF(is_orig); interp->FlowEOF(is_orig);
} }
void RDP_Analyzer::DeliverStream(int len, const u_char* data, bool orig) void RDP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
assert(TCP()); assert(TCP());
if ( TCP()->IsPartial() ) if ( TCP()->IsPartial() )
@ -56,11 +56,11 @@ void RDP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{ {
if ( ! pia ) if ( ! pia )
{ {
pia = new zeek::analyzer::pia::PIA_TCP(Conn()); pia = new analyzer::pia::PIA_TCP(Conn());
if ( ! AddChildAnalyzer(pia) ) if ( ! AddChildAnalyzer(pia) )
{ {
zeek::reporter->AnalyzerError(this, reporter->AnalyzerError(this,
"failed to add TCP child analyzer " "failed to add TCP child analyzer "
"to RDP analyzer: already exists"); "to RDP analyzer: already exists");
return; return;
@ -75,7 +75,7 @@ void RDP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
else else
{ {
if ( rdp_native_encrypted_data ) if ( rdp_native_encrypted_data )
zeek::BifEvent::enqueue_rdp_native_encrypted_data( BifEvent::enqueue_rdp_native_encrypted_data(
interp->bro_analyzer(), interp->bro_analyzer()->Conn(), interp->bro_analyzer(), interp->bro_analyzer()->Conn(),
orig, len); orig, len);
} }
@ -88,14 +88,14 @@ void RDP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
} }
catch ( const binpac::Exception& e ) catch ( const binpac::Exception& e )
{ {
ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg())); ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
} }
} }
} }
void RDP_Analyzer::Undelivered(uint64_t seq, int len, bool orig) void RDP_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
had_gap = true; had_gap = true;
interp->NewGap(orig, len); interp->NewGap(orig, len);
} }

8
src/analyzer/protocol/rdp/RDP.h
View file

@ -7,10 +7,10 @@
namespace zeek::analyzer::rdp { namespace zeek::analyzer::rdp {
class RDP_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { class RDP_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer {
public: public:
explicit RDP_Analyzer(zeek::Connection* conn); explicit RDP_Analyzer(Connection* conn);
~RDP_Analyzer() override; ~RDP_Analyzer() override;
// Overriden from Analyzer. // Overriden from Analyzer.
@ -19,14 +19,14 @@ public:
void Undelivered(uint64_t seq, int len, bool orig) override; void Undelivered(uint64_t seq, int len, bool orig) override;
void EndpointEOF(bool is_orig) override; void EndpointEOF(bool is_orig) override;
static zeek::analyzer::Analyzer* InstantiateAnalyzer(zeek::Connection* conn) static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
{ return new RDP_Analyzer(conn); } { return new RDP_Analyzer(conn); }
protected: protected:
binpac::RDP::RDP_Conn* interp; binpac::RDP::RDP_Conn* interp;
bool had_gap; bool had_gap;
zeek::analyzer::pia::PIA_TCP *pia; analyzer::pia::PIA_TCP *pia;
}; };
} // namespace zeek::analyzer::rdp } // namespace zeek::analyzer::rdp

8
src/analyzer/protocol/rdp/RDPEUDP.cc
View file

@ -5,8 +5,8 @@
namespace zeek::analyzer::rdpeudp { namespace zeek::analyzer::rdpeudp {
RDP_Analyzer::RDP_Analyzer(zeek::Connection* c) RDP_Analyzer::RDP_Analyzer(Connection* c)
: zeek::analyzer::Analyzer("RDPEUDP", c) : analyzer::Analyzer("RDPEUDP", c)
{ {
interp = new binpac::RDPEUDP::RDPEUDP_Conn(this); interp = new binpac::RDPEUDP::RDPEUDP_Conn(this);
} }
@ -22,7 +22,7 @@ void RDP_Analyzer::Done()
} }
void RDP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, void RDP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const zeek::IP_Hdr* ip, int caplen) uint64_t seq, const IP_Hdr* ip, int caplen)
{ {
Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
@ -32,7 +32,7 @@ void RDP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
} }
catch ( const binpac::Exception& e ) catch ( const binpac::Exception& e )
{ {
ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg())); ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
} }
} }

8
src/analyzer/protocol/rdp/RDPEUDP.h
View file

@ -6,16 +6,16 @@
namespace zeek::analyzer::rdpeudp { namespace zeek::analyzer::rdpeudp {
class RDP_Analyzer final : public zeek::analyzer::Analyzer { class RDP_Analyzer final : public analyzer::Analyzer {
public: public:
explicit RDP_Analyzer(zeek::Connection* conn); explicit RDP_Analyzer(Connection* conn);
~RDP_Analyzer() override; ~RDP_Analyzer() override;
void Done() override; void Done() override;
void DeliverPacket(int len, const u_char* data, bool orig, void DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override; uint64_t seq, const IP_Hdr* ip, int caplen) override;
static zeek::analyzer::Analyzer* InstantiateAnalyzer(zeek::Connection* conn) static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
{ return new RDP_Analyzer(conn); } { return new RDP_Analyzer(conn); }
protected: protected:

14
src/analyzer/protocol/rfb/RFB.cc
View file

@ -8,8 +8,8 @@
namespace zeek::analyzer::rfb { namespace zeek::analyzer::rfb {
RFB_Analyzer::RFB_Analyzer(zeek::Connection* c) RFB_Analyzer::RFB_Analyzer(Connection* c)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("RFB", c) : analyzer::tcp::TCP_ApplicationAnalyzer("RFB", c)
{ {
interp = new binpac::RFB::RFB_Conn(this); interp = new binpac::RFB::RFB_Conn(this);
had_gap = false; had_gap = false;
@ -23,7 +23,7 @@ RFB_Analyzer::~RFB_Analyzer()
void RFB_Analyzer::Done() void RFB_Analyzer::Done()
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); analyzer::tcp::TCP_ApplicationAnalyzer::Done();
interp->FlowEOF(true); interp->FlowEOF(true);
interp->FlowEOF(false); interp->FlowEOF(false);
@ -32,13 +32,13 @@ void RFB_Analyzer::Done()
void RFB_Analyzer::EndpointEOF(bool is_orig) void RFB_Analyzer::EndpointEOF(bool is_orig)
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
interp->FlowEOF(is_orig); interp->FlowEOF(is_orig);
} }
void RFB_Analyzer::DeliverStream(int len, const u_char* data, bool orig) void RFB_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
assert(TCP()); assert(TCP());
if ( TCP()->IsPartial() ) if ( TCP()->IsPartial() )
return; return;
@ -63,14 +63,14 @@ void RFB_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
} }
catch ( const binpac::Exception& e ) catch ( const binpac::Exception& e )
{ {
ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg())); ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
invalid = true; invalid = true;
} }
} }
void RFB_Analyzer::Undelivered(uint64_t seq, int len, bool orig) void RFB_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
had_gap = true; had_gap = true;
interp->NewGap(orig, len); interp->NewGap(orig, len);
} }

8
src/analyzer/protocol/rfb/RFB.h
View file

@ -8,10 +8,10 @@
namespace zeek::analyzer::rfb { namespace zeek::analyzer::rfb {
class RFB_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { class RFB_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer {
public: public:
explicit RFB_Analyzer(zeek::Connection* conn); explicit RFB_Analyzer(Connection* conn);
~RFB_Analyzer() override; ~RFB_Analyzer() override;
// Overriden from Analyzer. // Overriden from Analyzer.
@ -20,10 +20,10 @@ public:
void DeliverStream(int len, const u_char* data, bool orig) override; void DeliverStream(int len, const u_char* data, bool orig) override;
void Undelivered(uint64_t seq, int len, bool orig) override; void Undelivered(uint64_t seq, int len, bool orig) override;
// Overriden from zeek::analyzer::tcp::TCP_ApplicationAnalyzer. // Overriden from analyzer::tcp::TCP_ApplicationAnalyzer.
void EndpointEOF(bool is_orig) override; void EndpointEOF(bool is_orig) override;
static zeek::analyzer::Analyzer* InstantiateAnalyzer(zeek::Connection* conn) static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
{ return new RFB_Analyzer(conn); } { return new RFB_Analyzer(conn); }
protected: protected:

72
src/analyzer/protocol/rpc/MOUNT.cc
View file

@ -19,11 +19,11 @@ namespace detail {
bool MOUNT_Interp::RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n) bool MOUNT_Interp::RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n)
{ {
if ( c->Program() != 100005 ) if ( c->Program() != 100005 )
Weird("bad_RPC_program", zeek::util::fmt("%d", c->Program())); Weird("bad_RPC_program", util::fmt("%d", c->Program()));
uint32_t proc = c->Proc(); uint32_t proc = c->Proc();
// The call arguments, depends on the call type obviously ... // The call arguments, depends on the call type obviously ...
zeek::RecordValPtr callarg; RecordValPtr callarg;
switch ( proc ) { switch ( proc ) {
case BifEnum::MOUNT3::PROC_NULL: case BifEnum::MOUNT3::PROC_NULL:
@ -50,7 +50,7 @@ bool MOUNT_Interp::RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n)
n = 0; n = 0;
} }
else else
Weird("unknown_MOUNT_request", zeek::util::fmt("%u", proc)); Weird("unknown_MOUNT_request", util::fmt("%u", proc));
// Return 1 so that replies to unprocessed calls will still // Return 1 so that replies to unprocessed calls will still
// be processed, and the return status extracted. // be processed, and the return status extracted.
@ -69,8 +69,8 @@ bool MOUNT_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_statu
const u_char*& buf, int& n, double start_time, const u_char*& buf, int& n, double start_time,
double last_time, int reply_len) double last_time, int reply_len)
{ {
zeek::EventHandlerPtr event = nullptr; EventHandlerPtr event = nullptr;
zeek::ValPtr reply; ValPtr reply;
BifEnum::MOUNT3::status_t mount_status = BifEnum::MOUNT3::MNT3_OK; BifEnum::MOUNT3::status_t mount_status = BifEnum::MOUNT3::MNT3_OK;
bool rpc_success = ( rpc_status == BifEnum::RPC_SUCCESS ); bool rpc_success = ( rpc_status == BifEnum::RPC_SUCCESS );
@ -128,7 +128,7 @@ bool MOUNT_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_statu
// Otherwise DeliverRPC would complain about // Otherwise DeliverRPC would complain about
// excess_RPC. // excess_RPC.
n = 0; n = 0;
reply = zeek::BifType::Enum::MOUNT3::proc_t->GetEnumVal(c->Proc()); reply = BifType::Enum::MOUNT3::proc_t->GetEnumVal(c->Proc());
event = mount_proc_not_implemented; event = mount_proc_not_implemented;
} }
else else
@ -167,7 +167,7 @@ bool MOUNT_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_statu
return true; return true;
} }
zeek::Args MOUNT_Interp::event_common_vl(RPC_CallInfo *c, Args MOUNT_Interp::event_common_vl(RPC_CallInfo *c,
BifEnum::rpc_status rpc_status, BifEnum::rpc_status rpc_status,
BifEnum::MOUNT3::status_t mount_status, BifEnum::MOUNT3::status_t mount_status,
double rep_start_time, double rep_start_time,
@ -175,43 +175,43 @@ zeek::Args MOUNT_Interp::event_common_vl(RPC_CallInfo *c,
{ {
// Returns a new val_list that already has a conn_val, and mount3_info. // Returns a new val_list that already has a conn_val, and mount3_info.
// These are the first parameters for each mount_* event ... // These are the first parameters for each mount_* event ...
zeek::Args vl; Args vl;
vl.reserve(2 + extra_elements); vl.reserve(2 + extra_elements);
vl.emplace_back(analyzer->ConnVal()); vl.emplace_back(analyzer->ConnVal());
auto auxgids = zeek::make_intrusive<zeek::VectorVal>(zeek::id::index_vec); auto auxgids = make_intrusive<VectorVal>(id::index_vec);
for (size_t i = 0; i < c->AuxGIDs().size(); ++i) for (size_t i = 0; i < c->AuxGIDs().size(); ++i)
{ {
auxgids->Assign(i, zeek::val_mgr->Count(c->AuxGIDs()[i])); auxgids->Assign(i, val_mgr->Count(c->AuxGIDs()[i]));
} }
auto info = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::MOUNT3::info_t); auto info = make_intrusive<RecordVal>(BifType::Record::MOUNT3::info_t);
info->Assign(0, zeek::BifType::Enum::rpc_status->GetEnumVal(rpc_status)); info->Assign(0, BifType::Enum::rpc_status->GetEnumVal(rpc_status));
info->Assign(1, zeek::BifType::Enum::MOUNT3::status_t->GetEnumVal(mount_status)); info->Assign(1, BifType::Enum::MOUNT3::status_t->GetEnumVal(mount_status));
info->Assign(2, zeek::make_intrusive<zeek::TimeVal>(c->StartTime())); info->Assign(2, make_intrusive<TimeVal>(c->StartTime()));
info->Assign(3, zeek::make_intrusive<zeek::IntervalVal>(c->LastTime() - c->StartTime())); info->Assign(3, make_intrusive<IntervalVal>(c->LastTime() - c->StartTime()));
info->Assign(4, zeek::val_mgr->Count(c->RPCLen())); info->Assign(4, val_mgr->Count(c->RPCLen()));
info->Assign(5, zeek::make_intrusive<zeek::TimeVal>(rep_start_time)); info->Assign(5, make_intrusive<TimeVal>(rep_start_time));
info->Assign(6, zeek::make_intrusive<zeek::IntervalVal>(rep_last_time - rep_start_time)); info->Assign(6, make_intrusive<IntervalVal>(rep_last_time - rep_start_time));
info->Assign(7, zeek::val_mgr->Count(reply_len)); info->Assign(7, val_mgr->Count(reply_len));
info->Assign(8, zeek::val_mgr->Count(c->Uid())); info->Assign(8, val_mgr->Count(c->Uid()));
info->Assign(9, zeek::val_mgr->Count(c->Gid())); info->Assign(9, val_mgr->Count(c->Gid()));
info->Assign(10, zeek::val_mgr->Count(c->Stamp())); info->Assign(10, val_mgr->Count(c->Stamp()));
info->Assign(11, zeek::make_intrusive<zeek::StringVal>(c->MachineName())); info->Assign(11, make_intrusive<StringVal>(c->MachineName()));
info->Assign(12, std::move(auxgids)); info->Assign(12, std::move(auxgids));
vl.emplace_back(std::move(info)); vl.emplace_back(std::move(info));
return vl; return vl;
} }
zeek::EnumValPtr MOUNT_Interp::mount3_auth_flavor(const u_char*& buf, int& n) EnumValPtr MOUNT_Interp::mount3_auth_flavor(const u_char*& buf, int& n)
{ {
BifEnum::MOUNT3::auth_flavor_t t = (BifEnum::MOUNT3::auth_flavor_t)extract_XDR_uint32(buf, n); BifEnum::MOUNT3::auth_flavor_t t = (BifEnum::MOUNT3::auth_flavor_t)extract_XDR_uint32(buf, n);
auto rval = zeek::BifType::Enum::MOUNT3::auth_flavor_t->GetEnumVal(t); auto rval = BifType::Enum::MOUNT3::auth_flavor_t->GetEnumVal(t);
return rval; return rval;
} }
zeek::StringValPtr MOUNT_Interp::mount3_fh(const u_char*& buf, int& n) StringValPtr MOUNT_Interp::mount3_fh(const u_char*& buf, int& n)
{ {
int fh_n; int fh_n;
const u_char* fh = extract_XDR_opaque(buf, n, fh_n, 64); const u_char* fh = extract_XDR_opaque(buf, n, fh_n, 64);
@ -219,10 +219,10 @@ zeek::StringValPtr MOUNT_Interp::mount3_fh(const u_char*& buf, int& n)
if ( ! fh ) if ( ! fh )
return nullptr; return nullptr;
return zeek::make_intrusive<zeek::StringVal>(new zeek::String(fh, fh_n, false)); return make_intrusive<StringVal>(new String(fh, fh_n, false));
} }
zeek::StringValPtr MOUNT_Interp::mount3_filename(const u_char*& buf, int& n) StringValPtr MOUNT_Interp::mount3_filename(const u_char*& buf, int& n)
{ {
int name_len; int name_len;
const u_char* name = extract_XDR_opaque(buf, n, name_len); const u_char* name = extract_XDR_opaque(buf, n, name_len);
@ -230,20 +230,20 @@ zeek::StringValPtr MOUNT_Interp::mount3_filename(const u_char*& buf, int& n)
if ( ! name ) if ( ! name )
return nullptr; return nullptr;
return zeek::make_intrusive<zeek::StringVal>(new zeek::String(name, name_len, false)); return make_intrusive<StringVal>(new String(name, name_len, false));
} }
zeek::RecordValPtr MOUNT_Interp::mount3_dirmntargs(const u_char*& buf, int& n) RecordValPtr MOUNT_Interp::mount3_dirmntargs(const u_char*& buf, int& n)
{ {
auto dirmntargs = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::MOUNT3::dirmntargs_t); auto dirmntargs = make_intrusive<RecordVal>(BifType::Record::MOUNT3::dirmntargs_t);
dirmntargs->Assign(0, mount3_filename(buf, n)); dirmntargs->Assign(0, mount3_filename(buf, n));
return dirmntargs; return dirmntargs;
} }
zeek::RecordValPtr MOUNT_Interp::mount3_mnt_reply(const u_char*& buf, int& n, RecordValPtr MOUNT_Interp::mount3_mnt_reply(const u_char*& buf, int& n,
BifEnum::MOUNT3::status_t status) BifEnum::MOUNT3::status_t status)
{ {
auto rep = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::MOUNT3::mnt_reply_t); auto rep = make_intrusive<RecordVal>(BifType::Record::MOUNT3::mnt_reply_t);
if ( status == BifEnum::MOUNT3::MNT3_OK ) if ( status == BifEnum::MOUNT3::MNT3_OK )
{ {
@ -259,8 +259,8 @@ zeek::RecordValPtr MOUNT_Interp::mount3_mnt_reply(const u_char*& buf, int& n,
auth_flavors_count = max_auth_flavors; auth_flavors_count = max_auth_flavors;
} }
auto enum_vector = zeek::make_intrusive<zeek::VectorType>(zeek::base_type(zeek::TYPE_ENUM)); auto enum_vector = make_intrusive<VectorType>(base_type(TYPE_ENUM));
auto auth_flavors = zeek::make_intrusive<zeek::VectorVal>(std::move(enum_vector)); auto auth_flavors = make_intrusive<VectorVal>(std::move(enum_vector));
for ( auto i = 0u; i < auth_flavors_count; ++i ) for ( auto i = 0u; i < auth_flavors_count; ++i )
auth_flavors->Assign(auth_flavors->Size(), auth_flavors->Assign(auth_flavors->Size(),
@ -283,7 +283,7 @@ zeek::RecordValPtr MOUNT_Interp::mount3_mnt_reply(const u_char*& buf, int& n,
} // namespace detail } // namespace detail
MOUNT_Analyzer::MOUNT_Analyzer(zeek::Connection* conn) MOUNT_Analyzer::MOUNT_Analyzer(Connection* conn)
: RPC_Analyzer("MOUNT", conn, new detail::MOUNT_Interp(this)) : RPC_Analyzer("MOUNT", conn, new detail::MOUNT_Interp(this))
{ {
orig_rpc = resp_rpc = nullptr; orig_rpc = resp_rpc = nullptr;

18
src/analyzer/protocol/rpc/MOUNT.h
View file

@ -9,7 +9,7 @@ namespace detail {
class MOUNT_Interp : public RPC_Interpreter { class MOUNT_Interp : public RPC_Interpreter {
public: public:
explicit MOUNT_Interp(zeek::analyzer::Analyzer* arg_analyzer) : RPC_Interpreter(arg_analyzer) { } explicit MOUNT_Interp(analyzer::Analyzer* arg_analyzer) : RPC_Interpreter(arg_analyzer) { }
protected: protected:
bool RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n) override; bool RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n) override;
@ -20,7 +20,7 @@ protected:
// Returns a new arg list that already has a conn_val, rpc_status and // Returns a new arg list that already has a conn_val, rpc_status and
// mount_status. These are the first parameters for each mount_* event // mount_status. These are the first parameters for each mount_* event
// ... // ...
zeek::Args event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status, Args event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status,
BifEnum::MOUNT3::status_t mount_status, BifEnum::MOUNT3::status_t mount_status,
double rep_start_time, double rep_last_time, double rep_start_time, double rep_last_time,
int reply_len, int extra_elements); int reply_len, int extra_elements);
@ -30,22 +30,22 @@ protected:
// to 0. However, the methods might still return an allocated Val * ! // to 0. However, the methods might still return an allocated Val * !
// So, you might want to Unref() the Val if buf is 0. Method names // So, you might want to Unref() the Val if buf is 0. Method names
// are based on the type names of RFC 1813. // are based on the type names of RFC 1813.
zeek::EnumValPtr mount3_auth_flavor(const u_char*& buf, int& n); EnumValPtr mount3_auth_flavor(const u_char*& buf, int& n);
zeek::StringValPtr mount3_fh(const u_char*& buf, int& n); StringValPtr mount3_fh(const u_char*& buf, int& n);
zeek::RecordValPtr mount3_dirmntargs(const u_char*&buf, int &n); RecordValPtr mount3_dirmntargs(const u_char*&buf, int &n);
zeek::StringValPtr mount3_filename(const u_char*& buf, int& n); StringValPtr mount3_filename(const u_char*& buf, int& n);
zeek::RecordValPtr mount3_mnt_reply(const u_char*& buf, int& n, BifEnum::MOUNT3::status_t status); RecordValPtr mount3_mnt_reply(const u_char*& buf, int& n, BifEnum::MOUNT3::status_t status);
}; };
} // namespace detail } // namespace detail
class MOUNT_Analyzer : public RPC_Analyzer { class MOUNT_Analyzer : public RPC_Analyzer {
public: public:
explicit MOUNT_Analyzer(zeek::Connection* conn); explicit MOUNT_Analyzer(Connection* conn);
void Init() override; void Init() override;
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new MOUNT_Analyzer(conn); } { return new MOUNT_Analyzer(conn); }
}; };

206
src/analyzer/protocol/rpc/NFS.cc
View file

@ -19,11 +19,11 @@ namespace detail {
bool NFS_Interp::RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n) bool NFS_Interp::RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n)
{ {
if ( c->Program() != 100003 ) if ( c->Program() != 100003 )
Weird("bad_RPC_program", zeek::util::fmt("%d", c->Program())); Weird("bad_RPC_program", util::fmt("%d", c->Program()));
uint32_t proc = c->Proc(); uint32_t proc = c->Proc();
// The call arguments, depends on the call type obviously ... // The call arguments, depends on the call type obviously ...
zeek::ValPtr callarg; ValPtr callarg;
switch ( proc ) { switch ( proc ) {
case BifEnum::NFS3::PROC_NULL: case BifEnum::NFS3::PROC_NULL:
@ -104,7 +104,7 @@ bool NFS_Interp::RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n)
n = 0; n = 0;
} }
else else
Weird("unknown_NFS_request", zeek::util::fmt("%u", proc)); Weird("unknown_NFS_request", util::fmt("%u", proc));
// Return 1 so that replies to unprocessed calls will still // Return 1 so that replies to unprocessed calls will still
// be processed, and the return status extracted. // be processed, and the return status extracted.
@ -124,8 +124,8 @@ bool NFS_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status,
const u_char*& buf, int& n, double start_time, const u_char*& buf, int& n, double start_time,
double last_time, int reply_len) double last_time, int reply_len)
{ {
zeek::EventHandlerPtr event = nullptr; EventHandlerPtr event = nullptr;
zeek::ValPtr reply; ValPtr reply;
BifEnum::NFS3::status_t nfs_status = BifEnum::NFS3::NFS3ERR_OK; BifEnum::NFS3::status_t nfs_status = BifEnum::NFS3::NFS3ERR_OK;
bool rpc_success = ( rpc_status == BifEnum::RPC_SUCCESS ); bool rpc_success = ( rpc_status == BifEnum::RPC_SUCCESS );
@ -243,7 +243,7 @@ bool NFS_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status,
// Otherwise DeliverRPC would complain about // Otherwise DeliverRPC would complain about
// excess_RPC. // excess_RPC.
n = 0; n = 0;
reply = zeek::BifType::Enum::NFS3::proc_t->GetEnumVal(c->Proc()); reply = BifType::Enum::NFS3::proc_t->GetEnumVal(c->Proc());
event = nfs_proc_not_implemented; event = nfs_proc_not_implemented;
} }
else else
@ -279,7 +279,7 @@ bool NFS_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status,
return true; return true;
} }
zeek::StringValPtr NFS_Interp::nfs3_file_data(const u_char*& buf, int& n, uint64_t offset, int size) StringValPtr NFS_Interp::nfs3_file_data(const u_char*& buf, int& n, uint64_t offset, int size)
{ {
int data_n; int data_n;
@ -287,57 +287,57 @@ zeek::StringValPtr NFS_Interp::nfs3_file_data(const u_char*& buf, int& n, uint64
const u_char *data = extract_XDR_opaque(buf, n, data_n, 1 << 30, true); const u_char *data = extract_XDR_opaque(buf, n, data_n, 1 << 30, true);
// check whether we have to deliver data to the event // check whether we have to deliver data to the event
if ( ! zeek::BifConst::NFS3::return_data ) if ( ! BifConst::NFS3::return_data )
return nullptr; return nullptr;
if ( zeek::BifConst::NFS3::return_data_first_only && offset != 0 ) if ( BifConst::NFS3::return_data_first_only && offset != 0 )
return nullptr; return nullptr;
// Ok, so we want to return some data // Ok, so we want to return some data
data_n = std::min(data_n, size); data_n = std::min(data_n, size);
data_n = std::min(data_n, int(zeek::BifConst::NFS3::return_data_max)); data_n = std::min(data_n, int(BifConst::NFS3::return_data_max));
if ( data && data_n > 0 ) if ( data && data_n > 0 )
return zeek::make_intrusive<zeek::StringVal>(new zeek::String(data, data_n, false)); return make_intrusive<StringVal>(new String(data, data_n, false));
return nullptr; return nullptr;
} }
zeek::Args NFS_Interp::event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status, Args NFS_Interp::event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status,
BifEnum::NFS3::status_t nfs_status, BifEnum::NFS3::status_t nfs_status,
double rep_start_time, double rep_start_time,
double rep_last_time, int reply_len, int extra_elements) double rep_last_time, int reply_len, int extra_elements)
{ {
// Returns a new val_list that already has a conn_val, and nfs3_info. // Returns a new val_list that already has a conn_val, and nfs3_info.
// These are the first parameters for each nfs_* event ... // These are the first parameters for each nfs_* event ...
zeek::Args vl; Args vl;
vl.reserve(2 + extra_elements); vl.reserve(2 + extra_elements);
vl.emplace_back(analyzer->ConnVal()); vl.emplace_back(analyzer->ConnVal());
auto auxgids = zeek::make_intrusive<zeek::VectorVal>(zeek::id::index_vec); auto auxgids = make_intrusive<VectorVal>(id::index_vec);
for ( size_t i = 0; i < c->AuxGIDs().size(); ++i ) for ( size_t i = 0; i < c->AuxGIDs().size(); ++i )
auxgids->Assign(i, zeek::val_mgr->Count(c->AuxGIDs()[i])); auxgids->Assign(i, val_mgr->Count(c->AuxGIDs()[i]));
auto info = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NFS3::info_t); auto info = make_intrusive<RecordVal>(BifType::Record::NFS3::info_t);
info->Assign(0, zeek::BifType::Enum::rpc_status->GetEnumVal(rpc_status)); info->Assign(0, BifType::Enum::rpc_status->GetEnumVal(rpc_status));
info->Assign(1, zeek::BifType::Enum::NFS3::status_t->GetEnumVal(nfs_status)); info->Assign(1, BifType::Enum::NFS3::status_t->GetEnumVal(nfs_status));
info->Assign(2, zeek::make_intrusive<zeek::TimeVal>(c->StartTime())); info->Assign(2, make_intrusive<TimeVal>(c->StartTime()));
info->Assign(3, zeek::make_intrusive<zeek::IntervalVal>(c->LastTime()-c->StartTime())); info->Assign(3, make_intrusive<IntervalVal>(c->LastTime()-c->StartTime()));
info->Assign(4, zeek::val_mgr->Count(c->RPCLen())); info->Assign(4, val_mgr->Count(c->RPCLen()));
info->Assign(5, zeek::make_intrusive<zeek::TimeVal>(rep_start_time)); info->Assign(5, make_intrusive<TimeVal>(rep_start_time));
info->Assign(6, zeek::make_intrusive<zeek::IntervalVal>(rep_last_time-rep_start_time)); info->Assign(6, make_intrusive<IntervalVal>(rep_last_time-rep_start_time));
info->Assign(7, zeek::val_mgr->Count(reply_len)); info->Assign(7, val_mgr->Count(reply_len));
info->Assign(8, zeek::val_mgr->Count(c->Uid())); info->Assign(8, val_mgr->Count(c->Uid()));
info->Assign(9, zeek::val_mgr->Count(c->Gid())); info->Assign(9, val_mgr->Count(c->Gid()));
info->Assign(10, zeek::val_mgr->Count(c->Stamp())); info->Assign(10, val_mgr->Count(c->Stamp()));
info->Assign(11, zeek::make_intrusive<zeek::StringVal>(c->MachineName())); info->Assign(11, make_intrusive<StringVal>(c->MachineName()));
info->Assign(12, std::move(auxgids)); info->Assign(12, std::move(auxgids));
vl.emplace_back(std::move(info)); vl.emplace_back(std::move(info));
return vl; return vl;
} }
zeek::StringValPtr NFS_Interp::nfs3_fh(const u_char*& buf, int& n) StringValPtr NFS_Interp::nfs3_fh(const u_char*& buf, int& n)
{ {
int fh_n; int fh_n;
const u_char* fh = extract_XDR_opaque(buf, n, fh_n, 64); const u_char* fh = extract_XDR_opaque(buf, n, fh_n, 64);
@ -345,13 +345,13 @@ zeek::StringValPtr NFS_Interp::nfs3_fh(const u_char*& buf, int& n)
if ( ! fh ) if ( ! fh )
return nullptr; return nullptr;
return zeek::make_intrusive<zeek::StringVal>(new zeek::String(fh, fh_n, false)); return make_intrusive<StringVal>(new String(fh, fh_n, false));
} }
zeek::RecordValPtr NFS_Interp::nfs3_sattr(const u_char*& buf, int& n) RecordValPtr NFS_Interp::nfs3_sattr(const u_char*& buf, int& n)
{ {
auto attrs = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NFS3::sattr_t); auto attrs = make_intrusive<RecordVal>(BifType::Record::NFS3::sattr_t);
attrs->Assign(0, nullptr); // mode attrs->Assign(0, nullptr); // mode
int mode_set_it = extract_XDR_uint32(buf, n); int mode_set_it = extract_XDR_uint32(buf, n);
@ -380,9 +380,9 @@ zeek::RecordValPtr NFS_Interp::nfs3_sattr(const u_char*& buf, int& n)
return attrs; return attrs;
} }
zeek::RecordValPtr NFS_Interp::nfs3_sattr_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status) RecordValPtr NFS_Interp::nfs3_sattr_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status)
{ {
auto rep = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NFS3::sattr_reply_t); auto rep = make_intrusive<RecordVal>(BifType::Record::NFS3::sattr_reply_t);
if ( status == BifEnum::NFS3::NFS3ERR_OK ) if ( status == BifEnum::NFS3::NFS3ERR_OK )
{ {
@ -398,9 +398,9 @@ zeek::RecordValPtr NFS_Interp::nfs3_sattr_reply(const u_char*& buf, int& n, BifE
return rep; return rep;
} }
zeek::RecordValPtr NFS_Interp::nfs3_fattr(const u_char*& buf, int& n) RecordValPtr NFS_Interp::nfs3_fattr(const u_char*& buf, int& n)
{ {
auto attrs = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NFS3::fattr_t); auto attrs = make_intrusive<RecordVal>(BifType::Record::NFS3::fattr_t);
attrs->Assign(0, nfs3_ftype(buf, n)); // file type attrs->Assign(0, nfs3_ftype(buf, n)); // file type
attrs->Assign(1, ExtractUint32(buf, n)); // mode attrs->Assign(1, ExtractUint32(buf, n)); // mode
@ -420,23 +420,23 @@ zeek::RecordValPtr NFS_Interp::nfs3_fattr(const u_char*& buf, int& n)
return attrs; return attrs;
} }
zeek::EnumValPtr NFS_Interp::nfs3_time_how(const u_char*& buf, int& n) EnumValPtr NFS_Interp::nfs3_time_how(const u_char*& buf, int& n)
{ {
BifEnum::NFS3::time_how_t t = (BifEnum::NFS3::time_how_t)extract_XDR_uint32(buf, n); BifEnum::NFS3::time_how_t t = (BifEnum::NFS3::time_how_t)extract_XDR_uint32(buf, n);
auto rval = zeek::BifType::Enum::NFS3::time_how_t->GetEnumVal(t); auto rval = BifType::Enum::NFS3::time_how_t->GetEnumVal(t);
return rval; return rval;
} }
zeek::EnumValPtr NFS_Interp::nfs3_ftype(const u_char*& buf, int& n) EnumValPtr NFS_Interp::nfs3_ftype(const u_char*& buf, int& n)
{ {
BifEnum::NFS3::file_type_t t = (BifEnum::NFS3::file_type_t)extract_XDR_uint32(buf, n); BifEnum::NFS3::file_type_t t = (BifEnum::NFS3::file_type_t)extract_XDR_uint32(buf, n);
auto rval = zeek::BifType::Enum::NFS3::file_type_t->GetEnumVal(t); auto rval = BifType::Enum::NFS3::file_type_t->GetEnumVal(t);
return rval; return rval;
} }
zeek::RecordValPtr NFS_Interp::nfs3_wcc_attr(const u_char*& buf, int& n) RecordValPtr NFS_Interp::nfs3_wcc_attr(const u_char*& buf, int& n)
{ {
auto attrs = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NFS3::wcc_attr_t); auto attrs = make_intrusive<RecordVal>(BifType::Record::NFS3::wcc_attr_t);
attrs->Assign(0, ExtractUint64(buf, n)); // size attrs->Assign(0, ExtractUint64(buf, n)); // size
attrs->Assign(1, ExtractTime(buf, n)); // mtime attrs->Assign(1, ExtractTime(buf, n)); // mtime
@ -445,7 +445,7 @@ zeek::RecordValPtr NFS_Interp::nfs3_wcc_attr(const u_char*& buf, int& n)
return attrs; return attrs;
} }
zeek::StringValPtr NFS_Interp::nfs3_filename(const u_char*& buf, int& n) StringValPtr NFS_Interp::nfs3_filename(const u_char*& buf, int& n)
{ {
int name_len; int name_len;
const u_char* name = extract_XDR_opaque(buf, n, name_len); const u_char* name = extract_XDR_opaque(buf, n, name_len);
@ -453,12 +453,12 @@ zeek::StringValPtr NFS_Interp::nfs3_filename(const u_char*& buf, int& n)
if ( ! name ) if ( ! name )
return nullptr; return nullptr;
return zeek::make_intrusive<zeek::StringVal>(new zeek::String(name, name_len, false)); return make_intrusive<StringVal>(new String(name, name_len, false));
} }
zeek::RecordValPtr NFS_Interp::nfs3_diropargs(const u_char*& buf, int& n) RecordValPtr NFS_Interp::nfs3_diropargs(const u_char*& buf, int& n)
{ {
auto diropargs = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NFS3::diropargs_t); auto diropargs = make_intrusive<RecordVal>(BifType::Record::NFS3::diropargs_t);
diropargs->Assign(0, nfs3_fh(buf, n)); diropargs->Assign(0, nfs3_fh(buf, n));
diropargs->Assign(1, nfs3_filename(buf, n)); diropargs->Assign(1, nfs3_filename(buf, n));
@ -466,9 +466,9 @@ zeek::RecordValPtr NFS_Interp::nfs3_diropargs(const u_char*& buf, int& n)
return diropargs; return diropargs;
} }
zeek::RecordValPtr NFS_Interp::nfs3_symlinkdata(const u_char*& buf, int& n) RecordValPtr NFS_Interp::nfs3_symlinkdata(const u_char*& buf, int& n)
{ {
auto symlinkdata = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NFS3::symlinkdata_t); auto symlinkdata = make_intrusive<RecordVal>(BifType::Record::NFS3::symlinkdata_t);
symlinkdata->Assign(0, nfs3_sattr(buf, n)); symlinkdata->Assign(0, nfs3_sattr(buf, n));
symlinkdata->Assign(1, nfs3_nfspath(buf, n)); symlinkdata->Assign(1, nfs3_nfspath(buf, n));
@ -476,9 +476,9 @@ zeek::RecordValPtr NFS_Interp::nfs3_symlinkdata(const u_char*& buf, int& n)
return symlinkdata; return symlinkdata;
} }
zeek::RecordValPtr NFS_Interp::nfs3_renameopargs(const u_char*& buf, int& n) RecordValPtr NFS_Interp::nfs3_renameopargs(const u_char*& buf, int& n)
{ {
auto renameopargs = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NFS3::renameopargs_t); auto renameopargs = make_intrusive<RecordVal>(BifType::Record::NFS3::renameopargs_t);
renameopargs->Assign(0, nfs3_fh(buf, n)); renameopargs->Assign(0, nfs3_fh(buf, n));
renameopargs->Assign(1, nfs3_filename(buf, n)); renameopargs->Assign(1, nfs3_filename(buf, n));
@ -488,7 +488,7 @@ zeek::RecordValPtr NFS_Interp::nfs3_renameopargs(const u_char*& buf, int& n)
return renameopargs; return renameopargs;
} }
zeek::RecordValPtr NFS_Interp::nfs3_post_op_attr(const u_char*& buf, int& n) RecordValPtr NFS_Interp::nfs3_post_op_attr(const u_char*& buf, int& n)
{ {
int have_attrs = extract_XDR_uint32(buf, n); int have_attrs = extract_XDR_uint32(buf, n);
@ -498,7 +498,7 @@ zeek::RecordValPtr NFS_Interp::nfs3_post_op_attr(const u_char*& buf, int& n)
return nullptr; return nullptr;
} }
zeek::StringValPtr NFS_Interp::nfs3_post_op_fh(const u_char*& buf, int& n) StringValPtr NFS_Interp::nfs3_post_op_fh(const u_char*& buf, int& n)
{ {
int have_fh = extract_XDR_uint32(buf, n); int have_fh = extract_XDR_uint32(buf, n);
@ -508,7 +508,7 @@ zeek::StringValPtr NFS_Interp::nfs3_post_op_fh(const u_char*& buf, int& n)
return nullptr; return nullptr;
} }
zeek::RecordValPtr NFS_Interp::nfs3_pre_op_attr(const u_char*& buf, int& n) RecordValPtr NFS_Interp::nfs3_pre_op_attr(const u_char*& buf, int& n)
{ {
int have_attrs = extract_XDR_uint32(buf, n); int have_attrs = extract_XDR_uint32(buf, n);
@ -517,16 +517,16 @@ zeek::RecordValPtr NFS_Interp::nfs3_pre_op_attr(const u_char*& buf, int& n)
return nullptr; return nullptr;
} }
zeek::EnumValPtr NFS_Interp::nfs3_stable_how(const u_char*& buf, int& n) EnumValPtr NFS_Interp::nfs3_stable_how(const u_char*& buf, int& n)
{ {
BifEnum::NFS3::stable_how_t stable = (BifEnum::NFS3::stable_how_t)extract_XDR_uint32(buf, n); BifEnum::NFS3::stable_how_t stable = (BifEnum::NFS3::stable_how_t)extract_XDR_uint32(buf, n);
auto rval = zeek::BifType::Enum::NFS3::stable_how_t->GetEnumVal(stable); auto rval = BifType::Enum::NFS3::stable_how_t->GetEnumVal(stable);
return rval; return rval;
} }
zeek::RecordValPtr NFS_Interp::nfs3_lookup_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status) RecordValPtr NFS_Interp::nfs3_lookup_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status)
{ {
auto rep = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NFS3::lookup_reply_t); auto rep = make_intrusive<RecordVal>(BifType::Record::NFS3::lookup_reply_t);
if ( status == BifEnum::NFS3::NFS3ERR_OK ) if ( status == BifEnum::NFS3::NFS3ERR_OK )
{ {
@ -543,9 +543,9 @@ zeek::RecordValPtr NFS_Interp::nfs3_lookup_reply(const u_char*& buf, int& n, Bif
return rep; return rep;
} }
zeek::RecordValPtr NFS_Interp::nfs3_readargs(const u_char*& buf, int& n) RecordValPtr NFS_Interp::nfs3_readargs(const u_char*& buf, int& n)
{ {
auto readargs = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NFS3::readargs_t); auto readargs = make_intrusive<RecordVal>(BifType::Record::NFS3::readargs_t);
readargs->Assign(0, nfs3_fh(buf, n)); readargs->Assign(0, nfs3_fh(buf, n));
readargs->Assign(1, ExtractUint64(buf, n)); // offset readargs->Assign(1, ExtractUint64(buf, n)); // offset
@ -554,10 +554,10 @@ zeek::RecordValPtr NFS_Interp::nfs3_readargs(const u_char*& buf, int& n)
return readargs; return readargs;
} }
zeek::RecordValPtr NFS_Interp::nfs3_read_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status, RecordValPtr NFS_Interp::nfs3_read_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status,
bro_uint_t offset) bro_uint_t offset)
{ {
auto rep = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NFS3::read_reply_t); auto rep = make_intrusive<RecordVal>(BifType::Record::NFS3::read_reply_t);
if (status == BifEnum::NFS3::NFS3ERR_OK) if (status == BifEnum::NFS3::NFS3ERR_OK)
{ {
@ -565,7 +565,7 @@ zeek::RecordValPtr NFS_Interp::nfs3_read_reply(const u_char*& buf, int& n, BifEn
rep->Assign(0, nfs3_post_op_attr(buf, n)); rep->Assign(0, nfs3_post_op_attr(buf, n));
bytes_read = extract_XDR_uint32(buf, n); bytes_read = extract_XDR_uint32(buf, n);
rep->Assign(1, zeek::val_mgr->Count(bytes_read)); rep->Assign(1, val_mgr->Count(bytes_read));
rep->Assign(2, ExtractBool(buf, n)); rep->Assign(2, ExtractBool(buf, n));
rep->Assign(3, nfs3_file_data(buf, n, offset, bytes_read)); rep->Assign(3, nfs3_file_data(buf, n, offset, bytes_read));
} }
@ -577,9 +577,9 @@ zeek::RecordValPtr NFS_Interp::nfs3_read_reply(const u_char*& buf, int& n, BifEn
return rep; return rep;
} }
zeek::RecordValPtr NFS_Interp::nfs3_readlink_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status) RecordValPtr NFS_Interp::nfs3_readlink_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status)
{ {
auto rep = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NFS3::readlink_reply_t); auto rep = make_intrusive<RecordVal>(BifType::Record::NFS3::readlink_reply_t);
if (status == BifEnum::NFS3::NFS3ERR_OK) if (status == BifEnum::NFS3::NFS3ERR_OK)
{ {
@ -594,9 +594,9 @@ zeek::RecordValPtr NFS_Interp::nfs3_readlink_reply(const u_char*& buf, int& n, B
return rep; return rep;
} }
zeek::RecordValPtr NFS_Interp::nfs3_link_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status) RecordValPtr NFS_Interp::nfs3_link_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status)
{ {
auto rep = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NFS3::link_reply_t); auto rep = make_intrusive<RecordVal>(BifType::Record::NFS3::link_reply_t);
if ( status == BifEnum::NFS3::NFS3ERR_OK ) if ( status == BifEnum::NFS3::NFS3ERR_OK )
{ {
@ -610,9 +610,9 @@ zeek::RecordValPtr NFS_Interp::nfs3_link_reply(const u_char*& buf, int& n, BifEn
return rep; return rep;
} }
zeek::RecordValPtr NFS_Interp::nfs3_symlinkargs(const u_char*& buf, int& n) RecordValPtr NFS_Interp::nfs3_symlinkargs(const u_char*& buf, int& n)
{ {
auto symlinkargs = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NFS3::symlinkargs_t); auto symlinkargs = make_intrusive<RecordVal>(BifType::Record::NFS3::symlinkargs_t);
symlinkargs->Assign(0, nfs3_diropargs(buf, n)); symlinkargs->Assign(0, nfs3_diropargs(buf, n));
symlinkargs->Assign(1, nfs3_symlinkdata(buf, n)); symlinkargs->Assign(1, nfs3_symlinkdata(buf, n));
@ -620,9 +620,9 @@ zeek::RecordValPtr NFS_Interp::nfs3_symlinkargs(const u_char*& buf, int& n)
return symlinkargs; return symlinkargs;
} }
zeek::RecordValPtr NFS_Interp::nfs3_sattrargs(const u_char*& buf, int& n) RecordValPtr NFS_Interp::nfs3_sattrargs(const u_char*& buf, int& n)
{ {
auto sattrargs = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NFS3::sattrargs_t); auto sattrargs = make_intrusive<RecordVal>(BifType::Record::NFS3::sattrargs_t);
sattrargs->Assign(0, nfs3_fh(buf, n)); sattrargs->Assign(0, nfs3_fh(buf, n));
sattrargs->Assign(1, nfs3_sattr(buf, n)); sattrargs->Assign(1, nfs3_sattr(buf, n));
@ -630,9 +630,9 @@ zeek::RecordValPtr NFS_Interp::nfs3_sattrargs(const u_char*& buf, int& n)
return sattrargs; return sattrargs;
} }
zeek::RecordValPtr NFS_Interp::nfs3_linkargs(const u_char*& buf, int& n) RecordValPtr NFS_Interp::nfs3_linkargs(const u_char*& buf, int& n)
{ {
auto linkargs = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NFS3::linkargs_t); auto linkargs = make_intrusive<RecordVal>(BifType::Record::NFS3::linkargs_t);
linkargs->Assign(0, nfs3_fh(buf, n)); linkargs->Assign(0, nfs3_fh(buf, n));
linkargs->Assign(1, nfs3_diropargs(buf, n)); linkargs->Assign(1, nfs3_diropargs(buf, n));
@ -640,17 +640,17 @@ zeek::RecordValPtr NFS_Interp::nfs3_linkargs(const u_char*& buf, int& n)
return linkargs; return linkargs;
} }
zeek::RecordValPtr NFS_Interp::nfs3_writeargs(const u_char*& buf, int& n) RecordValPtr NFS_Interp::nfs3_writeargs(const u_char*& buf, int& n)
{ {
uint32_t bytes; uint32_t bytes;
uint64_t offset; uint64_t offset;
auto writeargs = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NFS3::writeargs_t); auto writeargs = make_intrusive<RecordVal>(BifType::Record::NFS3::writeargs_t);
writeargs->Assign(0, nfs3_fh(buf, n)); writeargs->Assign(0, nfs3_fh(buf, n));
offset = extract_XDR_uint64(buf, n); offset = extract_XDR_uint64(buf, n);
writeargs->Assign(1, zeek::val_mgr->Count(offset)); // offset writeargs->Assign(1, val_mgr->Count(offset)); // offset
bytes = extract_XDR_uint32(buf, n); bytes = extract_XDR_uint32(buf, n);
writeargs->Assign(2, zeek::val_mgr->Count(bytes)); // size writeargs->Assign(2, val_mgr->Count(bytes)); // size
writeargs->Assign(3, nfs3_stable_how(buf, n)); writeargs->Assign(3, nfs3_stable_how(buf, n));
writeargs->Assign(4, nfs3_file_data(buf, n, offset, bytes)); writeargs->Assign(4, nfs3_file_data(buf, n, offset, bytes));
@ -658,9 +658,9 @@ zeek::RecordValPtr NFS_Interp::nfs3_writeargs(const u_char*& buf, int& n)
return writeargs; return writeargs;
} }
zeek::RecordValPtr NFS_Interp::nfs3_write_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status) RecordValPtr NFS_Interp::nfs3_write_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status)
{ {
auto rep = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NFS3::write_reply_t); auto rep = make_intrusive<RecordVal>(BifType::Record::NFS3::write_reply_t);
if ( status == BifEnum::NFS3::NFS3ERR_OK ) if ( status == BifEnum::NFS3::NFS3ERR_OK )
{ {
@ -683,9 +683,9 @@ zeek::RecordValPtr NFS_Interp::nfs3_write_reply(const u_char*& buf, int& n, BifE
return rep; return rep;
} }
zeek::RecordValPtr NFS_Interp::nfs3_newobj_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status) RecordValPtr NFS_Interp::nfs3_newobj_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status)
{ {
auto rep = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NFS3::newobj_reply_t); auto rep = make_intrusive<RecordVal>(BifType::Record::NFS3::newobj_reply_t);
if (status == BifEnum::NFS3::NFS3ERR_OK) if (status == BifEnum::NFS3::NFS3ERR_OK)
{ {
@ -707,9 +707,9 @@ zeek::RecordValPtr NFS_Interp::nfs3_newobj_reply(const u_char*& buf, int& n, Bif
return rep; return rep;
} }
zeek::RecordValPtr NFS_Interp::nfs3_delobj_reply(const u_char*& buf, int& n) RecordValPtr NFS_Interp::nfs3_delobj_reply(const u_char*& buf, int& n)
{ {
auto rep = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NFS3::delobj_reply_t); auto rep = make_intrusive<RecordVal>(BifType::Record::NFS3::delobj_reply_t);
// wcc_data // wcc_data
rep->Assign(0, nfs3_pre_op_attr(buf, n)); rep->Assign(0, nfs3_pre_op_attr(buf, n));
@ -718,9 +718,9 @@ zeek::RecordValPtr NFS_Interp::nfs3_delobj_reply(const u_char*& buf, int& n)
return rep; return rep;
} }
zeek::RecordValPtr NFS_Interp::nfs3_renameobj_reply(const u_char*& buf, int& n) RecordValPtr NFS_Interp::nfs3_renameobj_reply(const u_char*& buf, int& n)
{ {
auto rep = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NFS3::renameobj_reply_t); auto rep = make_intrusive<RecordVal>(BifType::Record::NFS3::renameobj_reply_t);
// wcc_data // wcc_data
rep->Assign(0, nfs3_pre_op_attr(buf, n)); rep->Assign(0, nfs3_pre_op_attr(buf, n));
@ -731,11 +731,11 @@ zeek::RecordValPtr NFS_Interp::nfs3_renameobj_reply(const u_char*& buf, int& n)
return rep; return rep;
} }
zeek::RecordValPtr NFS_Interp::nfs3_readdirargs(bool isplus, const u_char*& buf, int&n) RecordValPtr NFS_Interp::nfs3_readdirargs(bool isplus, const u_char*& buf, int&n)
{ {
auto args = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NFS3::readdirargs_t); auto args = make_intrusive<RecordVal>(BifType::Record::NFS3::readdirargs_t);
args->Assign(0, zeek::val_mgr->Bool(isplus)); args->Assign(0, val_mgr->Bool(isplus));
args->Assign(1, nfs3_fh(buf, n)); args->Assign(1, nfs3_fh(buf, n));
args->Assign(2, ExtractUint64(buf,n)); // cookie args->Assign(2, ExtractUint64(buf,n)); // cookie
args->Assign(3, ExtractUint64(buf,n)); // cookieverf args->Assign(3, ExtractUint64(buf,n)); // cookieverf
@ -747,17 +747,17 @@ zeek::RecordValPtr NFS_Interp::nfs3_readdirargs(bool isplus, const u_char*& buf,
return args; return args;
} }
zeek::RecordValPtr NFS_Interp::nfs3_readdir_reply(bool isplus, const u_char*& buf, RecordValPtr NFS_Interp::nfs3_readdir_reply(bool isplus, const u_char*& buf,
int&n, BifEnum::NFS3::status_t status) int&n, BifEnum::NFS3::status_t status)
{ {
auto rep = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NFS3::readdir_reply_t); auto rep = make_intrusive<RecordVal>(BifType::Record::NFS3::readdir_reply_t);
rep->Assign(0, zeek::val_mgr->Bool(isplus)); rep->Assign(0, val_mgr->Bool(isplus));
if ( status == BifEnum::NFS3::NFS3ERR_OK ) if ( status == BifEnum::NFS3::NFS3ERR_OK )
{ {
unsigned pos; unsigned pos;
auto entries = zeek::make_intrusive<zeek::VectorVal>(zeek::BifType::Vector::NFS3::direntry_vec_t); auto entries = make_intrusive<VectorVal>(BifType::Vector::NFS3::direntry_vec_t);
rep->Assign(1, nfs3_post_op_attr(buf,n)); // dir_attr rep->Assign(1, nfs3_post_op_attr(buf,n)); // dir_attr
rep->Assign(2, ExtractUint64(buf,n)); // cookieverf rep->Assign(2, ExtractUint64(buf,n)); // cookieverf
@ -766,7 +766,7 @@ zeek::RecordValPtr NFS_Interp::nfs3_readdir_reply(bool isplus, const u_char*& bu
while ( extract_XDR_uint32(buf,n) ) while ( extract_XDR_uint32(buf,n) )
{ {
auto entry = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NFS3::direntry_t); auto entry = make_intrusive<RecordVal>(BifType::Record::NFS3::direntry_t);
entry->Assign(0, ExtractUint64(buf,n)); // fileid entry->Assign(0, ExtractUint64(buf,n)); // fileid
entry->Assign(1, nfs3_filename(buf,n)); // fname entry->Assign(1, nfs3_filename(buf,n)); // fname
entry->Assign(2, ExtractUint64(buf,n)); // cookie entry->Assign(2, ExtractUint64(buf,n)); // cookie
@ -792,34 +792,34 @@ zeek::RecordValPtr NFS_Interp::nfs3_readdir_reply(bool isplus, const u_char*& bu
return rep; return rep;
} }
zeek::ValPtr NFS_Interp::ExtractUint32(const u_char*& buf, int& n) ValPtr NFS_Interp::ExtractUint32(const u_char*& buf, int& n)
{ {
return zeek::val_mgr->Count(extract_XDR_uint32(buf, n)); return val_mgr->Count(extract_XDR_uint32(buf, n));
} }
zeek::ValPtr NFS_Interp::ExtractUint64(const u_char*& buf, int& n) ValPtr NFS_Interp::ExtractUint64(const u_char*& buf, int& n)
{ {
return zeek::val_mgr->Count(extract_XDR_uint64(buf, n)); return val_mgr->Count(extract_XDR_uint64(buf, n));
} }
zeek::ValPtr NFS_Interp::ExtractTime(const u_char*& buf, int& n) ValPtr NFS_Interp::ExtractTime(const u_char*& buf, int& n)
{ {
return zeek::make_intrusive<zeek::TimeVal>(extract_XDR_time(buf, n)); return make_intrusive<TimeVal>(extract_XDR_time(buf, n));
} }
zeek::ValPtr NFS_Interp::ExtractInterval(const u_char*& buf, int& n) ValPtr NFS_Interp::ExtractInterval(const u_char*& buf, int& n)
{ {
return zeek::make_intrusive<zeek::IntervalVal>(double(extract_XDR_uint32(buf, n)), 1.0); return make_intrusive<IntervalVal>(double(extract_XDR_uint32(buf, n)), 1.0);
} }
zeek::ValPtr NFS_Interp::ExtractBool(const u_char*& buf, int& n) ValPtr NFS_Interp::ExtractBool(const u_char*& buf, int& n)
{ {
return zeek::val_mgr->Bool(extract_XDR_uint32(buf, n)); return val_mgr->Bool(extract_XDR_uint32(buf, n));
} }
} // namespace detail } // namespace detail
NFS_Analyzer::NFS_Analyzer(zeek::Connection* conn) NFS_Analyzer::NFS_Analyzer(Connection* conn)
: RPC_Analyzer("NFS", conn, new detail::NFS_Interp(this)) : RPC_Analyzer("NFS", conn, new detail::NFS_Interp(this))
{ {
orig_rpc = resp_rpc = nullptr; orig_rpc = resp_rpc = nullptr;

82
src/analyzer/protocol/rpc/NFS.h
View file

@ -10,7 +10,7 @@ namespace detail {
class NFS_Interp : public RPC_Interpreter { class NFS_Interp : public RPC_Interpreter {
public: public:
explicit NFS_Interp(zeek::analyzer::Analyzer* arg_analyzer) : RPC_Interpreter(arg_analyzer) { } explicit NFS_Interp(analyzer::Analyzer* arg_analyzer) : RPC_Interpreter(arg_analyzer) { }
protected: protected:
bool RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n) override; bool RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n) override;
@ -21,7 +21,7 @@ protected:
// Returns a new val_list that already has a conn_val, rpc_status and // Returns a new val_list that already has a conn_val, rpc_status and
// nfs_status. These are the first parameters for each nfs_* event // nfs_status. These are the first parameters for each nfs_* event
// ... // ...
zeek::Args event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status, Args event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status,
BifEnum::NFS3::status_t nfs_status, BifEnum::NFS3::status_t nfs_status,
double rep_start_time, double rep_last_time, double rep_start_time, double rep_last_time,
int reply_len, int extra_elements); int reply_len, int extra_elements);
@ -31,63 +31,63 @@ protected:
// to 0. However, the methods might still return an allocated Val * ! // to 0. However, the methods might still return an allocated Val * !
// So, you might want to Unref() the Val if buf is 0. Method names // So, you might want to Unref() the Val if buf is 0. Method names
// are based on the type names of RFC 1813. // are based on the type names of RFC 1813.
zeek::StringValPtr nfs3_fh(const u_char*& buf, int& n); StringValPtr nfs3_fh(const u_char*& buf, int& n);
zeek::RecordValPtr nfs3_fattr(const u_char*& buf, int& n); RecordValPtr nfs3_fattr(const u_char*& buf, int& n);
zeek::RecordValPtr nfs3_sattr(const u_char*& buf, int& n); RecordValPtr nfs3_sattr(const u_char*& buf, int& n);
zeek::EnumValPtr nfs3_ftype(const u_char*& buf, int& n); EnumValPtr nfs3_ftype(const u_char*& buf, int& n);
zeek::EnumValPtr nfs3_time_how(const u_char*& buf, int& n); EnumValPtr nfs3_time_how(const u_char*& buf, int& n);
zeek::RecordValPtr nfs3_wcc_attr(const u_char*& buf, int& n); RecordValPtr nfs3_wcc_attr(const u_char*& buf, int& n);
zeek::RecordValPtr nfs3_diropargs(const u_char*&buf, int &n); RecordValPtr nfs3_diropargs(const u_char*&buf, int &n);
zeek::RecordValPtr nfs3_symlinkdata(const u_char*& buf, int& n); RecordValPtr nfs3_symlinkdata(const u_char*& buf, int& n);
zeek::RecordValPtr nfs3_renameopargs(const u_char*&buf, int &n); RecordValPtr nfs3_renameopargs(const u_char*&buf, int &n);
zeek::StringValPtr nfs3_filename(const u_char*& buf, int& n); StringValPtr nfs3_filename(const u_char*& buf, int& n);
zeek::RecordValPtr nfs3_linkargs(const u_char*& buf, int& n); RecordValPtr nfs3_linkargs(const u_char*& buf, int& n);
zeek::RecordValPtr nfs3_symlinkargs(const u_char*& buf, int& n); RecordValPtr nfs3_symlinkargs(const u_char*& buf, int& n);
zeek::RecordValPtr nfs3_sattrargs(const u_char*& buf, int& n); RecordValPtr nfs3_sattrargs(const u_char*& buf, int& n);
zeek::StringValPtr nfs3_nfspath(const u_char*& buf, int& n) StringValPtr nfs3_nfspath(const u_char*& buf, int& n)
{ {
return nfs3_filename(buf,n); return nfs3_filename(buf,n);
} }
zeek::RecordValPtr nfs3_post_op_attr(const u_char*&buf, int &n); // Return 0 or an fattr RecordValPtr nfs3_post_op_attr(const u_char*&buf, int &n); // Return 0 or an fattr
zeek::RecordValPtr nfs3_pre_op_attr(const u_char*&buf, int &n); // Return 0 or an wcc_attr RecordValPtr nfs3_pre_op_attr(const u_char*&buf, int &n); // Return 0 or an wcc_attr
zeek::RecordValPtr nfs3_sattr_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status); RecordValPtr nfs3_sattr_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status);
zeek::RecordValPtr nfs3_lookup_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status); RecordValPtr nfs3_lookup_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status);
zeek::RecordValPtr nfs3_readargs(const u_char*& buf, int& n); RecordValPtr nfs3_readargs(const u_char*& buf, int& n);
zeek::RecordValPtr nfs3_read_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status, bro_uint_t offset); RecordValPtr nfs3_read_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status, bro_uint_t offset);
zeek::RecordValPtr nfs3_readlink_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status); RecordValPtr nfs3_readlink_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status);
zeek::RecordValPtr nfs3_link_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status); RecordValPtr nfs3_link_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status);
zeek::RecordValPtr nfs3_writeargs(const u_char*& buf, int& n); RecordValPtr nfs3_writeargs(const u_char*& buf, int& n);
zeek::EnumValPtr nfs3_stable_how(const u_char*& buf, int& n); EnumValPtr nfs3_stable_how(const u_char*& buf, int& n);
zeek::RecordValPtr nfs3_write_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status); RecordValPtr nfs3_write_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status);
zeek::RecordValPtr nfs3_newobj_reply(const u_char*& buf, int&n, BifEnum::NFS3::status_t status); RecordValPtr nfs3_newobj_reply(const u_char*& buf, int&n, BifEnum::NFS3::status_t status);
zeek::RecordValPtr nfs3_delobj_reply(const u_char*& buf, int& n); RecordValPtr nfs3_delobj_reply(const u_char*& buf, int& n);
zeek::RecordValPtr nfs3_renameobj_reply(const u_char*& buf, int& n); RecordValPtr nfs3_renameobj_reply(const u_char*& buf, int& n);
zeek::StringValPtr nfs3_post_op_fh(const u_char*& buf, int& n); StringValPtr nfs3_post_op_fh(const u_char*& buf, int& n);
zeek::RecordValPtr nfs3_readdirargs(bool isplus, const u_char*& buf, int&n); RecordValPtr nfs3_readdirargs(bool isplus, const u_char*& buf, int&n);
zeek::RecordValPtr nfs3_readdir_reply(bool isplus, const u_char*& buf, int&n, BifEnum::NFS3::status_t status); RecordValPtr nfs3_readdir_reply(bool isplus, const u_char*& buf, int&n, BifEnum::NFS3::status_t status);
// Consumes the file data in the RPC message. Depending on NFS::return_data* consts // Consumes the file data in the RPC message. Depending on NFS::return_data* consts
// in bro.init returns NULL or the data as string val: // in bro.init returns NULL or the data as string val:
// * offset is the offset of the read/write call // * offset is the offset of the read/write call
// * size is the amount of bytes read (or requested to be written), // * size is the amount of bytes read (or requested to be written),
zeek::StringValPtr nfs3_file_data(const u_char*& buf, int& n, uint64_t offset, int size); StringValPtr nfs3_file_data(const u_char*& buf, int& n, uint64_t offset, int size);
zeek::ValPtr ExtractUint32(const u_char*& buf, int& n); ValPtr ExtractUint32(const u_char*& buf, int& n);
zeek::ValPtr ExtractUint64(const u_char*& buf, int& n); ValPtr ExtractUint64(const u_char*& buf, int& n);
zeek::ValPtr ExtractTime(const u_char*& buf, int& n); ValPtr ExtractTime(const u_char*& buf, int& n);
zeek::ValPtr ExtractInterval(const u_char*& buf, int& n); ValPtr ExtractInterval(const u_char*& buf, int& n);
zeek::ValPtr ExtractBool(const u_char*& buf, int& n); ValPtr ExtractBool(const u_char*& buf, int& n);
}; };
} // namespace detail } // namespace detail
class NFS_Analyzer : public RPC_Analyzer { class NFS_Analyzer : public RPC_Analyzer {
public: public:
explicit NFS_Analyzer(zeek::Connection* conn); explicit NFS_Analyzer(Connection* conn);
void Init() override; void Init() override;
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new NFS_Analyzer(conn); } { return new NFS_Analyzer(conn); }
}; };

68
src/analyzer/protocol/rpc/Portmap.cc
View file

@ -79,8 +79,8 @@ bool PortmapperInterp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status statu
double start_time, double last_time, double start_time, double last_time,
int reply_len) int reply_len)
{ {
zeek::EventHandlerPtr event; EventHandlerPtr event;
zeek::ValPtr reply; ValPtr reply;
int success = (status == BifEnum::RPC_SUCCESS); int success = (status == BifEnum::RPC_SUCCESS);
switch ( c->Proc() ) { switch ( c->Proc() ) {
@ -95,7 +95,7 @@ bool PortmapperInterp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status statu
if ( ! buf ) if ( ! buf )
return false; return false;
reply = zeek::val_mgr->Bool(status); reply = val_mgr->Bool(status);
event = pm_request_set; event = pm_request_set;
} }
else else
@ -110,7 +110,7 @@ bool PortmapperInterp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status statu
if ( ! buf ) if ( ! buf )
return false; return false;
reply = zeek::val_mgr->Bool(status); reply = val_mgr->Bool(status);
event = pm_request_unset; event = pm_request_unset;
} }
else else
@ -125,9 +125,9 @@ bool PortmapperInterp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status statu
if ( ! buf ) if ( ! buf )
return false; return false;
zeek::RecordVal* rv = c->RequestVal()->AsRecordVal(); RecordVal* rv = c->RequestVal()->AsRecordVal();
const auto& is_tcp = rv->GetField(2); const auto& is_tcp = rv->GetField(2);
reply = zeek::val_mgr->Port(CheckPort(port), is_tcp->IsOne() ? reply = val_mgr->Port(CheckPort(port), is_tcp->IsOne() ?
TRANSPORT_TCP : TRANSPORT_UDP); TRANSPORT_TCP : TRANSPORT_UDP);
event = pm_request_getport; event = pm_request_getport;
} }
@ -139,8 +139,8 @@ bool PortmapperInterp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status statu
event = success ? pm_request_dump : pm_attempt_dump; event = success ? pm_request_dump : pm_attempt_dump;
if ( success ) if ( success )
{ {
static auto pm_mappings = zeek::id::find_type<zeek::TableType>("pm_mappings"); static auto pm_mappings = id::find_type<TableType>("pm_mappings");
auto mappings = zeek::make_intrusive<zeek::TableVal>(pm_mappings); auto mappings = make_intrusive<TableVal>(pm_mappings);
uint32_t nmap = 0; uint32_t nmap = 0;
// Each call in the loop test pulls the next "opted" // Each call in the loop test pulls the next "opted"
@ -151,7 +151,7 @@ bool PortmapperInterp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status statu
if ( ! m ) if ( ! m )
break; break;
auto index = zeek::val_mgr->Count(++nmap); auto index = val_mgr->Count(++nmap);
mappings->Assign(std::move(index), std::move(m)); mappings->Assign(std::move(index), std::move(m));
} }
@ -175,7 +175,7 @@ bool PortmapperInterp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status statu
if ( ! opaque_reply ) if ( ! opaque_reply )
return false; return false;
reply = zeek::val_mgr->Port(CheckPort(port), TRANSPORT_UDP); reply = val_mgr->Port(CheckPort(port), TRANSPORT_UDP);
event = pm_request_callit; event = pm_request_callit;
} }
else else
@ -190,17 +190,17 @@ bool PortmapperInterp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status statu
return true; return true;
} }
zeek::ValPtr PortmapperInterp::ExtractMapping(const u_char*& buf, int& len) ValPtr PortmapperInterp::ExtractMapping(const u_char*& buf, int& len)
{ {
static auto pm_mapping = zeek::id::find_type<zeek::RecordType>("pm_mapping"); static auto pm_mapping = id::find_type<RecordType>("pm_mapping");
auto mapping = zeek::make_intrusive<zeek::RecordVal>(pm_mapping); auto mapping = make_intrusive<RecordVal>(pm_mapping);
mapping->Assign(0, zeek::val_mgr->Count(extract_XDR_uint32(buf, len))); mapping->Assign(0, val_mgr->Count(extract_XDR_uint32(buf, len)));
mapping->Assign(1, zeek::val_mgr->Count(extract_XDR_uint32(buf, len))); mapping->Assign(1, val_mgr->Count(extract_XDR_uint32(buf, len)));
bool is_tcp = extract_XDR_uint32(buf, len) == IPPROTO_TCP; bool is_tcp = extract_XDR_uint32(buf, len) == IPPROTO_TCP;
uint32_t port = extract_XDR_uint32(buf, len); uint32_t port = extract_XDR_uint32(buf, len);
mapping->Assign(2, zeek::val_mgr->Port(CheckPort(port), is_tcp ? TRANSPORT_TCP : TRANSPORT_UDP)); mapping->Assign(2, val_mgr->Port(CheckPort(port), is_tcp ? TRANSPORT_TCP : TRANSPORT_UDP));
if ( ! buf ) if ( ! buf )
return nullptr; return nullptr;
@ -208,16 +208,16 @@ zeek::ValPtr PortmapperInterp::ExtractMapping(const u_char*& buf, int& len)
return mapping; return mapping;
} }
zeek::ValPtr PortmapperInterp::ExtractPortRequest(const u_char*& buf, int& len) ValPtr PortmapperInterp::ExtractPortRequest(const u_char*& buf, int& len)
{ {
static auto pm_port_request = zeek::id::find_type<zeek::RecordType>("pm_port_request"); static auto pm_port_request = id::find_type<RecordType>("pm_port_request");
auto pr = zeek::make_intrusive<zeek::RecordVal>(pm_port_request); auto pr = make_intrusive<RecordVal>(pm_port_request);
pr->Assign(0, zeek::val_mgr->Count(extract_XDR_uint32(buf, len))); pr->Assign(0, val_mgr->Count(extract_XDR_uint32(buf, len)));
pr->Assign(1, zeek::val_mgr->Count(extract_XDR_uint32(buf, len))); pr->Assign(1, val_mgr->Count(extract_XDR_uint32(buf, len)));
bool is_tcp = extract_XDR_uint32(buf, len) == IPPROTO_TCP; bool is_tcp = extract_XDR_uint32(buf, len) == IPPROTO_TCP;
pr->Assign(2, zeek::val_mgr->Bool(is_tcp)); pr->Assign(2, val_mgr->Bool(is_tcp));
(void) extract_XDR_uint32(buf, len); // consume the bogus port (void) extract_XDR_uint32(buf, len); // consume the bogus port
if ( ! buf ) if ( ! buf )
@ -226,18 +226,18 @@ zeek::ValPtr PortmapperInterp::ExtractPortRequest(const u_char*& buf, int& len)
return pr; return pr;
} }
zeek::ValPtr PortmapperInterp::ExtractCallItRequest(const u_char*& buf, int& len) ValPtr PortmapperInterp::ExtractCallItRequest(const u_char*& buf, int& len)
{ {
static auto pm_callit_request = zeek::id::find_type<zeek::RecordType>("pm_callit_request"); static auto pm_callit_request = id::find_type<RecordType>("pm_callit_request");
auto c = zeek::make_intrusive<zeek::RecordVal>(pm_callit_request); auto c = make_intrusive<RecordVal>(pm_callit_request);
c->Assign(0, zeek::val_mgr->Count(extract_XDR_uint32(buf, len))); c->Assign(0, val_mgr->Count(extract_XDR_uint32(buf, len)));
c->Assign(1, zeek::val_mgr->Count(extract_XDR_uint32(buf, len))); c->Assign(1, val_mgr->Count(extract_XDR_uint32(buf, len)));
c->Assign(2, zeek::val_mgr->Count(extract_XDR_uint32(buf, len))); c->Assign(2, val_mgr->Count(extract_XDR_uint32(buf, len)));
int arg_n; int arg_n;
(void) extract_XDR_opaque(buf, len, arg_n); (void) extract_XDR_opaque(buf, len, arg_n);
c->Assign(3, zeek::val_mgr->Count(arg_n)); c->Assign(3, val_mgr->Count(arg_n));
if ( ! buf ) if ( ! buf )
return nullptr; return nullptr;
@ -253,7 +253,7 @@ uint32_t PortmapperInterp::CheckPort(uint32_t port)
{ {
analyzer->EnqueueConnEvent(pm_bad_port, analyzer->EnqueueConnEvent(pm_bad_port,
analyzer->ConnVal(), analyzer->ConnVal(),
zeek::val_mgr->Count(port) val_mgr->Count(port)
); );
} }
@ -263,12 +263,12 @@ uint32_t PortmapperInterp::CheckPort(uint32_t port)
return port; return port;
} }
void PortmapperInterp::Event(zeek::EventHandlerPtr f, zeek::ValPtr request, BifEnum::rpc_status status, zeek::ValPtr reply) void PortmapperInterp::Event(EventHandlerPtr f, ValPtr request, BifEnum::rpc_status status, ValPtr reply)
{ {
if ( ! f ) if ( ! f )
return; return;
zeek::Args vl; Args vl;
vl.emplace_back(analyzer->ConnVal()); vl.emplace_back(analyzer->ConnVal());
@ -281,7 +281,7 @@ void PortmapperInterp::Event(zeek::EventHandlerPtr f, zeek::ValPtr request, BifE
} }
else else
{ {
vl.emplace_back(zeek::BifType::Enum::rpc_status->GetEnumVal(status)); vl.emplace_back(BifType::Enum::rpc_status->GetEnumVal(status));
if ( request ) if ( request )
vl.emplace_back(std::move(request)); vl.emplace_back(std::move(request));
@ -292,7 +292,7 @@ void PortmapperInterp::Event(zeek::EventHandlerPtr f, zeek::ValPtr request, BifE
} // namespace detail } // namespace detail
Portmapper_Analyzer::Portmapper_Analyzer(zeek::Connection* conn) Portmapper_Analyzer::Portmapper_Analyzer(Connection* conn)
: RPC_Analyzer("PORTMAPPER", conn, new detail::PortmapperInterp(this)) : RPC_Analyzer("PORTMAPPER", conn, new detail::PortmapperInterp(this))
{ {
orig_rpc = resp_rpc = nullptr; orig_rpc = resp_rpc = nullptr;

14
src/analyzer/protocol/rpc/Portmap.h
View file

@ -9,7 +9,7 @@ namespace detail {
class PortmapperInterp : public RPC_Interpreter { class PortmapperInterp : public RPC_Interpreter {
public: public:
explicit PortmapperInterp(zeek::analyzer::Analyzer* arg_analyzer) : RPC_Interpreter(arg_analyzer) { } explicit PortmapperInterp(analyzer::Analyzer* arg_analyzer) : RPC_Interpreter(arg_analyzer) { }
protected: protected:
bool RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n) override; bool RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n) override;
@ -18,22 +18,22 @@ protected:
double last_time, int reply_len) override; double last_time, int reply_len) override;
uint32_t CheckPort(uint32_t port); uint32_t CheckPort(uint32_t port);
void Event(zeek::EventHandlerPtr f, zeek::ValPtr request, BifEnum::rpc_status status, zeek::ValPtr reply); void Event(EventHandlerPtr f, ValPtr request, BifEnum::rpc_status status, ValPtr reply);
zeek::ValPtr ExtractMapping(const u_char*& buf, int& len); ValPtr ExtractMapping(const u_char*& buf, int& len);
zeek::ValPtr ExtractPortRequest(const u_char*& buf, int& len); ValPtr ExtractPortRequest(const u_char*& buf, int& len);
zeek::ValPtr ExtractCallItRequest(const u_char*& buf, int& len); ValPtr ExtractCallItRequest(const u_char*& buf, int& len);
}; };
} // namespace detail } // namespace detail
class Portmapper_Analyzer : public RPC_Analyzer { class Portmapper_Analyzer : public RPC_Analyzer {
public: public:
explicit Portmapper_Analyzer(zeek::Connection* conn); explicit Portmapper_Analyzer(Connection* conn);
~Portmapper_Analyzer() override; ~Portmapper_Analyzer() override;
void Init() override; void Init() override;
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new Portmapper_Analyzer(conn); } { return new Portmapper_Analyzer(conn); }
}; };

86
src/analyzer/protocol/rpc/RPC.cc
View file

@ -108,7 +108,7 @@ bool RPC_CallInfo::CompareRexmit(const u_char* buf, int n) const
} }
RPC_Interpreter::RPC_Interpreter(zeek::analyzer::Analyzer* arg_analyzer) RPC_Interpreter::RPC_Interpreter(analyzer::Analyzer* arg_analyzer)
{ {
analyzer = arg_analyzer; analyzer = arg_analyzer;
} }
@ -308,7 +308,7 @@ int RPC_Interpreter::DeliverRPC(const u_char* buf, int n, int rpclen,
else if ( n < 0 ) else if ( n < 0 )
{ {
zeek::reporter->AnalyzerError(analyzer, "RPC underflow"); reporter->AnalyzerError(analyzer, "RPC underflow");
return 0; return 0;
} }
@ -327,7 +327,7 @@ void RPC_Interpreter::Timeout()
const u_char* buf = nullptr; const u_char* buf = nullptr;
int n = 0; int n = 0;
if ( ! RPC_BuildReply(c, BifEnum::RPC_TIMEOUT, buf, n, zeek::run_state::network_time, zeek::run_state::network_time, 0) ) if ( ! RPC_BuildReply(c, BifEnum::RPC_TIMEOUT, buf, n, run_state::network_time, run_state::network_time, 0) )
Weird("bad_RPC"); Weird("bad_RPC");
} }
} }
@ -338,13 +338,13 @@ void RPC_Interpreter::Event_RPC_Dialogue(RPC_CallInfo* c, BifEnum::rpc_status st
if ( rpc_dialogue ) if ( rpc_dialogue )
analyzer->EnqueueConnEvent(rpc_dialogue, analyzer->EnqueueConnEvent(rpc_dialogue,
analyzer->ConnVal(), analyzer->ConnVal(),
zeek::val_mgr->Count(c->Program()), val_mgr->Count(c->Program()),
zeek::val_mgr->Count(c->Version()), val_mgr->Count(c->Version()),
zeek::val_mgr->Count(c->Proc()), val_mgr->Count(c->Proc()),
zeek::BifType::Enum::rpc_status->GetEnumVal(status), BifType::Enum::rpc_status->GetEnumVal(status),
zeek::make_intrusive<zeek::TimeVal>(c->StartTime()), make_intrusive<TimeVal>(c->StartTime()),
zeek::val_mgr->Count(c->CallLen()), val_mgr->Count(c->CallLen()),
zeek::val_mgr->Count(reply_len) val_mgr->Count(reply_len)
); );
} }
@ -353,11 +353,11 @@ void RPC_Interpreter::Event_RPC_Call(RPC_CallInfo* c)
if ( rpc_call ) if ( rpc_call )
analyzer->EnqueueConnEvent(rpc_call, analyzer->EnqueueConnEvent(rpc_call,
analyzer->ConnVal(), analyzer->ConnVal(),
zeek::val_mgr->Count(c->XID()), val_mgr->Count(c->XID()),
zeek::val_mgr->Count(c->Program()), val_mgr->Count(c->Program()),
zeek::val_mgr->Count(c->Version()), val_mgr->Count(c->Version()),
zeek::val_mgr->Count(c->Proc()), val_mgr->Count(c->Proc()),
zeek::val_mgr->Count(c->CallLen()) val_mgr->Count(c->CallLen())
); );
} }
@ -366,9 +366,9 @@ void RPC_Interpreter::Event_RPC_Reply(uint32_t xid, BifEnum::rpc_status status,
if ( rpc_reply ) if ( rpc_reply )
analyzer->EnqueueConnEvent(rpc_reply, analyzer->EnqueueConnEvent(rpc_reply,
analyzer->ConnVal(), analyzer->ConnVal(),
zeek::val_mgr->Count(xid), val_mgr->Count(xid),
zeek::BifType::Enum::rpc_status->GetEnumVal(status), BifType::Enum::rpc_status->GetEnumVal(status),
zeek::val_mgr->Count(reply_len) val_mgr->Count(reply_len)
); );
} }
@ -414,9 +414,9 @@ bool RPC_Reasm_Buffer::ConsumeChunk(const u_char*& data, int& len)
} // namespace detail } // namespace detail
Contents_RPC::Contents_RPC(zeek::Connection* conn, bool orig, Contents_RPC::Contents_RPC(Connection* conn, bool orig,
detail::RPC_Interpreter* arg_interp) detail::RPC_Interpreter* arg_interp)
: zeek::analyzer::tcp::TCP_SupportAnalyzer("CONTENTS_RPC", conn, orig) : analyzer::tcp::TCP_SupportAnalyzer("CONTENTS_RPC", conn, orig)
{ {
interp = arg_interp; interp = arg_interp;
state = WAIT_FOR_MESSAGE; state = WAIT_FOR_MESSAGE;
@ -428,7 +428,7 @@ Contents_RPC::Contents_RPC(zeek::Connection* conn, bool orig,
void Contents_RPC::Init() void Contents_RPC::Init()
{ {
zeek::analyzer::tcp::TCP_SupportAnalyzer::Init(); analyzer::tcp::TCP_SupportAnalyzer::Init();
} }
Contents_RPC::~Contents_RPC() Contents_RPC::~Contents_RPC()
@ -437,7 +437,7 @@ Contents_RPC::~Contents_RPC()
void Contents_RPC::Undelivered(uint64_t seq, int len, bool orig) void Contents_RPC::Undelivered(uint64_t seq, int len, bool orig)
{ {
zeek::analyzer::tcp::TCP_SupportAnalyzer::Undelivered(seq, len, orig); analyzer::tcp::TCP_SupportAnalyzer::Undelivered(seq, len, orig);
NeedResync(); NeedResync();
} }
@ -456,12 +456,12 @@ bool Contents_RPC::CheckResync(int& len, const u_char*& data, bool orig)
// is fully established we are in sync (since it's the first chunk // is fully established we are in sync (since it's the first chunk
// of data after the SYN if its not established we need to // of data after the SYN if its not established we need to
// resync. // resync.
zeek::analyzer::tcp::TCP_Analyzer* tcp = analyzer::tcp::TCP_Analyzer* tcp =
static_cast<zeek::analyzer::tcp::TCP_ApplicationAnalyzer*>(Parent())->TCP(); static_cast<analyzer::tcp::TCP_ApplicationAnalyzer*>(Parent())->TCP();
assert(tcp); assert(tcp);
if ( (IsOrig() ? tcp->OrigState() : tcp->RespState()) != if ( (IsOrig() ? tcp->OrigState() : tcp->RespState()) !=
zeek::analyzer::tcp::TCP_ENDPOINT_ESTABLISHED ) analyzer::tcp::TCP_ENDPOINT_ESTABLISHED )
{ {
NeedResync(); NeedResync();
} }
@ -515,7 +515,7 @@ bool Contents_RPC::CheckResync(int& len, const u_char*& data, bool orig)
if ( resync_toskip != 0 ) if ( resync_toskip != 0 )
{ {
// Should never happen. // Should never happen.
zeek::reporter->AnalyzerError( reporter->AnalyzerError(
this, "RPC resync: skipping over data failed"); this, "RPC resync: skipping over data failed");
return false; return false;
} }
@ -534,8 +534,8 @@ bool Contents_RPC::CheckResync(int& len, const u_char*& data, bool orig)
// TCP keep-alive retransmissions. // TCP keep-alive retransmissions.
DEBUG_MSG("%.6f RPC resync: " DEBUG_MSG("%.6f RPC resync: "
"discard small pieces: %d\n", "discard small pieces: %d\n",
zeek::run_state::network_time, len); run_state::network_time, len);
Conn()->Weird("RPC_resync", zeek::util::fmt("discard %d bytes\n", len)); Conn()->Weird("RPC_resync", util::fmt("discard %d bytes\n", len));
} }
NeedResync(); NeedResync();
@ -623,7 +623,7 @@ bool Contents_RPC::CheckResync(int& len, const u_char*& data, bool orig)
void Contents_RPC::DeliverStream(int len, const u_char* data, bool orig) void Contents_RPC::DeliverStream(int len, const u_char* data, bool orig)
{ {
zeek::analyzer::tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig); analyzer::tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig);
uint32_t marker; uint32_t marker;
bool last_frag; bool last_frag;
@ -634,7 +634,7 @@ void Contents_RPC::DeliverStream(int len, const u_char* data, bool orig)
while (len > 0) while (len > 0)
{ {
last_time = zeek::run_state::network_time; last_time = run_state::network_time;
switch (state) { switch (state) {
case WAIT_FOR_MESSAGE: case WAIT_FOR_MESSAGE:
@ -649,7 +649,7 @@ void Contents_RPC::DeliverStream(int len, const u_char* data, bool orig)
msg_buf.Init(MAX_RPC_LEN, 0); msg_buf.Init(MAX_RPC_LEN, 0);
last_frag = false; last_frag = false;
state = WAIT_FOR_MARKER; state = WAIT_FOR_MARKER;
start_time = zeek::run_state::network_time; start_time = run_state::network_time;
// no break. fall through // no break. fall through
case WAIT_FOR_MARKER: case WAIT_FOR_MARKER:
@ -667,7 +667,7 @@ void Contents_RPC::DeliverStream(int len, const u_char* data, bool orig)
if ( ! dummy_p ) if ( ! dummy_p )
{ {
zeek::reporter->AnalyzerError( reporter->AnalyzerError(
this, "inconsistent RPC record marker extraction"); this, "inconsistent RPC record marker extraction");
return; return;
} }
@ -675,10 +675,10 @@ void Contents_RPC::DeliverStream(int len, const u_char* data, bool orig)
last_frag = (marker & 0x80000000) != 0; last_frag = (marker & 0x80000000) != 0;
marker &= 0x7fffffff; marker &= 0x7fffffff;
//printf("%.6f %d marker= %u <> last_frag= %d <> expected=%llu <> processed= %llu <> len = %d\n", //printf("%.6f %d marker= %u <> last_frag= %d <> expected=%llu <> processed= %llu <> len = %d\n",
// zeek::run_state::network_time, IsOrig(), marker, last_frag, msg_buf.GetExpected(), msg_buf.GetProcessed(), len); // run_state::network_time, IsOrig(), marker, last_frag, msg_buf.GetExpected(), msg_buf.GetProcessed(), len);
if ( ! msg_buf.AddToExpected(marker) ) if ( ! msg_buf.AddToExpected(marker) )
Conn()->Weird("RPC_message_too_long", zeek::util::fmt("%" PRId64, msg_buf.GetExpected())); Conn()->Weird("RPC_message_too_long", util::fmt("%" PRId64, msg_buf.GetExpected()));
if ( last_frag ) if ( last_frag )
state = WAIT_FOR_LAST_DATA; state = WAIT_FOR_LAST_DATA;
@ -722,14 +722,14 @@ void Contents_RPC::DeliverStream(int len, const u_char* data, bool orig)
} // end while } // end while
} }
RPC_Analyzer::RPC_Analyzer(const char* name, zeek::Connection* conn, RPC_Analyzer::RPC_Analyzer(const char* name, Connection* conn,
detail::RPC_Interpreter* arg_interp) detail::RPC_Interpreter* arg_interp)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer(name, conn), : analyzer::tcp::TCP_ApplicationAnalyzer(name, conn),
interp(arg_interp), orig_rpc(), resp_rpc() interp(arg_interp), orig_rpc(), resp_rpc()
{ {
if ( Conn()->ConnTransport() == TRANSPORT_UDP ) if ( Conn()->ConnTransport() == TRANSPORT_UDP )
ADD_ANALYZER_TIMER(&RPC_Analyzer::ExpireTimer, ADD_ANALYZER_TIMER(&RPC_Analyzer::ExpireTimer,
zeek::run_state::network_time + zeek::detail::rpc_timeout, true, run_state::network_time + zeek::detail::rpc_timeout, true,
zeek::detail::TIMER_RPC_EXPIRE); zeek::detail::TIMER_RPC_EXPIRE);
} }
@ -739,26 +739,26 @@ RPC_Analyzer::~RPC_Analyzer()
} }
void RPC_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, void RPC_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const zeek::IP_Hdr* ip, int caplen) uint64_t seq, const IP_Hdr* ip, int caplen)
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen); analyzer::tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
len = std::min(len, caplen); len = std::min(len, caplen);
if ( orig ) if ( orig )
{ {
if ( ! interp->DeliverRPC(data, len, len, true, zeek::run_state::network_time, zeek::run_state::network_time) ) if ( ! interp->DeliverRPC(data, len, len, true, run_state::network_time, run_state::network_time) )
Weird("bad_RPC"); Weird("bad_RPC");
} }
else else
{ {
if ( ! interp->DeliverRPC(data, len, len, false, zeek::run_state::network_time, zeek::run_state::network_time) ) if ( ! interp->DeliverRPC(data, len, len, false, run_state::network_time, run_state::network_time) )
Weird("bad_RPC"); Weird("bad_RPC");
} }
} }
void RPC_Analyzer::Done() void RPC_Analyzer::Done()
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); analyzer::tcp::TCP_ApplicationAnalyzer::Done();
interp->Timeout(); interp->Timeout();
} }
@ -766,7 +766,7 @@ void RPC_Analyzer::Done()
void RPC_Analyzer::ExpireTimer(double /* t */) void RPC_Analyzer::ExpireTimer(double /* t */)
{ {
Event(connection_timeout); Event(connection_timeout);
zeek::sessions->Remove(Conn()); sessions->Remove(Conn());
} }
} // namespace zeek::analyzer::rpc } // namespace zeek::analyzer::rpc

22
src/analyzer/protocol/rpc/RPC.h
View file

@ -53,9 +53,9 @@ public:
double last_time, int rpc_len); double last_time, int rpc_len);
~RPC_CallInfo(); ~RPC_CallInfo();
void AddVal(zeek::ValPtr arg_v) { v = std::move(arg_v); } void AddVal(ValPtr arg_v) { v = std::move(arg_v); }
const zeek::ValPtr& RequestVal() const { return v; } const ValPtr& RequestVal() const { return v; }
zeek::ValPtr TakeRequestVal() { auto rv = std::move(v); return rv; } ValPtr TakeRequestVal() { auto rv = std::move(v); return rv; }
bool CompareRexmit(const u_char* buf, int n) const; bool CompareRexmit(const u_char* buf, int n) const;
@ -96,12 +96,12 @@ protected:
int header_len; // size of data before the arguments int header_len; // size of data before the arguments
bool valid_call; // whether call was well-formed bool valid_call; // whether call was well-formed
zeek::ValPtr v; // single (perhaps compound) value corresponding to call ValPtr v; // single (perhaps compound) value corresponding to call
}; };
class RPC_Interpreter { class RPC_Interpreter {
public: public:
explicit RPC_Interpreter(zeek::analyzer::Analyzer* analyzer); explicit RPC_Interpreter(analyzer::Analyzer* analyzer);
virtual ~RPC_Interpreter(); virtual ~RPC_Interpreter();
// Delivers the given RPC. Returns true if "len" bytes were // Delivers the given RPC. Returns true if "len" bytes were
@ -124,7 +124,7 @@ protected:
void Weird(const char* name, const char* addl = ""); void Weird(const char* name, const char* addl = "");
std::map<uint32_t, RPC_CallInfo*> calls; std::map<uint32_t, RPC_CallInfo*> calls;
zeek::analyzer::Analyzer* analyzer; analyzer::Analyzer* analyzer;
}; };
@ -187,9 +187,9 @@ protected:
} // namespace detail } // namespace detail
/* Support Analyzer for reassembling RPC-over-TCP messages */ /* Support Analyzer for reassembling RPC-over-TCP messages */
class Contents_RPC final : public zeek::analyzer::tcp::TCP_SupportAnalyzer { class Contents_RPC final : public analyzer::tcp::TCP_SupportAnalyzer {
public: public:
Contents_RPC(zeek::Connection* conn, bool orig, detail::RPC_Interpreter* interp); Contents_RPC(Connection* conn, bool orig, detail::RPC_Interpreter* interp);
~Contents_RPC() override; ~Contents_RPC() override;
protected: protected:
@ -233,9 +233,9 @@ protected:
int resync_toskip; int resync_toskip;
}; };
class RPC_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { class RPC_Analyzer : public analyzer::tcp::TCP_ApplicationAnalyzer {
public: public:
RPC_Analyzer(const char* name, zeek::Connection* conn, RPC_Analyzer(const char* name, Connection* conn,
detail::RPC_Interpreter* arg_interp); detail::RPC_Interpreter* arg_interp);
~RPC_Analyzer() override; ~RPC_Analyzer() override;
@ -243,7 +243,7 @@ public:
protected: protected:
void DeliverPacket(int len, const u_char* data, bool orig, void DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override; uint64_t seq, const IP_Hdr* ip, int caplen) override;
void ExpireTimer(double t); void ExpireTimer(double t);

8
src/analyzer/protocol/sip/SIP.cc
View file

@ -4,8 +4,8 @@
namespace zeek::analyzer::sip { namespace zeek::analyzer::sip {
SIP_Analyzer::SIP_Analyzer(zeek::Connection* c) SIP_Analyzer::SIP_Analyzer(Connection* c)
: zeek::analyzer::Analyzer("SIP", c) : analyzer::Analyzer("SIP", c)
{ {
interp = new binpac::SIP::SIP_Conn(this); interp = new binpac::SIP::SIP_Conn(this);
} }
@ -21,7 +21,7 @@ void SIP_Analyzer::Done()
} }
void SIP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, void SIP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const zeek::IP_Hdr* ip, int caplen) uint64_t seq, const IP_Hdr* ip, int caplen)
{ {
bool real_orig = true; bool real_orig = true;
if ( len > 6 && data[0] == 'S' && data[1] == 'I' && data[2] == 'P' && data[3] == '/' ) if ( len > 6 && data[0] == 'S' && data[1] == 'I' && data[2] == 'P' && data[3] == '/' )
@ -39,7 +39,7 @@ void SIP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
} }
catch ( const binpac::Exception& e ) catch ( const binpac::Exception& e )
{ {
ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg())); ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
} }
} }

8
src/analyzer/protocol/sip/SIP.h
View file

@ -7,18 +7,18 @@
namespace zeek::analyzer::sip{ namespace zeek::analyzer::sip{
class SIP_Analyzer final : public zeek::analyzer::Analyzer { class SIP_Analyzer final : public analyzer::Analyzer {
public: public:
explicit SIP_Analyzer(zeek::Connection* conn); explicit SIP_Analyzer(Connection* conn);
~SIP_Analyzer() override; ~SIP_Analyzer() override;
// Overridden from Analyzer // Overridden from Analyzer
void Done() override; void Done() override;
void DeliverPacket(int len, const u_char* data, bool orig, void DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override; uint64_t seq, const IP_Hdr* ip, int caplen) override;
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new SIP_Analyzer(conn); } { return new SIP_Analyzer(conn); }
protected: protected:

14
src/analyzer/protocol/sip/SIP_TCP.cc
View file

@ -9,8 +9,8 @@
namespace zeek::analyzer::sip_tcp { namespace zeek::analyzer::sip_tcp {
SIP_Analyzer::SIP_Analyzer(zeek::Connection* conn) SIP_Analyzer::SIP_Analyzer(Connection* conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("SIP_TCP", conn) : analyzer::tcp::TCP_ApplicationAnalyzer("SIP_TCP", conn)
{ {
interp = new binpac::SIP_TCP::SIP_Conn(this); interp = new binpac::SIP_TCP::SIP_Conn(this);
had_gap = false; had_gap = false;
@ -23,7 +23,7 @@ SIP_Analyzer::~SIP_Analyzer()
void SIP_Analyzer::Done() void SIP_Analyzer::Done()
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); analyzer::tcp::TCP_ApplicationAnalyzer::Done();
interp->FlowEOF(true); interp->FlowEOF(true);
interp->FlowEOF(false); interp->FlowEOF(false);
@ -31,13 +31,13 @@ void SIP_Analyzer::Done()
void SIP_Analyzer::EndpointEOF(bool is_orig) void SIP_Analyzer::EndpointEOF(bool is_orig)
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
interp->FlowEOF(is_orig); interp->FlowEOF(is_orig);
} }
void SIP_Analyzer::DeliverStream(int len, const u_char* data, bool orig) void SIP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
assert(TCP()); assert(TCP());
if ( TCP()->IsPartial() ) if ( TCP()->IsPartial() )
@ -55,13 +55,13 @@ void SIP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
} }
catch ( const binpac::Exception& e ) catch ( const binpac::Exception& e )
{ {
ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg())); ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
} }
} }
void SIP_Analyzer::Undelivered(uint64_t seq, int len, bool orig) void SIP_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
had_gap = true; had_gap = true;
interp->NewGap(orig, len); interp->NewGap(orig, len);
} }

8
src/analyzer/protocol/sip/SIP_TCP.h
View file

@ -11,19 +11,19 @@
namespace zeek::analyzer::sip_tcp { namespace zeek::analyzer::sip_tcp {
class SIP_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { class SIP_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer {
public: public:
explicit SIP_Analyzer(zeek::Connection* conn); explicit SIP_Analyzer(Connection* conn);
~SIP_Analyzer() override; ~SIP_Analyzer() override;
void Done() override; void Done() override;
void DeliverStream(int len, const u_char* data, bool orig) override; void DeliverStream(int len, const u_char* data, bool orig) override;
void Undelivered(uint64_t seq, int len, bool orig) override; void Undelivered(uint64_t seq, int len, bool orig) override;
// Overriden from zeek::analyzer::tcp::TCP_ApplicationAnalyzer. // Overriden from analyzer::tcp::TCP_ApplicationAnalyzer.
void EndpointEOF(bool is_orig) override; void EndpointEOF(bool is_orig) override;
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new SIP_Analyzer(conn); } { return new SIP_Analyzer(conn); }
protected: protected:

6
src/analyzer/protocol/smb/SMB.cc
View file

@ -6,8 +6,8 @@ namespace zeek::analyzer::smb {
// being seen. // being seen.
#define SMB_MAX_LEN (1<<18) #define SMB_MAX_LEN (1<<18)
SMB_Analyzer::SMB_Analyzer(zeek::Connection* conn) SMB_Analyzer::SMB_Analyzer(Connection* conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("SMB", conn) : analyzer::tcp::TCP_ApplicationAnalyzer("SMB", conn)
{ {
chunks=0; chunks=0;
interp = new binpac::SMB::SMB_Conn(this); interp = new binpac::SMB::SMB_Conn(this);
@ -81,7 +81,7 @@ void SMB_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
} }
catch ( const binpac::Exception& e ) catch ( const binpac::Exception& e )
{ {
ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg())); ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
NeedResync(); NeedResync();
} }
} }

6
src/analyzer/protocol/smb/SMB.h
View file

@ -5,9 +5,9 @@
namespace zeek::analyzer::smb { namespace zeek::analyzer::smb {
class SMB_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { class SMB_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer {
public: public:
explicit SMB_Analyzer(zeek::Connection* conn); explicit SMB_Analyzer(Connection* conn);
~SMB_Analyzer() override; ~SMB_Analyzer() override;
void Done() override; void Done() override;
@ -18,7 +18,7 @@ public:
bool HasSMBHeader(int len, const u_char* data); bool HasSMBHeader(int len, const u_char* data);
void NeedResync(); void NeedResync();
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new SMB_Analyzer(conn); } { return new SMB_Analyzer(conn); }
protected: protected:

62
src/analyzer/protocol/smtp/SMTP.cc
View file

@ -26,8 +26,8 @@ static const char* unknown_cmd = "(UNKNOWN)";
namespace zeek::analyzer::smtp { namespace zeek::analyzer::smtp {
SMTP_Analyzer::SMTP_Analyzer(zeek::Connection* conn) SMTP_Analyzer::SMTP_Analyzer(Connection* conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("SMTP", conn) : analyzer::tcp::TCP_ApplicationAnalyzer("SMTP", conn)
{ {
expect_sender = false; expect_sender = false;
expect_recver = true; expect_recver = true;
@ -46,12 +46,12 @@ SMTP_Analyzer::SMTP_Analyzer(zeek::Connection* conn)
line_after_gap = nullptr; line_after_gap = nullptr;
mail = nullptr; mail = nullptr;
UpdateState(first_cmd, 0, true); UpdateState(first_cmd, 0, true);
cl_orig = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, true); cl_orig = new analyzer::tcp::ContentLine_Analyzer(conn, true);
cl_orig->SetIsNULSensitive(true); cl_orig->SetIsNULSensitive(true);
cl_orig->SetSkipPartial(true); cl_orig->SetSkipPartial(true);
AddSupportAnalyzer(cl_orig); AddSupportAnalyzer(cl_orig);
cl_resp = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, false); cl_resp = new analyzer::tcp::ContentLine_Analyzer(conn, false);
cl_resp->SetIsNULSensitive(true); cl_resp->SetIsNULSensitive(true);
cl_resp->SetSkipPartial(true); cl_resp->SetSkipPartial(true);
AddSupportAnalyzer(cl_resp); AddSupportAnalyzer(cl_resp);
@ -59,7 +59,7 @@ SMTP_Analyzer::SMTP_Analyzer(zeek::Connection* conn)
void SMTP_Analyzer::ConnectionFinished(bool half_finished) void SMTP_Analyzer::ConnectionFinished(bool half_finished)
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::ConnectionFinished(half_finished); analyzer::tcp::TCP_ApplicationAnalyzer::ConnectionFinished(half_finished);
if ( ! half_finished && mail ) if ( ! half_finished && mail )
EndData(); EndData();
@ -72,7 +72,7 @@ SMTP_Analyzer::~SMTP_Analyzer()
void SMTP_Analyzer::Done() void SMTP_Analyzer::Done()
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); analyzer::tcp::TCP_ApplicationAnalyzer::Done();
if ( mail ) if ( mail )
EndData(); EndData();
@ -80,12 +80,12 @@ void SMTP_Analyzer::Done()
void SMTP_Analyzer::Undelivered(uint64_t seq, int len, bool is_orig) void SMTP_Analyzer::Undelivered(uint64_t seq, int len, bool is_orig)
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig); analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig);
if ( len <= 0 ) if ( len <= 0 )
return; return;
const char* buf = zeek::util::fmt("seq = %" PRIu64", len = %d", seq, len); const char* buf = util::fmt("seq = %" PRIu64", len = %d", seq, len);
int buf_len = strlen(buf); int buf_len = strlen(buf);
Unexpected(is_orig, "content gap", buf_len, buf); Unexpected(is_orig, "content gap", buf_len, buf);
@ -118,7 +118,7 @@ void SMTP_Analyzer::Undelivered(uint64_t seq, int len, bool is_orig)
void SMTP_Analyzer::DeliverStream(int length, const u_char* line, bool orig) void SMTP_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
{ {
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(length, line, orig); analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(length, line, orig);
// If an TLS transaction has been initiated, forward to child and abort. // If an TLS transaction has been initiated, forward to child and abort.
if ( state == detail::SMTP_IN_TLS ) if ( state == detail::SMTP_IN_TLS )
@ -183,7 +183,7 @@ void SMTP_Analyzer::ProcessLine(int length, const char* line, bool orig)
delete line_after_gap; delete line_after_gap;
line_after_gap = line_after_gap =
new zeek::String((const u_char *) line, length, true); new String((const u_char *) line, length, true);
} }
else if ( state == detail::SMTP_IN_DATA && line[0] == '.' && length == 1 ) else if ( state == detail::SMTP_IN_DATA && line[0] == '.' && length == 1 )
@ -221,8 +221,8 @@ void SMTP_Analyzer::ProcessLine(int length, const char* line, bool orig)
{ {
EnqueueConnEvent(smtp_data, EnqueueConnEvent(smtp_data,
ConnVal(), ConnVal(),
zeek::val_mgr->Bool(orig), val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(data_len, line) make_intrusive<StringVal>(data_len, line)
); );
} }
} }
@ -240,8 +240,8 @@ void SMTP_Analyzer::ProcessLine(int length, const char* line, bool orig)
expect_sender = false; expect_sender = false;
expect_recver = true; expect_recver = true;
zeek::util::get_word(length, line, cmd_len, cmd); util::get_word(length, line, cmd_len, cmd);
line = zeek::util::skip_whitespace(line + cmd_len, end_of_line); line = util::skip_whitespace(line + cmd_len, end_of_line);
cmd_code = ParseCmd(cmd_len, cmd); cmd_code = ParseCmd(cmd_len, cmd);
if ( cmd_code == -1 ) if ( cmd_code == -1 )
@ -299,7 +299,7 @@ void SMTP_Analyzer::ProcessLine(int length, const char* line, bool orig)
{ {
reply_code = -1; reply_code = -1;
Unexpected(is_sender, "reply code out of range", length, line); Unexpected(is_sender, "reply code out of range", length, line);
ProtocolViolation(zeek::util::fmt("reply code %d out of range", ProtocolViolation(util::fmt("reply code %d out of range",
reply_code), line, length); reply_code), line, length);
} }
@ -319,12 +319,12 @@ void SMTP_Analyzer::ProcessLine(int length, const char* line, bool orig)
if ( reply_code >= 0 && length > 3 && line[3] == '-' ) if ( reply_code >= 0 && length > 3 && line[3] == '-' )
{ // A continued reply. { // A continued reply.
pending_reply = reply_code; pending_reply = reply_code;
line = zeek::util::skip_whitespace(line+4, end_of_line); line = util::skip_whitespace(line+4, end_of_line);
} }
else else
{ // This is the end of the reply. { // This is the end of the reply.
line = zeek::util::skip_whitespace(line+3, end_of_line); line = util::skip_whitespace(line+3, end_of_line);
pending_reply = 0; pending_reply = 0;
expect_sender = true; expect_sender = true;
@ -351,11 +351,11 @@ void SMTP_Analyzer::ProcessLine(int length, const char* line, bool orig)
EnqueueConnEvent(smtp_reply, EnqueueConnEvent(smtp_reply,
ConnVal(), ConnVal(),
zeek::val_mgr->Bool(orig), val_mgr->Bool(orig),
zeek::val_mgr->Count(reply_code), val_mgr->Count(reply_code),
zeek::make_intrusive<zeek::StringVal>(cmd), make_intrusive<StringVal>(cmd),
zeek::make_intrusive<zeek::StringVal>(end_of_line - line, line), make_intrusive<StringVal>(end_of_line - line, line),
zeek::val_mgr->Bool((pending_reply > 0)) val_mgr->Bool((pending_reply > 0))
); );
} }
} }
@ -366,7 +366,7 @@ void SMTP_Analyzer::ProcessLine(int length, const char* line, bool orig)
const char* ext; const char* ext;
int ext_len; int ext_len;
zeek::util::get_word(end_of_line - line, line, ext_len, ext); util::get_word(end_of_line - line, line, ext_len, ext);
ProcessExtension(ext_len, ext); ProcessExtension(ext_len, ext);
} }
} }
@ -405,7 +405,7 @@ void SMTP_Analyzer::StartTLS()
RemoveSupportAnalyzer(cl_orig); RemoveSupportAnalyzer(cl_orig);
RemoveSupportAnalyzer(cl_resp); RemoveSupportAnalyzer(cl_resp);
Analyzer* ssl = zeek::analyzer_mgr->InstantiateAnalyzer("SSL", Conn()); Analyzer* ssl = analyzer_mgr->InstantiateAnalyzer("SSL", Conn());
if ( ssl ) if ( ssl )
AddChildAnalyzer(ssl); AddChildAnalyzer(ssl);
@ -855,14 +855,14 @@ void SMTP_Analyzer::RequestEvent(int cmd_len, const char* cmd,
if ( smtp_request ) if ( smtp_request )
{ {
auto cmd_arg = zeek::make_intrusive<zeek::StringVal>(cmd_len, cmd); auto cmd_arg = make_intrusive<StringVal>(cmd_len, cmd);
cmd_arg->ToUpper(); cmd_arg->ToUpper();
EnqueueConnEvent(smtp_request, EnqueueConnEvent(smtp_request,
ConnVal(), ConnVal(),
zeek::val_mgr->Bool(orig_is_sender), val_mgr->Bool(orig_is_sender),
std::move(cmd_arg), std::move(cmd_arg),
zeek::make_intrusive<zeek::StringVal>(arg_len, arg) make_intrusive<StringVal>(arg_len, arg)
); );
} }
} }
@ -881,9 +881,9 @@ void SMTP_Analyzer::Unexpected(bool is_sender, const char* msg,
EnqueueConnEvent(smtp_unexpected, EnqueueConnEvent(smtp_unexpected,
ConnVal(), ConnVal(),
zeek::val_mgr->Bool(is_orig), val_mgr->Bool(is_orig),
zeek::make_intrusive<zeek::StringVal>(msg), make_intrusive<StringVal>(msg),
zeek::make_intrusive<zeek::StringVal>(detail_len, detail) make_intrusive<StringVal>(detail_len, detail)
); );
} }
} }
@ -928,7 +928,7 @@ void SMTP_Analyzer::BeginData(bool orig)
delete mail; delete mail;
} }
mail = new zeek::analyzer::mime::MIME_Mail(this, orig); mail = new analyzer::mime::MIME_Mail(this, orig);
} }
void SMTP_Analyzer::EndData() void SMTP_Analyzer::EndData()

14
src/analyzer/protocol/smtp/SMTP.h
View file

@ -37,9 +37,9 @@ enum SMTP_State {
} // namespace detail } // namespace detail
class SMTP_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { class SMTP_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer {
public: public:
explicit SMTP_Analyzer(zeek::Connection* conn); explicit SMTP_Analyzer(Connection* conn);
~SMTP_Analyzer() override; ~SMTP_Analyzer() override;
void Done() override; void Done() override;
@ -49,7 +49,7 @@ public:
void SkipData() { skip_data = 1; } // skip delivery of data lines void SkipData() { skip_data = 1; } // skip delivery of data lines
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) static analyzer::Analyzer* Instantiate(Connection* conn)
{ {
return new SMTP_Analyzer(conn); return new SMTP_Analyzer(conn);
} }
@ -86,14 +86,14 @@ protected:
int pending_reply; // code assoc. w/ multi-line reply, or 0 int pending_reply; // code assoc. w/ multi-line reply, or 0
std::list<int> pending_cmd_q; // to support pipelining std::list<int> pending_cmd_q; // to support pipelining
bool skip_data; // whether to skip message body bool skip_data; // whether to skip message body
zeek::String* line_after_gap; // last line before the first reply String* line_after_gap; // last line before the first reply
// after a gap // after a gap
zeek::analyzer::mime::MIME_Mail* mail; analyzer::mime::MIME_Mail* mail;
private: private:
zeek::analyzer::tcp::ContentLine_Analyzer* cl_orig; analyzer::tcp::ContentLine_Analyzer* cl_orig;
zeek::analyzer::tcp::ContentLine_Analyzer* cl_resp; analyzer::tcp::ContentLine_Analyzer* cl_resp;
}; };
} // namespace zeek::analyzer::smtp } // namespace zeek::analyzer::smtp

6
src/analyzer/protocol/snmp/SNMP.cc
View file

@ -8,7 +8,7 @@
namespace zeek::analyzer::snmp { namespace zeek::analyzer::snmp {
SNMP_Analyzer::SNMP_Analyzer(zeek::Connection* conn) SNMP_Analyzer::SNMP_Analyzer(Connection* conn)
: Analyzer("SNMP", conn) : Analyzer("SNMP", conn)
{ {
interp = new binpac::SNMP::SNMP_Conn(this); interp = new binpac::SNMP::SNMP_Conn(this);
@ -26,7 +26,7 @@ void SNMP_Analyzer::Done()
} }
void SNMP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, void SNMP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const zeek::IP_Hdr* ip, int caplen) uint64_t seq, const IP_Hdr* ip, int caplen)
{ {
Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
@ -36,7 +36,7 @@ void SNMP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
} }
catch ( const binpac::Exception& e ) catch ( const binpac::Exception& e )
{ {
ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg())); ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
} }
} }

8
src/analyzer/protocol/snmp/SNMP.h
View file

@ -6,18 +6,18 @@
namespace zeek::analyzer::snmp { namespace zeek::analyzer::snmp {
class SNMP_Analyzer final : public zeek::analyzer::Analyzer { class SNMP_Analyzer final : public analyzer::Analyzer {
public: public:
explicit SNMP_Analyzer(zeek::Connection* conn); explicit SNMP_Analyzer(Connection* conn);
virtual ~SNMP_Analyzer(); virtual ~SNMP_Analyzer();
virtual void Done(); virtual void Done();
virtual void DeliverPacket(int len, const u_char* data, bool orig, virtual void DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const zeek::IP_Hdr* ip, int caplen); uint64_t seq, const IP_Hdr* ip, int caplen);
static zeek::analyzer::Analyzer* InstantiateAnalyzer(zeek::Connection* conn) static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
{ return new SNMP_Analyzer(conn); } { return new SNMP_Analyzer(conn); }
protected: protected:

Some files were not shown because too many files have changed in this diff Show more