Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Plugins: Clean up explicit uses of namespaces in places where they're not necessary.

Browse source 
This commit covers all of the plugin classes.
This commit is contained in:
Tim Wojtulewicz 2020-08-21 09:45:16 -07:00
parent fe0c22c789
commit 70c2397f69
169 changed files with 3139 additions and 3141 deletions
Download patch file Download diff file Expand all files Collapse all files

34
src/analyzer/protocol/arp/ARP.cc
View file

@ -76,7 +76,7 @@ ARP_Analyzer::~ARP_Analyzer()
#endif
void ARP_Analyzer::NextPacket(double t, const zeek::Packet* pkt)
void ARP_Analyzer::NextPacket(double t, const Packet* pkt)
{
const u_char *data = pkt->data;
// Check whether the packet is OK ("inspired" in tcpdump's print-arp.c).
@ -180,7 +180,7 @@ void ARP_Analyzer::NextPacket(double t, const zeek::Packet* pkt)
}
}
void ARP_Analyzer::Describe(zeek::ODesc* d) const
void ARP_Analyzer::Describe(ODesc* d) const
{
d->Add("<ARP analyzer>");
d->NL();
@ -191,20 +191,20 @@ void ARP_Analyzer::BadARP(const struct arp_pkthdr* hdr, const char* msg)
if ( ! bad_arp )
return;
zeek::event_mgr.Enqueue(bad_arp,
ToAddrVal(ar_spa(hdr)),
ToEthAddrStr((const u_char*) ar_sha(hdr)),
ToAddrVal(ar_tpa(hdr)),
ToEthAddrStr((const u_char*) ar_tha(hdr)),
zeek::make_intrusive<zeek::StringVal>(msg));
event_mgr.Enqueue(bad_arp,
ToAddrVal(ar_spa(hdr)),
ToEthAddrStr((const u_char*) ar_sha(hdr)),
ToAddrVal(ar_tpa(hdr)),
ToEthAddrStr((const u_char*) ar_tha(hdr)),
make_intrusive<StringVal>(msg));
}
void ARP_Analyzer::Corrupted(const char* msg)
{
zeek::reporter->Weird(msg);
reporter->Weird(msg);
}
void ARP_Analyzer::RREvent(zeek::EventHandlerPtr e,
void ARP_Analyzer::RREvent(EventHandlerPtr e,
const u_char* src, const u_char *dst,
const char* spa, const char* sha,
const char* tpa, const char* tha)
@ -212,7 +212,7 @@ void ARP_Analyzer::RREvent(zeek::EventHandlerPtr e,
if ( ! e )
return;
zeek::event_mgr.Enqueue(e,
event_mgr.Enqueue(e,
ToEthAddrStr(src),
ToEthAddrStr(dst),
ToAddrVal(spa),
@ -221,24 +221,24 @@ void ARP_Analyzer::RREvent(zeek::EventHandlerPtr e,
ToEthAddrStr((const u_char*) tha));
}
zeek::AddrVal* ARP_Analyzer::ConstructAddrVal(const void* addr)
AddrVal* ARP_Analyzer::ConstructAddrVal(const void* addr)
{ return ToAddrVal(addr).release(); }
zeek::AddrValPtr ARP_Analyzer::ToAddrVal(const void* addr)
AddrValPtr ARP_Analyzer::ToAddrVal(const void* addr)
{
// ### For now, we only handle IPv4 addresses.
return zeek::make_intrusive<zeek::AddrVal>(*(const uint32_t*) addr);
return make_intrusive<AddrVal>(*(const uint32_t*) addr);
}
zeek::StringVal* ARP_Analyzer::EthAddrToStr(const u_char* addr)
StringVal* ARP_Analyzer::EthAddrToStr(const u_char* addr)
{ return ToEthAddrStr(addr).release(); }
zeek::StringValPtr ARP_Analyzer::ToEthAddrStr(const u_char* addr)
StringValPtr ARP_Analyzer::ToEthAddrStr(const u_char* addr)
{
char buf[1024];
snprintf(buf, sizeof(buf), "%02x:%02x:%02x:%02x:%02x:%02x",
addr[0], addr[1], addr[2], addr[3], addr[4], addr[5]);
return zeek::make_intrusive<zeek::StringVal>(buf);
return make_intrusive<StringVal>(buf);
}
} // namespace zeek::analyzer::arp

16
src/analyzer/protocol/arp/ARP.h
View file

@ -32,27 +32,27 @@ extern "C" {
namespace zeek::analyzer::arp {
class ARP_Analyzer : public zeek::Obj {
class ARP_Analyzer : public Obj {
public:
ARP_Analyzer();
~ARP_Analyzer() override;
void NextPacket(double t, const zeek::Packet* pkt);
void NextPacket(double t, const Packet* pkt);
void Describe(zeek::ODesc* d) const override;
void RREvent(zeek::EventHandlerPtr e, const u_char* src, const u_char* dst,
void Describe(ODesc* d) const override;
void RREvent(EventHandlerPtr e, const u_char* src, const u_char* dst,
const char* spa, const char* sha,
const char* tpa, const char* tha);
protected:
[[deprecated("Remove in v4.1. Use ToAddrVal().")]]
zeek::AddrVal* ConstructAddrVal(const void* addr);
AddrVal* ConstructAddrVal(const void* addr);
[[deprecated("Remove in v4.1. Use ToEthAddrStr().")]]
zeek::StringVal* EthAddrToStr(const u_char* addr);
StringVal* EthAddrToStr(const u_char* addr);
zeek::AddrValPtr ToAddrVal(const void* addr);
zeek::StringValPtr ToEthAddrStr(const u_char* addr);
AddrValPtr ToAddrVal(const void* addr);
StringValPtr ToEthAddrStr(const u_char* addr);
void BadARP(const struct arp_pkthdr* hdr, const char* string);
void Corrupted(const char* string);
};

6
src/analyzer/protocol/ayiya/AYIYA.cc
View file

@ -4,7 +4,7 @@
namespace zeek::analyzer::ayiya {
AYIYA_Analyzer::AYIYA_Analyzer(zeek::Connection* conn)
AYIYA_Analyzer::AYIYA_Analyzer(Connection* conn)
: Analyzer("AYIYA", conn)
{
interp = new binpac::AYIYA::AYIYA_Conn(this);
@ -21,7 +21,7 @@ void AYIYA_Analyzer::Done()
Event(udp_session_done);
}
void AYIYA_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64_t seq, const zeek::IP_Hdr* ip, int caplen)
void AYIYA_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64_t seq, const IP_Hdr* ip, int caplen)
{
Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
@ -31,7 +31,7 @@ void AYIYA_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint6
}
catch ( const binpac::Exception& e )
{
ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg()));
ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
}
}

8
src/analyzer/protocol/ayiya/AYIYA.h
View file

@ -4,16 +4,16 @@
namespace zeek::analyzer::ayiya {
class AYIYA_Analyzer final : public zeek::analyzer::Analyzer {
class AYIYA_Analyzer final : public analyzer::Analyzer {
public:
explicit AYIYA_Analyzer(zeek::Connection* conn);
explicit AYIYA_Analyzer(Connection* conn);
virtual ~AYIYA_Analyzer();
virtual void Done();
virtual void DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const zeek::IP_Hdr* ip, int caplen);
uint64_t seq, const IP_Hdr* ip, int caplen);
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn)
static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new AYIYA_Analyzer(conn); }
protected:

18
src/analyzer/protocol/bittorrent/BitTorrent.cc
View file

@ -7,8 +7,8 @@
namespace zeek::analyzer::bittorrent {
BitTorrent_Analyzer::BitTorrent_Analyzer(zeek::Connection* c)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("BITTORRENT", c)
BitTorrent_Analyzer::BitTorrent_Analyzer(Connection* c)
: analyzer::tcp::TCP_ApplicationAnalyzer("BITTORRENT", c)
{
interp = new binpac::BitTorrent::BitTorrent_Conn(this);
stop_orig = stop_resp = false;
@ -22,7 +22,7 @@ BitTorrent_Analyzer::~BitTorrent_Analyzer()
void BitTorrent_Analyzer::Done()
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
analyzer::tcp::TCP_ApplicationAnalyzer::Done();
interp->FlowEOF(true);
interp->FlowEOF(false);
@ -33,7 +33,7 @@ void BitTorrent_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
uint64_t& this_stream_len = orig ? stream_len_orig : stream_len_resp;
bool& this_stop = orig ? stop_orig : stop_resp;
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
assert(TCP());
@ -59,7 +59,7 @@ void BitTorrent_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
Parent()->RemoveChildAnalyzer(this);
else
{
DeliverWeird(zeek::util::fmt("Stopping BitTorrent analysis: protocol violation (%s)",
DeliverWeird(util::fmt("Stopping BitTorrent analysis: protocol violation (%s)",
e.c_msg()), orig);
this_stop = true;
if ( stop_orig && stop_resp )
@ -70,7 +70,7 @@ void BitTorrent_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
void BitTorrent_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
// TODO: Code commented out for now. I think that shoving data that
// is definitely wrong into the parser seems like a really bad idea.
@ -112,7 +112,7 @@ void BitTorrent_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
void BitTorrent_Analyzer::EndpointEOF(bool is_orig)
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
interp->FlowEOF(is_orig);
}
@ -121,8 +121,8 @@ void BitTorrent_Analyzer::DeliverWeird(const char* msg, bool orig)
if ( bittorrent_peer_weird )
EnqueueConnEvent(bittorrent_peer_weird,
ConnVal(),
zeek::val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(msg));
val_mgr->Bool(orig),
make_intrusive<StringVal>(msg));
}
} // namespace zeek::analyzer::bittorrent

6
src/analyzer/protocol/bittorrent/BitTorrent.h
View file

@ -8,9 +8,9 @@
namespace zeek::analyzer::bittorrent {
class BitTorrent_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
class BitTorrent_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer {
public:
explicit BitTorrent_Analyzer(zeek::Connection* conn);
explicit BitTorrent_Analyzer(Connection* conn);
~BitTorrent_Analyzer() override;
void Done() override;
@ -18,7 +18,7 @@ public:
void Undelivered(uint64_t seq, int len, bool orig) override;
void EndpointEOF(bool is_orig) override;
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn)
static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new BitTorrent_Analyzer(conn); }
protected:

94
src/analyzer/protocol/bittorrent/BitTorrentTracker.cc
View file

@ -15,27 +15,27 @@
namespace zeek::analyzer::bittorrent {
static zeek::TableTypePtr bt_tracker_headers;
static zeek::RecordTypePtr bittorrent_peer;
static zeek::TableTypePtr bittorrent_peer_set;
static zeek::RecordTypePtr bittorrent_benc_value;
static zeek::TableTypePtr bittorrent_benc_dir;
static TableTypePtr bt_tracker_headers;
static RecordTypePtr bittorrent_peer;
static TableTypePtr bittorrent_peer_set;
static RecordTypePtr bittorrent_benc_value;
static TableTypePtr bittorrent_benc_dir;
BitTorrentTracker_Analyzer::BitTorrentTracker_Analyzer(zeek::Connection* c)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("BITTORRENTTRACKER", c)
BitTorrentTracker_Analyzer::BitTorrentTracker_Analyzer(Connection* c)
: analyzer::tcp::TCP_ApplicationAnalyzer("BITTORRENTTRACKER", c)
{
if ( ! bt_tracker_headers )
{
bt_tracker_headers =
zeek::id::find_type<zeek::TableType>("bt_tracker_headers");
id::find_type<TableType>("bt_tracker_headers");
bittorrent_peer =
zeek::id::find_type<zeek::RecordType>("bittorrent_peer");
id::find_type<RecordType>("bittorrent_peer");
bittorrent_peer_set =
zeek::id::find_type<zeek::TableType>("bittorrent_peer_set");
id::find_type<TableType>("bittorrent_peer_set");
bittorrent_benc_value =
zeek::id::find_type<zeek::RecordType>("bittorrent_benc_value");
id::find_type<RecordType>("bittorrent_benc_value");
bittorrent_benc_dir =
zeek::id::find_type<zeek::TableType>("bittorrent_benc_dir");
id::find_type<TableType>("bittorrent_benc_dir");
}
keep_alive = false;
@ -45,7 +45,7 @@ BitTorrentTracker_Analyzer::BitTorrentTracker_Analyzer(zeek::Connection* c)
req_buf_pos = req_buf;
req_buf_len = 0;
req_val_uri = nullptr;
req_val_headers = new zeek::TableVal(bt_tracker_headers);
req_val_headers = new TableVal(bt_tracker_headers);
res_state = detail::BTT_RES_STATUS;
res_allow_blank_line = false;
@ -53,9 +53,9 @@ BitTorrentTracker_Analyzer::BitTorrentTracker_Analyzer(zeek::Connection* c)
res_buf_pos = res_buf;
res_buf_len = 0;
res_status = 0;
res_val_headers = new zeek::TableVal(bt_tracker_headers);
res_val_peers = new zeek::TableVal(bittorrent_peer_set);
res_val_benc = new zeek::TableVal(bittorrent_benc_dir);
res_val_headers = new TableVal(bt_tracker_headers);
res_val_peers = new TableVal(bittorrent_peer_set);
res_val_benc = new TableVal(bittorrent_benc_dir);
InitBencParser();
@ -78,13 +78,13 @@ BitTorrentTracker_Analyzer::~BitTorrentTracker_Analyzer()
void BitTorrentTracker_Analyzer::Done()
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
analyzer::tcp::TCP_ApplicationAnalyzer::Done();
}
void BitTorrentTracker_Analyzer::DeliverStream(int len, const u_char* data,
bool orig)
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
assert(TCP());
@ -136,7 +136,7 @@ void BitTorrentTracker_Analyzer::ClientRequest(int len, const u_char* data)
req_buf_len -= (req_buf_pos - req_buf);
memmove(req_buf, req_buf_pos, req_buf_len);
req_buf_pos = req_buf;
req_val_headers = new zeek::TableVal(bt_tracker_headers);
req_val_headers = new TableVal(bt_tracker_headers);
}
}
}
@ -198,9 +198,9 @@ void BitTorrentTracker_Analyzer::ServerReply(int len, const u_char* data)
res_buf_pos = res_buf;
res_status = 0;
res_val_headers = new zeek::TableVal(bt_tracker_headers);
res_val_peers = new zeek::TableVal(bittorrent_peer_set);
res_val_benc = new zeek::TableVal(bittorrent_benc_dir);
res_val_headers = new TableVal(bt_tracker_headers);
res_val_peers = new TableVal(bittorrent_peer_set);
res_val_benc = new TableVal(bittorrent_benc_dir);
InitBencParser();
}
@ -208,7 +208,7 @@ void BitTorrentTracker_Analyzer::ServerReply(int len, const u_char* data)
void BitTorrentTracker_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
ProtocolViolation("BitTorrentTracker: cannot recover from content gap");
@ -220,7 +220,7 @@ void BitTorrentTracker_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
void BitTorrentTracker_Analyzer::EndpointEOF(bool is_orig)
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
}
void BitTorrentTracker_Analyzer::InitBencParser(void)
@ -247,8 +247,8 @@ void BitTorrentTracker_Analyzer::DeliverWeird(const char* msg, bool orig)
if ( bt_tracker_weird )
EnqueueConnEvent(bt_tracker_weird,
ConnVal(),
zeek::val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(msg)
val_mgr->Bool(orig),
make_intrusive<StringVal>(msg)
);
}
@ -322,7 +322,7 @@ bool BitTorrentTracker_Analyzer::ParseRequest(char* line)
case detail::BTT_REQ_DONE:
if ( *line )
{
auto msg = zeek::util::fmt("Got post request data: %s\n", line);
auto msg = util::fmt("Got post request data: %s\n", line);
Weird("bittorrent_tracker_data_post_request", msg);
DeliverWeird(msg, true);
}
@ -338,7 +338,7 @@ bool BitTorrentTracker_Analyzer::ParseRequest(char* line)
void BitTorrentTracker_Analyzer::RequestGet(char* uri)
{
req_val_uri = new zeek::StringVal(uri);
req_val_uri = new StringVal(uri);
}
void BitTorrentTracker_Analyzer::EmitRequest(void)
@ -348,8 +348,8 @@ void BitTorrentTracker_Analyzer::EmitRequest(void)
if ( bt_tracker_request )
EnqueueConnEvent(bt_tracker_request,
ConnVal(),
zeek::IntrusivePtr{zeek::AdoptRef{}, req_val_uri},
zeek::IntrusivePtr{zeek::AdoptRef{}, req_val_headers}
IntrusivePtr{AdoptRef{}, req_val_uri},
IntrusivePtr{AdoptRef{}, req_val_headers}
);
req_val_uri = nullptr;
@ -403,8 +403,8 @@ bool BitTorrentTracker_Analyzer::ParseResponse(char* line)
EnqueueConnEvent(
bt_tracker_response_not_ok,
ConnVal(),
zeek::val_mgr->Count(res_status),
zeek::IntrusivePtr{zeek::AdoptRef{}, res_val_headers}
val_mgr->Count(res_status),
IntrusivePtr{AdoptRef{}, res_val_headers}
);
res_val_headers = nullptr;
res_buf_pos = res_buf + res_buf_len;
@ -456,8 +456,8 @@ void BitTorrentTracker_Analyzer::ParseHeader(char* name, char* value,
}
#ifdef BTTRACKER_STORE_HEADERS
zeek::StringVal* name_ = new zeek::StringVal(name);
zeek::StringVal* value_ = new zeek::StringVal(value);
auto* name_ = new StringVal(name);
auto* value_ = new StringVal(value);
(is_request ? req_val_headers : res_val_headers)->Assign(name_, value_);
Unref(name_);
@ -479,17 +479,17 @@ void BitTorrentTracker_Analyzer::ResponseBenc(int name_len, char* name,
uint32_t ad = extract_uint32((u_char*) value);
uint16_t pt = ntohs((value[4] << 8) | value[5]);
auto peer = zeek::make_intrusive<zeek::RecordVal>(bittorrent_peer);
peer->Assign(0, zeek::make_intrusive<zeek::AddrVal>(ad));
peer->Assign(1, zeek::val_mgr->Port(pt, TRANSPORT_TCP));
auto peer = make_intrusive<RecordVal>(bittorrent_peer);
peer->Assign(0, make_intrusive<AddrVal>(ad));
peer->Assign(1, val_mgr->Port(pt, TRANSPORT_TCP));
res_val_peers->Assign(std::move(peer), nullptr);
}
}
else
{
auto name_ = zeek::make_intrusive<zeek::StringVal>(name_len, name);
auto benc_value = zeek::make_intrusive<zeek::RecordVal>(bittorrent_benc_value);
benc_value->Assign(type, zeek::make_intrusive<zeek::StringVal>(value_len, value));
auto name_ = make_intrusive<StringVal>(name_len, name);
auto benc_value = make_intrusive<RecordVal>(bittorrent_benc_value);
benc_value->Assign(type, make_intrusive<StringVal>(value_len, value));
res_val_benc->Assign(std::move(name_), std::move(benc_value));
}
}
@ -497,10 +497,10 @@ void BitTorrentTracker_Analyzer::ResponseBenc(int name_len, char* name,
void BitTorrentTracker_Analyzer::ResponseBenc(int name_len, char* name,
detail::BTT_BencTypes type, bro_int_t value)
{
auto benc_value = zeek::make_intrusive<zeek::RecordVal>(bittorrent_benc_value);
auto name_ = zeek::make_intrusive<zeek::StringVal>(name_len, name);
auto benc_value = make_intrusive<RecordVal>(bittorrent_benc_value);
auto name_ = make_intrusive<StringVal>(name_len, name);
benc_value->Assign(type, zeek::val_mgr->Int(value));
benc_value->Assign(type, val_mgr->Int(value));
res_val_benc->Assign(std::move(name_), std::move(benc_value));
}
@ -785,10 +785,10 @@ void BitTorrentTracker_Analyzer::EmitResponse(void)
if ( bt_tracker_response )
EnqueueConnEvent(bt_tracker_response,
ConnVal(),
zeek::val_mgr->Count(res_status),
zeek::IntrusivePtr{zeek::AdoptRef{}, res_val_headers},
zeek::IntrusivePtr{zeek::AdoptRef{}, res_val_peers},
zeek::IntrusivePtr{zeek::AdoptRef{}, res_val_benc}
val_mgr->Count(res_status),
IntrusivePtr{AdoptRef{}, res_val_headers},
IntrusivePtr{AdoptRef{}, res_val_peers},
IntrusivePtr{AdoptRef{}, res_val_benc}
);
res_val_headers = nullptr;

16
src/analyzer/protocol/bittorrent/BitTorrentTracker.h
View file

@ -47,9 +47,9 @@ enum BTT_BencStates {
} // namespace detail
class BitTorrentTracker_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
class BitTorrentTracker_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer {
public:
explicit BitTorrentTracker_Analyzer(zeek::Connection* conn);
explicit BitTorrentTracker_Analyzer(Connection* conn);
~BitTorrentTracker_Analyzer() override;
void Done() override;
@ -57,7 +57,7 @@ public:
void Undelivered(uint64_t seq, int len, bool orig) override;
void EndpointEOF(bool is_orig) override;
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn)
static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new BitTorrentTracker_Analyzer(conn); }
protected:
@ -96,8 +96,8 @@ protected:
char req_buf[BTTRACKER_BUF];
char* req_buf_pos;
unsigned int req_buf_len;
zeek::StringVal* req_val_uri;
zeek::TableVal* req_val_headers;
StringVal* req_val_uri;
TableVal* req_val_headers;
// Response.
detail::BTT_States res_state;
@ -106,9 +106,9 @@ protected:
char* res_buf_pos;
unsigned int res_buf_len;
bro_uint_t res_status;
zeek::TableVal* res_val_headers;
zeek::TableVal* res_val_peers;
zeek::TableVal* res_val_benc;
TableVal* res_val_headers;
TableVal* res_val_peers;
TableVal* res_val_benc;
std::vector<char> benc_stack;
std::vector<unsigned int> benc_count;

38
src/analyzer/protocol/conn-size/ConnSize.cc
View file

@ -13,7 +13,7 @@
namespace zeek::analyzer::conn_size {
ConnSize_Analyzer::ConnSize_Analyzer(zeek::Connection* c)
ConnSize_Analyzer::ConnSize_Analyzer(Connection* c)
: Analyzer("CONNSIZE", c),
orig_bytes(), resp_bytes(), orig_pkts(), resp_pkts(),
orig_bytes_thresh(), resp_bytes_thresh(), orig_pkts_thresh(), resp_pkts_thresh(), duration_thresh()
@ -46,15 +46,15 @@ void ConnSize_Analyzer::Done()
Analyzer::Done();
}
void ConnSize_Analyzer::ThresholdEvent(zeek::EventHandlerPtr f, uint64_t threshold, bool is_orig)
void ConnSize_Analyzer::ThresholdEvent(EventHandlerPtr f, uint64_t threshold, bool is_orig)
{
if ( ! f )
return;
EnqueueConnEvent(f,
ConnVal(),
zeek::val_mgr->Count(threshold),
zeek::val_mgr->Bool(is_orig)
val_mgr->Count(threshold),
val_mgr->Bool(is_orig)
);
}
@ -91,19 +91,19 @@ void ConnSize_Analyzer::CheckThresholds(bool is_orig)
if ( duration_thresh != 0 )
{
if ( ( zeek::run_state::network_time - start_time ) > duration_thresh && conn_duration_threshold_crossed )
if ( ( run_state::network_time - start_time ) > duration_thresh && conn_duration_threshold_crossed )
{
EnqueueConnEvent(conn_duration_threshold_crossed,
ConnVal(),
zeek::make_intrusive<zeek::IntervalVal>(duration_thresh),
zeek::val_mgr->Bool(is_orig)
make_intrusive<IntervalVal>(duration_thresh),
val_mgr->Bool(is_orig)
);
duration_thresh = 0;
}
}
}
void ConnSize_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, uint64_t seq, const zeek::IP_Hdr* ip, int caplen)
void ConnSize_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, uint64_t seq, const IP_Hdr* ip, int caplen)
{
Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen);
@ -168,26 +168,26 @@ void ConnSize_Analyzer::SetDurationThreshold(double duration)
CheckThresholds(true);
}
void ConnSize_Analyzer::UpdateConnVal(zeek::RecordVal *conn_val)
void ConnSize_Analyzer::UpdateConnVal(RecordVal *conn_val)
{
// RecordType *connection_type is decleared in NetVar.h
zeek::RecordVal* orig_endp = conn_val->GetField("orig")->AsRecordVal();
zeek::RecordVal* resp_endp = conn_val->GetField("resp")->AsRecordVal();
RecordVal* orig_endp = conn_val->GetField("orig")->AsRecordVal();
RecordVal* resp_endp = conn_val->GetField("resp")->AsRecordVal();
// endpoint is the RecordType from NetVar.h
int pktidx = zeek::id::endpoint->FieldOffset("num_pkts");
int bytesidx = zeek::id::endpoint->FieldOffset("num_bytes_ip");
int pktidx = id::endpoint->FieldOffset("num_pkts");
int bytesidx = id::endpoint->FieldOffset("num_bytes_ip");
if ( pktidx < 0 )
zeek::reporter->InternalError("'endpoint' record missing 'num_pkts' field");
reporter->InternalError("'endpoint' record missing 'num_pkts' field");
if ( bytesidx < 0 )
zeek::reporter->InternalError("'endpoint' record missing 'num_bytes_ip' field");
reporter->InternalError("'endpoint' record missing 'num_bytes_ip' field");
orig_endp->Assign(pktidx, zeek::val_mgr->Count(orig_pkts));
orig_endp->Assign(bytesidx, zeek::val_mgr->Count(orig_bytes));
resp_endp->Assign(pktidx, zeek::val_mgr->Count(resp_pkts));
resp_endp->Assign(bytesidx, zeek::val_mgr->Count(resp_bytes));
orig_endp->Assign(pktidx, val_mgr->Count(orig_pkts));
orig_endp->Assign(bytesidx, val_mgr->Count(orig_bytes));
resp_endp->Assign(pktidx, val_mgr->Count(resp_pkts));
resp_endp->Assign(bytesidx, val_mgr->Count(resp_bytes));
Analyzer::UpdateConnVal(conn_val);
}

12
src/analyzer/protocol/conn-size/ConnSize.h
View file

@ -8,16 +8,16 @@
namespace zeek::analyzer::conn_size {
class ConnSize_Analyzer : public zeek::analyzer::Analyzer {
class ConnSize_Analyzer : public analyzer::Analyzer {
public:
explicit ConnSize_Analyzer(zeek::Connection* c);
explicit ConnSize_Analyzer(Connection* c);
~ConnSize_Analyzer() override;
void Init() override;
void Done() override;
// from Analyzer.h
void UpdateConnVal(zeek::RecordVal *conn_val) override;
void UpdateConnVal(RecordVal *conn_val) override;
void FlipRoles() override;
void SetByteAndPacketThreshold(uint64_t threshold, bool bytes, bool orig);
@ -26,15 +26,15 @@ public:
void SetDurationThreshold(double duration);
double GetDurationThreshold() { return duration_thresh; };
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn)
static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new ConnSize_Analyzer(conn); }
protected:
void DeliverPacket(int len, const u_char* data, bool is_orig,
uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override;
uint64_t seq, const IP_Hdr* ip, int caplen) override;
void CheckThresholds(bool is_orig);
void ThresholdEvent(zeek::EventHandlerPtr f, uint64_t threshold, bool is_orig);
void ThresholdEvent(EventHandlerPtr f, uint64_t threshold, bool is_orig);
uint64_t orig_bytes;
uint64_t resp_bytes;

6
src/analyzer/protocol/dce-rpc/DCE_RPC.cc
View file

@ -11,8 +11,8 @@ using namespace std;
namespace zeek::analyzer::dce_rpc {
DCE_RPC_Analyzer::DCE_RPC_Analyzer(zeek::Connection* conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("DCE_RPC", conn)
DCE_RPC_Analyzer::DCE_RPC_Analyzer(Connection* conn)
: analyzer::tcp::TCP_ApplicationAnalyzer("DCE_RPC", conn)
{
had_gap = false;
interp = new binpac::DCE_RPC::DCE_RPC_Conn(this);
@ -61,7 +61,7 @@ void DCE_RPC_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
}
catch ( const binpac::Exception& e )
{
ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg()));
ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
}
}

6
src/analyzer/protocol/dce-rpc/DCE_RPC.h
View file

@ -11,9 +11,9 @@
namespace zeek::analyzer::dce_rpc {
class DCE_RPC_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
class DCE_RPC_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer {
public:
explicit DCE_RPC_Analyzer(zeek::Connection* conn);
explicit DCE_RPC_Analyzer(Connection* conn);
~DCE_RPC_Analyzer() override;
void Done() override;
@ -24,7 +24,7 @@ public:
bool SetFileID(uint64_t fid_in)
{ interp->set_file_id(fid_in); return true; }
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn)
static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new DCE_RPC_Analyzer(conn); }
protected:

6
src/analyzer/protocol/dhcp/DHCP.cc
View file

@ -5,7 +5,7 @@
namespace zeek::analyzer::dhcp {
DHCP_Analyzer::DHCP_Analyzer(zeek::Connection* conn)
DHCP_Analyzer::DHCP_Analyzer(Connection* conn)
: Analyzer("DHCP", conn)
{
interp = new binpac::DHCP::DHCP_Conn(this);
@ -22,7 +22,7 @@ void DHCP_Analyzer::Done()
}
void DHCP_Analyzer::DeliverPacket(int len, const u_char* data,
bool orig, uint64_t seq, const zeek::IP_Hdr* ip, int caplen)
bool orig, uint64_t seq, const IP_Hdr* ip, int caplen)
{
Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
@ -32,7 +32,7 @@ void DHCP_Analyzer::DeliverPacket(int len, const u_char* data,
}
catch ( const binpac::Exception& e )
{
ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg()));
ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
}
}

8
src/analyzer/protocol/dhcp/DHCP.h
View file

@ -6,16 +6,16 @@
namespace zeek::analyzer::dhcp {
class DHCP_Analyzer final : public zeek::analyzer::Analyzer {
class DHCP_Analyzer final : public analyzer::Analyzer {
public:
explicit DHCP_Analyzer(zeek::Connection* conn);
explicit DHCP_Analyzer(Connection* conn);
~DHCP_Analyzer() override;
void Done() override;
void DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override;
uint64_t seq, const IP_Hdr* ip, int caplen) override;
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn)
static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new DHCP_Analyzer(conn); }
protected:

26
src/analyzer/protocol/dnp3/DNP3.cc
View file

@ -113,7 +113,7 @@ namespace detail {
bool DNP3_Base::crc_table_initialized = false;
unsigned int DNP3_Base::crc_table[256];
DNP3_Base::DNP3_Base(zeek::analyzer::Analyzer* arg_analyzer)
DNP3_Base::DNP3_Base(analyzer::Analyzer* arg_analyzer)
{
analyzer = arg_analyzer;
interp = new binpac::DNP3::DNP3_Conn(analyzer);
@ -235,14 +235,14 @@ int DNP3_Base::AddToBuffer(Endpoint* endp, int target_len, const u_char** data,
if ( *len < 0 )
{
zeek::reporter->AnalyzerError(analyzer, "dnp3 negative input length: %d", *len);
reporter->AnalyzerError(analyzer, "dnp3 negative input length: %d", *len);
return -1;
}
if ( target_len < endp->buffer_len )
{
zeek::reporter->AnalyzerError(analyzer, "dnp3 invalid target length: %d - %d",
target_len, endp->buffer_len);
reporter->AnalyzerError(analyzer, "dnp3 invalid target length: %d - %d",
target_len, endp->buffer_len);
return -1;
}
@ -250,8 +250,8 @@ int DNP3_Base::AddToBuffer(Endpoint* endp, int target_len, const u_char** data,
if ( endp->buffer_len + to_copy > MAX_BUFFER_SIZE )
{
zeek::reporter->AnalyzerError(analyzer, "dnp3 buffer length exceeded: %d + %d",
endp->buffer_len, to_copy);
reporter->AnalyzerError(analyzer, "dnp3 buffer length exceeded: %d + %d",
endp->buffer_len, to_copy);
return -1;
}
@ -296,9 +296,9 @@ bool DNP3_Base::ParseAppLayer(Endpoint* endp)
if ( data + n >= endp->buffer + endp->buffer_len )
{
zeek::reporter->AnalyzerError(analyzer,
"dnp3 app layer parsing overflow %d - %d",
endp->buffer_len, n);
reporter->AnalyzerError(analyzer,
"dnp3 app layer parsing overflow %d - %d",
endp->buffer_len, n);
return false;
}
@ -350,7 +350,7 @@ bool DNP3_Base::CheckCRC(int len, const u_char* data, const u_char* crc16, const
if ( crc16[0] == (crc & 0xff) && crc16[1] == (crc & 0xff00) >> 8 )
return true;
analyzer->Weird(zeek::util::fmt("dnp3_corrupt_%s_checksum", where));
analyzer->Weird(util::fmt("dnp3_corrupt_%s_checksum", where));
return false;
}
@ -386,7 +386,7 @@ unsigned int DNP3_Base::CalcCRC(int len, const u_char* data)
}
} // namespace detail
DNP3_TCP_Analyzer::DNP3_TCP_Analyzer(zeek::Connection* c)
DNP3_TCP_Analyzer::DNP3_TCP_Analyzer(Connection* c)
: DNP3_Base(this), TCP_ApplicationAnalyzer("DNP3_TCP", c)
{
}
@ -432,7 +432,7 @@ void DNP3_TCP_Analyzer::EndpointEOF(bool is_orig)
Interpreter()->FlowEOF(is_orig);
}
DNP3_UDP_Analyzer::DNP3_UDP_Analyzer(zeek::Connection* c)
DNP3_UDP_Analyzer::DNP3_UDP_Analyzer(Connection* c)
: DNP3_Base(this), Analyzer("DNP3_UDP", c)
{
}
@ -441,7 +441,7 @@ DNP3_UDP_Analyzer::~DNP3_UDP_Analyzer()
{
}
void DNP3_UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64_t seq, const zeek::IP_Hdr* ip, int caplen)
void DNP3_UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64_t seq, const IP_Hdr* ip, int caplen)
{
Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);

18
src/analyzer/protocol/dnp3/DNP3.h
View file

@ -12,7 +12,7 @@ namespace detail {
class DNP3_Base {
public:
explicit DNP3_Base(zeek::analyzer::Analyzer* analyzer);
explicit DNP3_Base(analyzer::Analyzer* analyzer);
virtual ~DNP3_Base();
binpac::DNP3::DNP3_Conn* Interpreter() { return interp; }
@ -56,7 +56,7 @@ protected:
static bool crc_table_initialized;
static unsigned int crc_table[256];
zeek::analyzer::Analyzer* analyzer;
analyzer::Analyzer* analyzer;
binpac::DNP3::DNP3_Conn* interp;
Endpoint orig_state;
@ -65,9 +65,9 @@ protected:
} // namespace detail
class DNP3_TCP_Analyzer : public detail::DNP3_Base, public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
class DNP3_TCP_Analyzer : public detail::DNP3_Base, public analyzer::tcp::TCP_ApplicationAnalyzer {
public:
explicit DNP3_TCP_Analyzer(zeek::Connection* conn);
explicit DNP3_TCP_Analyzer(Connection* conn);
~DNP3_TCP_Analyzer() override;
void Done() override;
@ -75,19 +75,19 @@ public:
void Undelivered(uint64_t seq, int len, bool orig) override;
void EndpointEOF(bool is_orig) override;
static Analyzer* Instantiate(zeek::Connection* conn)
static Analyzer* Instantiate(Connection* conn)
{ return new DNP3_TCP_Analyzer(conn); }
};
class DNP3_UDP_Analyzer : public detail::DNP3_Base, public zeek::analyzer::Analyzer {
class DNP3_UDP_Analyzer : public detail::DNP3_Base, public analyzer::Analyzer {
public:
explicit DNP3_UDP_Analyzer(zeek::Connection* conn);
explicit DNP3_UDP_Analyzer(Connection* conn);
~DNP3_UDP_Analyzer() override;
void DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override;
uint64_t seq, const IP_Hdr* ip, int caplen) override;
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn)
static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new DNP3_UDP_Analyzer(conn); }
};

420
src/analyzer/protocol/dns/DNS.cc
View file

@ -21,7 +21,7 @@ namespace zeek::analyzer::dns {
namespace detail {
DNS_Interpreter::DNS_Interpreter(zeek::analyzer::Analyzer* arg_analyzer)
DNS_Interpreter::DNS_Interpreter(analyzer::Analyzer* arg_analyzer)
{
analyzer = arg_analyzer;
first_message = true;
@ -52,9 +52,9 @@ void DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query)
if ( dns_message )
analyzer->EnqueueConnEvent(dns_message,
analyzer->ConnVal(),
zeek::val_mgr->Bool(is_query),
val_mgr->Bool(is_query),
msg.BuildHdrVal(),
zeek::val_mgr->Count(len)
val_mgr->Count(len)
);
// There is a great deal of non-DNS traffic that runs on port 53.
@ -91,9 +91,9 @@ void DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query)
int skip_addl = zeek::detail::dns_skip_all_addl;
if ( msg.ancount > 0 )
{ // We did an answer, so can potentially skip auth/addl.
static auto dns_skip_auth = zeek::id::find_val<zeek::TableVal>("dns_skip_auth");
static auto dns_skip_addl = zeek::id::find_val<zeek::TableVal>("dns_skip_addl");
auto server = zeek::make_intrusive<zeek::AddrVal>(analyzer->Conn()->RespAddr());
static auto dns_skip_auth = id::find_val<TableVal>("dns_skip_auth");
static auto dns_skip_addl = id::find_val<TableVal>("dns_skip_addl");
auto server = make_intrusive<AddrVal>(analyzer->Conn()->RespAddr());
skip_auth = skip_auth || msg.nscount == 0 ||
dns_skip_auth->FindOrDefault(server);
@ -183,7 +183,7 @@ bool DNS_Interpreter::ParseQuestion(detail::DNS_MsgInfo* msg,
return false;
}
zeek::EventHandlerPtr dns_event = nullptr;
EventHandlerPtr dns_event = nullptr;
if ( msg->QR == 0 )
dns_event = dns_request;
@ -198,14 +198,14 @@ bool DNS_Interpreter::ParseQuestion(detail::DNS_MsgInfo* msg,
if ( dns_event && ! msg->skip_event )
{
zeek::String* original_name = new zeek::String(name, name_end - name, true);
String* original_name = new String(name, name_end - name, true);
// Downcase the Name to normalize it
for ( u_char* np = name; np < name_end; ++np )
if ( isupper(*np) )
*np = tolower(*np);
zeek::String* question_name = new zeek::String(name, name_end - name, true);
String* question_name = new String(name, name_end - name, true);
SendReplyOrRejectEvent(msg, dns_event, data, len, question_name, original_name);
}
@ -240,7 +240,7 @@ bool DNS_Interpreter::ParseAnswer(detail::DNS_MsgInfo* msg,
// Note that the exact meaning of some of these fields will be
// re-interpreted by other, more adventurous RR types.
msg->query_name = zeek::make_intrusive<zeek::StringVal>(new zeek::String(name, name_end - name, true));
msg->query_name = make_intrusive<StringVal>(new String(name, name_end - name, true));
msg->atype = detail::RR_Type(ExtractShort(data, len));
msg->aclass = ExtractShort(data, len);
msg->ttl = ExtractLong(data, len);
@ -352,7 +352,7 @@ bool DNS_Interpreter::ParseAnswer(detail::DNS_MsgInfo* msg,
msg->BuildAnswerVal()
);
analyzer->Weird("DNS_RR_unknown_type", zeek::util::fmt("%d", msg->atype));
analyzer->Weird("DNS_RR_unknown_type", util::fmt("%d", msg->atype));
data += rdlength;
len -= rdlength;
status = true;
@ -538,7 +538,7 @@ bool DNS_Interpreter::ParseRR_Name(detail::DNS_MsgInfo* msg,
analyzer->Weird("DNS_RR_length_mismatch");
}
zeek::EventHandlerPtr reply_event;
EventHandlerPtr reply_event;
switch ( msg->atype ) {
case detail::TYPE_NS:
reply_event = dns_NS_reply;
@ -564,7 +564,7 @@ bool DNS_Interpreter::ParseRR_Name(detail::DNS_MsgInfo* msg,
analyzer->ConnVal(),
msg->BuildHdrVal(),
msg->BuildAnswerVal(),
zeek::make_intrusive<zeek::StringVal>(new zeek::String(name, name_end - name, true))
make_intrusive<StringVal>(new String(name, name_end - name, true))
);
return true;
@ -604,15 +604,15 @@ bool DNS_Interpreter::ParseRR_SOA(detail::DNS_MsgInfo* msg,
if ( dns_SOA_reply && ! msg->skip_event )
{
static auto dns_soa = zeek::id::find_type<zeek::RecordType>("dns_soa");
auto r = zeek::make_intrusive<zeek::RecordVal>(dns_soa);
r->Assign(0, zeek::make_intrusive<zeek::StringVal>(new zeek::String(mname, mname_end - mname, true)));
r->Assign(1, zeek::make_intrusive<zeek::StringVal>(new zeek::String(rname, rname_end - rname, true)));
r->Assign(2, zeek::val_mgr->Count(serial));
r->Assign(3, zeek::make_intrusive<zeek::IntervalVal>(double(refresh), Seconds));
r->Assign(4, zeek::make_intrusive<zeek::IntervalVal>(double(retry), Seconds));
r->Assign(5, zeek::make_intrusive<zeek::IntervalVal>(double(expire), Seconds));
r->Assign(6, zeek::make_intrusive<zeek::IntervalVal>(double(minimum), Seconds));
static auto dns_soa = id::find_type<RecordType>("dns_soa");
auto r = make_intrusive<RecordVal>(dns_soa);
r->Assign(0, make_intrusive<StringVal>(new String(mname, mname_end - mname, true)));
r->Assign(1, make_intrusive<StringVal>(new String(rname, rname_end - rname, true)));
r->Assign(2, val_mgr->Count(serial));
r->Assign(3, make_intrusive<IntervalVal>(double(refresh), Seconds));
r->Assign(4, make_intrusive<IntervalVal>(double(retry), Seconds));
r->Assign(5, make_intrusive<IntervalVal>(double(expire), Seconds));
r->Assign(6, make_intrusive<IntervalVal>(double(minimum), Seconds));
analyzer->EnqueueConnEvent(dns_SOA_reply,
analyzer->ConnVal(),
@ -648,8 +648,8 @@ bool DNS_Interpreter::ParseRR_MX(detail::DNS_MsgInfo* msg,
analyzer->ConnVal(),
msg->BuildHdrVal(),
msg->BuildAnswerVal(),
zeek::make_intrusive<zeek::StringVal>(new zeek::String(name, name_end - name, true)),
zeek::val_mgr->Count(preference)
make_intrusive<StringVal>(new String(name, name_end - name, true)),
val_mgr->Count(preference)
);
return true;
@ -689,10 +689,10 @@ bool DNS_Interpreter::ParseRR_SRV(detail::DNS_MsgInfo* msg,
analyzer->ConnVal(),
msg->BuildHdrVal(),
msg->BuildAnswerVal(),
zeek::make_intrusive<zeek::StringVal>(new zeek::String(name, name_end - name, true)),
zeek::val_mgr->Count(priority),
zeek::val_mgr->Count(weight),
zeek::val_mgr->Count(port)
make_intrusive<StringVal>(new String(name, name_end - name, true)),
val_mgr->Count(priority),
val_mgr->Count(weight),
val_mgr->Count(port)
);
return true;
@ -740,9 +740,9 @@ bool DNS_Interpreter::ParseRR_EDNS(detail::DNS_MsgInfo* msg,
// IPv6 address, depending on FAMILY, which MUST be truncated to the
// number of bits indicated by the SOURCE PREFIX-LENGTH field,
// padding with 0 bits to pad to the end of the last octet needed.
if ( ecs_family == zeek::L3_IPV4 )
if ( ecs_family == L3_IPV4 )
{
opt.ecs_family = zeek::make_intrusive<zeek::StringVal>("v4");
opt.ecs_family = make_intrusive<StringVal>("v4");
uint32_t addr = 0;
for (uint16_t shift_factor = 3; option_len > 0; option_len--)
{
@ -751,11 +751,11 @@ bool DNS_Interpreter::ParseRR_EDNS(detail::DNS_MsgInfo* msg,
shift_factor--;
}
addr = htonl(addr);
opt.ecs_addr = zeek::make_intrusive<zeek::AddrVal>(addr);
opt.ecs_addr = make_intrusive<AddrVal>(addr);
}
else if ( ecs_family == zeek::L3_IPV6 )
else if ( ecs_family == L3_IPV6 )
{
opt.ecs_family = zeek::make_intrusive<zeek::StringVal>("v6");
opt.ecs_family = make_intrusive<StringVal>("v6");
uint32_t addr[4] = { 0 };
for (uint16_t i = 0, shift_factor = 15; option_len > 0; option_len--)
{
@ -769,7 +769,7 @@ bool DNS_Interpreter::ParseRR_EDNS(detail::DNS_MsgInfo* msg,
{
addr[i] = htonl(addr[i]);
}
opt.ecs_addr = zeek::make_intrusive<zeek::AddrVal>(addr);
opt.ecs_addr = make_intrusive<AddrVal>(addr);
}
else
{
@ -872,23 +872,23 @@ bool DNS_Interpreter::ParseRR_EDNS(detail::DNS_MsgInfo* msg,
}
void DNS_Interpreter::ExtractOctets(const u_char*& data, int& len,
zeek::String** p)
String** p)
{
uint16_t dlen = ExtractShort(data, len);
dlen = min(len, static_cast<int>(dlen));
if ( p )
*p = new zeek::String(data, dlen, false);
*p = new String(data, dlen, false);
data += dlen;
len -= dlen;
}
zeek::String* DNS_Interpreter::ExtractStream(const u_char*& data, int& len, int l)
String* DNS_Interpreter::ExtractStream(const u_char*& data, int& len, int l)
{
l = max(l, 0);
int dlen = min(len, l); // Len in bytes of the algorithm use
auto rval = new zeek::String(data, dlen, false);
auto rval = new String(data, dlen, false);
data += dlen;
len -= dlen;
@ -912,7 +912,7 @@ bool DNS_Interpreter::ParseRR_TSIG(detail::DNS_MsgInfo* msg,
uint32_t sign_time_sec = ExtractLong(data, len);
unsigned int sign_time_msec = ExtractShort(data, len);
unsigned int fudge = ExtractShort(data, len);
zeek::String* request_MAC;
String* request_MAC;
ExtractOctets(data, len, dns_TSIG_addl ? &request_MAC : nullptr);
unsigned int orig_id = ExtractShort(data, len);
unsigned int rr_error = ExtractShort(data, len);
@ -922,7 +922,7 @@ bool DNS_Interpreter::ParseRR_TSIG(detail::DNS_MsgInfo* msg,
{
detail::TSIG_DATA tsig;
tsig.alg_name =
new zeek::String(alg_name, alg_name_end - alg_name, true);
new String(alg_name, alg_name_end - alg_name, true);
tsig.sig = request_MAC;
tsig.time_s = sign_time_sec;
tsig.time_ms = sign_time_msec;
@ -976,11 +976,11 @@ bool DNS_Interpreter::ParseRR_RRSIG(detail::DNS_MsgInfo* msg,
int sig_len = rdlength - ((data - data_start) + 18);
detail::DNSSEC_Algo dsa = detail::DNSSEC_Algo(algo);
zeek::String* sign = ExtractStream(data, len, sig_len);
String* sign = ExtractStream(data, len, sig_len);
switch ( dsa ) {
case detail::RSA_MD5:
analyzer->Weird("DNSSEC_RRSIG_NotRecommended_ZoneSignAlgo", zeek::util::fmt("%d", algo));
analyzer->Weird("DNSSEC_RRSIG_NotRecommended_ZoneSignAlgo", util::fmt("%d", algo));
break;
case detail::Diffie_Hellman:
break;
@ -1005,16 +1005,16 @@ bool DNS_Interpreter::ParseRR_RRSIG(detail::DNS_MsgInfo* msg,
case detail::ECDSA_curveP384withSHA384:
break;
case detail::Indirect:
analyzer->Weird("DNSSEC_RRSIG_Indirect_ZoneSignAlgo", zeek::util::fmt("%d", algo));
analyzer->Weird("DNSSEC_RRSIG_Indirect_ZoneSignAlgo", util::fmt("%d", algo));
break;
case detail::PrivateDNS:
analyzer->Weird("DNSSEC_RRSIG_PrivateDNS_ZoneSignAlgo", zeek::util::fmt("%d", algo));
analyzer->Weird("DNSSEC_RRSIG_PrivateDNS_ZoneSignAlgo", util::fmt("%d", algo));
break;
case detail::PrivateOID:
analyzer->Weird("DNSSEC_RRSIG_PrivateOID_ZoneSignAlgo", zeek::util::fmt("%d", algo));
analyzer->Weird("DNSSEC_RRSIG_PrivateOID_ZoneSignAlgo", util::fmt("%d", algo));
break;
default:
analyzer->Weird("DNSSEC_RRSIG_unknown_ZoneSignAlgo", zeek::util::fmt("%d", algo));
analyzer->Weird("DNSSEC_RRSIG_unknown_ZoneSignAlgo", util::fmt("%d", algo));
break;
}
@ -1028,7 +1028,7 @@ bool DNS_Interpreter::ParseRR_RRSIG(detail::DNS_MsgInfo* msg,
rrsig.sig_exp = sign_exp;
rrsig.sig_incep = sign_incp;
rrsig.key_tag = key_tag;
rrsig.signer_name = new zeek::String(name, name_end - name, true);
rrsig.signer_name = new String(name, name_end - name, true);
rrsig.signature = sign;
analyzer->EnqueueConnEvent(dns_RRSIG,
@ -1063,24 +1063,24 @@ bool DNS_Interpreter::ParseRR_DNSKEY(detail::DNS_MsgInfo* msg,
unsigned int dalgorithm = proto_algo & 0xff;
detail::DNSSEC_Algo dsa = detail::DNSSEC_Algo(dalgorithm);
//Evaluating the size of remaining bytes for Public Key
zeek::String* key = ExtractStream(data, len, rdlength - 4);
String* key = ExtractStream(data, len, rdlength - 4);
// flags bit 7: zone key
// flags bit 8: revoked
// flags bit 15: Secure Entry Point, key signing key
if ( (dflags & 0xfe7e) != 0 )
analyzer->Weird("DNSSEC_DNSKEY_Invalid_Flag", zeek::util::fmt("%d", dflags));
analyzer->Weird("DNSSEC_DNSKEY_Invalid_Flag", util::fmt("%d", dflags));
// flags bit 7, 8, and 15 all set
if ( (dflags & 0x0181) == 0x0181 )
analyzer->Weird("DNSSEC_DNSKEY_Revoked_KSK", zeek::util::fmt("%d", dflags));
analyzer->Weird("DNSSEC_DNSKEY_Revoked_KSK", util::fmt("%d", dflags));
if ( dprotocol != 3 )
analyzer->Weird("DNSSEC_DNSKEY_Invalid_Protocol", zeek::util::fmt("%d", dprotocol));
analyzer->Weird("DNSSEC_DNSKEY_Invalid_Protocol", util::fmt("%d", dprotocol));
switch ( dsa ) {
case detail::RSA_MD5:
analyzer->Weird("DNSSEC_DNSKEY_NotRecommended_ZoneSignAlgo", zeek::util::fmt("%d", dalgorithm));
analyzer->Weird("DNSSEC_DNSKEY_NotRecommended_ZoneSignAlgo", util::fmt("%d", dalgorithm));
break;
case detail::Diffie_Hellman:
break;
@ -1105,16 +1105,16 @@ bool DNS_Interpreter::ParseRR_DNSKEY(detail::DNS_MsgInfo* msg,
case detail::ECDSA_curveP384withSHA384:
break;
case detail::Indirect:
analyzer->Weird("DNSSEC_DNSKEY_Indirect_ZoneSignAlgo", zeek::util::fmt("%d", dalgorithm));
analyzer->Weird("DNSSEC_DNSKEY_Indirect_ZoneSignAlgo", util::fmt("%d", dalgorithm));
break;
case detail::PrivateDNS:
analyzer->Weird("DNSSEC_DNSKEY_PrivateDNS_ZoneSignAlgo", zeek::util::fmt("%d", dalgorithm));
analyzer->Weird("DNSSEC_DNSKEY_PrivateDNS_ZoneSignAlgo", util::fmt("%d", dalgorithm));
break;
case detail::PrivateOID:
analyzer->Weird("DNSSEC_DNSKEY_PrivateOID_ZoneSignAlgo", zeek::util::fmt("%d", dalgorithm));
analyzer->Weird("DNSSEC_DNSKEY_PrivateOID_ZoneSignAlgo", util::fmt("%d", dalgorithm));
break;
default:
analyzer->Weird("DNSSEC_DNSKEY_unknown_ZoneSignAlgo", zeek::util::fmt("%d", dalgorithm));
analyzer->Weird("DNSSEC_DNSKEY_unknown_ZoneSignAlgo", util::fmt("%d", dalgorithm));
break;
}
@ -1158,7 +1158,7 @@ bool DNS_Interpreter::ParseRR_NSEC(detail::DNS_MsgInfo* msg,
int typebitmaps_len = rdlength - (data - data_start);
auto char_strings = zeek::make_intrusive<zeek::VectorVal>(zeek::id::string_vec);
auto char_strings = make_intrusive<VectorVal>(id::string_vec);
while ( typebitmaps_len > 0 && len > 0 )
{
@ -1168,12 +1168,12 @@ bool DNS_Interpreter::ParseRR_NSEC(detail::DNS_MsgInfo* msg,
if ( bmlen == 0 )
{
analyzer->Weird("DNSSEC_NSEC_bitmapLen0", zeek::util::fmt("%d", win_blck));
analyzer->Weird("DNSSEC_NSEC_bitmapLen0", util::fmt("%d", win_blck));
break;
}
zeek::String* bitmap = ExtractStream(data, len, bmlen);
char_strings->Assign(char_strings->Size(), zeek::make_intrusive<zeek::StringVal>(bitmap));
String* bitmap = ExtractStream(data, len, bmlen);
char_strings->Assign(char_strings->Size(), make_intrusive<StringVal>(bitmap));
typebitmaps_len = typebitmaps_len - (2 + bmlen);
}
@ -1182,7 +1182,7 @@ bool DNS_Interpreter::ParseRR_NSEC(detail::DNS_MsgInfo* msg,
analyzer->ConnVal(),
msg->BuildHdrVal(),
msg->BuildAnswerVal(),
zeek::make_intrusive<zeek::StringVal>(new zeek::String(name, name_end - name, true)),
make_intrusive<StringVal>(new String(name, name_end - name, true)),
std::move(char_strings)
);
@ -1233,7 +1233,7 @@ bool DNS_Interpreter::ParseRR_NSEC3(detail::DNS_MsgInfo* msg,
int typebitmaps_len = rdlength - (data - data_start);
auto char_strings = zeek::make_intrusive<zeek::VectorVal>(zeek::id::string_vec);
auto char_strings = make_intrusive<VectorVal>(id::string_vec);
while ( typebitmaps_len > 0 && len > 0 )
{
@ -1243,12 +1243,12 @@ bool DNS_Interpreter::ParseRR_NSEC3(detail::DNS_MsgInfo* msg,
if ( bmlen == 0 )
{
analyzer->Weird("DNSSEC_NSEC3_bitmapLen0", zeek::util::fmt("%d", win_blck));
analyzer->Weird("DNSSEC_NSEC3_bitmapLen0", util::fmt("%d", win_blck));
break;
}
zeek::String* bitmap = ExtractStream(data, len, bmlen);
char_strings->Assign(char_strings->Size(), zeek::make_intrusive<zeek::StringVal>(bitmap));
String* bitmap = ExtractStream(data, len, bmlen);
char_strings->Assign(char_strings->Size(), make_intrusive<StringVal>(bitmap));
typebitmaps_len = typebitmaps_len - (2 + bmlen);
}
@ -1295,7 +1295,7 @@ bool DNS_Interpreter::ParseRR_DS(detail::DNS_MsgInfo* msg,
unsigned int ds_algo = (ds_algo_dtype >> 8) & 0xff;
unsigned int ds_dtype = ds_algo_dtype & 0xff;
detail::DNSSEC_Digest ds_digest_type = detail::DNSSEC_Digest(ds_dtype);
zeek::String* ds_digest = ExtractStream(data, len, rdlength - 4);
String* ds_digest = ExtractStream(data, len, rdlength - 4);
switch ( ds_digest_type ) {
case detail::SHA1:
@ -1307,10 +1307,10 @@ bool DNS_Interpreter::ParseRR_DS(detail::DNS_MsgInfo* msg,
case detail::SHA384:
break;
case detail::reserved:
analyzer->Weird("DNSSEC_DS_ResrevedDigestType", zeek::util::fmt("%d", ds_dtype));
analyzer->Weird("DNSSEC_DS_ResrevedDigestType", util::fmt("%d", ds_dtype));
break;
default:
analyzer->Weird("DNSSEC_DS_unknown_DigestType", zeek::util::fmt("%d", ds_dtype));
analyzer->Weird("DNSSEC_DS_unknown_DigestType", util::fmt("%d", ds_dtype));
break;
}
@ -1349,7 +1349,7 @@ bool DNS_Interpreter::ParseRR_A(detail::DNS_MsgInfo* msg,
analyzer->ConnVal(),
msg->BuildHdrVal(),
msg->BuildAnswerVal(),
zeek::make_intrusive<zeek::AddrVal>(htonl(addr))
make_intrusive<AddrVal>(htonl(addr))
);
return true;
@ -1374,7 +1374,7 @@ bool DNS_Interpreter::ParseRR_AAAA(detail::DNS_MsgInfo* msg,
}
}
zeek::EventHandlerPtr event;
EventHandlerPtr event;
if ( msg->atype == detail::TYPE_AAAA )
event = dns_AAAA_reply;
else
@ -1385,7 +1385,7 @@ bool DNS_Interpreter::ParseRR_AAAA(detail::DNS_MsgInfo* msg,
analyzer->ConnVal(),
msg->BuildHdrVal(),
msg->BuildAnswerVal(),
zeek::make_intrusive<zeek::AddrVal>(addr)
make_intrusive<AddrVal>(addr)
);
return true;
@ -1409,8 +1409,8 @@ bool DNS_Interpreter::ParseRR_HINFO(detail::DNS_MsgInfo* msg,
return true;
}
static zeek::StringValPtr
extract_char_string(zeek::analyzer::Analyzer* analyzer,
static StringValPtr
extract_char_string(analyzer::Analyzer* analyzer,
const u_char*& data, int& len, int& rdlen)
{
if ( rdlen <= 0 )
@ -1428,7 +1428,7 @@ extract_char_string(zeek::analyzer::Analyzer* analyzer,
return nullptr;
}
auto rval = zeek::make_intrusive<zeek::StringVal>(str_size, reinterpret_cast<const char*>(data));
auto rval = make_intrusive<StringVal>(str_size, reinterpret_cast<const char*>(data));
rdlen -= str_size;
len -= str_size;
@ -1448,8 +1448,8 @@ bool DNS_Interpreter::ParseRR_TXT(detail::DNS_MsgInfo* msg,
return true;
}
auto char_strings = zeek::make_intrusive<zeek::VectorVal>(zeek::id::string_vec);
zeek::StringValPtr char_string;
auto char_strings = make_intrusive<VectorVal>(id::string_vec);
StringValPtr char_string;
while ( (char_string = extract_char_string(analyzer, data, len, rdlength)) )
char_strings->Assign(char_strings->Size(), std::move(char_string));
@ -1476,8 +1476,8 @@ bool DNS_Interpreter::ParseRR_SPF(detail::DNS_MsgInfo* msg,
return true;
}
auto char_strings = zeek::make_intrusive<zeek::VectorVal>(zeek::id::string_vec);
zeek::StringValPtr char_string;
auto char_strings = make_intrusive<VectorVal>(id::string_vec);
StringValPtr char_string;
while ( (char_string = extract_char_string(analyzer, data, len, rdlength)) )
char_strings->Assign(char_strings->Size(), std::move(char_string));
@ -1513,11 +1513,11 @@ bool DNS_Interpreter::ParseRR_CAA(detail::DNS_MsgInfo* msg,
analyzer->Weird("DNS_CAA_char_str_past_rdlen");
return false;
}
zeek::String* tag = new zeek::String(data, tagLen, true);
String* tag = new String(data, tagLen, true);
len -= tagLen;
data += tagLen;
rdlength -= tagLen;
zeek::String* value = new zeek::String(data, rdlength, false);
String* value = new String(data, rdlength, false);
len -= value->Len();
data += value->Len();
@ -1528,9 +1528,9 @@ bool DNS_Interpreter::ParseRR_CAA(detail::DNS_MsgInfo* msg,
analyzer->ConnVal(),
msg->BuildHdrVal(),
msg->BuildAnswerVal(),
zeek::val_mgr->Count(flags),
zeek::make_intrusive<zeek::StringVal>(tag),
zeek::make_intrusive<zeek::StringVal>(value)
val_mgr->Count(flags),
make_intrusive<StringVal>(tag),
make_intrusive<StringVal>(value)
);
else
{
@ -1543,10 +1543,10 @@ bool DNS_Interpreter::ParseRR_CAA(detail::DNS_MsgInfo* msg,
void DNS_Interpreter::SendReplyOrRejectEvent(detail::DNS_MsgInfo* msg,
zeek::EventHandlerPtr event,
EventHandlerPtr event,
const u_char*& data, int& len,
zeek::String* question_name,
zeek::String* original_name)
String* question_name,
String* original_name)
{
detail::RR_Type qtype = detail::RR_Type(ExtractShort(data, len));
int qclass = ExtractShort(data, len);
@ -1556,10 +1556,10 @@ void DNS_Interpreter::SendReplyOrRejectEvent(detail::DNS_MsgInfo* msg,
analyzer->EnqueueConnEvent(event,
analyzer->ConnVal(),
msg->BuildHdrVal(),
zeek::make_intrusive<zeek::StringVal>(question_name),
zeek::val_mgr->Count(qtype),
zeek::val_mgr->Count(qclass),
zeek::make_intrusive<zeek::StringVal>(original_name)
make_intrusive<StringVal>(question_name),
val_mgr->Count(qtype),
val_mgr->Count(qclass),
make_intrusive<StringVal>(original_name)
);
}
@ -1594,57 +1594,57 @@ DNS_MsgInfo::DNS_MsgInfo(DNS_RawMsgHdr* hdr, int arg_is_query)
skip_event = 0;
}
zeek::RecordValPtr DNS_MsgInfo::BuildHdrVal()
RecordValPtr DNS_MsgInfo::BuildHdrVal()
{
static auto dns_msg = zeek::id::find_type<zeek::RecordType>("dns_msg");
auto r = zeek::make_intrusive<zeek::RecordVal>(dns_msg);
static auto dns_msg = id::find_type<RecordType>("dns_msg");
auto r = make_intrusive<RecordVal>(dns_msg);
r->Assign(0, zeek::val_mgr->Count(id));
r->Assign(1, zeek::val_mgr->Count(opcode));
r->Assign(2, zeek::val_mgr->Count(rcode));
r->Assign(3, zeek::val_mgr->Bool(QR));
r->Assign(4, zeek::val_mgr->Bool(AA));
r->Assign(5, zeek::val_mgr->Bool(TC));
r->Assign(6, zeek::val_mgr->Bool(RD));
r->Assign(7, zeek::val_mgr->Bool(RA));
r->Assign(8, zeek::val_mgr->Count(Z));
r->Assign(9, zeek::val_mgr->Count(qdcount));
r->Assign(10, zeek::val_mgr->Count(ancount));
r->Assign(11, zeek::val_mgr->Count(nscount));
r->Assign(12, zeek::val_mgr->Count(arcount));
r->Assign(0, val_mgr->Count(id));
r->Assign(1, val_mgr->Count(opcode));
r->Assign(2, val_mgr->Count(rcode));
r->Assign(3, val_mgr->Bool(QR));
r->Assign(4, val_mgr->Bool(AA));
r->Assign(5, val_mgr->Bool(TC));
r->Assign(6, val_mgr->Bool(RD));
r->Assign(7, val_mgr->Bool(RA));
r->Assign(8, val_mgr->Count(Z));
r->Assign(9, val_mgr->Count(qdcount));
r->Assign(10, val_mgr->Count(ancount));
r->Assign(11, val_mgr->Count(nscount));
r->Assign(12, val_mgr->Count(arcount));
return r;
}
zeek::RecordValPtr DNS_MsgInfo::BuildAnswerVal()
RecordValPtr DNS_MsgInfo::BuildAnswerVal()
{
static auto dns_answer = zeek::id::find_type<zeek::RecordType>("dns_answer");
auto r = zeek::make_intrusive<zeek::RecordVal>(dns_answer);
static auto dns_answer = id::find_type<RecordType>("dns_answer");
auto r = make_intrusive<RecordVal>(dns_answer);
r->Assign(0, zeek::val_mgr->Count(int(answer_type)));
r->Assign(0, val_mgr->Count(int(answer_type)));
r->Assign(1, query_name);
r->Assign(2, zeek::val_mgr->Count(atype));
r->Assign(3, zeek::val_mgr->Count(aclass));
r->Assign(4, zeek::make_intrusive<zeek::IntervalVal>(double(ttl), Seconds));
r->Assign(2, val_mgr->Count(atype));
r->Assign(3, val_mgr->Count(aclass));
r->Assign(4, make_intrusive<IntervalVal>(double(ttl), Seconds));
return r;
}
zeek::RecordValPtr DNS_MsgInfo::BuildEDNS_Val()
RecordValPtr DNS_MsgInfo::BuildEDNS_Val()
{
// We have to treat the additional record type in EDNS differently
// than a regular resource record.
static auto dns_edns_additional = zeek::id::find_type<zeek::RecordType>("dns_edns_additional");
auto r = zeek::make_intrusive<zeek::RecordVal>(dns_edns_additional);
static auto dns_edns_additional = id::find_type<RecordType>("dns_edns_additional");
auto r = make_intrusive<RecordVal>(dns_edns_additional);
r->Assign(0, zeek::val_mgr->Count(int(answer_type)));
r->Assign(0, val_mgr->Count(int(answer_type)));
r->Assign(1, query_name);
// type = 0x29 or 41 = EDNS
r->Assign(2, zeek::val_mgr->Count(atype));
r->Assign(2, val_mgr->Count(atype));
// sender's UDP payload size, per RFC 2671 4.3
r->Assign(3, zeek::val_mgr->Count(aclass));
r->Assign(3, val_mgr->Count(aclass));
// Need to break the TTL field into three components:
// initial: [------------- ttl (32) ---------------------]
@ -1657,150 +1657,150 @@ zeek::RecordValPtr DNS_MsgInfo::BuildEDNS_Val()
unsigned int return_error = (ercode << 8) | rcode;
r->Assign(4, zeek::val_mgr->Count(return_error));
r->Assign(5, zeek::val_mgr->Count(version));
r->Assign(6, zeek::val_mgr->Count(z));
r->Assign(7, zeek::make_intrusive<zeek::IntervalVal>(double(ttl), Seconds));
r->Assign(8, zeek::val_mgr->Count(is_query));
r->Assign(4, val_mgr->Count(return_error));
r->Assign(5, val_mgr->Count(version));
r->Assign(6, val_mgr->Count(z));
r->Assign(7, make_intrusive<IntervalVal>(double(ttl), Seconds));
r->Assign(8, val_mgr->Count(is_query));
return r;
}
zeek::RecordValPtr DNS_MsgInfo::BuildEDNS_ECS_Val(struct EDNS_ECS* opt)
RecordValPtr DNS_MsgInfo::BuildEDNS_ECS_Val(struct EDNS_ECS* opt)
{
static auto dns_edns_ecs = zeek::id::find_type<zeek::RecordType>("dns_edns_ecs");
auto r = zeek::make_intrusive<zeek::RecordVal>(dns_edns_ecs);
static auto dns_edns_ecs = id::find_type<RecordType>("dns_edns_ecs");
auto r = make_intrusive<RecordVal>(dns_edns_ecs);
r->Assign(0, opt->ecs_family);
r->Assign(1, zeek::val_mgr->Count(opt->ecs_src_pfx_len));
r->Assign(2, zeek::val_mgr->Count(opt->ecs_scp_pfx_len));
r->Assign(1, val_mgr->Count(opt->ecs_src_pfx_len));
r->Assign(2, val_mgr->Count(opt->ecs_scp_pfx_len));
r->Assign(3, opt->ecs_addr);
return r;
}
zeek::RecordValPtr DNS_MsgInfo::BuildEDNS_TCP_KA_Val(struct EDNS_TCP_KEEPALIVE* opt)
RecordValPtr DNS_MsgInfo::BuildEDNS_TCP_KA_Val(struct EDNS_TCP_KEEPALIVE* opt)
{
static auto dns_edns_tcp_keepalive = zeek::id::find_type<zeek::RecordType>("dns_edns_tcp_keepalive");
auto r = zeek::make_intrusive<zeek::RecordVal>(dns_edns_tcp_keepalive);
static auto dns_edns_tcp_keepalive = id::find_type<RecordType>("dns_edns_tcp_keepalive");
auto r = make_intrusive<RecordVal>(dns_edns_tcp_keepalive);
r->Assign(0, zeek::val_mgr->Bool(opt->keepalive_timeout_omitted));
r->Assign(1, zeek::val_mgr->Count(opt->keepalive_timeout));
r->Assign(0, val_mgr->Bool(opt->keepalive_timeout_omitted));
r->Assign(1, val_mgr->Count(opt->keepalive_timeout));
return r;
}
zeek::RecordValPtr DNS_MsgInfo::BuildEDNS_COOKIE_Val(struct EDNS_COOKIE* opt)
RecordValPtr DNS_MsgInfo::BuildEDNS_COOKIE_Val(struct EDNS_COOKIE* opt)
{
static auto dns_edns_cookie = zeek::id::find_type<zeek::RecordType>("dns_edns_cookie");
auto r = zeek::make_intrusive<zeek::RecordVal>(dns_edns_cookie);
static auto dns_edns_cookie = id::find_type<RecordType>("dns_edns_cookie");
auto r = make_intrusive<RecordVal>(dns_edns_cookie);
r->Assign(0, zeek::make_intrusive<zeek::StringVal>(opt->client_cookie));
r->Assign(0, make_intrusive<StringVal>(opt->client_cookie));
if (opt->server_cookie != nullptr) {
r->Assign(1, zeek::make_intrusive<zeek::StringVal>(opt->server_cookie));
r->Assign(1, make_intrusive<StringVal>(opt->server_cookie));
}
return r;
}
zeek::RecordValPtr DNS_MsgInfo::BuildTSIG_Val(struct TSIG_DATA* tsig)
RecordValPtr DNS_MsgInfo::BuildTSIG_Val(struct TSIG_DATA* tsig)
{
static auto dns_tsig_additional = zeek::id::find_type<zeek::RecordType>("dns_tsig_additional");
auto r = zeek::make_intrusive<zeek::RecordVal>(dns_tsig_additional);
static auto dns_tsig_additional = id::find_type<RecordType>("dns_tsig_additional");
auto r = make_intrusive<RecordVal>(dns_tsig_additional);
double rtime = tsig->time_s + tsig->time_ms / 1000.0;
// r->Assign(0, zeek::val_mgr->Count(int(answer_type)));
// r->Assign(0, val_mgr->Count(int(answer_type)));
r->Assign(0, query_name);
r->Assign(1, zeek::val_mgr->Count(int(answer_type)));
r->Assign(2, zeek::make_intrusive<zeek::StringVal>(tsig->alg_name));
r->Assign(3, zeek::make_intrusive<zeek::StringVal>(tsig->sig));
r->Assign(4, zeek::make_intrusive<zeek::TimeVal>(rtime));
r->Assign(5, zeek::make_intrusive<zeek::TimeVal>(double(tsig->fudge)));
r->Assign(6, zeek::val_mgr->Count(tsig->orig_id));
r->Assign(7, zeek::val_mgr->Count(tsig->rr_error));
r->Assign(8, zeek::val_mgr->Count(is_query));
r->Assign(1, val_mgr->Count(int(answer_type)));
r->Assign(2, make_intrusive<StringVal>(tsig->alg_name));
r->Assign(3, make_intrusive<StringVal>(tsig->sig));
r->Assign(4, make_intrusive<TimeVal>(rtime));
r->Assign(5, make_intrusive<TimeVal>(double(tsig->fudge)));
r->Assign(6, val_mgr->Count(tsig->orig_id));
r->Assign(7, val_mgr->Count(tsig->rr_error));
r->Assign(8, val_mgr->Count(is_query));
return r;
}
zeek::RecordValPtr DNS_MsgInfo::BuildRRSIG_Val(RRSIG_DATA* rrsig)
RecordValPtr DNS_MsgInfo::BuildRRSIG_Val(RRSIG_DATA* rrsig)
{
static auto dns_rrsig_rr = zeek::id::find_type<zeek::RecordType>("dns_rrsig_rr");
auto r = zeek::make_intrusive<zeek::RecordVal>(dns_rrsig_rr);
static auto dns_rrsig_rr = id::find_type<RecordType>("dns_rrsig_rr");
auto r = make_intrusive<RecordVal>(dns_rrsig_rr);
r->Assign(0, query_name);
r->Assign(1, zeek::val_mgr->Count(int(answer_type)));
r->Assign(2, zeek::val_mgr->Count(rrsig->type_covered));
r->Assign(3, zeek::val_mgr->Count(rrsig->algorithm));
r->Assign(4, zeek::val_mgr->Count(rrsig->labels));
r->Assign(5, zeek::make_intrusive<zeek::IntervalVal>(double(rrsig->orig_ttl), Seconds));
r->Assign(6, zeek::make_intrusive<zeek::TimeVal>(double(rrsig->sig_exp)));
r->Assign(7, zeek::make_intrusive<zeek::TimeVal>(double(rrsig->sig_incep)));
r->Assign(8, zeek::val_mgr->Count(rrsig->key_tag));
r->Assign(9, zeek::make_intrusive<zeek::StringVal>(rrsig->signer_name));
r->Assign(10, zeek::make_intrusive<zeek::StringVal>(rrsig->signature));
r->Assign(11, zeek::val_mgr->Count(is_query));
r->Assign(1, val_mgr->Count(int(answer_type)));
r->Assign(2, val_mgr->Count(rrsig->type_covered));
r->Assign(3, val_mgr->Count(rrsig->algorithm));
r->Assign(4, val_mgr->Count(rrsig->labels));
r->Assign(5, make_intrusive<IntervalVal>(double(rrsig->orig_ttl), Seconds));
r->Assign(6, make_intrusive<TimeVal>(double(rrsig->sig_exp)));
r->Assign(7, make_intrusive<TimeVal>(double(rrsig->sig_incep)));
r->Assign(8, val_mgr->Count(rrsig->key_tag));
r->Assign(9, make_intrusive<StringVal>(rrsig->signer_name));
r->Assign(10, make_intrusive<StringVal>(rrsig->signature));
r->Assign(11, val_mgr->Count(is_query));
return r;
}
zeek::RecordValPtr DNS_MsgInfo::BuildDNSKEY_Val(DNSKEY_DATA* dnskey)
RecordValPtr DNS_MsgInfo::BuildDNSKEY_Val(DNSKEY_DATA* dnskey)
{
static auto dns_dnskey_rr = zeek::id::find_type<zeek::RecordType>("dns_dnskey_rr");
auto r = zeek::make_intrusive<zeek::RecordVal>(dns_dnskey_rr);
static auto dns_dnskey_rr = id::find_type<RecordType>("dns_dnskey_rr");
auto r = make_intrusive<RecordVal>(dns_dnskey_rr);
r->Assign(0, query_name);
r->Assign(1, zeek::val_mgr->Count(int(answer_type)));
r->Assign(2, zeek::val_mgr->Count(dnskey->dflags));
r->Assign(3, zeek::val_mgr->Count(dnskey->dprotocol));
r->Assign(4, zeek::val_mgr->Count(dnskey->dalgorithm));
r->Assign(5, zeek::make_intrusive<zeek::StringVal>(dnskey->public_key));
r->Assign(6, zeek::val_mgr->Count(is_query));
r->Assign(1, val_mgr->Count(int(answer_type)));
r->Assign(2, val_mgr->Count(dnskey->dflags));
r->Assign(3, val_mgr->Count(dnskey->dprotocol));
r->Assign(4, val_mgr->Count(dnskey->dalgorithm));
r->Assign(5, make_intrusive<StringVal>(dnskey->public_key));
r->Assign(6, val_mgr->Count(is_query));
return r;
}
zeek::RecordValPtr DNS_MsgInfo::BuildNSEC3_Val(NSEC3_DATA* nsec3)
RecordValPtr DNS_MsgInfo::BuildNSEC3_Val(NSEC3_DATA* nsec3)
{
static auto dns_nsec3_rr = zeek::id::find_type<zeek::RecordType>("dns_nsec3_rr");
auto r = zeek::make_intrusive<zeek::RecordVal>(dns_nsec3_rr);
static auto dns_nsec3_rr = id::find_type<RecordType>("dns_nsec3_rr");
auto r = make_intrusive<RecordVal>(dns_nsec3_rr);
r->Assign(0, query_name);
r->Assign(1, zeek::val_mgr->Count(int(answer_type)));
r->Assign(2, zeek::val_mgr->Count(nsec3->nsec_flags));
r->Assign(3, zeek::val_mgr->Count(nsec3->nsec_hash_algo));
r->Assign(4, zeek::val_mgr->Count(nsec3->nsec_iter));
r->Assign(5, zeek::val_mgr->Count(nsec3->nsec_salt_len));
r->Assign(6, zeek::make_intrusive<zeek::StringVal>(nsec3->nsec_salt));
r->Assign(7, zeek::val_mgr->Count(nsec3->nsec_hlen));
r->Assign(8, zeek::make_intrusive<zeek::StringVal>(nsec3->nsec_hash));
r->Assign(1, val_mgr->Count(int(answer_type)));
r->Assign(2, val_mgr->Count(nsec3->nsec_flags));
r->Assign(3, val_mgr->Count(nsec3->nsec_hash_algo));
r->Assign(4, val_mgr->Count(nsec3->nsec_iter));
r->Assign(5, val_mgr->Count(nsec3->nsec_salt_len));
r->Assign(6, make_intrusive<StringVal>(nsec3->nsec_salt));
r->Assign(7, val_mgr->Count(nsec3->nsec_hlen));
r->Assign(8, make_intrusive<StringVal>(nsec3->nsec_hash));
r->Assign(9, std::move(nsec3->bitmaps));
r->Assign(10, zeek::val_mgr->Count(is_query));
r->Assign(10, val_mgr->Count(is_query));
return r;
}
zeek::RecordValPtr DNS_MsgInfo::BuildDS_Val(DS_DATA* ds)
RecordValPtr DNS_MsgInfo::BuildDS_Val(DS_DATA* ds)
{
static auto dns_ds_rr = zeek::id::find_type<zeek::RecordType>("dns_ds_rr");
auto r = zeek::make_intrusive<zeek::RecordVal>(dns_ds_rr);
static auto dns_ds_rr = id::find_type<RecordType>("dns_ds_rr");
auto r = make_intrusive<RecordVal>(dns_ds_rr);
r->Assign(0, query_name);
r->Assign(1, zeek::val_mgr->Count(int(answer_type)));
r->Assign(2, zeek::val_mgr->Count(ds->key_tag));
r->Assign(3, zeek::val_mgr->Count(ds->algorithm));
r->Assign(4, zeek::val_mgr->Count(ds->digest_type));
r->Assign(5, zeek::make_intrusive<zeek::StringVal>(ds->digest_val));
r->Assign(6, zeek::val_mgr->Count(is_query));
r->Assign(1, val_mgr->Count(int(answer_type)));
r->Assign(2, val_mgr->Count(ds->key_tag));
r->Assign(3, val_mgr->Count(ds->algorithm));
r->Assign(4, val_mgr->Count(ds->digest_type));
r->Assign(5, make_intrusive<StringVal>(ds->digest_val));
r->Assign(6, val_mgr->Count(is_query));
return r;
}
} // namespace detail
Contents_DNS::Contents_DNS(zeek::Connection* conn, bool orig,
Contents_DNS::Contents_DNS(Connection* conn, bool orig,
detail::DNS_Interpreter* arg_interp)
: zeek::analyzer::tcp::TCP_SupportAnalyzer("CONTENTS_DNS", conn, orig)
: analyzer::tcp::TCP_SupportAnalyzer("CONTENTS_DNS", conn, orig)
{
interp = arg_interp;
@ -1856,13 +1856,13 @@ void Contents_DNS::ProcessChunk(int& len, const u_char*& data, bool orig)
if ( buf_len < msg_size )
{
buf_len = msg_size;
msg_buf = (u_char*) zeek::util::safe_realloc((void*) msg_buf, buf_len);
msg_buf = (u_char*) util::safe_realloc((void*) msg_buf, buf_len);
}
}
else
{
buf_len = msg_size;
msg_buf = (u_char*) zeek::util::safe_malloc(buf_len);
msg_buf = (u_char*) util::safe_malloc(buf_len);
}
++data;
@ -1892,8 +1892,8 @@ void Contents_DNS::ProcessChunk(int& len, const u_char*& data, bool orig)
state = detail::DNS_LEN_HI;
}
DNS_Analyzer::DNS_Analyzer(zeek::Connection* conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("DNS", conn)
DNS_Analyzer::DNS_Analyzer(Connection* conn)
: analyzer::tcp::TCP_ApplicationAnalyzer("DNS", conn)
{
interp = new detail::DNS_Interpreter(this);
contents_dns_orig = contents_dns_resp = nullptr;
@ -1908,7 +1908,7 @@ DNS_Analyzer::DNS_Analyzer(zeek::Connection* conn)
else
{
ADD_ANALYZER_TIMER(&DNS_Analyzer::ExpireTimer,
zeek::run_state::network_time + zeek::detail::dns_session_timeout, true,
run_state::network_time + zeek::detail::dns_session_timeout, true,
zeek::detail::TIMER_DNS_EXPIRE);
}
}
@ -1924,7 +1924,7 @@ void DNS_Analyzer::Init()
void DNS_Analyzer::Done()
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
analyzer::tcp::TCP_ApplicationAnalyzer::Done();
if ( Conn()->ConnTransport() == TRANSPORT_UDP )
Event(udp_session_done);
@ -1933,18 +1933,18 @@ void DNS_Analyzer::Done()
}
void DNS_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const zeek::IP_Hdr* ip, int caplen)
uint64_t seq, const IP_Hdr* ip, int caplen)
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
analyzer::tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
interp->ParseMessage(data, len, orig ? 1 : 0);
}
void DNS_Analyzer::ConnectionClosed(zeek::analyzer::tcp::TCP_Endpoint* endpoint,
zeek::analyzer::tcp::TCP_Endpoint* peer,
void DNS_Analyzer::ConnectionClosed(analyzer::tcp::TCP_Endpoint* endpoint,
analyzer::tcp::TCP_Endpoint* peer,
bool gen_event)
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::ConnectionClosed(endpoint, peer, gen_event);
analyzer::tcp::TCP_ApplicationAnalyzer::ConnectionClosed(endpoint, peer, gen_event);
assert(contents_dns_orig && contents_dns_resp);
contents_dns_orig->Flush();
@ -1956,10 +1956,10 @@ void DNS_Analyzer::ExpireTimer(double t)
// The - 1.0 in the following is to allow 1 second for the
// common case of a single request followed by a single reply,
// so we don't needlessly set the timer twice in that case.
if ( t - Conn()->LastTime() >= zeek::detail::dns_session_timeout - 1.0 || zeek::run_state::terminating )
if ( t - Conn()->LastTime() >= zeek::detail::dns_session_timeout - 1.0 || run_state::terminating )
{
Event(connection_timeout);
zeek::sessions->Remove(Conn());
sessions->Remove(Conn());
}
else
ADD_ANALYZER_TIMER(&DNS_Analyzer::ExpireTimer,

76
src/analyzer/protocol/dns/DNS.h
View file

@ -152,10 +152,10 @@ struct EDNS_ADDITIONAL { // size
};
struct EDNS_ECS {
zeek::StringValPtr ecs_family; ///< EDNS client subnet address family
StringValPtr ecs_family; ///< EDNS client subnet address family
uint16_t ecs_src_pfx_len; ///< EDNS client subnet source prefix length
uint16_t ecs_scp_pfx_len; ///< EDNS client subnet scope prefix length
zeek::IntrusivePtr<zeek::AddrVal> ecs_addr; ///< EDNS client subnet address
IntrusivePtr<AddrVal> ecs_addr; ///< EDNS client subnet address
};
struct EDNS_TCP_KEEPALIVE {
@ -169,10 +169,10 @@ struct EDNS_COOKIE {
};
struct TSIG_DATA {
zeek::String* alg_name;
String* alg_name;
unsigned long time_s;
unsigned short time_ms;
zeek::String* sig;
String* sig;
unsigned short fudge;
unsigned short orig_id;
unsigned short rr_error;
@ -186,15 +186,15 @@ struct RRSIG_DATA {
unsigned long sig_exp; // 32
unsigned long sig_incep; // 32
unsigned short key_tag; //16
zeek::String* signer_name;
zeek::String* signature;
String* signer_name;
String* signature;
};
struct DNSKEY_DATA {
unsigned short dflags; // 16 : ExtractShort(data, len)
unsigned short dalgorithm; // 8
unsigned short dprotocol; // 8
zeek::String* public_key; // Variable lenght Public Key
String* public_key; // Variable lenght Public Key
};
struct NSEC3_DATA {
@ -202,34 +202,34 @@ struct NSEC3_DATA {
unsigned short nsec_hash_algo;
unsigned short nsec_iter;
unsigned short nsec_salt_len;
zeek::String* nsec_salt;
String* nsec_salt;
unsigned short nsec_hlen;
zeek::String* nsec_hash;
zeek::VectorValPtr bitmaps;
String* nsec_hash;
VectorValPtr bitmaps;
};
struct DS_DATA {
unsigned short key_tag; // 16 : ExtractShort(data, len)
unsigned short algorithm; // 8
unsigned short digest_type; // 8
zeek::String* digest_val; // Variable lenght Digest of DNSKEY RR
String* digest_val; // Variable lenght Digest of DNSKEY RR
};
class DNS_MsgInfo {
public:
DNS_MsgInfo(DNS_RawMsgHdr* hdr, int is_query);
zeek::RecordValPtr BuildHdrVal();
zeek::RecordValPtr BuildAnswerVal();
zeek::RecordValPtr BuildEDNS_Val();
zeek::RecordValPtr BuildEDNS_ECS_Val(struct EDNS_ECS*);
zeek::RecordValPtr BuildEDNS_TCP_KA_Val(struct EDNS_TCP_KEEPALIVE*);
zeek::RecordValPtr BuildEDNS_COOKIE_Val(struct EDNS_COOKIE*);
zeek::RecordValPtr BuildTSIG_Val(struct TSIG_DATA*);
zeek::RecordValPtr BuildRRSIG_Val(struct RRSIG_DATA*);
zeek::RecordValPtr BuildDNSKEY_Val(struct DNSKEY_DATA*);
zeek::RecordValPtr BuildNSEC3_Val(struct NSEC3_DATA*);
zeek::RecordValPtr BuildDS_Val(struct DS_DATA*);
RecordValPtr BuildHdrVal();
RecordValPtr BuildAnswerVal();
RecordValPtr BuildEDNS_Val();
RecordValPtr BuildEDNS_ECS_Val(struct EDNS_ECS*);
RecordValPtr BuildEDNS_TCP_KA_Val(struct EDNS_TCP_KEEPALIVE*);
RecordValPtr BuildEDNS_COOKIE_Val(struct EDNS_COOKIE*);
RecordValPtr BuildTSIG_Val(struct TSIG_DATA*);
RecordValPtr BuildRRSIG_Val(struct RRSIG_DATA*);
RecordValPtr BuildDNSKEY_Val(struct DNSKEY_DATA*);
RecordValPtr BuildNSEC3_Val(struct NSEC3_DATA*);
RecordValPtr BuildDS_Val(struct DS_DATA*);
int id;
int opcode; ///< query type, see DNS_Opcode
@ -246,7 +246,7 @@ public:
int arcount; ///< number of additional RRs
int is_query; ///< whether it came from the session initiator
zeek::StringValPtr query_name;
StringValPtr query_name;
RR_Type atype;
int aclass; ///< normally = 1, inet
uint32_t ttl;
@ -261,7 +261,7 @@ public:
class DNS_Interpreter {
public:
explicit DNS_Interpreter(zeek::analyzer::Analyzer* analyzer);
explicit DNS_Interpreter(analyzer::Analyzer* analyzer);
void ParseMessage(const u_char* data, int len, int is_query);
@ -292,9 +292,9 @@ protected:
uint16_t ExtractShort(const u_char*& data, int& len);
uint32_t ExtractLong(const u_char*& data, int& len);
void ExtractOctets(const u_char*& data, int& len, zeek::String** p);
void ExtractOctets(const u_char*& data, int& len, String** p);
zeek::String* ExtractStream(const u_char*& data, int& len, int sig_len);
String* ExtractStream(const u_char*& data, int& len, int sig_len);
bool ParseRR_Name(detail::DNS_MsgInfo* msg,
const u_char*& data, int& len, int rdlength,
@ -352,12 +352,12 @@ protected:
bool ParseRR_DS(detail::DNS_MsgInfo* msg,
const u_char*& data, int& len, int rdlength,
const u_char* msg_start);
void SendReplyOrRejectEvent(detail::DNS_MsgInfo* msg, zeek::EventHandlerPtr event,
void SendReplyOrRejectEvent(detail::DNS_MsgInfo* msg, EventHandlerPtr event,
const u_char*& data, int& len,
zeek::String* question_name,
zeek::String* original_name);
String* question_name,
String* original_name);
zeek::analyzer::Analyzer* analyzer;
analyzer::Analyzer* analyzer;
bool first_message;
};
@ -371,9 +371,9 @@ enum TCP_DNS_state {
// Support analyzer which chunks the TCP stream into "packets".
// ### This should be merged with TCP_Contents_RPC.
class Contents_DNS final : public zeek::analyzer::tcp::TCP_SupportAnalyzer {
class Contents_DNS final : public analyzer::tcp::TCP_SupportAnalyzer {
public:
Contents_DNS(zeek::Connection* c, bool orig, detail::DNS_Interpreter* interp);
Contents_DNS(Connection* c, bool orig, detail::DNS_Interpreter* interp);
~Contents_DNS() override;
void Flush(); ///< process any partially-received data
@ -394,21 +394,21 @@ protected:
};
// Works for both TCP and UDP.
class DNS_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
class DNS_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer {
public:
explicit DNS_Analyzer(zeek::Connection* conn);
explicit DNS_Analyzer(Connection* conn);
~DNS_Analyzer() override;
void DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override;
uint64_t seq, const IP_Hdr* ip, int caplen) override;
void Init() override;
void Done() override;
void ConnectionClosed(zeek::analyzer::tcp::TCP_Endpoint* endpoint,
zeek::analyzer::tcp::TCP_Endpoint* peer, bool gen_event) override;
void ConnectionClosed(analyzer::tcp::TCP_Endpoint* endpoint,
analyzer::tcp::TCP_Endpoint* peer, bool gen_event) override;
void ExpireTimer(double t);
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn)
static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new DNS_Analyzer(conn); }
protected:

40
src/analyzer/protocol/file/File.cc
View file

@ -11,7 +11,7 @@
namespace zeek::analyzer::file {
File_Analyzer::File_Analyzer(const char* name, zeek::Connection* conn)
File_Analyzer::File_Analyzer(const char* name, Connection* conn)
: TCP_ApplicationAnalyzer(name, conn)
{
buffer_len = 0;
@ -19,7 +19,7 @@ File_Analyzer::File_Analyzer(const char* name, zeek::Connection* conn)
void File_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
int n = std::min(len, BUFFER_SIZE - buffer_len);
@ -33,11 +33,11 @@ void File_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
}
if ( orig )
file_id_orig = zeek::file_mgr->DataIn(data, len, GetAnalyzerTag(), Conn(),
orig, file_id_orig);
file_id_orig = file_mgr->DataIn(data, len, GetAnalyzerTag(), Conn(),
orig, file_id_orig);
else
file_id_resp = zeek::file_mgr->DataIn(data, len, GetAnalyzerTag(), Conn(),
orig, file_id_resp);
file_id_resp = file_mgr->DataIn(data, len, GetAnalyzerTag(), Conn(),
orig, file_id_resp);
}
void File_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
@ -45,35 +45,35 @@ void File_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
if ( orig )
file_id_orig = zeek::file_mgr->Gap(seq, len, GetAnalyzerTag(), Conn(), orig,
file_id_orig);
file_id_orig = file_mgr->Gap(seq, len, GetAnalyzerTag(), Conn(), orig,
file_id_orig);
else
file_id_resp = zeek::file_mgr->Gap(seq, len, GetAnalyzerTag(), Conn(), orig,
file_id_resp);
file_id_resp = file_mgr->Gap(seq, len, GetAnalyzerTag(), Conn(), orig,
file_id_resp);
}
void File_Analyzer::Done()
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
analyzer::tcp::TCP_ApplicationAnalyzer::Done();
if ( buffer_len && buffer_len != BUFFER_SIZE )
Identify();
if ( ! file_id_orig.empty() )
zeek::file_mgr->EndOfFile(file_id_orig);
file_mgr->EndOfFile(file_id_orig);
else
zeek::file_mgr->EndOfFile(GetAnalyzerTag(), Conn(), true);
file_mgr->EndOfFile(GetAnalyzerTag(), Conn(), true);
if ( ! file_id_resp.empty() )
zeek::file_mgr->EndOfFile(file_id_resp);
file_mgr->EndOfFile(file_id_resp);
else
zeek::file_mgr->EndOfFile(GetAnalyzerTag(), Conn(), false);
file_mgr->EndOfFile(GetAnalyzerTag(), Conn(), false);
}
void File_Analyzer::Identify()
{
zeek::detail::RuleMatcher::MIME_Matches matches;
zeek::file_mgr->DetectMIME(reinterpret_cast<const u_char*>(buffer), buffer_len,
detail::RuleMatcher::MIME_Matches matches;
file_mgr->DetectMIME(reinterpret_cast<const u_char*>(buffer), buffer_len,
&matches);
std::string match = matches.empty() ? "<unknown>"
: *(matches.begin()->second.begin());
@ -82,9 +82,9 @@ void File_Analyzer::Identify()
EnqueueConnEvent(
file_transferred,
ConnVal(),
zeek::make_intrusive<zeek::StringVal>(buffer_len, buffer),
zeek::make_intrusive<zeek::StringVal>("<unknown>"),
zeek::make_intrusive<zeek::StringVal>(match)
make_intrusive<StringVal>(buffer_len, buffer),
make_intrusive<StringVal>("<unknown>"),
make_intrusive<StringVal>(match)
);
}

14
src/analyzer/protocol/file/File.h
View file

@ -8,9 +8,9 @@
namespace zeek::analyzer::file {
class File_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
class File_Analyzer : public analyzer::tcp::TCP_ApplicationAnalyzer {
public:
File_Analyzer(const char* name, zeek::Connection* conn);
File_Analyzer(const char* name, Connection* conn);
void Done() override;
@ -18,7 +18,7 @@ public:
void Undelivered(uint64_t seq, int len, bool orig) override;
// static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn)
// static analyzer::Analyzer* Instantiate(Connection* conn)
// { return new File_Analyzer(conn); }
protected:
@ -33,21 +33,21 @@ protected:
class IRC_Data : public File_Analyzer {
public:
explicit IRC_Data(zeek::Connection* conn)
explicit IRC_Data(Connection* conn)
: File_Analyzer("IRC_Data", conn)
{ }
static Analyzer* Instantiate(zeek::Connection* conn)
static Analyzer* Instantiate(Connection* conn)
{ return new IRC_Data(conn); }
};
class FTP_Data : public File_Analyzer {
public:
explicit FTP_Data(zeek::Connection* conn)
explicit FTP_Data(Connection* conn)
: File_Analyzer("FTP_Data", conn)
{ }
static Analyzer* Instantiate(zeek::Connection* conn)
static Analyzer* Instantiate(Connection* conn)
{ return new FTP_Data(conn); }
};

26
src/analyzer/protocol/finger/Finger.cc
View file

@ -13,25 +13,25 @@
namespace zeek::analyzer::finger {
Finger_Analyzer::Finger_Analyzer(zeek::Connection* conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("FINGER", conn)
Finger_Analyzer::Finger_Analyzer(Connection* conn)
: analyzer::tcp::TCP_ApplicationAnalyzer("FINGER", conn)
{
did_deliver = 0;
content_line_orig = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, true, 1000);
content_line_orig = new analyzer::tcp::ContentLine_Analyzer(conn, true, 1000);
content_line_orig->SetIsNULSensitive(true);
content_line_resp = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, false, 1000);
content_line_resp = new analyzer::tcp::ContentLine_Analyzer(conn, false, 1000);
AddSupportAnalyzer(content_line_orig);
AddSupportAnalyzer(content_line_resp);
}
void Finger_Analyzer::Done()
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
analyzer::tcp::TCP_ApplicationAnalyzer::Done();
if ( TCP() )
if ( (! did_deliver || content_line_orig->HasPartialLine()) &&
(TCP()->OrigState() == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED ||
TCP()->OrigPrevState() == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED) )
(TCP()->OrigState() == analyzer::tcp::TCP_ENDPOINT_CLOSED ||
TCP()->OrigPrevState() == analyzer::tcp::TCP_ENDPOINT_CLOSED) )
// ### should include the partial text
Weird("partial_finger_request");
}
@ -50,12 +50,12 @@ void Finger_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig
if ( ! finger_request )
return;
line = zeek::util::skip_whitespace(line, end_of_line);
line = util::skip_whitespace(line, end_of_line);
// Check for /W.
int long_cnt = (line + 2 <= end_of_line && line[0] == '/' && toupper(line[1]) == 'W');
if ( long_cnt )
line = zeek::util::skip_whitespace(line+2, end_of_line);
line = util::skip_whitespace(line+2, end_of_line);
assert(line <= end_of_line);
size_t n = end_of_line >= line ? end_of_line - line : 0; // just to be sure if assertions aren't on.
@ -69,9 +69,9 @@ void Finger_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig
if ( finger_request )
EnqueueConnEvent(finger_request,
ConnVal(),
zeek::val_mgr->Bool(long_cnt),
zeek::make_intrusive<zeek::StringVal>(at - line, line),
zeek::make_intrusive<zeek::StringVal>(end_of_line - host, host)
val_mgr->Bool(long_cnt),
make_intrusive<StringVal>(at - line, line),
make_intrusive<StringVal>(end_of_line - host, host)
);
Conn()->Match(zeek::detail::Rule::FINGER, (const u_char *) line,
@ -87,7 +87,7 @@ void Finger_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig
EnqueueConnEvent(finger_reply,
ConnVal(),
zeek::make_intrusive<zeek::StringVal>(end_of_line - line, line)
make_intrusive<StringVal>(end_of_line - line, line)
);
}
}

10
src/analyzer/protocol/finger/Finger.h
View file

@ -7,21 +7,21 @@
namespace zeek::analyzer::finger {
class Finger_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
class Finger_Analyzer : public analyzer::tcp::TCP_ApplicationAnalyzer {
public:
explicit Finger_Analyzer(zeek::Connection* conn);
explicit Finger_Analyzer(Connection* conn);
~Finger_Analyzer() override {}
void Done() override;
// Line-based input.
void DeliverStream(int len, const u_char* data, bool orig) override;
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn)
static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new Finger_Analyzer(conn); }
protected:
zeek::analyzer::tcp::ContentLine_Analyzer* content_line_orig;
zeek::analyzer::tcp::ContentLine_Analyzer* content_line_resp;
analyzer::tcp::ContentLine_Analyzer* content_line_orig;
analyzer::tcp::ContentLine_Analyzer* content_line_resp;
int did_deliver;
};

68
src/analyzer/protocol/ftp/FTP.cc
View file

@ -17,18 +17,18 @@
namespace zeek::analyzer::ftp {
FTP_Analyzer::FTP_Analyzer(zeek::Connection* conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("FTP", conn)
FTP_Analyzer::FTP_Analyzer(Connection* conn)
: analyzer::tcp::TCP_ApplicationAnalyzer("FTP", conn)
{
pending_reply = 0;
nvt_orig = new zeek::analyzer::login::NVT_Analyzer(conn, true);
nvt_orig = new analyzer::login::NVT_Analyzer(conn, true);
nvt_orig->SetIsNULSensitive(true);
nvt_orig->SetIsNULSensitive(true);
nvt_orig->SetCRLFAsEOL(LF_as_EOL);
nvt_orig->SetIsNULSensitive(LF_as_EOL);
nvt_resp = new zeek::analyzer::login::NVT_Analyzer(conn, false);
nvt_resp = new analyzer::login::NVT_Analyzer(conn, false);
nvt_resp->SetIsNULSensitive(true);
nvt_resp->SetIsNULSensitive(true);
nvt_resp->SetCRLFAsEOL(LF_as_EOL);
@ -43,11 +43,11 @@ FTP_Analyzer::FTP_Analyzer(zeek::Connection* conn)
void FTP_Analyzer::Done()
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
analyzer::tcp::TCP_ApplicationAnalyzer::Done();
if ( nvt_orig->HasPartialLine() &&
(TCP()->OrigState() == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED ||
TCP()->OrigPrevState() == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED) )
(TCP()->OrigState() == analyzer::tcp::TCP_ENDPOINT_CLOSED ||
TCP()->OrigPrevState() == analyzer::tcp::TCP_ENDPOINT_CLOSED) )
// ### should include the partial text
Weird("partial_ftp_request");
}
@ -62,7 +62,7 @@ static uint32_t get_reply_code(int len, const char* line)
void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(length, data, orig);
analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(length, data, orig);
if ( (orig && ! ftp_request) || (! orig && ! ftp_reply) )
return;
@ -75,31 +75,31 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
// Could emit "ftp empty request/reply" weird, but maybe not worth it.
return;
zeek::Args vl;
Args vl;
zeek::EventHandlerPtr f;
EventHandlerPtr f;
if ( orig )
{
int cmd_len;
const char* cmd;
zeek::StringVal* cmd_str;
StringVal* cmd_str;
line = zeek::util::skip_whitespace(line, end_of_line);
zeek::util::get_word(end_of_line - line, line, cmd_len, cmd);
line = zeek::util::skip_whitespace(line + cmd_len, end_of_line);
line = util::skip_whitespace(line, end_of_line);
util::get_word(end_of_line - line, line, cmd_len, cmd);
line = util::skip_whitespace(line + cmd_len, end_of_line);
if ( cmd_len == 0 )
{
// Weird("FTP command missing", end_of_line - orig_line, orig_line);
cmd_str = new zeek::StringVal("<missing>");
cmd_str = new StringVal("<missing>");
}
else
cmd_str = (new zeek::StringVal(cmd_len, cmd))->ToUpper();
cmd_str = (new StringVal(cmd_len, cmd))->ToUpper();
vl = {
ConnVal(),
zeek::IntrusivePtr{zeek::AdoptRef{}, cmd_str},
zeek::make_intrusive<zeek::StringVal>(end_of_line - line, line),
IntrusivePtr{AdoptRef{}, cmd_str},
make_intrusive<StringVal>(end_of_line - line, line),
};
f = ftp_request;
@ -109,7 +109,7 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
"AUTH", cmd_len) == 0 )
auth_requested = std::string(line, end_of_line - line);
if ( zeek::detail::rule_matcher )
if ( detail::rule_matcher )
Conn()->Match(zeek::detail::Rule::FTP, (const u_char *) cmd,
end_of_line - cmd, true, true, true, true);
}
@ -125,7 +125,7 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
length > 3 && line[3] == ' ' )
{
// This is the end of the reply.
line = zeek::util::skip_whitespace(line + 3, end_of_line);
line = util::skip_whitespace(line + 3, end_of_line);
pending_reply = 0;
cont_resp = 0;
}
@ -140,7 +140,7 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
if ( reply_code > 0 && length > 3 && line[3] == '-' )
{ // a continued reply
pending_reply = reply_code;
line = zeek::util::skip_whitespace(line + 4, end_of_line);
line = util::skip_whitespace(line + 4, end_of_line);
cont_resp = 1;
}
else
@ -152,7 +152,7 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
(const char*) data, length);
if ( line < end_of_line )
line = zeek::util::skip_whitespace(line, end_of_line);
line = util::skip_whitespace(line, end_of_line);
else
line = end_of_line;
@ -166,7 +166,7 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
// Server wants to proceed with an ADAT exchange and we
// know how to analyze the GSI mechanism, so attach analyzer
// to look for that.
Analyzer* ssl = zeek::analyzer_mgr->InstantiateAnalyzer("SSL", Conn());
Analyzer* ssl = analyzer_mgr->InstantiateAnalyzer("SSL", Conn());
if ( ssl )
{
ssl->AddSupportAnalyzer(new FTP_ADAT_Analyzer(Conn(), true));
@ -177,9 +177,9 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
vl = {
ConnVal(),
zeek::val_mgr->Count(reply_code),
zeek::make_intrusive<zeek::StringVal>(end_of_line - line, line),
zeek::val_mgr->Bool(cont_resp)
val_mgr->Count(reply_code),
make_intrusive<StringVal>(end_of_line - line, line),
val_mgr->Bool(cont_resp)
};
f = ftp_reply;
@ -204,20 +204,20 @@ void FTP_ADAT_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
const char* line = (const char*) data;
const char* end_of_line = line + len;
zeek::String* decoded_adat = nullptr;
String* decoded_adat = nullptr;
if ( orig )
{
int cmd_len;
const char* cmd;
line = zeek::util::skip_whitespace(line, end_of_line);
zeek::util::get_word(len, line, cmd_len, cmd);
line = util::skip_whitespace(line, end_of_line);
util::get_word(len, line, cmd_len, cmd);
if ( strncmp(cmd, "ADAT", cmd_len) == 0 )
{
line = zeek::util::skip_whitespace(line + cmd_len, end_of_line);
zeek::StringVal encoded(end_of_line - line, line);
decoded_adat = zeek::detail::decode_base64(encoded.AsString(), nullptr, Conn());
line = util::skip_whitespace(line + cmd_len, end_of_line);
StringVal encoded(end_of_line - line, line);
decoded_adat = detail::decode_base64(encoded.AsString(), nullptr, Conn());
if ( first_token )
{
@ -286,12 +286,12 @@ void FTP_ADAT_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
if ( len > 3 && line[0] == '-' )
line++;
line = zeek::util::skip_whitespace(line, end_of_line);
line = util::skip_whitespace(line, end_of_line);
if ( end_of_line - line >= 5 && strncmp(line, "ADAT=", 5) == 0 )
{
line += 5;
zeek::StringVal encoded(end_of_line - line, line);
StringVal encoded(end_of_line - line, line);
decoded_adat = zeek::detail::decode_base64(encoded.AsString(), nullptr, Conn());
}

14
src/analyzer/protocol/ftp/FTP.h
View file

@ -8,21 +8,21 @@ ZEEK_FORWARD_DECLARE_NAMESPACED(NVT_Analyzer, zeek, analyzer::login);
namespace zeek::analyzer::ftp {
class FTP_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
class FTP_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer {
public:
explicit FTP_Analyzer(zeek::Connection* conn);
explicit FTP_Analyzer(Connection* conn);
void Done() override;
void DeliverStream(int len, const u_char* data, bool orig) override;
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn)
static analyzer::Analyzer* Instantiate(Connection* conn)
{
return new FTP_Analyzer(conn);
}
protected:
zeek::analyzer::login::NVT_Analyzer* nvt_orig;
zeek::analyzer::login::NVT_Analyzer* nvt_resp;
analyzer::login::NVT_Analyzer* nvt_orig;
analyzer::login::NVT_Analyzer* nvt_resp;
uint32_t pending_reply; // code associated with multi-line reply, or 0
std::string auth_requested; // AUTH method requested
};
@ -34,9 +34,9 @@ protected:
* analyzer just decodes the tokens and passes them on to the parent, which must
* be an SSL analyzer instance.
*/
class FTP_ADAT_Analyzer final : public zeek::analyzer::SupportAnalyzer {
class FTP_ADAT_Analyzer final : public analyzer::SupportAnalyzer {
public:
FTP_ADAT_Analyzer(zeek::Connection* conn, bool arg_orig)
FTP_ADAT_Analyzer(Connection* conn, bool arg_orig)
: SupportAnalyzer("FTP_ADAT", conn, arg_orig),
first_token(true) { }

42
src/analyzer/protocol/gnutella/Gnutella.cc
View file

@ -36,8 +36,8 @@ GnutellaMsgState::GnutellaMsgState()
} // namespace detail
Gnutella_Analyzer::Gnutella_Analyzer(zeek::Connection* conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("GNUTELLA", conn)
Gnutella_Analyzer::Gnutella_Analyzer(Connection* conn)
: analyzer::tcp::TCP_ApplicationAnalyzer("GNUTELLA", conn)
{
state = 0;
new_state = 0;
@ -57,7 +57,7 @@ Gnutella_Analyzer::~Gnutella_Analyzer()
void Gnutella_Analyzer::Done()
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
analyzer::tcp::TCP_ApplicationAnalyzer::Done();
if ( ! sent_establish && (gnutella_establish || gnutella_not_establish) )
{
@ -76,9 +76,9 @@ void Gnutella_Analyzer::Done()
if ( ! p->msg_sent && p->msg_pos )
EnqueueConnEvent(gnutella_partial_binary_msg,
ConnVal(),
zeek::make_intrusive<zeek::StringVal>(p->msg),
zeek::val_mgr->Bool((i == 0)),
zeek::val_mgr->Count(p->msg_pos));
make_intrusive<StringVal>(p->msg),
val_mgr->Bool((i == 0)),
val_mgr->Count(p->msg_pos));
else if ( ! p->msg_sent && p->payload_left )
SendEvents(p, (i == 0));
@ -122,16 +122,16 @@ bool Gnutella_Analyzer::IsHTTP(std::string header)
if ( gnutella_http_notify )
EnqueueConnEvent(gnutella_http_notify, ConnVal());
zeek::analyzer::Analyzer* a = zeek::analyzer_mgr->InstantiateAnalyzer("HTTP", Conn());
analyzer::Analyzer* a = analyzer_mgr->InstantiateAnalyzer("HTTP", Conn());
if ( a && Parent()->AddChildAnalyzer(a) )
{
if ( Parent()->IsAnalyzer("TCP") )
{
// Replay buffered data.
zeek::analyzer::pia::PIA* pia = static_cast<zeek::analyzer::TransportLayerAnalyzer *>(Parent())->GetPIA();
analyzer::pia::PIA* pia = static_cast<analyzer::TransportLayerAnalyzer *>(Parent())->GetPIA();
if ( pia )
static_cast<zeek::analyzer::pia::PIA_TCP *>(pia)->ReplayStreamBuffer(a);
static_cast<analyzer::pia::PIA_TCP *>(pia)->ReplayStreamBuffer(a);
}
Parent()->RemoveChildAnalyzer(this);
@ -180,8 +180,8 @@ void Gnutella_Analyzer::DeliverLines(int len, const u_char* data, bool orig)
if ( gnutella_text_msg )
EnqueueConnEvent(gnutella_text_msg,
ConnVal(),
zeek::val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(ms->headers.data()));
val_mgr->Bool(orig),
make_intrusive<StringVal>(ms->headers.data()));
ms->headers = "";
state |= new_state;
@ -217,15 +217,15 @@ void Gnutella_Analyzer::SendEvents(detail::GnutellaMsgState* p, bool is_orig)
if ( gnutella_binary_msg )
EnqueueConnEvent(gnutella_binary_msg,
ConnVal(),
zeek::val_mgr->Bool(is_orig),
zeek::val_mgr->Count(p->msg_type),
zeek::val_mgr->Count(p->msg_ttl),
zeek::val_mgr->Count(p->msg_hops),
zeek::val_mgr->Count(p->msg_len),
zeek::make_intrusive<zeek::StringVal>(p->payload),
zeek::val_mgr->Count(p->payload_len),
zeek::val_mgr->Bool((p->payload_len < std::min(p->msg_len, (unsigned int)GNUTELLA_MAX_PAYLOAD))),
zeek::val_mgr->Bool((p->payload_left == 0)));
val_mgr->Bool(is_orig),
val_mgr->Count(p->msg_type),
val_mgr->Count(p->msg_ttl),
val_mgr->Count(p->msg_hops),
val_mgr->Count(p->msg_len),
make_intrusive<StringVal>(p->payload),
val_mgr->Count(p->payload_len),
val_mgr->Bool((p->payload_len < std::min(p->msg_len, (unsigned int)GNUTELLA_MAX_PAYLOAD))),
val_mgr->Bool((p->payload_left == 0)));
}
@ -304,7 +304,7 @@ void Gnutella_Analyzer::DeliverMessages(int len, const u_char* data, bool orig)
void Gnutella_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
ms = orig ? orig_msg_state : resp_msg_state;
ms->current_offset = 0;

6
src/analyzer/protocol/gnutella/Gnutella.h
View file

@ -36,15 +36,15 @@ public:
} // namespace detail
class Gnutella_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
class Gnutella_Analyzer : public analyzer::tcp::TCP_ApplicationAnalyzer {
public:
explicit Gnutella_Analyzer(zeek::Connection* conn);
explicit Gnutella_Analyzer(Connection* conn);
~Gnutella_Analyzer() override;
void Done () override;
void DeliverStream(int len, const u_char* data, bool orig) override;
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn)
static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new Gnutella_Analyzer(conn); }
private:

14
src/analyzer/protocol/gssapi/GSSAPI.cc
View file

@ -7,8 +7,8 @@
namespace zeek::analyzer::gssapi {
GSSAPI_Analyzer::GSSAPI_Analyzer(zeek::Connection* c)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("GSSAPI", c)
GSSAPI_Analyzer::GSSAPI_Analyzer(Connection* c)
: analyzer::tcp::TCP_ApplicationAnalyzer("GSSAPI", c)
{
interp = new binpac::GSSAPI::GSSAPI_Conn(this);
}
@ -20,7 +20,7 @@ GSSAPI_Analyzer::~GSSAPI_Analyzer()
void GSSAPI_Analyzer::Done()
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
analyzer::tcp::TCP_ApplicationAnalyzer::Done();
interp->FlowEOF(true);
interp->FlowEOF(false);
@ -28,13 +28,13 @@ void GSSAPI_Analyzer::Done()
void GSSAPI_Analyzer::EndpointEOF(bool is_orig)
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
interp->FlowEOF(is_orig);
}
void GSSAPI_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
assert(TCP());
@ -45,13 +45,13 @@ void GSSAPI_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
}
catch ( const binpac::Exception& e )
{
ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg()));
ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
}
}
void GSSAPI_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
interp->NewGap(orig, len);
}

8
src/analyzer/protocol/gssapi/GSSAPI.h
View file

@ -9,10 +9,10 @@
namespace zeek::analyzer::gssapi {
class GSSAPI_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
class GSSAPI_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer {
public:
explicit GSSAPI_Analyzer(zeek::Connection* conn);
explicit GSSAPI_Analyzer(Connection* conn);
~GSSAPI_Analyzer() override;
// Overriden from Analyzer.
@ -21,10 +21,10 @@ public:
void DeliverStream(int len, const u_char* data, bool orig) override;
void Undelivered(uint64_t seq, int len, bool orig) override;
// Overriden from zeek::analyzer::tcp::TCP_ApplicationAnalyzer.
// Overriden from analyzer::tcp::TCP_ApplicationAnalyzer.
void EndpointEOF(bool is_orig) override;
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn)
static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new GSSAPI_Analyzer(conn); }
protected:

6
src/analyzer/protocol/gtpv1/GTPv1.cc
View file

@ -6,7 +6,7 @@
namespace zeek::analyzer::gtpv1 {
GTPv1_Analyzer::GTPv1_Analyzer(zeek::Connection* conn)
GTPv1_Analyzer::GTPv1_Analyzer(Connection* conn)
: Analyzer("GTPV1", conn)
{
interp = new binpac::GTPv1::GTPv1_Conn(this);
@ -23,7 +23,7 @@ void GTPv1_Analyzer::Done()
Event(udp_session_done);
}
void GTPv1_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64_t seq, const zeek::IP_Hdr* ip, int caplen)
void GTPv1_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64_t seq, const IP_Hdr* ip, int caplen)
{
Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
try
@ -32,7 +32,7 @@ void GTPv1_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint6
}
catch ( const binpac::Exception& e )
{
ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg()));
ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
}
}

8
src/analyzer/protocol/gtpv1/GTPv1.h
View file

@ -4,16 +4,16 @@
namespace zeek::analyzer::gtpv1 {
class GTPv1_Analyzer final : public zeek::analyzer::Analyzer {
class GTPv1_Analyzer final : public analyzer::Analyzer {
public:
explicit GTPv1_Analyzer(zeek::Connection* conn);
explicit GTPv1_Analyzer(Connection* conn);
virtual ~GTPv1_Analyzer();
virtual void Done();
virtual void DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const zeek::IP_Hdr* ip, int caplen);
uint64_t seq, const IP_Hdr* ip, int caplen);
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn)
static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new GTPv1_Analyzer(conn); }
protected:

366
src/analyzer/protocol/http/HTTP.cc
View file

File diff suppressed because it is too large Load diff

70
src/analyzer/protocol/http/HTTP.h
View file

@ -27,9 +27,9 @@ class HTTP_Entity;
class HTTP_Message;
class HTTP_Analyzer;
class HTTP_Entity final : public zeek::analyzer::mime::MIME_Entity {
class HTTP_Entity final : public analyzer::mime::MIME_Entity {
public:
HTTP_Entity(HTTP_Message* msg, zeek::analyzer::mime::MIME_Entity* parent_entity,
HTTP_Entity(HTTP_Message* msg, analyzer::mime::MIME_Entity* parent_entity,
int expect_body);
~HTTP_Entity() override
{
@ -58,7 +58,7 @@ protected:
int64_t body_length;
int64_t header_length;
enum { IDENTITY, GZIP, COMPRESS, DEFLATE } encoding;
zeek::analyzer::zip::ZIP_Analyzer* zip;
analyzer::zip::ZIP_Analyzer* zip;
bool deliver_body;
bool is_partial_content;
uint64_t offset;
@ -66,7 +66,7 @@ protected:
bool send_size; // whether to send size indication to FAF
std::string precomputed_file_id;
zeek::analyzer::mime::MIME_Entity* NewChildEntity() override { return new HTTP_Entity(http_message, this, 1); }
analyzer::mime::MIME_Entity* NewChildEntity() override { return new HTTP_Entity(http_message, this, 1); }
void DeliverBody(int len, const char* data, bool trailing_CRLF);
void DeliverBodyClear(int len, const char* data, bool trailing_CRLF);
@ -75,7 +75,7 @@ protected:
void SetPlainDelivery(int64_t length);
void SubmitHeader(zeek::analyzer::mime::MIME_Header* h) override;
void SubmitHeader(analyzer::mime::MIME_Header* h) override;
void SubmitAllHeaders() override;
};
@ -96,11 +96,11 @@ enum {
// HTTP_Message::EndEntity -> Message::Done
// HTTP_MessageDone -> {Request,Reply}Made
class HTTP_Message final : public zeek::analyzer::mime::MIME_Message {
class HTTP_Message final : public analyzer::mime::MIME_Message {
friend class HTTP_Entity;
public:
HTTP_Message(HTTP_Analyzer* analyzer, zeek::analyzer::tcp::ContentLine_Analyzer* cl,
HTTP_Message(HTTP_Analyzer* analyzer, analyzer::tcp::ContentLine_Analyzer* cl,
bool is_orig, int expect_body, int64_t init_header_length);
~HTTP_Message() override;
void Done(bool interrupted, const char* msg);
@ -108,16 +108,16 @@ public:
bool Undelivered(int64_t len);
void BeginEntity(zeek::analyzer::mime::MIME_Entity* /* entity */) override;
void EndEntity(zeek::analyzer::mime::MIME_Entity* entity) override;
void SubmitHeader(zeek::analyzer::mime::MIME_Header* h) override;
void SubmitAllHeaders(zeek::analyzer::mime::MIME_HeaderList& /* hlist */) override;
void BeginEntity(analyzer::mime::MIME_Entity* /* entity */) override;
void EndEntity(analyzer::mime::MIME_Entity* entity) override;
void SubmitHeader(analyzer::mime::MIME_Header* h) override;
void SubmitAllHeaders(analyzer::mime::MIME_HeaderList& /* hlist */) override;
void SubmitData(int len, const char* buf) override;
bool RequestBuffer(int* plen, char** pbuf) override;
void SubmitAllData();
void SubmitEvent(int event_type, const char* detail) override;
void SubmitTrailingHeaders(zeek::analyzer::mime::MIME_HeaderList& /* hlist */);
void SubmitTrailingHeaders(analyzer::mime::MIME_HeaderList& /* hlist */);
void SetPlainDelivery(int64_t length);
void SkipEntityData();
@ -129,7 +129,7 @@ public:
protected:
HTTP_Analyzer* analyzer;
zeek::analyzer::tcp::ContentLine_Analyzer* content_line;
analyzer::tcp::ContentLine_Analyzer* content_line;
bool is_orig;
char* entity_data_buffer;
@ -145,18 +145,18 @@ protected:
HTTP_Entity* current_entity;
zeek::RecordValPtr BuildMessageStat(bool interrupted, const char* msg);
RecordValPtr BuildMessageStat(bool interrupted, const char* msg);
};
class HTTP_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
class HTTP_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer {
public:
HTTP_Analyzer(zeek::Connection* conn);
HTTP_Analyzer(Connection* conn);
void HTTP_Header(bool is_orig, zeek::analyzer::mime::MIME_Header* h);
void HTTP_EntityData(bool is_orig, zeek::String* entity_data);
void HTTP_Header(bool is_orig, analyzer::mime::MIME_Header* h);
void HTTP_EntityData(bool is_orig, String* entity_data);
void HTTP_MessageDone(bool is_orig, HTTP_Message* message);
void HTTP_Event(const char* category, const char* detail);
void HTTP_Event(const char* category, zeek::StringValPtr detail);
void HTTP_Event(const char* category, StringValPtr detail);
void SkipEntityData(bool is_orig);
@ -168,7 +168,7 @@ public:
void DeliverStream(int len, const u_char* data, bool orig) override;
void Undelivered(uint64_t seq, int len, bool orig) override;
// Overriden from zeek::analyzer::tcp::TCP_ApplicationAnalyzer
// Overriden from analyzer::tcp::TCP_ApplicationAnalyzer
void EndpointEOF(bool is_orig) override;
void ConnectionFinished(bool half_finished) override;
void ConnectionReset() override;
@ -195,7 +195,7 @@ public:
int GetRequestOngoing() { return request_ongoing; };
int GetReplyOngoing() { return reply_ongoing; };
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn)
static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new HTTP_Analyzer(conn); }
static bool Available()
@ -210,7 +210,7 @@ protected:
int HTTP_RequestLine(const char* line, const char* end_of_line);
int HTTP_ReplyLine(const char* line, const char* end_of_line);
void InitHTTPMessage(zeek::analyzer::tcp::ContentLine_Analyzer* cl, HTTP_Message*& message, bool is_orig,
void InitHTTPMessage(analyzer::tcp::ContentLine_Analyzer* cl, HTTP_Message*& message, bool is_orig,
int expect_body, int64_t init_header_length);
const char* PrefixMatch(const char* line, const char* end_of_line,
@ -230,14 +230,14 @@ protected:
void RequestMade(bool interrupted, const char* msg);
void ReplyMade(bool interrupted, const char* msg);
void RequestClash(zeek::Val* clash_val);
void RequestClash(Val* clash_val);
const zeek::String* UnansweredRequestMethod();
const String* UnansweredRequestMethod();
int HTTP_ReplyCode(const char* code_str);
int ExpectReplyMessageBody();
zeek::StringValPtr TruncateURI(const zeek::StringValPtr& uri);
StringValPtr TruncateURI(const StringValPtr& uri);
int request_state, reply_state;
int num_requests, num_replies;
@ -248,7 +248,7 @@ protected:
int request_ongoing, reply_ongoing;
bool connect_request;
zeek::analyzer::pia::PIA_TCP *pia;
analyzer::pia::PIA_TCP *pia;
// set to true after a connection was upgraded
bool upgraded;
// set to true when encountering an "connection" header in a reply.
@ -257,22 +257,22 @@ protected:
// in a reply.
std::string upgrade_protocol;
zeek::StringValPtr request_method;
StringValPtr request_method;
// request_URI is in the original form (may contain '%<hex><hex>'
// sequences).
zeek::StringValPtr request_URI;
StringValPtr request_URI;
// unescaped_URI does not contain escaped sequences.
zeek::StringValPtr unescaped_URI;
StringValPtr unescaped_URI;
std::queue<zeek::StringValPtr> unanswered_requests;
std::queue<StringValPtr> unanswered_requests;
int reply_code;
zeek::StringValPtr reply_reason_phrase;
StringValPtr reply_reason_phrase;
zeek::analyzer::tcp::ContentLine_Analyzer* content_line_orig;
zeek::analyzer::tcp::ContentLine_Analyzer* content_line_resp;
analyzer::tcp::ContentLine_Analyzer* content_line_orig;
analyzer::tcp::ContentLine_Analyzer* content_line_resp;
HTTP_Message* request_message;
HTTP_Message* reply_message;
@ -281,8 +281,8 @@ protected:
extern bool is_reserved_URI_char(unsigned char ch);
extern bool is_unreserved_URI_char(unsigned char ch);
extern void escape_URI_char(unsigned char ch, unsigned char*& p);
extern zeek::String* unescape_URI(const u_char* line, const u_char* line_end,
zeek::analyzer::Analyzer* analyzer);
extern String* unescape_URI(const u_char* line, const u_char* line_end,
analyzer::Analyzer* analyzer);
} // namespace zeek::analyzer::http

290
src/analyzer/protocol/icmp/ICMP.cc
View file

@ -20,7 +20,7 @@
namespace zeek::analyzer::icmp {
ICMP_Analyzer::ICMP_Analyzer(zeek::Connection* c)
ICMP_Analyzer::ICMP_Analyzer(Connection* c)
: TransportLayerAnalyzer("ICMP", c),
icmp_conn_val(), type(), code(), request_len(-1), reply_len(-1)
{
@ -35,7 +35,7 @@ void ICMP_Analyzer::Done()
}
void ICMP_Analyzer::DeliverPacket(int len, const u_char* data,
bool is_orig, uint64_t seq, const zeek::IP_Hdr* ip, int caplen)
bool is_orig, uint64_t seq, const IP_Hdr* ip, int caplen)
{
assert(ip);
@ -64,7 +64,7 @@ void ICMP_Analyzer::DeliverPacket(int len, const u_char* data,
break;
default:
zeek::reporter->AnalyzerError(
reporter->AnalyzerError(
this, "unexpected IP proto in ICMP analyzer: %d", ip->NextProto());
return;
}
@ -76,7 +76,7 @@ void ICMP_Analyzer::DeliverPacket(int len, const u_char* data,
}
}
Conn()->SetLastTime(zeek::run_state::current_timestamp);
Conn()->SetLastTime(run_state::current_timestamp);
if ( zeek::detail::rule_matcher )
{
@ -99,12 +99,12 @@ void ICMP_Analyzer::DeliverPacket(int len, const u_char* data,
len_stat += len;
if ( ip->NextProto() == IPPROTO_ICMP )
NextICMP4(zeek::run_state::current_timestamp, icmpp, len, caplen, data, ip);
NextICMP4(run_state::current_timestamp, icmpp, len, caplen, data, ip);
else if ( ip->NextProto() == IPPROTO_ICMPV6 )
NextICMP6(zeek::run_state::current_timestamp, icmpp, len, caplen, data, ip);
NextICMP6(run_state::current_timestamp, icmpp, len, caplen, data, ip);
else
{
zeek::reporter->AnalyzerError(
reporter->AnalyzerError(
this, "expected ICMP as IP packet's protocol, got %d", ip->NextProto());
return;
}
@ -119,7 +119,7 @@ void ICMP_Analyzer::DeliverPacket(int len, const u_char* data,
}
void ICMP_Analyzer::NextICMP4(double t, const struct icmp* icmpp, int len, int caplen,
const u_char*& data, const zeek::IP_Hdr* ip_hdr )
const u_char*& data, const IP_Hdr* ip_hdr )
{
switch ( icmpp->icmp_type )
{
@ -140,7 +140,7 @@ void ICMP_Analyzer::NextICMP4(double t, const struct icmp* icmpp, int len, int c
}
void ICMP_Analyzer::NextICMP6(double t, const struct icmp* icmpp, int len, int caplen,
const u_char*& data, const zeek::IP_Hdr* ip_hdr )
const u_char*& data, const IP_Hdr* ip_hdr )
{
switch ( icmpp->icmp_type )
{
@ -199,7 +199,7 @@ void ICMP_Analyzer::NextICMP6(double t, const struct icmp* icmpp, int len, int c
void ICMP_Analyzer::ICMP_Sent(const struct icmp* icmpp, int len, int caplen,
int icmpv6, const u_char* data,
const zeek::IP_Hdr* ip_hdr)
const IP_Hdr* ip_hdr)
{
if ( icmp_sent )
EnqueueConnEvent(icmp_sent,
@ -210,51 +210,51 @@ void ICMP_Analyzer::ICMP_Sent(const struct icmp* icmpp, int len, int caplen,
if ( icmp_sent_payload )
{
zeek::String* payload = new zeek::String(data, std::min(len, caplen), false);
String* payload = new String(data, std::min(len, caplen), false);
EnqueueConnEvent(icmp_sent_payload,
ConnVal(),
BuildICMPVal(icmpp, len, icmpv6, ip_hdr),
BuildInfo(icmpp, len, icmpv6, ip_hdr),
zeek::make_intrusive<zeek::StringVal>(payload)
make_intrusive<StringVal>(payload)
);
}
}
zeek::RecordValPtr ICMP_Analyzer::BuildICMPVal(const struct icmp* icmpp, int len,
int icmpv6, const zeek::IP_Hdr* ip_hdr)
RecordValPtr ICMP_Analyzer::BuildICMPVal(const struct icmp* icmpp, int len,
int icmpv6, const IP_Hdr* ip_hdr)
{
if ( ! icmp_conn_val )
{
static auto icmp_conn = zeek::id::find_type<zeek::RecordType>("icmp_conn");
icmp_conn_val = zeek::make_intrusive<zeek::RecordVal>(icmp_conn);
static auto icmp_conn = id::find_type<RecordType>("icmp_conn");
icmp_conn_val = make_intrusive<RecordVal>(icmp_conn);
icmp_conn_val->Assign(0, zeek::make_intrusive<zeek::AddrVal>(Conn()->OrigAddr()));
icmp_conn_val->Assign(1, zeek::make_intrusive<zeek::AddrVal>(Conn()->RespAddr()));
icmp_conn_val->Assign(2, zeek::val_mgr->Count(icmpp->icmp_type));
icmp_conn_val->Assign(3, zeek::val_mgr->Count(icmpp->icmp_code));
icmp_conn_val->Assign(4, zeek::val_mgr->Count(len));
icmp_conn_val->Assign(5, zeek::val_mgr->Count(ip_hdr->TTL()));
icmp_conn_val->Assign(6, zeek::val_mgr->Bool(icmpv6));
icmp_conn_val->Assign(0, make_intrusive<AddrVal>(Conn()->OrigAddr()));
icmp_conn_val->Assign(1, make_intrusive<AddrVal>(Conn()->RespAddr()));
icmp_conn_val->Assign(2, val_mgr->Count(icmpp->icmp_type));
icmp_conn_val->Assign(3, val_mgr->Count(icmpp->icmp_code));
icmp_conn_val->Assign(4, val_mgr->Count(len));
icmp_conn_val->Assign(5, val_mgr->Count(ip_hdr->TTL()));
icmp_conn_val->Assign(6, val_mgr->Bool(icmpv6));
}
return icmp_conn_val;
}
zeek::RecordValPtr ICMP_Analyzer::BuildInfo(const struct icmp* icmpp, int len,
bool icmpv6, const zeek::IP_Hdr* ip_hdr)
RecordValPtr ICMP_Analyzer::BuildInfo(const struct icmp* icmpp, int len,
bool icmpv6, const IP_Hdr* ip_hdr)
{
static auto icmp_info = zeek::id::find_type<zeek::RecordType>("icmp_info");
auto rval = zeek::make_intrusive<zeek::RecordVal>(icmp_info);
rval->Assign(0, zeek::val_mgr->Bool(icmpv6));
rval->Assign(1, zeek::val_mgr->Count(icmpp->icmp_type));
rval->Assign(2, zeek::val_mgr->Count(icmpp->icmp_code));
rval->Assign(3, zeek::val_mgr->Count(len));
rval->Assign(4, zeek::val_mgr->Count(ip_hdr->TTL()));
static auto icmp_info = id::find_type<RecordType>("icmp_info");
auto rval = make_intrusive<RecordVal>(icmp_info);
rval->Assign(0, val_mgr->Bool(icmpv6));
rval->Assign(1, val_mgr->Count(icmpp->icmp_type));
rval->Assign(2, val_mgr->Count(icmpp->icmp_code));
rval->Assign(3, val_mgr->Count(len));
rval->Assign(4, val_mgr->Count(ip_hdr->TTL()));
return rval;
}
TransportProto ICMP_Analyzer::GetContextProtocol(const zeek::IP_Hdr* ip_hdr, uint32_t* src_port, uint32_t* dst_port)
TransportProto ICMP_Analyzer::GetContextProtocol(const IP_Hdr* ip_hdr, uint32_t* src_port, uint32_t* dst_port)
{
const u_char* transport_hdr;
uint32_t ip_hdr_len = ip_hdr->HdrLen();
@ -319,17 +319,17 @@ TransportProto ICMP_Analyzer::GetContextProtocol(const zeek::IP_Hdr* ip_hdr, uin
return proto;
}
zeek::RecordValPtr ICMP_Analyzer::ExtractICMP4Context(int len, const u_char*& data)
RecordValPtr ICMP_Analyzer::ExtractICMP4Context(int len, const u_char*& data)
{
const zeek::IP_Hdr ip_hdr_data((const struct ip*) data, false);
const zeek::IP_Hdr* ip_hdr = &ip_hdr_data;
const IP_Hdr ip_hdr_data((const struct ip*) data, false);
const IP_Hdr* ip_hdr = &ip_hdr_data;
uint32_t ip_hdr_len = ip_hdr->HdrLen();
uint32_t ip_len, frag_offset;
TransportProto proto = TRANSPORT_UNKNOWN;
int DF, MF, bad_hdr_len, bad_checksum;
zeek::IPAddr src_addr, dst_addr;
IPAddr src_addr, dst_addr;
uint32_t src_port, dst_port;
if ( len < (int)sizeof(struct ip) || ip_hdr_len > uint32_t(len) )
@ -345,7 +345,7 @@ zeek::RecordValPtr ICMP_Analyzer::ExtractICMP4Context(int len, const u_char*& da
{
bad_hdr_len = 0;
ip_len = ip_hdr->TotalLen();
bad_checksum = ! zeek::run_state::current_pkt->l3_checksummed &&
bad_checksum = ! run_state::current_pkt->l3_checksummed &&
(ones_complement_checksum((void*) ip_hdr->IP4_Hdr(), ip_hdr_len, 0) != 0xffff);
src_addr = ip_hdr->SrcAddr();
@ -366,34 +366,34 @@ zeek::RecordValPtr ICMP_Analyzer::ExtractICMP4Context(int len, const u_char*& da
}
}
static auto icmp_context = zeek::id::find_type<zeek::RecordType>("icmp_context");
auto iprec = zeek::make_intrusive<zeek::RecordVal>(icmp_context);
auto id_val = zeek::make_intrusive<zeek::RecordVal>(zeek::id::conn_id);
static auto icmp_context = id::find_type<RecordType>("icmp_context");
auto iprec = make_intrusive<RecordVal>(icmp_context);
auto id_val = make_intrusive<RecordVal>(id::conn_id);
id_val->Assign(0, zeek::make_intrusive<zeek::AddrVal>(src_addr));
id_val->Assign(1, zeek::val_mgr->Port(src_port, proto));
id_val->Assign(2, zeek::make_intrusive<zeek::AddrVal>(dst_addr));
id_val->Assign(3, zeek::val_mgr->Port(dst_port, proto));
id_val->Assign(0, make_intrusive<AddrVal>(src_addr));
id_val->Assign(1, val_mgr->Port(src_port, proto));
id_val->Assign(2, make_intrusive<AddrVal>(dst_addr));
id_val->Assign(3, val_mgr->Port(dst_port, proto));
iprec->Assign(0, std::move(id_val));
iprec->Assign(1, zeek::val_mgr->Count(ip_len));
iprec->Assign(2, zeek::val_mgr->Count(proto));
iprec->Assign(3, zeek::val_mgr->Count(frag_offset));
iprec->Assign(4, zeek::val_mgr->Bool(bad_hdr_len));
iprec->Assign(5, zeek::val_mgr->Bool(bad_checksum));
iprec->Assign(6, zeek::val_mgr->Bool(MF));
iprec->Assign(7, zeek::val_mgr->Bool(DF));
iprec->Assign(1, val_mgr->Count(ip_len));
iprec->Assign(2, val_mgr->Count(proto));
iprec->Assign(3, val_mgr->Count(frag_offset));
iprec->Assign(4, val_mgr->Bool(bad_hdr_len));
iprec->Assign(5, val_mgr->Bool(bad_checksum));
iprec->Assign(6, val_mgr->Bool(MF));
iprec->Assign(7, val_mgr->Bool(DF));
return iprec;
}
zeek::RecordValPtr ICMP_Analyzer::ExtractICMP6Context(int len, const u_char*& data)
RecordValPtr ICMP_Analyzer::ExtractICMP6Context(int len, const u_char*& data)
{
int DF = 0, MF = 0, bad_hdr_len = 0;
TransportProto proto = TRANSPORT_UNKNOWN;
zeek::IPAddr src_addr;
zeek::IPAddr dst_addr;
IPAddr src_addr;
IPAddr dst_addr;
uint32_t ip_len, frag_offset = 0;
uint32_t src_port, dst_port;
@ -405,8 +405,8 @@ zeek::RecordValPtr ICMP_Analyzer::ExtractICMP6Context(int len, const u_char*& da
}
else
{
const zeek::IP_Hdr ip_hdr_data((const struct ip6_hdr*) data, false, len);
const zeek::IP_Hdr* ip_hdr = &ip_hdr_data;
const IP_Hdr ip_hdr_data((const struct ip6_hdr*) data, false, len);
const IP_Hdr* ip_hdr = &ip_hdr_data;
ip_len = ip_hdr->TotalLen();
src_addr = ip_hdr->SrcAddr();
@ -426,24 +426,24 @@ zeek::RecordValPtr ICMP_Analyzer::ExtractICMP6Context(int len, const u_char*& da
}
}
static auto icmp_context = zeek::id::find_type<zeek::RecordType>("icmp_context");
auto iprec = zeek::make_intrusive<zeek::RecordVal>(icmp_context);
auto id_val = zeek::make_intrusive<zeek::RecordVal>(zeek::id::conn_id);
static auto icmp_context = id::find_type<RecordType>("icmp_context");
auto iprec = make_intrusive<RecordVal>(icmp_context);
auto id_val = make_intrusive<RecordVal>(id::conn_id);
id_val->Assign(0, zeek::make_intrusive<zeek::AddrVal>(src_addr));
id_val->Assign(1, zeek::val_mgr->Port(src_port, proto));
id_val->Assign(2, zeek::make_intrusive<zeek::AddrVal>(dst_addr));
id_val->Assign(3, zeek::val_mgr->Port(dst_port, proto));
id_val->Assign(0, make_intrusive<AddrVal>(src_addr));
id_val->Assign(1, val_mgr->Port(src_port, proto));
id_val->Assign(2, make_intrusive<AddrVal>(dst_addr));
id_val->Assign(3, val_mgr->Port(dst_port, proto));
iprec->Assign(0, std::move(id_val));
iprec->Assign(1, zeek::val_mgr->Count(ip_len));
iprec->Assign(2, zeek::val_mgr->Count(proto));
iprec->Assign(3, zeek::val_mgr->Count(frag_offset));
iprec->Assign(4, zeek::val_mgr->Bool(bad_hdr_len));
iprec->Assign(1, val_mgr->Count(ip_len));
iprec->Assign(2, val_mgr->Count(proto));
iprec->Assign(3, val_mgr->Count(frag_offset));
iprec->Assign(4, val_mgr->Bool(bad_hdr_len));
// bad_checksum is always false since IPv6 layer doesn't have a checksum.
iprec->Assign(5, zeek::val_mgr->False());
iprec->Assign(6, zeek::val_mgr->Bool(MF));
iprec->Assign(7, zeek::val_mgr->Bool(DF));
iprec->Assign(5, val_mgr->False());
iprec->Assign(6, val_mgr->Bool(MF));
iprec->Assign(7, val_mgr->Bool(DF));
return iprec;
}
@ -453,7 +453,7 @@ bool ICMP_Analyzer::IsReuse(double /* t */, const u_char* /* pkt */)
return false;
}
void ICMP_Analyzer::Describe(zeek::ODesc* d) const
void ICMP_Analyzer::Describe(ODesc* d) const
{
d->Add(Conn()->StartTime());
d->Add("(");
@ -472,7 +472,7 @@ void ICMP_Analyzer::Describe(zeek::ODesc* d) const
d->Add(Conn()->RespAddr());
}
void ICMP_Analyzer::UpdateConnVal(zeek::RecordVal *conn_val)
void ICMP_Analyzer::UpdateConnVal(RecordVal *conn_val)
{
const auto& orig_endp = conn_val->GetField("orig");
const auto& resp_endp = conn_val->GetField("resp");
@ -484,7 +484,7 @@ void ICMP_Analyzer::UpdateConnVal(zeek::RecordVal *conn_val)
Analyzer::UpdateConnVal(conn_val);
}
void ICMP_Analyzer::UpdateEndpointVal(const zeek::ValPtr& endp_arg, bool is_orig)
void ICMP_Analyzer::UpdateEndpointVal(const ValPtr& endp_arg, bool is_orig)
{
Conn()->EnableStatusUpdateTimer();
@ -493,30 +493,30 @@ void ICMP_Analyzer::UpdateEndpointVal(const zeek::ValPtr& endp_arg, bool is_orig
if ( size < 0 )
{
endp->Assign(0, zeek::val_mgr->Count(0));
endp->Assign(1, zeek::val_mgr->Count(int(ICMP_INACTIVE)));
endp->Assign(0, val_mgr->Count(0));
endp->Assign(1, val_mgr->Count(int(ICMP_INACTIVE)));
}
else
{
endp->Assign(0, zeek::val_mgr->Count(size));
endp->Assign(1, zeek::val_mgr->Count(int(ICMP_ACTIVE)));
endp->Assign(0, val_mgr->Count(size));
endp->Assign(1, val_mgr->Count(int(ICMP_ACTIVE)));
}
}
unsigned int ICMP_Analyzer::MemoryAllocation() const
{
return Analyzer::MemoryAllocation()
+ padded_sizeof(*this) - padded_sizeof(zeek::Connection)
+ padded_sizeof(*this) - padded_sizeof(Connection)
+ (icmp_conn_val ? icmp_conn_val->MemoryAllocation() : 0);
}
void ICMP_Analyzer::Echo(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr)
int caplen, const u_char*& data, const IP_Hdr* ip_hdr)
{
// For handling all Echo related ICMP messages
zeek::EventHandlerPtr f = nullptr;
EventHandlerPtr f = nullptr;
if ( ip_hdr->NextProto() == IPPROTO_ICMPV6 )
f = (icmpp->icmp_type == ICMP6_ECHO_REQUEST)
@ -531,23 +531,23 @@ void ICMP_Analyzer::Echo(double t, const struct icmp* icmpp, int len,
int iid = ntohs(icmpp->icmp_hun.ih_idseq.icd_id);
int iseq = ntohs(icmpp->icmp_hun.ih_idseq.icd_seq);
zeek::String* payload = new zeek::String(data, caplen, false);
String* payload = new String(data, caplen, false);
EnqueueConnEvent(f,
ConnVal(),
BuildICMPVal(icmpp, len, ip_hdr->NextProto() != IPPROTO_ICMP, ip_hdr),
BuildInfo(icmpp, len, ip_hdr->NextProto() != IPPROTO_ICMP, ip_hdr),
zeek::val_mgr->Count(iid),
zeek::val_mgr->Count(iseq),
zeek::make_intrusive<zeek::StringVal>(payload)
val_mgr->Count(iid),
val_mgr->Count(iseq),
make_intrusive<StringVal>(payload)
);
}
void ICMP_Analyzer::RouterAdvert(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr)
int caplen, const u_char*& data, const IP_Hdr* ip_hdr)
{
zeek::EventHandlerPtr f = icmp_router_advertisement;
EventHandlerPtr f = icmp_router_advertisement;
if ( ! f )
return;
@ -566,33 +566,33 @@ void ICMP_Analyzer::RouterAdvert(double t, const struct icmp* icmpp, int len,
ConnVal(),
BuildICMPVal(icmpp, len, 1, ip_hdr),
BuildInfo(icmpp, len, 1, ip_hdr),
zeek::val_mgr->Count(icmpp->icmp_num_addrs), // Cur Hop Limit
zeek::val_mgr->Bool(icmpp->icmp_wpa & 0x80), // Managed
zeek::val_mgr->Bool(icmpp->icmp_wpa & 0x40), // Other
zeek::val_mgr->Bool(icmpp->icmp_wpa & 0x20), // Home Agent
zeek::val_mgr->Count((icmpp->icmp_wpa & 0x18)>>3), // Pref
zeek::val_mgr->Bool(icmpp->icmp_wpa & 0x04), // Proxy
zeek::val_mgr->Count(icmpp->icmp_wpa & 0x02), // Reserved
zeek::make_intrusive<zeek::IntervalVal>((double)ntohs(icmpp->icmp_lifetime), Seconds),
zeek::make_intrusive<zeek::IntervalVal>((double)ntohl(reachable), Milliseconds),
zeek::make_intrusive<zeek::IntervalVal>((double)ntohl(retrans), Milliseconds),
val_mgr->Count(icmpp->icmp_num_addrs), // Cur Hop Limit
val_mgr->Bool(icmpp->icmp_wpa & 0x80), // Managed
val_mgr->Bool(icmpp->icmp_wpa & 0x40), // Other
val_mgr->Bool(icmpp->icmp_wpa & 0x20), // Home Agent
val_mgr->Count((icmpp->icmp_wpa & 0x18)>>3), // Pref
val_mgr->Bool(icmpp->icmp_wpa & 0x04), // Proxy
val_mgr->Count(icmpp->icmp_wpa & 0x02), // Reserved
make_intrusive<IntervalVal>((double)ntohs(icmpp->icmp_lifetime), Seconds),
make_intrusive<IntervalVal>((double)ntohl(reachable), Milliseconds),
make_intrusive<IntervalVal>((double)ntohl(retrans), Milliseconds),
BuildNDOptionsVal(caplen - opt_offset, data + opt_offset)
);
}
void ICMP_Analyzer::NeighborAdvert(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr)
int caplen, const u_char*& data, const IP_Hdr* ip_hdr)
{
zeek::EventHandlerPtr f = icmp_neighbor_advertisement;
EventHandlerPtr f = icmp_neighbor_advertisement;
if ( ! f )
return;
zeek::IPAddr tgtaddr;
IPAddr tgtaddr;
if ( caplen >= (int)sizeof(in6_addr) )
tgtaddr = zeek::IPAddr(*((const in6_addr*)data));
tgtaddr = IPAddr(*((const in6_addr*)data));
int opt_offset = sizeof(in6_addr);
@ -600,27 +600,27 @@ void ICMP_Analyzer::NeighborAdvert(double t, const struct icmp* icmpp, int len,
ConnVal(),
BuildICMPVal(icmpp, len, 1, ip_hdr),
BuildInfo(icmpp, len, 1, ip_hdr),
zeek::val_mgr->Bool(icmpp->icmp_num_addrs & 0x80), // Router
zeek::val_mgr->Bool(icmpp->icmp_num_addrs & 0x40), // Solicited
zeek::val_mgr->Bool(icmpp->icmp_num_addrs & 0x20), // Override
zeek::make_intrusive<zeek::AddrVal>(tgtaddr),
val_mgr->Bool(icmpp->icmp_num_addrs & 0x80), // Router
val_mgr->Bool(icmpp->icmp_num_addrs & 0x40), // Solicited
val_mgr->Bool(icmpp->icmp_num_addrs & 0x20), // Override
make_intrusive<AddrVal>(tgtaddr),
BuildNDOptionsVal(caplen - opt_offset, data + opt_offset)
);
}
void ICMP_Analyzer::NeighborSolicit(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr)
int caplen, const u_char*& data, const IP_Hdr* ip_hdr)
{
zeek::EventHandlerPtr f = icmp_neighbor_solicitation;
EventHandlerPtr f = icmp_neighbor_solicitation;
if ( ! f )
return;
zeek::IPAddr tgtaddr;
IPAddr tgtaddr;
if ( caplen >= (int)sizeof(in6_addr) )
tgtaddr = zeek::IPAddr(*((const in6_addr*)data));
tgtaddr = IPAddr(*((const in6_addr*)data));
int opt_offset = sizeof(in6_addr);
@ -628,27 +628,27 @@ void ICMP_Analyzer::NeighborSolicit(double t, const struct icmp* icmpp, int len,
ConnVal(),
BuildICMPVal(icmpp, len, 1, ip_hdr),
BuildInfo(icmpp, len, 1, ip_hdr),
zeek::make_intrusive<zeek::AddrVal>(tgtaddr),
make_intrusive<AddrVal>(tgtaddr),
BuildNDOptionsVal(caplen - opt_offset, data + opt_offset)
);
}
void ICMP_Analyzer::Redirect(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr)
int caplen, const u_char*& data, const IP_Hdr* ip_hdr)
{
zeek::EventHandlerPtr f = icmp_redirect;
EventHandlerPtr f = icmp_redirect;
if ( ! f )
return;
zeek::IPAddr tgtaddr, dstaddr;
IPAddr tgtaddr, dstaddr;
if ( caplen >= (int)sizeof(in6_addr) )
tgtaddr = zeek::IPAddr(*((const in6_addr*)data));
tgtaddr = IPAddr(*((const in6_addr*)data));
if ( caplen >= 2 * (int)sizeof(in6_addr) )
dstaddr = zeek::IPAddr(*((const in6_addr*)(data + sizeof(in6_addr))));
dstaddr = IPAddr(*((const in6_addr*)(data + sizeof(in6_addr))));
int opt_offset = 2 * sizeof(in6_addr);
@ -656,17 +656,17 @@ void ICMP_Analyzer::Redirect(double t, const struct icmp* icmpp, int len,
ConnVal(),
BuildICMPVal(icmpp, len, 1, ip_hdr),
BuildInfo(icmpp, len, 1, ip_hdr),
zeek::make_intrusive<zeek::AddrVal>(tgtaddr),
zeek::make_intrusive<zeek::AddrVal>(dstaddr),
make_intrusive<AddrVal>(tgtaddr),
make_intrusive<AddrVal>(dstaddr),
BuildNDOptionsVal(caplen - opt_offset, data + opt_offset)
);
}
void ICMP_Analyzer::RouterSolicit(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr)
int caplen, const u_char*& data, const IP_Hdr* ip_hdr)
{
zeek::EventHandlerPtr f = icmp_router_solicitation;
EventHandlerPtr f = icmp_router_solicitation;
if ( ! f )
return;
@ -681,9 +681,9 @@ void ICMP_Analyzer::RouterSolicit(double t, const struct icmp* icmpp, int len,
void ICMP_Analyzer::Context4(double t, const struct icmp* icmpp,
int len, int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr)
int len, int caplen, const u_char*& data, const IP_Hdr* ip_hdr)
{
zeek::EventHandlerPtr f = nullptr;
EventHandlerPtr f = nullptr;
switch ( icmpp->icmp_type )
{
@ -701,16 +701,16 @@ void ICMP_Analyzer::Context4(double t, const struct icmp* icmpp,
ConnVal(),
BuildICMPVal(icmpp, len, 0, ip_hdr),
BuildInfo(icmpp, len, 0, ip_hdr),
zeek::val_mgr->Count(icmpp->icmp_code),
val_mgr->Count(icmpp->icmp_code),
ExtractICMP4Context(caplen, data)
);
}
void ICMP_Analyzer::Context6(double t, const struct icmp* icmpp,
int len, int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr)
int len, int caplen, const u_char*& data, const IP_Hdr* ip_hdr)
{
zeek::EventHandlerPtr f = nullptr;
EventHandlerPtr f = nullptr;
switch ( icmpp->icmp_type )
{
@ -740,18 +740,18 @@ void ICMP_Analyzer::Context6(double t, const struct icmp* icmpp,
ConnVal(),
BuildICMPVal(icmpp, len, 1, ip_hdr),
BuildInfo(icmpp, len, 1, ip_hdr),
zeek::val_mgr->Count(icmpp->icmp_code),
val_mgr->Count(icmpp->icmp_code),
ExtractICMP6Context(caplen, data)
);
}
zeek::VectorValPtr ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* data)
VectorValPtr ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* data)
{
static auto icmp6_nd_option_type = zeek::id::find_type<zeek::RecordType>("icmp6_nd_option");
static auto icmp6_nd_prefix_info_type = zeek::id::find_type<zeek::RecordType>("icmp6_nd_prefix_info");
static auto icmp6_nd_option_type = id::find_type<RecordType>("icmp6_nd_option");
static auto icmp6_nd_prefix_info_type = id::find_type<RecordType>("icmp6_nd_prefix_info");
auto vv = zeek::make_intrusive<zeek::VectorVal>(
zeek::id::find_type<zeek::VectorType>("icmp6_nd_options"));
auto vv = make_intrusive<VectorVal>(
id::find_type<VectorType>("icmp6_nd_options"));
while ( caplen > 0 )
{
@ -771,9 +771,9 @@ zeek::VectorValPtr ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* da
break;
}
auto rv = zeek::make_intrusive<zeek::RecordVal>(icmp6_nd_option_type);
rv->Assign(0, zeek::val_mgr->Count(type));
rv->Assign(1, zeek::val_mgr->Count(length));
auto rv = make_intrusive<RecordVal>(icmp6_nd_option_type);
rv->Assign(0, val_mgr->Count(type));
rv->Assign(1, val_mgr->Count(length));
// Adjust length to be in units of bytes, exclude type/length fields.
length = length * 8 - 2;
@ -791,8 +791,8 @@ zeek::VectorValPtr ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* da
{
if ( caplen >= length )
{
zeek::String* link_addr = new zeek::String(data, length, false);
rv->Assign(2, zeek::make_intrusive<zeek::StringVal>(link_addr));
String* link_addr = new String(data, length, false);
rv->Assign(2, make_intrusive<StringVal>(link_addr));
}
else
set_payload_field = true;
@ -805,19 +805,19 @@ zeek::VectorValPtr ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* da
{
if ( caplen >= 30 )
{
auto info = zeek::make_intrusive<zeek::RecordVal>(icmp6_nd_prefix_info_type);
auto info = make_intrusive<RecordVal>(icmp6_nd_prefix_info_type);
uint8_t prefix_len = *((const uint8_t*)(data));
bool L_flag = (*((const uint8_t*)(data + 1)) & 0x80) != 0;
bool A_flag = (*((const uint8_t*)(data + 1)) & 0x40) != 0;
uint32_t valid_life = *((const uint32_t*)(data + 2));
uint32_t prefer_life = *((const uint32_t*)(data + 6));
in6_addr prefix = *((const in6_addr*)(data + 14));
info->Assign(0, zeek::val_mgr->Count(prefix_len));
info->Assign(1, zeek::val_mgr->Bool(L_flag));
info->Assign(2, zeek::val_mgr->Bool(A_flag));
info->Assign(3, zeek::make_intrusive<zeek::IntervalVal>((double)ntohl(valid_life), Seconds));
info->Assign(4, zeek::make_intrusive<zeek::IntervalVal>((double)ntohl(prefer_life), Seconds));
info->Assign(5, zeek::make_intrusive<zeek::AddrVal>(zeek::IPAddr(prefix)));
info->Assign(0, val_mgr->Count(prefix_len));
info->Assign(1, val_mgr->Bool(L_flag));
info->Assign(2, val_mgr->Bool(A_flag));
info->Assign(3, make_intrusive<IntervalVal>((double)ntohl(valid_life), Seconds));
info->Assign(4, make_intrusive<IntervalVal>((double)ntohl(prefer_life), Seconds));
info->Assign(5, make_intrusive<AddrVal>(IPAddr(prefix)));
rv->Assign(3, std::move(info));
}
@ -845,7 +845,7 @@ zeek::VectorValPtr ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* da
// MTU option
{
if ( caplen >= 6 )
rv->Assign(5, zeek::val_mgr->Count(ntohl(*((const uint32_t*)(data + 2)))));
rv->Assign(5, val_mgr->Count(ntohl(*((const uint32_t*)(data + 2)))));
else
set_payload_field = true;
@ -861,8 +861,8 @@ zeek::VectorValPtr ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* da
if ( set_payload_field )
{
zeek::String* payload = new zeek::String(data, std::min((int)length, caplen), false);
rv->Assign(6, zeek::make_intrusive<zeek::StringVal>(payload));
String* payload = new String(data, std::min((int)length, caplen), false);
rv->Assign(6, make_intrusive<StringVal>(payload));
}
data += length;

58
src/analyzer/protocol/icmp/ICMP.h
View file

@ -8,7 +8,7 @@
ZEEK_FORWARD_DECLARE_NAMESPACED(VectorVal, zeek);
namespace zeek {
using VectorValPtr = zeek::IntrusivePtr<VectorVal>;
using VectorValPtr = IntrusivePtr<VectorVal>;
}
namespace zeek::analyzer::icmp {
@ -20,77 +20,77 @@ enum ICMP_EndpointState {
// We do not have an PIA for ICMP (yet) and therefore derive from
// RuleMatcherState to perform our own matching.
class ICMP_Analyzer final : public zeek::analyzer::TransportLayerAnalyzer {
class ICMP_Analyzer final : public analyzer::TransportLayerAnalyzer {
public:
explicit ICMP_Analyzer(zeek::Connection* conn);
explicit ICMP_Analyzer(Connection* conn);
void UpdateConnVal(zeek::RecordVal *conn_val) override;
void UpdateConnVal(RecordVal *conn_val) override;
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn)
static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new ICMP_Analyzer(conn); }
protected:
void Done() override;
void DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override;
uint64_t seq, const IP_Hdr* ip, int caplen) override;
bool IsReuse(double t, const u_char* pkt) override;
unsigned int MemoryAllocation() const override;
void ICMP_Sent(const struct icmp* icmpp, int len, int caplen, int icmpv6,
const u_char* data, const zeek::IP_Hdr* ip_hdr);
const u_char* data, const IP_Hdr* ip_hdr);
void Echo(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr);
int caplen, const u_char*& data, const IP_Hdr* ip_hdr);
void Redirect(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr);
int caplen, const u_char*& data, const IP_Hdr* ip_hdr);
void RouterAdvert(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr);
int caplen, const u_char*& data, const IP_Hdr* ip_hdr);
void NeighborAdvert(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr);
int caplen, const u_char*& data, const IP_Hdr* ip_hdr);
void NeighborSolicit(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr);
int caplen, const u_char*& data, const IP_Hdr* ip_hdr);
void RouterSolicit(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr);
int caplen, const u_char*& data, const IP_Hdr* ip_hdr);
void Describe(zeek::ODesc* d) const;
void Describe(ODesc* d) const;
zeek::RecordValPtr BuildICMPVal(const struct icmp* icmpp, int len,
int icmpv6, const zeek::IP_Hdr* ip_hdr);
RecordValPtr BuildICMPVal(const struct icmp* icmpp, int len,
int icmpv6, const IP_Hdr* ip_hdr);
zeek::RecordValPtr BuildInfo(const struct icmp* icmpp, int len,
bool icmpv6, const zeek::IP_Hdr* ip_hdr);
RecordValPtr BuildInfo(const struct icmp* icmpp, int len,
bool icmpv6, const IP_Hdr* ip_hdr);
void NextICMP4(double t, const struct icmp* icmpp, int len, int caplen,
const u_char*& data, const zeek::IP_Hdr* ip_hdr );
const u_char*& data, const IP_Hdr* ip_hdr );
zeek::RecordValPtr ExtractICMP4Context(int len, const u_char*& data);
RecordValPtr ExtractICMP4Context(int len, const u_char*& data);
void Context4(double t, const struct icmp* icmpp, int len, int caplen,
const u_char*& data, const zeek::IP_Hdr* ip_hdr);
const u_char*& data, const IP_Hdr* ip_hdr);
TransportProto GetContextProtocol(const zeek::IP_Hdr* ip_hdr, uint32_t* src_port,
TransportProto GetContextProtocol(const IP_Hdr* ip_hdr, uint32_t* src_port,
uint32_t* dst_port);
void NextICMP6(double t, const struct icmp* icmpp, int len, int caplen,
const u_char*& data, const zeek::IP_Hdr* ip_hdr );
const u_char*& data, const IP_Hdr* ip_hdr );
zeek::RecordValPtr ExtractICMP6Context(int len, const u_char*& data);
RecordValPtr ExtractICMP6Context(int len, const u_char*& data);
void Context6(double t, const struct icmp* icmpp, int len, int caplen,
const u_char*& data, const zeek::IP_Hdr* ip_hdr);
const u_char*& data, const IP_Hdr* ip_hdr);
// RFC 4861 Neighbor Discover message options
zeek::VectorValPtr BuildNDOptionsVal(int caplen, const u_char* data);
VectorValPtr BuildNDOptionsVal(int caplen, const u_char* data);
zeek::RecordValPtr icmp_conn_val;
RecordValPtr icmp_conn_val;
int type;
int code;
int request_len, reply_len;
zeek::detail::RuleMatcherState matcher_state;
detail::RuleMatcherState matcher_state;
private:
void UpdateEndpointVal(const zeek::ValPtr& endp, bool is_orig);
void UpdateEndpointVal(const ValPtr& endp, bool is_orig);
};
// Returns the counterpart type to the given type (e.g., the counterpart

78
src/analyzer/protocol/ident/Ident.cc
View file

@ -13,13 +13,13 @@
namespace zeek::analyzer::ident {
Ident_Analyzer::Ident_Analyzer(zeek::Connection* conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("IDENT", conn)
Ident_Analyzer::Ident_Analyzer(Connection* conn)
: analyzer::tcp::TCP_ApplicationAnalyzer("IDENT", conn)
{
did_bad_reply = did_deliver = false;
orig_ident = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, true, 1000);
resp_ident = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, false, 1000);
orig_ident = new analyzer::tcp::ContentLine_Analyzer(conn, true, 1000);
resp_ident = new analyzer::tcp::ContentLine_Analyzer(conn, false, 1000);
orig_ident->SetIsNULSensitive(true);
resp_ident->SetIsNULSensitive(true);
@ -30,29 +30,29 @@ Ident_Analyzer::Ident_Analyzer(zeek::Connection* conn)
void Ident_Analyzer::Done()
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
analyzer::tcp::TCP_ApplicationAnalyzer::Done();
if ( TCP() )
if ( (! did_deliver || orig_ident->HasPartialLine()) &&
(TCP()->OrigState() == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED ||
TCP()->OrigPrevState() == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED) &&
TCP()->OrigPrevState() != zeek::analyzer::tcp::TCP_ENDPOINT_PARTIAL &&
TCP()->RespPrevState() != zeek::analyzer::tcp::TCP_ENDPOINT_PARTIAL &&
TCP()->OrigPrevState() != zeek::analyzer::tcp::TCP_ENDPOINT_INACTIVE &&
TCP()->RespPrevState() != zeek::analyzer::tcp::TCP_ENDPOINT_INACTIVE )
(TCP()->OrigState() == analyzer::tcp::TCP_ENDPOINT_CLOSED ||
TCP()->OrigPrevState() == analyzer::tcp::TCP_ENDPOINT_CLOSED) &&
TCP()->OrigPrevState() != analyzer::tcp::TCP_ENDPOINT_PARTIAL &&
TCP()->RespPrevState() != analyzer::tcp::TCP_ENDPOINT_PARTIAL &&
TCP()->OrigPrevState() != analyzer::tcp::TCP_ENDPOINT_INACTIVE &&
TCP()->RespPrevState() != analyzer::tcp::TCP_ENDPOINT_INACTIVE )
Weird("partial_ident_request");
}
void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(length, data, is_orig);
analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(length, data, is_orig);
int remote_port, local_port;
const char* line = (const char*) data;
const char* orig_line = line;
const char* end_of_line = line + length;
zeek::analyzer::tcp::TCP_Endpoint* s = nullptr;
analyzer::tcp::TCP_Endpoint* s = nullptr;
if ( TCP() )
s = is_orig ? TCP()->Orig() : TCP()->Resp();
@ -68,9 +68,9 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
line = ParsePair(line, end_of_line, remote_port, local_port);
if ( ! line )
{
if ( s && s->state == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED &&
(s->prev_state == zeek::analyzer::tcp::TCP_ENDPOINT_INACTIVE ||
s->prev_state == zeek::analyzer::tcp::TCP_ENDPOINT_PARTIAL) )
if ( s && s->state == analyzer::tcp::TCP_ENDPOINT_CLOSED &&
(s->prev_state == analyzer::tcp::TCP_ENDPOINT_INACTIVE ||
s->prev_state == analyzer::tcp::TCP_ENDPOINT_PARTIAL) )
// not surprising the request is mangled.
return;
@ -80,14 +80,14 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
if ( line != end_of_line )
{
zeek::String s((const u_char*)orig_line, length, true);
String s((const u_char*)orig_line, length, true);
Weird("ident_request_addendum", s.CheckString());
}
EnqueueConnEvent(ident_request,
ConnVal(),
zeek::val_mgr->Port(local_port, TRANSPORT_TCP),
zeek::val_mgr->Port(remote_port, TRANSPORT_TCP)
val_mgr->Port(local_port, TRANSPORT_TCP),
val_mgr->Port(remote_port, TRANSPORT_TCP)
);
did_deliver = true;
@ -102,9 +102,9 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
if ( ! line || line == end_of_line || line[0] != ':' )
{
if ( s && s->state == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED &&
(s->prev_state == zeek::analyzer::tcp::TCP_ENDPOINT_INACTIVE ||
s->prev_state == zeek::analyzer::tcp::TCP_ENDPOINT_PARTIAL) )
if ( s && s->state == analyzer::tcp::TCP_ENDPOINT_CLOSED &&
(s->prev_state == analyzer::tcp::TCP_ENDPOINT_INACTIVE ||
s->prev_state == analyzer::tcp::TCP_ENDPOINT_PARTIAL) )
// not surprising the request is mangled.
return;
@ -112,7 +112,7 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
return;
}
line = zeek::util::skip_whitespace(line + 1, end_of_line);
line = util::skip_whitespace(line + 1, end_of_line);
int restlen = end_of_line - line;
int is_error;
@ -132,7 +132,7 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
return;
}
line = zeek::util::skip_whitespace(line, end_of_line);
line = util::skip_whitespace(line, end_of_line);
if ( line >= end_of_line || line[0] != ':' )
{
@ -140,16 +140,16 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
return;
}
line = zeek::util::skip_whitespace(line + 1, end_of_line);
line = util::skip_whitespace(line + 1, end_of_line);
if ( is_error )
{
if ( ident_error )
EnqueueConnEvent(ident_error,
ConnVal(),
zeek::val_mgr->Port(local_port, TRANSPORT_TCP),
zeek::val_mgr->Port(remote_port, TRANSPORT_TCP),
zeek::make_intrusive<zeek::StringVal>(end_of_line - line, line)
val_mgr->Port(local_port, TRANSPORT_TCP),
val_mgr->Port(remote_port, TRANSPORT_TCP),
make_intrusive<StringVal>(end_of_line - line, line)
);
}
@ -172,18 +172,18 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
while ( --sys_end > sys_type && isspace(*sys_end) )
;
zeek::String* sys_type_s =
new zeek::String((const u_char*) sys_type,
String* sys_type_s =
new String((const u_char*) sys_type,
sys_end - sys_type + 1, true);
line = zeek::util::skip_whitespace(colon + 1, end_of_line);
line = util::skip_whitespace(colon + 1, end_of_line);
EnqueueConnEvent(ident_reply,
ConnVal(),
zeek::val_mgr->Port(local_port, TRANSPORT_TCP),
zeek::val_mgr->Port(remote_port, TRANSPORT_TCP),
zeek::make_intrusive<zeek::StringVal>(end_of_line - line, line),
zeek::make_intrusive<zeek::StringVal>(sys_type_s)
val_mgr->Port(local_port, TRANSPORT_TCP),
val_mgr->Port(remote_port, TRANSPORT_TCP),
make_intrusive<StringVal>(end_of_line - line, line),
make_intrusive<StringVal>(sys_type_s)
);
}
}
@ -214,7 +214,7 @@ const char* Ident_Analyzer::ParsePort(const char* line, const char* end_of_line,
{
int n = 0;
line = zeek::util::skip_whitespace(line, end_of_line);
line = util::skip_whitespace(line, end_of_line);
if ( line >= end_of_line || ! isdigit(*line) )
return nullptr;
@ -227,7 +227,7 @@ const char* Ident_Analyzer::ParsePort(const char* line, const char* end_of_line,
}
while ( line < end_of_line && isdigit(*line) );
line = zeek::util::skip_whitespace(line, end_of_line);
line = util::skip_whitespace(line, end_of_line);
if ( n < 0 || n > 65535 )
{
@ -242,7 +242,7 @@ const char* Ident_Analyzer::ParsePort(const char* line, const char* end_of_line,
void Ident_Analyzer::BadRequest(int length, const char* line)
{
zeek::String s((const u_char*)line, length, true);
String s((const u_char*)line, length, true);
Weird("bad_ident_request", s.CheckString());
}
@ -250,7 +250,7 @@ void Ident_Analyzer::BadReply(int length, const char* line)
{
if ( ! did_bad_reply )
{
zeek::String s((const u_char*)line, length, true);
String s((const u_char*)line, length, true);
Weird("bad_ident_reply", s.CheckString());
did_bad_reply = true;
}

10
src/analyzer/protocol/ident/Ident.h
View file

@ -7,14 +7,14 @@
namespace zeek::analyzer::ident {
class Ident_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
class Ident_Analyzer : public analyzer::tcp::TCP_ApplicationAnalyzer {
public:
explicit Ident_Analyzer(zeek::Connection* conn);
explicit Ident_Analyzer(Connection* conn);
void Done() override;
void DeliverStream(int length, const u_char* data, bool is_orig) override;
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn)
static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new Ident_Analyzer(conn); }
protected:
@ -26,8 +26,8 @@ protected:
void BadRequest(int length, const char* line);
void BadReply(int length, const char* line);
zeek::analyzer::tcp::ContentLine_Analyzer* orig_ident;
zeek::analyzer::tcp::ContentLine_Analyzer* resp_ident;
analyzer::tcp::ContentLine_Analyzer* orig_ident;
analyzer::tcp::ContentLine_Analyzer* resp_ident;
bool did_deliver;
bool did_bad_reply;

16
src/analyzer/protocol/imap/IMAP.cc
View file

@ -6,8 +6,8 @@
namespace zeek::analyzer::imap {
IMAP_Analyzer::IMAP_Analyzer(zeek::Connection* conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("IMAP", conn)
IMAP_Analyzer::IMAP_Analyzer(Connection* conn)
: analyzer::tcp::TCP_ApplicationAnalyzer("IMAP", conn)
{
interp = new binpac::IMAP::IMAP_Conn(this);
had_gap = false;
@ -21,7 +21,7 @@ IMAP_Analyzer::~IMAP_Analyzer()
void IMAP_Analyzer::Done()
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
analyzer::tcp::TCP_ApplicationAnalyzer::Done();
interp->FlowEOF(true);
interp->FlowEOF(false);
@ -29,13 +29,13 @@ void IMAP_Analyzer::Done()
void IMAP_Analyzer::EndpointEOF(bool is_orig)
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
interp->FlowEOF(is_orig);
}
void IMAP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
if ( tls_active )
{
@ -61,13 +61,13 @@ void IMAP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
}
catch ( const binpac::Exception& e )
{
ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg()));
ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
}
}
void IMAP_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
had_gap = true;
interp->NewGap(orig, len);
}
@ -79,7 +79,7 @@ void IMAP_Analyzer::StartTLS()
// TLS datastream.
tls_active = true;
Analyzer* ssl = zeek::analyzer_mgr->InstantiateAnalyzer("SSL", Conn());
Analyzer* ssl = analyzer_mgr->InstantiateAnalyzer("SSL", Conn());
if ( ssl )
AddChildAnalyzer(ssl);
}

8
src/analyzer/protocol/imap/IMAP.h
View file

@ -10,21 +10,21 @@
namespace zeek::analyzer::imap {
class IMAP_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
class IMAP_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer {
public:
explicit IMAP_Analyzer(zeek::Connection* conn);
explicit IMAP_Analyzer(Connection* conn);
~IMAP_Analyzer() override;
void Done() override;
void DeliverStream(int len, const u_char* data, bool orig) override;
void Undelivered(uint64_t seq, int len, bool orig) override;
// Overriden from zeek::analyzer::tcp::TCP_ApplicationAnalyzer.
// Overriden from analyzer::tcp::TCP_ApplicationAnalyzer.
void EndpointEOF(bool is_orig) override;
void StartTLS();
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn)
static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new IMAP_Analyzer(conn); }
protected:

314
src/analyzer/protocol/irc/IRC.cc
View file

@ -13,8 +13,8 @@ using namespace std;
namespace zeek::analyzer::irc {
IRC_Analyzer::IRC_Analyzer(zeek::Connection* conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("IRC", conn)
IRC_Analyzer::IRC_Analyzer(Connection* conn)
: analyzer::tcp::TCP_ApplicationAnalyzer("IRC", conn)
{
invalid_msg_count = 0;
invalid_msg_max_count = 20;
@ -23,15 +23,15 @@ IRC_Analyzer::IRC_Analyzer(zeek::Connection* conn)
orig_zip_status = NO_ZIP;
resp_zip_status = NO_ZIP;
starttls = false;
cl_orig = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, true, 1000);
cl_orig = new analyzer::tcp::ContentLine_Analyzer(conn, true, 1000);
AddSupportAnalyzer(cl_orig);
cl_resp = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, false, 1000);
cl_resp = new analyzer::tcp::ContentLine_Analyzer(conn, false, 1000);
AddSupportAnalyzer(cl_resp);
}
void IRC_Analyzer::Done()
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
analyzer::tcp::TCP_ApplicationAnalyzer::Done();
}
inline void IRC_Analyzer::SkipLeadingWhitespace(string& str)
@ -45,9 +45,9 @@ inline void IRC_Analyzer::SkipLeadingWhitespace(string& str)
void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
{
static auto irc_join_list = zeek::id::find_type<zeek::TableType>("irc_join_list");
static auto irc_join_info = zeek::id::find_type<zeek::RecordType>("irc_join_info");
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(length, line, orig);
static auto irc_join_list = id::find_type<TableType>("irc_join_list");
static auto irc_join_info = id::find_type<RecordType>("irc_join_info");
analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(length, line, orig);
if ( starttls )
{
@ -239,10 +239,10 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
EnqueueConnEvent(irc_network_info,
ConnVal(),
zeek::val_mgr->Bool(orig),
zeek::val_mgr->Int(users),
zeek::val_mgr->Int(services),
zeek::val_mgr->Int(servers));
val_mgr->Bool(orig),
val_mgr->Int(users),
val_mgr->Int(services),
val_mgr->Int(servers));
}
break;
@ -273,21 +273,21 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( parts.size() > 0 && parts[0][0] == ':' )
parts[0] = parts[0].substr(1);
auto set = zeek::make_intrusive<zeek::TableVal>(zeek::id::string_set);
auto set = make_intrusive<TableVal>(id::string_set);
for ( auto& part : parts )
{
if ( part[0] == '@' )
part = part.substr(1);
auto idx = zeek::make_intrusive<zeek::StringVal>(part);
auto idx = make_intrusive<StringVal>(part);
set->Assign(std::move(idx), nullptr);
}
EnqueueConnEvent(irc_names_info,
ConnVal(),
zeek::val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(type.c_str()),
zeek::make_intrusive<zeek::StringVal>(channel.c_str()),
val_mgr->Bool(orig),
make_intrusive<StringVal>(type.c_str()),
make_intrusive<StringVal>(channel.c_str()),
std::move(set));
}
break;
@ -318,10 +318,10 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
EnqueueConnEvent(irc_server_info,
ConnVal(),
zeek::val_mgr->Bool(orig),
zeek::val_mgr->Int(users),
zeek::val_mgr->Int(services),
zeek::val_mgr->Int(servers));
val_mgr->Bool(orig),
val_mgr->Int(users),
val_mgr->Int(services),
val_mgr->Int(servers));
}
break;
@ -339,8 +339,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
EnqueueConnEvent(irc_channel_info,
ConnVal(),
zeek::val_mgr->Bool(orig),
zeek::val_mgr->Int(channels));
val_mgr->Bool(orig),
val_mgr->Int(channels));
}
break;
@ -370,9 +370,9 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
EnqueueConnEvent(irc_global_users,
ConnVal(),
zeek::val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(eop - prefix, prefix),
zeek::make_intrusive<zeek::StringVal>(++msg));
val_mgr->Bool(orig),
make_intrusive<StringVal>(eop - prefix, prefix),
make_intrusive<StringVal>(++msg));
break;
}
@ -392,13 +392,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
return;
}
zeek::Args vl;
Args vl;
vl.reserve(6);
vl.emplace_back(ConnVal());
vl.emplace_back(zeek::val_mgr->Bool(orig));
vl.emplace_back(zeek::make_intrusive<zeek::StringVal>(parts[0].c_str()));
vl.emplace_back(zeek::make_intrusive<zeek::StringVal>(parts[1].c_str()));
vl.emplace_back(zeek::make_intrusive<zeek::StringVal>(parts[2].c_str()));
vl.emplace_back(val_mgr->Bool(orig));
vl.emplace_back(make_intrusive<StringVal>(parts[0].c_str()));
vl.emplace_back(make_intrusive<StringVal>(parts[1].c_str()));
vl.emplace_back(make_intrusive<StringVal>(parts[2].c_str()));
parts.erase(parts.begin(), parts.begin() + 4);
@ -409,7 +409,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( real_name[0] == ':' )
real_name = real_name.substr(1);
vl.emplace_back(zeek::make_intrusive<zeek::StringVal>(real_name.c_str()));
vl.emplace_back(make_intrusive<StringVal>(real_name.c_str()));
EnqueueConnEvent(irc_whois_user_line, std::move(vl));
}
@ -434,8 +434,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
EnqueueConnEvent(irc_whois_operator_line,
ConnVal(),
zeek::val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(parts[0].c_str()));
val_mgr->Bool(orig),
make_intrusive<StringVal>(parts[0].c_str()));
}
break;
@ -461,18 +461,18 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( parts.size() > 0 && parts[0][0] == ':' )
parts[0] = parts[0].substr(1);
auto set = zeek::make_intrusive<zeek::TableVal>(zeek::id::string_set);
auto set = make_intrusive<TableVal>(id::string_set);
for ( const auto& part : parts )
{
auto idx = zeek::make_intrusive<zeek::StringVal>(part);
auto idx = make_intrusive<StringVal>(part);
set->Assign(std::move(idx), nullptr);
}
EnqueueConnEvent(irc_whois_channel_line,
ConnVal(),
zeek::val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(nick.c_str()),
val_mgr->Bool(orig),
make_intrusive<StringVal>(nick.c_str()),
std::move(set));
}
break;
@ -501,9 +501,9 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
EnqueueConnEvent(irc_channel_topic,
ConnVal(),
zeek::val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(parts[1].c_str()),
zeek::make_intrusive<zeek::StringVal>(t));
val_mgr->Bool(orig),
make_intrusive<StringVal>(parts[1].c_str()),
make_intrusive<StringVal>(t));
}
else
{
@ -534,16 +534,16 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
EnqueueConnEvent(irc_who_line,
ConnVal(),
zeek::val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(parts[0].c_str()),
zeek::make_intrusive<zeek::StringVal>(parts[1].c_str()),
zeek::make_intrusive<zeek::StringVal>(parts[2].c_str()),
zeek::make_intrusive<zeek::StringVal>(parts[3].c_str()),
zeek::make_intrusive<zeek::StringVal>(parts[4].c_str()),
zeek::make_intrusive<zeek::StringVal>(parts[5].c_str()),
zeek::make_intrusive<zeek::StringVal>(parts[6].c_str()),
zeek::val_mgr->Int(atoi(parts[7].c_str())),
zeek::make_intrusive<zeek::StringVal>(parts[8].c_str()));
val_mgr->Bool(orig),
make_intrusive<StringVal>(parts[0].c_str()),
make_intrusive<StringVal>(parts[1].c_str()),
make_intrusive<StringVal>(parts[2].c_str()),
make_intrusive<StringVal>(parts[3].c_str()),
make_intrusive<StringVal>(parts[4].c_str()),
make_intrusive<StringVal>(parts[5].c_str()),
make_intrusive<StringVal>(parts[6].c_str()),
val_mgr->Int(atoi(parts[7].c_str())),
make_intrusive<StringVal>(parts[8].c_str()));
}
break;
@ -555,7 +555,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( irc_invalid_nick )
EnqueueConnEvent(irc_invalid_nick,
ConnVal(),
zeek::val_mgr->Bool(orig));
val_mgr->Bool(orig));
break;
// Operator responses.
@ -564,8 +564,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( irc_oper_response )
EnqueueConnEvent(irc_oper_response,
ConnVal(),
zeek::val_mgr->Bool(orig),
zeek::val_mgr->Bool(code == 381));
val_mgr->Bool(orig),
val_mgr->Bool(code == 381));
break;
case 670:
@ -578,10 +578,10 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( irc_reply )
EnqueueConnEvent(irc_reply,
ConnVal(),
zeek::val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(prefix.c_str()),
zeek::val_mgr->Count(code),
zeek::make_intrusive<zeek::StringVal>(params.c_str()));
val_mgr->Bool(orig),
make_intrusive<StringVal>(prefix.c_str()),
val_mgr->Count(code),
make_intrusive<StringVal>(params.c_str()));
break;
}
return;
@ -648,14 +648,14 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( irc_dcc_message )
EnqueueConnEvent(irc_dcc_message,
ConnVal(),
zeek::val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(prefix.c_str()),
zeek::make_intrusive<zeek::StringVal>(target.c_str()),
zeek::make_intrusive<zeek::StringVal>(parts[1].c_str()),
zeek::make_intrusive<zeek::StringVal>(parts[2].c_str()),
zeek::make_intrusive<zeek::AddrVal>(htonl(raw_ip)),
zeek::val_mgr->Count(atoi(parts[4].c_str())),
parts.size() >= 6 ? zeek::val_mgr->Count(atoi(parts[5].c_str())) : zeek::val_mgr->Count(0)
val_mgr->Bool(orig),
make_intrusive<StringVal>(prefix.c_str()),
make_intrusive<StringVal>(target.c_str()),
make_intrusive<StringVal>(parts[1].c_str()),
make_intrusive<StringVal>(parts[2].c_str()),
make_intrusive<AddrVal>(htonl(raw_ip)),
val_mgr->Count(atoi(parts[4].c_str())),
parts.size() >= 6 ? val_mgr->Count(atoi(parts[5].c_str())) : val_mgr->Count(0)
);
}
@ -664,10 +664,10 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( irc_privmsg_message )
EnqueueConnEvent(irc_privmsg_message,
ConnVal(),
zeek::val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(prefix.c_str()),
zeek::make_intrusive<zeek::StringVal>(target.c_str()),
zeek::make_intrusive<zeek::StringVal>(message.c_str())
val_mgr->Bool(orig),
make_intrusive<StringVal>(prefix.c_str()),
make_intrusive<StringVal>(target.c_str()),
make_intrusive<StringVal>(message.c_str())
);
}
}
@ -689,10 +689,10 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
EnqueueConnEvent(irc_notice_message,
ConnVal(),
zeek::val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(prefix.c_str()),
zeek::make_intrusive<zeek::StringVal>(target.c_str()),
zeek::make_intrusive<zeek::StringVal>(message.c_str())
val_mgr->Bool(orig),
make_intrusive<StringVal>(prefix.c_str()),
make_intrusive<StringVal>(target.c_str()),
make_intrusive<StringVal>(message.c_str())
);
}
@ -713,10 +713,10 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
EnqueueConnEvent(irc_squery_message,
ConnVal(),
zeek::val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(prefix.c_str()),
zeek::make_intrusive<zeek::StringVal>(target.c_str()),
zeek::make_intrusive<zeek::StringVal>(message.c_str())
val_mgr->Bool(orig),
make_intrusive<StringVal>(prefix.c_str()),
make_intrusive<StringVal>(target.c_str()),
make_intrusive<StringVal>(message.c_str())
);
}
@ -724,22 +724,22 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
{
// extract username and real name
vector<string> parts = SplitWords(params, ' ');
zeek::Args vl;
Args vl;
vl.reserve(6);
vl.emplace_back(ConnVal());
vl.emplace_back(zeek::val_mgr->Bool(orig));
vl.emplace_back(val_mgr->Bool(orig));
if ( parts.size() > 0 )
vl.emplace_back(zeek::make_intrusive<zeek::StringVal>(parts[0].c_str()));
else vl.emplace_back(zeek::val_mgr->EmptyString());
vl.emplace_back(make_intrusive<StringVal>(parts[0].c_str()));
else vl.emplace_back(val_mgr->EmptyString());
if ( parts.size() > 1 )
vl.emplace_back(zeek::make_intrusive<zeek::StringVal>(parts[1].c_str()));
else vl.emplace_back(zeek::val_mgr->EmptyString());
vl.emplace_back(make_intrusive<StringVal>(parts[1].c_str()));
else vl.emplace_back(val_mgr->EmptyString());
if ( parts.size() > 2 )
vl.emplace_back(zeek::make_intrusive<zeek::StringVal>(parts[2].c_str()));
else vl.emplace_back(zeek::val_mgr->EmptyString());
vl.emplace_back(make_intrusive<StringVal>(parts[2].c_str()));
else vl.emplace_back(val_mgr->EmptyString());
string realname;
for ( size_t i = 3; i < parts.size(); i++ )
@ -750,7 +750,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
}
const char* name = realname.c_str();
vl.emplace_back(zeek::make_intrusive<zeek::StringVal>(*name == ':' ? name + 1 : name));
vl.emplace_back(make_intrusive<StringVal>(*name == ':' ? name + 1 : name));
EnqueueConnEvent(irc_user_message, std::move(vl));
}
@ -762,9 +762,9 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( parts.size() == 2 )
EnqueueConnEvent(irc_oper_message,
ConnVal(),
zeek::val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(parts[0].c_str()),
zeek::make_intrusive<zeek::StringVal>(parts[1].c_str())
val_mgr->Bool(orig),
make_intrusive<StringVal>(parts[0].c_str()),
make_intrusive<StringVal>(parts[1].c_str())
);
else
@ -781,13 +781,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
return;
}
zeek::Args vl;
Args vl;
vl.reserve(6);
vl.emplace_back(ConnVal());
vl.emplace_back(zeek::val_mgr->Bool(orig));
vl.emplace_back(zeek::make_intrusive<zeek::StringVal>(prefix.c_str()));
vl.emplace_back(zeek::make_intrusive<zeek::StringVal>(parts[0].c_str()));
vl.emplace_back(zeek::make_intrusive<zeek::StringVal>(parts[1].c_str()));
vl.emplace_back(val_mgr->Bool(orig));
vl.emplace_back(make_intrusive<StringVal>(prefix.c_str()));
vl.emplace_back(make_intrusive<StringVal>(parts[0].c_str()));
vl.emplace_back(make_intrusive<StringVal>(parts[1].c_str()));
if ( parts.size() > 2 )
{
@ -798,10 +798,10 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( comment[0] == ':' )
comment = comment.substr(1);
vl.emplace_back(zeek::make_intrusive<zeek::StringVal>(comment.c_str()));
vl.emplace_back(make_intrusive<StringVal>(comment.c_str()));
}
else
vl.emplace_back(zeek::val_mgr->EmptyString());
vl.emplace_back(val_mgr->EmptyString());
EnqueueConnEvent(irc_kick_message, std::move(vl));
}
@ -827,7 +827,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
nickname = prefix.substr(0, pos);
}
auto list = zeek::make_intrusive<zeek::TableVal>(irc_join_list);
auto list = make_intrusive<TableVal>(irc_join_list);
vector<string> channels = SplitWords(parts[0], ',');
vector<string> passwords;
@ -838,21 +838,21 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
string empty_string = "";
for ( size_t i = 0; i < channels.size(); ++i )
{
auto info = zeek::make_intrusive<zeek::RecordVal>(irc_join_info);
info->Assign(0, zeek::make_intrusive<zeek::StringVal>(nickname.c_str()));
info->Assign(1, zeek::make_intrusive<zeek::StringVal>(channels[i].c_str()));
auto info = make_intrusive<RecordVal>(irc_join_info);
info->Assign(0, make_intrusive<StringVal>(nickname.c_str()));
info->Assign(1, make_intrusive<StringVal>(channels[i].c_str()));
if ( i < passwords.size() )
info->Assign(2, zeek::make_intrusive<zeek::StringVal>(passwords[i].c_str()));
info->Assign(2, make_intrusive<StringVal>(passwords[i].c_str()));
else
info->Assign(2, zeek::make_intrusive<zeek::StringVal>(empty_string.c_str()));
info->Assign(2, make_intrusive<StringVal>(empty_string.c_str()));
// User mode.
info->Assign(3, zeek::make_intrusive<zeek::StringVal>(empty_string.c_str()));
info->Assign(3, make_intrusive<StringVal>(empty_string.c_str()));
list->Assign(std::move(info), nullptr);
}
EnqueueConnEvent(irc_join_message,
ConnVal(),
zeek::val_mgr->Bool(orig),
val_mgr->Bool(orig),
std::move(list)
);
}
@ -871,13 +871,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
parts[1] = parts[1].substr(1);
vector<string> users = SplitWords(parts[1], ',');
auto list = zeek::make_intrusive<zeek::TableVal>(irc_join_list);
auto list = make_intrusive<TableVal>(irc_join_list);
string empty_string = "";
for ( unsigned int i = 0; i < users.size(); ++i )
{
auto info = zeek::make_intrusive<zeek::RecordVal>(irc_join_info);
auto info = make_intrusive<RecordVal>(irc_join_info);
string nick = users[i];
string mode = "none";
@ -901,18 +901,18 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
mode = "voice";
}
info->Assign(0, zeek::make_intrusive<zeek::StringVal>(nick.c_str()));
info->Assign(1, zeek::make_intrusive<zeek::StringVal>(channel.c_str()));
info->Assign(0, make_intrusive<StringVal>(nick.c_str()));
info->Assign(1, make_intrusive<StringVal>(channel.c_str()));
// Password:
info->Assign(2, zeek::make_intrusive<zeek::StringVal>(empty_string.c_str()));
info->Assign(2, make_intrusive<StringVal>(empty_string.c_str()));
// User mode:
info->Assign(3, zeek::make_intrusive<zeek::StringVal>(mode.c_str()));
info->Assign(3, make_intrusive<StringVal>(mode.c_str()));
list->Assign(std::move(info), nullptr);
}
EnqueueConnEvent(irc_join_message,
ConnVal(),
zeek::val_mgr->Bool(orig),
val_mgr->Bool(orig),
std::move(list)
);
}
@ -941,20 +941,20 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
nick = nick.substr(0, pos);
vector<string> channelList = SplitWords(channels, ',');
auto set = zeek::make_intrusive<zeek::TableVal>(zeek::id::string_set);
auto set = make_intrusive<TableVal>(id::string_set);
for ( const auto& channel : channelList )
{
auto idx = zeek::make_intrusive<zeek::StringVal>(channel);
auto idx = make_intrusive<StringVal>(channel);
set->Assign(std::move(idx), nullptr);
}
EnqueueConnEvent(irc_part_message,
ConnVal(),
zeek::val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(nick.c_str()),
val_mgr->Bool(orig),
make_intrusive<StringVal>(nick.c_str()),
std::move(set),
zeek::make_intrusive<zeek::StringVal>(message.c_str())
make_intrusive<StringVal>(message.c_str())
);
}
@ -974,9 +974,9 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
EnqueueConnEvent(irc_quit_message,
ConnVal(),
zeek::val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(nickname.c_str()),
zeek::make_intrusive<zeek::StringVal>(message.c_str())
val_mgr->Bool(orig),
make_intrusive<StringVal>(nickname.c_str()),
make_intrusive<StringVal>(message.c_str())
);
}
@ -988,9 +988,9 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
EnqueueConnEvent(irc_nick_message,
ConnVal(),
zeek::val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(prefix.c_str()),
zeek::make_intrusive<zeek::StringVal>(nick.c_str())
val_mgr->Bool(orig),
make_intrusive<StringVal>(prefix.c_str()),
make_intrusive<StringVal>(nick.c_str())
);
}
@ -1013,11 +1013,11 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
EnqueueConnEvent(irc_who_message,
ConnVal(),
zeek::val_mgr->Bool(orig),
val_mgr->Bool(orig),
parts.size() > 0 ?
zeek::make_intrusive<zeek::StringVal>(parts[0].c_str()) :
zeek::val_mgr->EmptyString(),
zeek::val_mgr->Bool(oper)
make_intrusive<StringVal>(parts[0].c_str()) :
val_mgr->EmptyString(),
val_mgr->Bool(oper)
);
}
@ -1043,9 +1043,9 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
EnqueueConnEvent(irc_whois_message,
ConnVal(),
zeek::val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(server.c_str()),
zeek::make_intrusive<zeek::StringVal>(users.c_str())
val_mgr->Bool(orig),
make_intrusive<StringVal>(server.c_str()),
make_intrusive<StringVal>(users.c_str())
);
}
@ -1056,9 +1056,9 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
EnqueueConnEvent(irc_error_message,
ConnVal(),
zeek::val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(prefix.c_str()),
zeek::make_intrusive<zeek::StringVal>(params.c_str())
val_mgr->Bool(orig),
make_intrusive<StringVal>(prefix.c_str()),
make_intrusive<StringVal>(params.c_str())
);
}
@ -1072,10 +1072,10 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
EnqueueConnEvent(irc_invite_message,
ConnVal(),
zeek::val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(prefix.c_str()),
zeek::make_intrusive<zeek::StringVal>(parts[0].c_str()),
zeek::make_intrusive<zeek::StringVal>(parts[1].c_str())
val_mgr->Bool(orig),
make_intrusive<StringVal>(prefix.c_str()),
make_intrusive<StringVal>(parts[0].c_str()),
make_intrusive<StringVal>(parts[1].c_str())
);
}
else
@ -1087,9 +1087,9 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( params.size() > 0 )
EnqueueConnEvent(irc_mode_message,
ConnVal(),
zeek::val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(prefix.c_str()),
zeek::make_intrusive<zeek::StringVal>(params.c_str())
val_mgr->Bool(orig),
make_intrusive<StringVal>(prefix.c_str()),
make_intrusive<StringVal>(params.c_str())
);
else
@ -1100,8 +1100,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
{
EnqueueConnEvent(irc_password_message,
ConnVal(),
zeek::val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(params.c_str())
val_mgr->Bool(orig),
make_intrusive<StringVal>(params.c_str())
);
}
@ -1122,10 +1122,10 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
EnqueueConnEvent(irc_squit_message,
ConnVal(),
zeek::val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(prefix.c_str()),
zeek::make_intrusive<zeek::StringVal>(server.c_str()),
zeek::make_intrusive<zeek::StringVal>(message.c_str())
val_mgr->Bool(orig),
make_intrusive<StringVal>(prefix.c_str()),
make_intrusive<StringVal>(server.c_str()),
make_intrusive<StringVal>(message.c_str())
);
}
@ -1136,10 +1136,10 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
{
EnqueueConnEvent(irc_request,
ConnVal(),
zeek::val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(prefix.c_str()),
zeek::make_intrusive<zeek::StringVal>(command.c_str()),
zeek::make_intrusive<zeek::StringVal>(params.c_str())
val_mgr->Bool(orig),
make_intrusive<StringVal>(prefix.c_str()),
make_intrusive<StringVal>(command.c_str()),
make_intrusive<StringVal>(params.c_str())
);
}
}
@ -1150,10 +1150,10 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
{
EnqueueConnEvent(irc_message,
ConnVal(),
zeek::val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(prefix.c_str()),
zeek::make_intrusive<zeek::StringVal>(command.c_str()),
zeek::make_intrusive<zeek::StringVal>(params.c_str())
val_mgr->Bool(orig),
make_intrusive<StringVal>(prefix.c_str()),
make_intrusive<StringVal>(command.c_str()),
make_intrusive<StringVal>(params.c_str())
);
}
}
@ -1163,8 +1163,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
{
orig_zip_status = ZIP_LOADED;
resp_zip_status = ZIP_LOADED;
AddSupportAnalyzer(new zeek::analyzer::zip::ZIP_Analyzer(Conn(), true));
AddSupportAnalyzer(new zeek::analyzer::zip::ZIP_Analyzer(Conn(), false));
AddSupportAnalyzer(new analyzer::zip::ZIP_Analyzer(Conn(), true));
AddSupportAnalyzer(new analyzer::zip::ZIP_Analyzer(Conn(), false));
}
return;
@ -1179,7 +1179,7 @@ void IRC_Analyzer::StartTLS()
RemoveSupportAnalyzer(cl_orig);
RemoveSupportAnalyzer(cl_resp);
Analyzer* ssl = zeek::analyzer_mgr->InstantiateAnalyzer("SSL", Conn());
Analyzer* ssl = analyzer_mgr->InstantiateAnalyzer("SSL", Conn());
if ( ssl )
AddChildAnalyzer(ssl);

10
src/analyzer/protocol/irc/IRC.h
View file

@ -9,14 +9,14 @@ namespace zeek::analyzer::irc {
/**
* \brief Main class for analyzing IRC traffic.
*/
class IRC_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
class IRC_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer {
enum { WAIT_FOR_REGISTRATION, REGISTERED, };
enum { NO_ZIP, ACCEPT_ZIP, ZIP_LOADED, };
public:
/**
* \brief Constructor, builds a new analyzer object.
*/
explicit IRC_Analyzer(zeek::Connection* conn);
explicit IRC_Analyzer(Connection* conn);
/**
* \brief Called when connection is closed.
@ -32,7 +32,7 @@ public:
*/
void DeliverStream(int len, const u_char* data, bool orig) override;
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn)
static analyzer::Analyzer* Instantiate(Connection* conn)
{
return new IRC_Analyzer(conn);
}
@ -64,8 +64,8 @@ private:
*/
std::vector<std::string> SplitWords(const std::string& input, char split);
zeek::analyzer::tcp::ContentLine_Analyzer* cl_orig;
zeek::analyzer::tcp::ContentLine_Analyzer* cl_resp;
analyzer::tcp::ContentLine_Analyzer* cl_orig;
analyzer::tcp::ContentLine_Analyzer* cl_resp;
bool starttls; // if true, connection has been upgraded to tls
};

36
src/analyzer/protocol/krb/KRB.cc
View file

@ -16,7 +16,7 @@ krb5_keytab KRB_Analyzer::krb_keytab = nullptr;
std::once_flag KRB_Analyzer::krb_initialized;
#endif
KRB_Analyzer::KRB_Analyzer(zeek::Connection* conn)
KRB_Analyzer::KRB_Analyzer(Connection* conn)
: Analyzer("KRB", conn)
{
interp = new binpac::KRB::KRB_Conn(this);
@ -29,19 +29,19 @@ KRB_Analyzer::KRB_Analyzer(zeek::Connection* conn)
static void warn_krb(const char* msg, krb5_context ctx, krb5_error_code code)
{
auto err = krb5_get_error_message(ctx, code);
zeek::reporter->Warning("%s (%s)", msg, err);
reporter->Warning("%s (%s)", msg, err);
krb5_free_error_message(ctx, err);
}
void KRB_Analyzer::Initialize_Krb()
{
if ( zeek::BifConst::KRB::keytab->Len() == 0 )
if ( BifConst::KRB::keytab->Len() == 0 )
return; // no keytab set
const char* keytab_filename = zeek::BifConst::KRB::keytab->CheckString();
const char* keytab_filename = BifConst::KRB::keytab->CheckString();
if ( access(keytab_filename, R_OK) != 0 )
{
zeek::reporter->Warning("KRB: Can't access keytab (%s)", keytab_filename);
reporter->Warning("KRB: Can't access keytab (%s)", keytab_filename);
return;
}
@ -73,7 +73,7 @@ void KRB_Analyzer::Done()
}
void KRB_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const zeek::IP_Hdr* ip, int caplen)
uint64_t seq, const IP_Hdr* ip, int caplen)
{
Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
@ -83,30 +83,30 @@ void KRB_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
}
catch ( const binpac::Exception& e )
{
ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg()));
ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
}
}
zeek::StringValPtr KRB_Analyzer::GetAuthenticationInfo(const zeek::String* principal,
const zeek::String* ciphertext,
const bro_uint_t enctype)
StringValPtr KRB_Analyzer::GetAuthenticationInfo(const String* principal,
const String* ciphertext,
const bro_uint_t enctype)
{
#ifdef USE_KRB5
if ( !krb_available )
return nullptr;
zeek::String delim("/");
String delim("/");
int pos = principal->FindSubstring(&delim);
if ( pos == -1 )
{
zeek::reporter->Warning("KRB: Couldn't parse principal (%s)", principal->CheckString());
reporter->Warning("KRB: Couldn't parse principal (%s)", principal->CheckString());
return nullptr;
}
std::unique_ptr<zeek::String> service = unique_ptr<zeek::String>(principal->GetSubstring(0, pos));
std::unique_ptr<zeek::String> hostname = unique_ptr<zeek::String>(principal->GetSubstring(pos + 1, -1));
std::unique_ptr<String> service = unique_ptr<String>(principal->GetSubstring(0, pos));
std::unique_ptr<String> hostname = unique_ptr<String>(principal->GetSubstring(pos + 1, -1));
if ( !service || !hostname )
{
zeek::reporter->Warning("KRB: Couldn't parse principal (%s)", principal->CheckString());
reporter->Warning("KRB: Couldn't parse principal (%s)", principal->CheckString());
return nullptr;
}
krb5_principal sprinc;
@ -117,13 +117,13 @@ zeek::StringValPtr KRB_Analyzer::GetAuthenticationInfo(const zeek::String* princ
return nullptr;
}
auto tkt = static_cast<krb5_ticket*>(zeek::util::safe_malloc(sizeof(krb5_ticket)));
auto tkt = static_cast<krb5_ticket*>(util::safe_malloc(sizeof(krb5_ticket)));
memset(tkt, 0, sizeof(krb5_ticket));
tkt->server = sprinc;
tkt->enc_part.enctype = enctype;
auto ctd = static_cast<char*>(zeek::util::safe_malloc(ciphertext->Len()));
auto ctd = static_cast<char*>(util::safe_malloc(ciphertext->Len()));
memcpy(ctd, ciphertext->Bytes(), ciphertext->Len());
tkt->enc_part.ciphertext.data = ctd;
tkt->enc_part.ciphertext.length = ciphertext->Len();
@ -147,7 +147,7 @@ zeek::StringValPtr KRB_Analyzer::GetAuthenticationInfo(const zeek::String* princ
return nullptr;
}
auto ret = zeek::make_intrusive<zeek::StringVal>(cp);
auto ret = make_intrusive<StringVal>(cp);
krb5_free_unparsed_name(krb_context, cp);
krb5_free_ticket(krb_context, tkt);

14
src/analyzer/protocol/krb/KRB.h
View file

@ -12,22 +12,22 @@
namespace zeek::analyzer::krb {
class KRB_Analyzer final : public zeek::analyzer::Analyzer {
class KRB_Analyzer final : public analyzer::Analyzer {
public:
explicit KRB_Analyzer(zeek::Connection* conn);
explicit KRB_Analyzer(Connection* conn);
virtual ~KRB_Analyzer();
virtual void Done();
virtual void DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const zeek::IP_Hdr* ip, int caplen);
uint64_t seq, const IP_Hdr* ip, int caplen);
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn)
static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new KRB_Analyzer(conn); }
zeek::StringValPtr GetAuthenticationInfo(const zeek::String* principal,
const zeek::String* ciphertext,
const bro_uint_t enctype);
StringValPtr GetAuthenticationInfo(const String* principal,
const String* ciphertext,
const bro_uint_t enctype);
protected:

14
src/analyzer/protocol/krb/KRB_TCP.cc
View file

@ -7,8 +7,8 @@
namespace zeek::analyzer::krb_tcp {
KRB_Analyzer::KRB_Analyzer(zeek::Connection* conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("KRB_TCP", conn)
KRB_Analyzer::KRB_Analyzer(Connection* conn)
: analyzer::tcp::TCP_ApplicationAnalyzer("KRB_TCP", conn)
{
interp = new binpac::KRB_TCP::KRB_Conn(this);
had_gap = false;
@ -21,7 +21,7 @@ KRB_Analyzer::~KRB_Analyzer()
void KRB_Analyzer::Done()
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
analyzer::tcp::TCP_ApplicationAnalyzer::Done();
interp->FlowEOF(true);
interp->FlowEOF(false);
@ -29,13 +29,13 @@ void KRB_Analyzer::Done()
void KRB_Analyzer::EndpointEOF(bool is_orig)
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
interp->FlowEOF(is_orig);
}
void KRB_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
assert(TCP());
if ( TCP()->IsPartial() )
@ -53,13 +53,13 @@ void KRB_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
}
catch ( const binpac::Exception& e )
{
ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg()));
ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
}
}
void KRB_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
had_gap = true;
interp->NewGap(orig, len);
}

16
src/analyzer/protocol/krb/KRB_TCP.h
View file

@ -8,25 +8,25 @@
namespace zeek::analyzer::krb_tcp {
class KRB_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
class KRB_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer {
public:
explicit KRB_Analyzer(zeek::Connection* conn);
explicit KRB_Analyzer(Connection* conn);
~KRB_Analyzer() override;
void Done() override;
void DeliverStream(int len, const u_char* data, bool orig) override;
void Undelivered(uint64_t seq, int len, bool orig) override;
// Overriden from zeek::analyzer::tcp::TCP_ApplicationAnalyzer.
// Overriden from analyzer::tcp::TCP_ApplicationAnalyzer.
void EndpointEOF(bool is_orig) override;
zeek::StringValPtr GetAuthenticationInfo(const zeek::String* principal,
const zeek::String* ciphertext,
const bro_uint_t enctype)
{ return zeek::val_mgr->EmptyString(); }
StringValPtr GetAuthenticationInfo(const String* principal,
const String* ciphertext,
const bro_uint_t enctype)
{ return val_mgr->EmptyString(); }
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn)
static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new KRB_Analyzer(conn); }
protected:

114
src/analyzer/protocol/login/Login.cc
View file

@ -17,18 +17,18 @@
namespace zeek::analyzer::login {
static zeek::RE_Matcher* re_skip_authentication = nullptr;
static zeek::RE_Matcher* re_direct_login_prompts;
static zeek::RE_Matcher* re_login_prompts;
static zeek::RE_Matcher* re_login_non_failure_msgs;
static zeek::RE_Matcher* re_login_failure_msgs;
static zeek::RE_Matcher* re_login_success_msgs;
static zeek::RE_Matcher* re_login_timeouts;
static RE_Matcher* re_skip_authentication = nullptr;
static RE_Matcher* re_direct_login_prompts;
static RE_Matcher* re_login_prompts;
static RE_Matcher* re_login_non_failure_msgs;
static RE_Matcher* re_login_failure_msgs;
static RE_Matcher* re_login_success_msgs;
static RE_Matcher* re_login_timeouts;
static zeek::RE_Matcher* init_RE(zeek::ListVal* l);
static RE_Matcher* init_RE(ListVal* l);
Login_Analyzer::Login_Analyzer(const char* name, zeek::Connection* conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer(name, conn), user_text()
Login_Analyzer::Login_Analyzer(const char* name, Connection* conn)
: analyzer::tcp::TCP_ApplicationAnalyzer(name, conn), user_text()
{
state = LOGIN_STATE_AUTHENTICATE;
num_user_lines_seen = lines_scanned = 0;
@ -45,13 +45,13 @@ Login_Analyzer::Login_Analyzer(const char* name, zeek::Connection* conn)
if ( ! re_skip_authentication )
{
zeek::ListValPtr skip_authentication = zeek::id::find_val("skip_authentication")->AsTableVal()->ToPureListVal();
zeek::ListValPtr direct_login_prompts = zeek::id::find_val("direct_login_prompts")->AsTableVal()->ToPureListVal();
zeek::ListValPtr login_prompts = zeek::id::find_val("login_prompts")->AsTableVal()->ToPureListVal();
zeek::ListValPtr login_non_failure_msgs = zeek::id::find_val("login_non_failure_msgs")->AsTableVal()->ToPureListVal();
zeek::ListValPtr login_failure_msgs = zeek::id::find_val("login_failure_msgs")->AsTableVal()->ToPureListVal();
zeek::ListValPtr login_success_msgs = zeek::id::find_val("login_success_msgs")->AsTableVal()->ToPureListVal();
zeek::ListValPtr login_timeouts = zeek::id::find_val("login_timeouts")->AsTableVal()->ToPureListVal();
ListValPtr skip_authentication = id::find_val("skip_authentication")->AsTableVal()->ToPureListVal();
ListValPtr direct_login_prompts = id::find_val("direct_login_prompts")->AsTableVal()->ToPureListVal();
ListValPtr login_prompts = id::find_val("login_prompts")->AsTableVal()->ToPureListVal();
ListValPtr login_non_failure_msgs = id::find_val("login_non_failure_msgs")->AsTableVal()->ToPureListVal();
ListValPtr login_failure_msgs = id::find_val("login_failure_msgs")->AsTableVal()->ToPureListVal();
ListValPtr login_success_msgs = id::find_val("login_success_msgs")->AsTableVal()->ToPureListVal();
ListValPtr login_timeouts = id::find_val("login_timeouts")->AsTableVal()->ToPureListVal();
#ifdef USE_PERFTOOLS_DEBUG
HeapLeakChecker::Disabler disabler;
@ -80,7 +80,7 @@ Login_Analyzer::~Login_Analyzer()
void Login_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(length, line, orig);
analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(length, line, orig);
char* str = new char[length+1];
@ -91,7 +91,7 @@ void Login_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
str[j++] = line[i];
else
{
if ( Conn()->FlagEvent(zeek::NUL_IN_LINE) )
if ( Conn()->FlagEvent(NUL_IN_LINE) )
Weird("NUL_in_line");
}
@ -117,8 +117,8 @@ void Login_Analyzer::NewLine(bool orig, char* line)
if ( state == LOGIN_STATE_AUTHENTICATE )
{
if ( TCP()->OrigState() == zeek::analyzer::tcp::TCP_ENDPOINT_PARTIAL ||
TCP()->RespState() == zeek::analyzer::tcp::TCP_ENDPOINT_PARTIAL )
if ( TCP()->OrigState() == analyzer::tcp::TCP_ENDPOINT_PARTIAL ||
TCP()->RespState() == analyzer::tcp::TCP_ENDPOINT_PARTIAL )
state = LOGIN_STATE_CONFUSED; // unknown login state
else
{
@ -129,7 +129,7 @@ void Login_Analyzer::NewLine(bool orig, char* line)
if ( state != LOGIN_STATE_CONFUSED )
{
zeek::reporter->AnalyzerError(
reporter->AnalyzerError(
this, "bad state in Login_Analyzer::NewLine");
return;
}
@ -323,38 +323,38 @@ void Login_Analyzer::SetEnv(bool orig, char* name, char* val)
else
{
if ( zeek::util::streq(name, "USER") )
if ( util::streq(name, "USER") )
{
if ( username )
{
const zeek::String* u = username->AsString();
const zeek::byte_vec ub = u->Bytes();
const String* u = username->AsString();
const byte_vec ub = u->Bytes();
const char* us = (const char*) ub;
if ( ! zeek::util::streq(val, us) )
if ( ! util::streq(val, us) )
Confused("multiple_USERs", val);
Unref(username);
}
// "val" gets copied here.
username = new zeek::StringVal(val);
username = new StringVal(val);
}
else if ( login_terminal && zeek::util::streq(name, "TERM") )
else if ( login_terminal && util::streq(name, "TERM") )
EnqueueConnEvent(login_terminal,
ConnVal(),
zeek::make_intrusive<zeek::StringVal>(val)
make_intrusive<StringVal>(val)
);
else if ( login_display && zeek::util::streq(name, "DISPLAY") )
else if ( login_display && util::streq(name, "DISPLAY") )
EnqueueConnEvent(login_display,
ConnVal(),
zeek::make_intrusive<zeek::StringVal>(val)
make_intrusive<StringVal>(val)
);
else if ( login_prompt && zeek::util::streq(name, "TTYPROMPT") )
else if ( login_prompt && util::streq(name, "TTYPROMPT") )
EnqueueConnEvent(login_prompt,
ConnVal(),
zeek::make_intrusive<zeek::StringVal>(val)
make_intrusive<StringVal>(val)
);
}
@ -364,7 +364,7 @@ void Login_Analyzer::SetEnv(bool orig, char* name, char* val)
void Login_Analyzer::EndpointEOF(bool orig)
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(orig);
analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(orig);
if ( state == LOGIN_STATE_AUTHENTICATE && HaveTypeahead() )
{
@ -373,7 +373,7 @@ void Login_Analyzer::EndpointEOF(bool orig)
}
}
void Login_Analyzer::LoginEvent(zeek::EventHandlerPtr f, const char* line,
void Login_Analyzer::LoginEvent(EventHandlerPtr f, const char* line,
bool no_user_okay)
{
if ( ! f )
@ -389,7 +389,7 @@ void Login_Analyzer::LoginEvent(zeek::EventHandlerPtr f, const char* line,
if ( no_user_okay )
{
Unref(username);
username = new zeek::StringVal("<none>");
username = new StringVal("<none>");
}
else
@ -414,7 +414,7 @@ void Login_Analyzer::LoginEvent(zeek::EventHandlerPtr f, const char* line,
if ( no_user_okay )
{
Unref(username);
username = new zeek::StringVal("<none>");
username = new StringVal("<none>");
}
else
@ -425,16 +425,16 @@ void Login_Analyzer::LoginEvent(zeek::EventHandlerPtr f, const char* line,
}
}
zeek::Val* password = HaveTypeahead() ?
PopUserTextVal() : new zeek::StringVal("<none>");
Val* password = HaveTypeahead() ?
PopUserTextVal() : new StringVal("<none>");
EnqueueConnEvent(f,
ConnVal(),
zeek::IntrusivePtr{zeek::NewRef{}, username},
client_name ? zeek::IntrusivePtr{zeek::NewRef{}, client_name}
: zeek::val_mgr->EmptyString(),
zeek::IntrusivePtr{zeek::AdoptRef{}, password},
zeek::make_intrusive<zeek::StringVal>(line)
IntrusivePtr{NewRef{}, username},
client_name ? IntrusivePtr{NewRef{}, client_name}
: val_mgr->EmptyString(),
IntrusivePtr{AdoptRef{}, password},
make_intrusive<StringVal>(line)
);
}
@ -446,14 +446,14 @@ const char* Login_Analyzer::GetUsername(const char* line) const
return line;
}
void Login_Analyzer::LineEvent(zeek::EventHandlerPtr f, const char* line)
void Login_Analyzer::LineEvent(EventHandlerPtr f, const char* line)
{
if ( ! f )
return;
EnqueueConnEvent(f,
ConnVal(),
zeek::make_intrusive<zeek::StringVal>(line)
make_intrusive<StringVal>(line)
);
}
@ -465,8 +465,8 @@ void Login_Analyzer::Confused(const char* msg, const char* line)
if ( login_confused )
EnqueueConnEvent(login_confused,
ConnVal(),
zeek::make_intrusive<zeek::StringVal>(msg),
zeek::make_intrusive<zeek::StringVal>(line)
make_intrusive<StringVal>(msg),
make_intrusive<StringVal>(line)
);
if ( login_confused_text )
@ -489,7 +489,7 @@ void Login_Analyzer::ConfusionText(const char* line)
if ( login_confused_text )
EnqueueConnEvent(login_confused_text,
ConnVal(),
zeek::make_intrusive<zeek::StringVal>(line)
make_intrusive<StringVal>(line)
);
}
@ -562,7 +562,7 @@ void Login_Analyzer::AddUserText(const char* line)
if ( ++user_text_last == MAX_USER_TEXT )
user_text_last = 0;
user_text[user_text_last] = zeek::util::copy_string(line);
user_text[user_text_last] = util::copy_string(line);
++num_user_text;
}
@ -572,7 +572,7 @@ char* Login_Analyzer::PeekUserText()
{
if ( num_user_text <= 0 )
{
zeek::reporter->AnalyzerError(
reporter->AnalyzerError(
this, "underflow in Login_Analyzer::PeekUserText()");
return nullptr;
}
@ -595,14 +595,14 @@ char* Login_Analyzer::PopUserText()
return s;
}
zeek::Val* Login_Analyzer::PopUserTextVal()
Val* Login_Analyzer::PopUserTextVal()
{
char* s = PopUserText();
if ( s )
return new zeek::StringVal(new zeek::String(true, zeek::byte_vec(s), strlen(s)));
return new StringVal(new String(true, byte_vec(s), strlen(s)));
else
return zeek::val_mgr->EmptyString()->Ref();
return val_mgr->EmptyString()->Ref();
}
bool Login_Analyzer::MatchesTypeahead(const char* line) const
@ -612,7 +612,7 @@ bool Login_Analyzer::MatchesTypeahead(const char* line) const
if ( i == MAX_USER_TEXT )
i = 0;
if ( zeek::util::streq(user_text[i], line) )
if ( util::streq(user_text[i], line) )
return true;
}
@ -625,9 +625,9 @@ void Login_Analyzer::FlushEmptyTypeahead()
delete [] PopUserText();
}
zeek::RE_Matcher* init_RE(zeek::ListVal* l)
RE_Matcher* init_RE(ListVal* l)
{
zeek::RE_Matcher* re = l->BuildRE();
RE_Matcher* re = l->BuildRE();
if ( re )
re->Compile();

14
src/analyzer/protocol/login/Login.h
View file

@ -19,9 +19,9 @@ enum login_state {
// Maximum # lines look after login for failure.
#define MAX_LOGIN_LOOKAHEAD 10
class Login_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
class Login_Analyzer : public analyzer::tcp::TCP_ApplicationAnalyzer {
public:
Login_Analyzer(const char* name, zeek::Connection* conn);
Login_Analyzer(const char* name, Connection* conn);
~Login_Analyzer() override;
void DeliverStream(int len, const u_char* data, bool orig) override;
@ -37,9 +37,9 @@ protected:
void NewLine(bool orig, char* line);
void AuthenticationDialog(bool orig, char* line);
void LoginEvent(zeek::EventHandlerPtr f, const char* line, bool no_user_okay=false);
void LoginEvent(EventHandlerPtr f, const char* line, bool no_user_okay=false);
const char* GetUsername(const char* line) const;
void LineEvent(zeek::EventHandlerPtr f, const char* line);
void LineEvent(EventHandlerPtr f, const char* line);
void Confused(const char* msg, const char* addl);
void ConfusionText(const char* line);
@ -55,7 +55,7 @@ protected:
void AddUserText(const char* line); // complains on overflow
char* PeekUserText(); // internal warning on underflow
char* PopUserText(); // internal warning on underflow
zeek::Val* PopUserTextVal();
Val* PopUserTextVal();
bool MatchesTypeahead(const char* line) const;
bool HaveTypeahead() const { return num_user_text > 0; }
@ -68,8 +68,8 @@ protected:
int user_text_first, user_text_last; // indices into user_text
int num_user_text; // number of entries in user_text
zeek::Val* username; // last username reported
zeek::Val* client_name; // rlogin client name (or nil if none)
Val* username; // last username reported
Val* client_name; // rlogin client name (or nil if none)
login_state state;
int lines_scanned;

22
src/analyzer/protocol/login/NVT.cc
View file

@ -44,7 +44,7 @@ void TelnetOption::RecvOption(unsigned int type)
if ( ! peer )
{
zeek::reporter->AnalyzerError(
reporter->AnalyzerError(
endp, "option peer missing in TelnetOption::RecvOption");
return;
}
@ -92,7 +92,7 @@ void TelnetOption::RecvOption(unsigned int type)
break;
default:
zeek::reporter->AnalyzerError(
reporter->AnalyzerError(
endp, "bad option type in TelnetOption::RecvOption");
return;
}
@ -176,7 +176,7 @@ void TelnetEncryptOption::RecvSubOption(u_char* data, int len)
if ( ! peer )
{
zeek::reporter->AnalyzerError(
reporter->AnalyzerError(
endp, "option peer missing in TelnetEncryptOption::RecvSubOption");
return;
}
@ -216,7 +216,7 @@ void TelnetAuthenticateOption::RecvSubOption(u_char* data, int len)
if ( ! peer )
{
zeek::reporter->AnalyzerError(
reporter->AnalyzerError(
endp, "option peer missing in TelnetAuthenticateOption::RecvSubOption");
return;
}
@ -251,7 +251,7 @@ void TelnetAuthenticateOption::RecvSubOption(u_char* data, int len)
case AUTHENTICATION_NAME:
{
char* auth_name = new char[len];
zeek::util::safe_strncpy(auth_name, (char*) data + 1, len);
util::safe_strncpy(auth_name, (char*) data + 1, len);
endp->SetAuthName(auth_name);
}
break;
@ -309,7 +309,7 @@ void TelnetEnvironmentOption::RecvSubOption(u_char* data, int len)
break;
}
static_cast<zeek::analyzer::tcp::TCP_ApplicationAnalyzer*>
static_cast<analyzer::tcp::TCP_ApplicationAnalyzer*>
(endp->Parent())->SetEnv(endp->IsOrig(),
var_name, var_val);
}
@ -382,8 +382,8 @@ void TelnetBinaryOption::InconsistentOption(unsigned int /* type */)
} // namespace detail
NVT_Analyzer::NVT_Analyzer(zeek::Connection* conn, bool orig)
: zeek::analyzer::tcp::ContentLine_Analyzer("NVT", conn, orig), options()
NVT_Analyzer::NVT_Analyzer(Connection* conn, bool orig)
: analyzer::tcp::ContentLine_Analyzer("NVT", conn, orig), options()
{
}
@ -463,7 +463,7 @@ void NVT_Analyzer::SetTerminal(const u_char* terminal, int len)
if ( login_terminal )
EnqueueConnEvent(login_terminal,
ConnVal(),
zeek::make_intrusive<zeek::StringVal>(new zeek::String(terminal, len, false))
make_intrusive<StringVal>(new String(terminal, len, false))
);
}
@ -538,7 +538,7 @@ void NVT_Analyzer::DeliverChunk(int& len, const u_char*& data)
else
{
if ( Conn()->FlagEvent(zeek::SINGULAR_LF) )
if ( Conn()->FlagEvent(SINGULAR_LF) )
Conn()->Weird("line_terminated_with_single_LF");
buf[offset++] = c;
}
@ -576,7 +576,7 @@ void NVT_Analyzer::DeliverChunk(int& len, const u_char*& data)
if ( ! (CRLFAsEOL() & CR_as_EOL) &&
last_char == '\r' && c != '\n' && c != '\0' )
{
if ( Conn()->FlagEvent(zeek::SINGULAR_CR) )
if ( Conn()->FlagEvent(SINGULAR_CR) )
Weird("line_terminated_with_single_CR");
}

4
src/analyzer/protocol/login/NVT.h
View file

@ -126,9 +126,9 @@ protected:
} // namespace detail
class NVT_Analyzer final : public zeek::analyzer::tcp::ContentLine_Analyzer {
class NVT_Analyzer final : public analyzer::tcp::ContentLine_Analyzer {
public:
NVT_Analyzer(zeek::Connection* conn, bool orig);
NVT_Analyzer(Connection* conn, bool orig);
~NVT_Analyzer() override;
TelnetOption* FindOption(unsigned int code);

41
src/analyzer/protocol/login/RSH.cc
View file

@ -13,9 +13,9 @@ namespace zeek::analyzer::login {
// FIXME: this code should probably be merged with Rlogin.cc.
Contents_Rsh_Analyzer::Contents_Rsh_Analyzer(zeek::Connection* conn, bool orig,
Contents_Rsh_Analyzer::Contents_Rsh_Analyzer(Connection* conn, bool orig,
Rsh_Analyzer* arg_analyzer)
: zeek::analyzer::tcp::ContentLine_Analyzer("CONTENTS_RSH", conn, orig)
: analyzer::tcp::ContentLine_Analyzer("CONTENTS_RSH", conn, orig)
{
num_bytes_to_scan = 0;
analyzer = arg_analyzer;
@ -35,7 +35,7 @@ Contents_Rsh_Analyzer::~Contents_Rsh_Analyzer()
void Contents_Rsh_Analyzer::DoDeliver(int len, const u_char* data)
{
zeek::analyzer::tcp::TCP_Analyzer* tcp = static_cast<zeek::analyzer::tcp::TCP_ApplicationAnalyzer*>(Parent())->TCP();
analyzer::tcp::TCP_Analyzer* tcp = static_cast<analyzer::tcp::TCP_ApplicationAnalyzer*>(Parent())->TCP();
assert(tcp);
int endp_state = IsOrig() ? tcp->OrigState() : tcp->RespState();
@ -49,10 +49,10 @@ void Contents_Rsh_Analyzer::DoDeliver(int len, const u_char* data)
switch ( state ) {
case RSH_FIRST_NULL:
if ( endp_state == zeek::analyzer::tcp::TCP_ENDPOINT_PARTIAL ||
if ( endp_state == analyzer::tcp::TCP_ENDPOINT_PARTIAL ||
// We can be in closed if the data's due to
// a dataful FIN being the first thing we see.
endp_state == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED )
endp_state == analyzer::tcp::TCP_ENDPOINT_CLOSED )
{
state = RSH_UNKNOWN;
++len, --data; // put back c and reprocess
@ -131,7 +131,7 @@ void Contents_Rsh_Analyzer::DoDeliver(int len, const u_char* data)
break;
default:
zeek::reporter->AnalyzerError(
reporter->AnalyzerError(
this, "bad state in Contents_Rsh_Analyzer::DoDeliver");
break;
}
@ -144,7 +144,7 @@ void Contents_Rsh_Analyzer::BadProlog()
state = RSH_UNKNOWN;
}
Rsh_Analyzer::Rsh_Analyzer(zeek::Connection* conn)
Rsh_Analyzer::Rsh_Analyzer(Connection* conn)
: Login_Analyzer("RSH", conn)
{
contents_orig = new Contents_Rsh_Analyzer(conn, true, this);
@ -168,31 +168,31 @@ void Rsh_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
return;
}
zeek::Args vl;
Args vl;
vl.reserve(4 + orig);
const char* line = (const char*) data;
line = zeek::util::skip_whitespace(line);
line = util::skip_whitespace(line);
vl.emplace_back(ConnVal());
if ( client_name )
vl.emplace_back(zeek::NewRef{}, client_name);
vl.emplace_back(NewRef{}, client_name);
else
vl.emplace_back(zeek::make_intrusive<zeek::StringVal>("<none>"));
vl.emplace_back(make_intrusive<StringVal>("<none>"));
if ( username )
vl.emplace_back(zeek::NewRef{}, username);
vl.emplace_back(NewRef{}, username);
else
vl.emplace_back(zeek::make_intrusive<zeek::StringVal>("<none>"));
vl.emplace_back(make_intrusive<StringVal>("<none>"));
vl.emplace_back(zeek::make_intrusive<zeek::StringVal>(line));
vl.emplace_back(make_intrusive<StringVal>(line));
if ( orig )
{
if ( contents_orig->RshSaveState() == RSH_SERVER_USER_NAME )
// First input
vl.emplace_back(zeek::val_mgr->True());
vl.emplace_back(val_mgr->True());
else
vl.emplace_back(zeek::val_mgr->False());
vl.emplace_back(val_mgr->False());
EnqueueConnEvent(rsh_request, std::move(vl));
}
@ -205,23 +205,22 @@ void Rsh_Analyzer::ClientUserName(const char* s)
{
if ( client_name )
{
zeek::reporter->AnalyzerError(this, "multiple rsh client names");
reporter->AnalyzerError(this, "multiple rsh client names");
return;
}
client_name = new zeek::StringVal(s);
client_name = new StringVal(s);
}
void Rsh_Analyzer::ServerUserName(const char* s)
{
if ( username )
{
zeek::reporter->AnalyzerError(this,
"multiple rsh initial client names");
reporter->AnalyzerError(this, "multiple rsh initial client names");
return;
}
username = new zeek::StringVal(s);
username = new StringVal(s);
}
} // namespace zeek::analyzer::login

8
src/analyzer/protocol/login/RSH.h
View file

@ -22,9 +22,9 @@ enum rsh_state {
RSH_UNKNOWN, // we don't know what state we're in
};
class Contents_Rsh_Analyzer final : public zeek::analyzer::tcp::ContentLine_Analyzer {
class Contents_Rsh_Analyzer final : public analyzer::tcp::ContentLine_Analyzer {
public:
Contents_Rsh_Analyzer(zeek::Connection* conn, bool orig, Rsh_Analyzer* analyzer);
Contents_Rsh_Analyzer(Connection* conn, bool orig, Rsh_Analyzer* analyzer);
~Contents_Rsh_Analyzer() override;
rsh_state RshSaveState() const { return save_state; }
@ -41,14 +41,14 @@ protected:
class Rsh_Analyzer final : public Login_Analyzer {
public:
explicit Rsh_Analyzer(zeek::Connection* conn);
explicit Rsh_Analyzer(Connection* conn);
void DeliverStream(int len, const u_char* data, bool orig) override;
void ClientUserName(const char* s);
void ServerUserName(const char* s);
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn)
static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new Rsh_Analyzer(conn); }
Contents_Rsh_Analyzer* contents_orig;

24
src/analyzer/protocol/login/Rlogin.cc
View file

@ -11,8 +11,8 @@
namespace zeek::analyzer::login {
Contents_Rlogin_Analyzer::Contents_Rlogin_Analyzer(zeek::Connection* conn, bool orig, Rlogin_Analyzer* arg_analyzer)
: zeek::analyzer::tcp::ContentLine_Analyzer("CONTENTLINE", conn, orig)
Contents_Rlogin_Analyzer::Contents_Rlogin_Analyzer(Connection* conn, bool orig, Rlogin_Analyzer* arg_analyzer)
: analyzer::tcp::ContentLine_Analyzer("CONTENTLINE", conn, orig)
{
num_bytes_to_scan = 0;
analyzer = arg_analyzer;
@ -30,7 +30,7 @@ Contents_Rlogin_Analyzer::~Contents_Rlogin_Analyzer()
void Contents_Rlogin_Analyzer::DoDeliver(int len, const u_char* data)
{
auto* tcp = static_cast<zeek::analyzer::tcp::TCP_ApplicationAnalyzer*>(Parent())->TCP();
auto* tcp = static_cast<analyzer::tcp::TCP_ApplicationAnalyzer*>(Parent())->TCP();
assert(tcp);
int endp_state = IsOrig() ? tcp->OrigState() : tcp->RespState();
@ -44,10 +44,10 @@ void Contents_Rlogin_Analyzer::DoDeliver(int len, const u_char* data)
switch ( state ) {
case RLOGIN_FIRST_NULL:
if ( endp_state == zeek::analyzer::tcp::TCP_ENDPOINT_PARTIAL ||
if ( endp_state == analyzer::tcp::TCP_ENDPOINT_PARTIAL ||
// We can be in closed if the data's due to
// a dataful FIN being the first thing we see.
endp_state == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED )
endp_state == analyzer::tcp::TCP_ENDPOINT_CLOSED )
{
state = RLOGIN_UNKNOWN;
++len, --data; // put back c and reprocess
@ -89,10 +89,10 @@ void Contents_Rlogin_Analyzer::DoDeliver(int len, const u_char* data)
break;
case RLOGIN_SERVER_ACK:
if ( endp_state == zeek::analyzer::tcp::TCP_ENDPOINT_PARTIAL ||
if ( endp_state == analyzer::tcp::TCP_ENDPOINT_PARTIAL ||
// We can be in closed if the data's due to
// a dataful FIN being the first thing we see.
endp_state == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED )
endp_state == analyzer::tcp::TCP_ENDPOINT_CLOSED )
{
state = RLOGIN_UNKNOWN;
++len, --data; // put back c and reprocess
@ -194,7 +194,7 @@ void Contents_Rlogin_Analyzer::DoDeliver(int len, const u_char* data)
break;
default:
zeek::reporter->AnalyzerError(
reporter->AnalyzerError(
this, "bad state in Contents_Rlogin_Analyzer::DoDeliver");
break;
}
@ -208,7 +208,7 @@ void Contents_Rlogin_Analyzer::BadProlog()
}
Rlogin_Analyzer::Rlogin_Analyzer(zeek::Connection* conn)
Rlogin_Analyzer::Rlogin_Analyzer(Connection* conn)
: Login_Analyzer("RLOGIN", conn)
{
Contents_Rlogin_Analyzer* orig =
@ -227,11 +227,11 @@ void Rlogin_Analyzer::ClientUserName(const char* s)
{
if ( client_name )
{
zeek::reporter->AnalyzerError(this, "multiple rlogin client names");
reporter->AnalyzerError(this, "multiple rlogin client names");
return;
}
client_name = new zeek::StringVal(s);
client_name = new StringVal(s);
}
void Rlogin_Analyzer::ServerUserName(const char* s)
@ -246,7 +246,7 @@ void Rlogin_Analyzer::TerminalType(const char* s)
if ( login_terminal )
EnqueueConnEvent(login_terminal,
ConnVal(),
zeek::make_intrusive<zeek::StringVal>(s)
make_intrusive<StringVal>(s)
);
}

8
src/analyzer/protocol/login/Rlogin.h
View file

@ -30,9 +30,9 @@ enum rlogin_state {
RLOGIN_UNKNOWN, // we don't know what state we're in
};
class Contents_Rlogin_Analyzer final : public zeek::analyzer::tcp::ContentLine_Analyzer {
class Contents_Rlogin_Analyzer final : public analyzer::tcp::ContentLine_Analyzer {
public:
Contents_Rlogin_Analyzer(zeek::Connection* conn, bool orig,
Contents_Rlogin_Analyzer(Connection* conn, bool orig,
Rlogin_Analyzer* analyzer);
~Contents_Rlogin_Analyzer() override;
@ -55,13 +55,13 @@ protected:
class Rlogin_Analyzer final : public Login_Analyzer {
public:
explicit Rlogin_Analyzer(zeek::Connection* conn);
explicit Rlogin_Analyzer(Connection* conn);
void ClientUserName(const char* s);
void ServerUserName(const char* s);
void TerminalType(const char* s);
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn)
static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new Rlogin_Analyzer(conn); }
};

2
src/analyzer/protocol/login/Telnet.cc
View file

@ -9,7 +9,7 @@
namespace zeek::analyzer::login {
Telnet_Analyzer::Telnet_Analyzer(zeek::Connection* conn)
Telnet_Analyzer::Telnet_Analyzer(Connection* conn)
: Login_Analyzer("TELNET", conn)
{
NVT_Analyzer* nvt_orig = new NVT_Analyzer(conn, true);

4
src/analyzer/protocol/login/Telnet.h
View file

@ -8,10 +8,10 @@ namespace zeek::analyzer::login {
class Telnet_Analyzer : public Login_Analyzer {
public:
explicit Telnet_Analyzer(zeek::Connection* conn);
explicit Telnet_Analyzer(Connection* conn);
~Telnet_Analyzer() override {}
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn)
static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new Telnet_Analyzer(conn); }
};

172
src/analyzer/protocol/mime/MIME.cc
View file

@ -21,7 +21,7 @@
namespace zeek::analyzer::mime {
static const zeek::data_chunk_t null_data_chunk = { 0, nullptr };
static const data_chunk_t null_data_chunk = { 0, nullptr };
int mime_header_only = 0;
int mime_decode_data = 1;
@ -98,7 +98,7 @@ static const char* MIMEContentEncodingName[] = {
nullptr,
};
bool is_null_data_chunk(zeek::data_chunk_t b)
bool is_null_data_chunk(data_chunk_t b)
{
return b.data == nullptr;
}
@ -108,39 +108,39 @@ bool is_lws(char ch)
return ch == 9 || ch == 32;
}
zeek::StringVal* new_string_val(int length, const char* data)
StringVal* new_string_val(int length, const char* data)
{ return to_string_val(length, data).release(); }
zeek::StringVal* new_string_val(const char* data, const char* end_of_data)
StringVal* new_string_val(const char* data, const char* end_of_data)
{ return to_string_val(data, end_of_data).release(); }
zeek::StringVal* new_string_val(const zeek::data_chunk_t buf)
StringVal* new_string_val(const data_chunk_t buf)
{ return to_string_val(buf).release(); }
zeek::StringValPtr to_string_val(int length, const char* data)
StringValPtr to_string_val(int length, const char* data)
{
return zeek::make_intrusive<zeek::StringVal>(length, data);
return make_intrusive<StringVal>(length, data);
}
zeek::StringValPtr to_string_val(const char* data, const char* end_of_data)
StringValPtr to_string_val(const char* data, const char* end_of_data)
{
return zeek::make_intrusive<zeek::StringVal>(end_of_data - data, data);
return make_intrusive<StringVal>(end_of_data - data, data);
}
zeek::StringValPtr to_string_val(const zeek::data_chunk_t buf)
StringValPtr to_string_val(const data_chunk_t buf)
{
return to_string_val(buf.length, buf.data);
}
static zeek::data_chunk_t get_data_chunk(zeek::String* s)
static data_chunk_t get_data_chunk(String* s)
{
zeek::data_chunk_t b;
data_chunk_t b;
b.length = s->Len();
b.data = (const char*) s->Bytes();
return b;
}
int fputs(zeek::data_chunk_t b, FILE* fp)
int fputs(data_chunk_t b, FILE* fp)
{
for ( int i = 0; i < b.length; ++i )
if ( fputc(b.data[i], fp) == EOF )
@ -150,12 +150,12 @@ int fputs(zeek::data_chunk_t b, FILE* fp)
void MIME_Mail::Undelivered(int len)
{
cur_entity_id = zeek::file_mgr->Gap(cur_entity_len, len,
cur_entity_id = file_mgr->Gap(cur_entity_len, len,
analyzer->GetAnalyzerTag(), analyzer->Conn(),
is_orig, cur_entity_id);
}
bool istrequal(zeek::data_chunk_t s, const char* t)
bool istrequal(data_chunk_t s, const char* t)
{
int len = strlen(t);
@ -233,7 +233,7 @@ int MIME_skip_lws_comments(int len, const char* data)
return len;
}
int MIME_get_field_name(int len, const char* data, zeek::data_chunk_t* name)
int MIME_get_field_name(int len, const char* data, data_chunk_t* name)
{
int i = MIME_skip_lws_comments(len, data);
while ( i < len )
@ -281,7 +281,7 @@ static bool MIME_is_token_char (char ch, bool is_boundary = false)
// See RFC 2045, page 12.
// A token is composed of characters that are not SPACE, CTLs or tspecials
int MIME_get_token(int len, const char* data, zeek::data_chunk_t* token,
int MIME_get_token(int len, const char* data, data_chunk_t* token,
bool is_boundary)
{
int i = 0;
@ -313,7 +313,7 @@ int MIME_get_token(int len, const char* data, zeek::data_chunk_t* token,
return -1;
}
int MIME_get_slash_token_pair(int len, const char* data, zeek::data_chunk_t* first, zeek::data_chunk_t* second)
int MIME_get_slash_token_pair(int len, const char* data, data_chunk_t* first, data_chunk_t* second)
{
int offset;
const char* data_start = data;
@ -353,7 +353,7 @@ int MIME_get_slash_token_pair(int len, const char* data, zeek::data_chunk_t* fir
}
// See RFC 2822, page 13.
int MIME_get_quoted_string(int len, const char* data, zeek::data_chunk_t* str)
int MIME_get_quoted_string(int len, const char* data, data_chunk_t* str)
{
int offset = MIME_skip_lws_comments(len, data);
@ -380,7 +380,7 @@ int MIME_get_quoted_string(int len, const char* data, zeek::data_chunk_t* str)
return -1;
}
int MIME_get_value(int len, const char* data, zeek::String*& buf, bool is_boundary)
int MIME_get_value(int len, const char* data, String*& buf, bool is_boundary)
{
int offset = 0;
@ -392,7 +392,7 @@ int MIME_get_value(int len, const char* data, zeek::String*& buf, bool is_bounda
if ( len > 0 && *data == '"' )
{
zeek::data_chunk_t str;
data_chunk_t str;
int end = MIME_get_quoted_string(len, data, &str);
if ( end < 0 )
return -1;
@ -403,12 +403,12 @@ int MIME_get_value(int len, const char* data, zeek::String*& buf, bool is_bounda
else
{
zeek::data_chunk_t str;
data_chunk_t str;
int end = MIME_get_token(len, data, &str, is_boundary);
if ( end < 0 )
return -1;
buf = new zeek::String((const u_char*)str.data, str.length, true);
buf = new String((const u_char*)str.data, str.length, true);
return offset + end;
}
}
@ -416,7 +416,7 @@ int MIME_get_value(int len, const char* data, zeek::String*& buf, bool is_bounda
// Decode each quoted-pair: a '\' followed by a character by the
// quoted character. The decoded string is returned.
zeek::String* MIME_decode_quoted_pairs(zeek::data_chunk_t buf)
String* MIME_decode_quoted_pairs(data_chunk_t buf)
{
const char* data = buf.data;
char* dest = new char[buf.length+1];
@ -436,7 +436,7 @@ zeek::String* MIME_decode_quoted_pairs(zeek::data_chunk_t buf)
dest[j++] = data[i];
dest[j] = 0;
return new zeek::String(true, (zeek::byte_vec) dest, j);
return new String(true, (byte_vec) dest, j);
}
MIME_Multiline::MIME_Multiline()
@ -452,10 +452,10 @@ MIME_Multiline::~MIME_Multiline()
void MIME_Multiline::append(int len, const char* data)
{
buffer.push_back(new zeek::String((const u_char*) data, len, true));
buffer.push_back(new String((const u_char*) data, len, true));
}
zeek::String* MIME_Multiline::get_concatenated_line()
String* MIME_Multiline::get_concatenated_line()
{
if ( buffer.empty() )
return nullptr;
@ -472,7 +472,7 @@ MIME_Header::MIME_Header(MIME_Multiline* hl)
lines = hl;
name = value = value_token = rest_value = null_data_chunk;
zeek::String* s = hl->get_concatenated_line();
String* s = hl->get_concatenated_line();
int len = s->Len();
const char* data = (const char*) s->Bytes();
@ -518,7 +518,7 @@ int MIME_Header::get_first_token()
}
}
zeek::data_chunk_t MIME_Header::get_value_token()
data_chunk_t MIME_Header::get_value_token()
{
if ( ! is_null_data_chunk(value_token) )
return value_token;
@ -526,7 +526,7 @@ zeek::data_chunk_t MIME_Header::get_value_token()
return value_token;
}
zeek::data_chunk_t MIME_Header::get_value_after_token()
data_chunk_t MIME_Header::get_value_after_token()
{
if ( ! is_null_data_chunk(rest_value) )
return rest_value;
@ -555,8 +555,8 @@ void MIME_Entity::init()
need_to_parse_parameters = 0;
content_type_str = zeek::make_intrusive<zeek::StringVal>("TEXT");
content_subtype_str = zeek::make_intrusive<zeek::StringVal>("PLAIN");
content_type_str = make_intrusive<StringVal>("TEXT");
content_subtype_str = make_intrusive<StringVal>("PLAIN");
content_encoding_str = nullptr;
multipart_boundary = nullptr;
@ -581,7 +581,7 @@ void MIME_Entity::init()
MIME_Entity::~MIME_Entity()
{
if ( ! end_of_data )
zeek::reporter->AnalyzerError(message ? message->GetAnalyzer() : nullptr,
reporter->AnalyzerError(message ? message->GetAnalyzer() : nullptr,
"missing MIME_Entity::EndOfData() before ~MIME_Entity");
delete current_header_line;
@ -759,7 +759,7 @@ void MIME_Entity::FinishHeader()
delete h;
}
int MIME_Entity::LookupMIMEHeaderName(zeek::data_chunk_t name)
int MIME_Entity::LookupMIMEHeaderName(data_chunk_t name)
{
// A linear lookup should be fine for now.
// header names are case-insensitive (RFC 822, 2822, 2045).
@ -790,11 +790,11 @@ void MIME_Entity::ParseMIMEHeader(MIME_Header* h)
bool MIME_Entity::ParseContentTypeField(MIME_Header* h)
{
zeek::data_chunk_t val = h->get_value();
data_chunk_t val = h->get_value();
int len = val.length;
const char* data = val.data;
zeek::data_chunk_t ty, subty;
data_chunk_t ty, subty;
int offset;
offset = MIME_get_slash_token_pair(len, data, &ty, &subty);
@ -806,9 +806,9 @@ bool MIME_Entity::ParseContentTypeField(MIME_Header* h)
data += offset;
len -= offset;
content_type_str = zeek::make_intrusive<zeek::StringVal>(ty.length, ty.data);
content_type_str = make_intrusive<StringVal>(ty.length, ty.data);
content_type_str->ToUpper();
content_subtype_str = zeek::make_intrusive<zeek::StringVal>(subty.length, subty.data);
content_subtype_str = make_intrusive<StringVal>(subty.length, subty.data);
content_subtype_str->ToUpper();
ParseContentType(ty, subty);
@ -829,7 +829,7 @@ bool MIME_Entity::ParseContentTypeField(MIME_Header* h)
bool MIME_Entity::ParseContentEncodingField(MIME_Header* h)
{
zeek::data_chunk_t enc;
data_chunk_t enc;
enc = h->get_value_token();
if ( is_null_data_chunk(enc) )
@ -839,12 +839,12 @@ bool MIME_Entity::ParseContentEncodingField(MIME_Header* h)
}
delete content_encoding_str;
content_encoding_str = new zeek::String((const u_char*)enc.data, enc.length, true);
content_encoding_str = new String((const u_char*)enc.data, enc.length, true);
ParseContentEncoding(enc);
if ( need_to_parse_parameters )
{
zeek::data_chunk_t val = h->get_value_after_token();
data_chunk_t val = h->get_value_after_token();
if ( ! is_null_data_chunk(val) )
ParseFieldParameters(val.length, val.data);
}
@ -854,7 +854,7 @@ bool MIME_Entity::ParseContentEncodingField(MIME_Header* h)
bool MIME_Entity::ParseFieldParameters(int len, const char* data)
{
zeek::data_chunk_t attr;
data_chunk_t attr;
while ( true )
{
@ -887,7 +887,7 @@ bool MIME_Entity::ParseFieldParameters(int len, const char* data)
data += offset;
len -= offset;
zeek::String* val = nullptr;
String* val = nullptr;
if ( current_field_type == MIME_CONTENT_TYPE &&
content_type == CONTENT_TYPE_MULTIPART &&
@ -903,9 +903,9 @@ bool MIME_Entity::ParseFieldParameters(int len, const char* data)
continue;
}
zeek::data_chunk_t vd = get_data_chunk(val);
data_chunk_t vd = get_data_chunk(val);
delete multipart_boundary;
multipart_boundary = new zeek::String((const u_char*)vd.data,
multipart_boundary = new String((const u_char*)vd.data,
vd.length, true);
}
else
@ -927,7 +927,7 @@ bool MIME_Entity::ParseFieldParameters(int len, const char* data)
return true;
}
void MIME_Entity::ParseContentType(zeek::data_chunk_t type, zeek::data_chunk_t sub_type)
void MIME_Entity::ParseContentType(data_chunk_t type, data_chunk_t sub_type)
{
int i;
for ( i = 0; MIMEContentTypeName[i]; ++i )
@ -954,7 +954,7 @@ void MIME_Entity::ParseContentType(zeek::data_chunk_t type, zeek::data_chunk_t s
}
}
void MIME_Entity::ParseContentEncoding(zeek::data_chunk_t encoding_mechanism)
void MIME_Entity::ParseContentEncoding(data_chunk_t encoding_mechanism)
{
int i;
for ( i = 0; MIMEContentEncodingName[i]; ++i )
@ -968,7 +968,7 @@ int MIME_Entity::CheckBoundaryDelimiter(int len, const char* data)
{
if ( ! multipart_boundary )
{
zeek::reporter->Warning("boundary delimiter was not specified for a multipart message\n");
reporter->Warning("boundary delimiter was not specified for a multipart message\n");
DEBUG_MSG("headers of the MIME entity for debug:\n");
DebugPrintHeaders();
return NOT_MULTIPART_BOUNDARY;
@ -978,7 +978,7 @@ int MIME_Entity::CheckBoundaryDelimiter(int len, const char* data)
{
len -= 2; data += 2;
zeek::data_chunk_t delim = get_data_chunk(multipart_boundary);
data_chunk_t delim = get_data_chunk(multipart_boundary);
int i;
for ( i = 0; i < len && i < delim.length; ++i )
@ -1083,8 +1083,8 @@ void MIME_Entity::DecodeQuotedPrintable(int len, const char* data)
if ( i + 2 < len )
{
int a, b;
a = zeek::util::decode_hex(data[i+1]);
b = zeek::util::decode_hex(data[i+2]);
a = util::decode_hex(data[i+1]);
b = util::decode_hex(data[i+2]);
if ( a >= 0 && b >= 0 )
{
@ -1114,7 +1114,7 @@ void MIME_Entity::DecodeQuotedPrintable(int len, const char* data)
else
{
IllegalEncoding(zeek::util::fmt("control characters in quoted-printable encoding: %d", (int) (data[i])));
IllegalEncoding(util::fmt("control characters in quoted-printable encoding: %d", (int) (data[i])));
DataOctet(data[i]);
}
}
@ -1145,15 +1145,15 @@ void MIME_Entity::StartDecodeBase64()
{
if ( base64_decoder )
{
zeek::reporter->InternalWarning("previous MIME Base64 decoder not released");
reporter->InternalWarning("previous MIME Base64 decoder not released");
delete base64_decoder;
}
zeek::analyzer::Analyzer* analyzer = message->GetAnalyzer();
analyzer::Analyzer* analyzer = message->GetAnalyzer();
if ( ! analyzer )
{
zeek::reporter->InternalWarning("no analyzer associated with MIME message");
reporter->InternalWarning("no analyzer associated with MIME message");
return;
}
@ -1184,7 +1184,7 @@ bool MIME_Entity::GetDataBuffer()
int ret = message->RequestBuffer(&data_buf_length, &data_buf_data);
if ( ! ret || data_buf_length == 0 || data_buf_data == nullptr )
{
// zeek::reporter->InternalError("cannot get data buffer from MIME_Message", "");
// reporter->InternalError("cannot get data buffer from MIME_Message", "");
return false;
}
@ -1291,13 +1291,13 @@ void MIME_Entity::DebugPrintHeaders()
#endif
}
zeek::RecordVal* MIME_Message::BuildHeaderVal(MIME_Header* h)
RecordVal* MIME_Message::BuildHeaderVal(MIME_Header* h)
{ return ToHeaderVal(h).release(); }
zeek::RecordValPtr MIME_Message::ToHeaderVal(MIME_Header* h)
RecordValPtr MIME_Message::ToHeaderVal(MIME_Header* h)
{
static auto mime_header_rec = zeek::id::find_type<zeek::RecordType>("mime_header_rec");
auto header_record = zeek::make_intrusive<zeek::RecordVal>(mime_header_rec);
static auto mime_header_rec = id::find_type<RecordType>("mime_header_rec");
auto header_record = make_intrusive<RecordVal>(mime_header_rec);
header_record->Assign(0, to_string_val(h->get_name()));
auto upper_hn = to_string_val(h->get_name());
upper_hn->ToUpper();
@ -1306,17 +1306,17 @@ zeek::RecordValPtr MIME_Message::ToHeaderVal(MIME_Header* h)
return header_record;
}
zeek::TableVal* MIME_Message::BuildHeaderTable(MIME_HeaderList& hlist)
TableVal* MIME_Message::BuildHeaderTable(MIME_HeaderList& hlist)
{ return ToHeaderTable(hlist).release(); }
zeek::TableValPtr MIME_Message::ToHeaderTable(MIME_HeaderList& hlist)
TableValPtr MIME_Message::ToHeaderTable(MIME_HeaderList& hlist)
{
static auto mime_header_list = zeek::id::find_type<zeek::TableType>("mime_header_list");
auto t = zeek::make_intrusive<zeek::TableVal>(mime_header_list);
static auto mime_header_list = id::find_type<TableType>("mime_header_list");
auto t = make_intrusive<TableVal>(mime_header_list);
for ( size_t i = 0; i < hlist.size(); ++i )
{
auto index = zeek::val_mgr->Count(i + 1); // index starting from 1
auto index = val_mgr->Count(i + 1); // index starting from 1
MIME_Header* h = hlist[i];
t->Assign(std::move(index), ToHeaderVal(h));
}
@ -1324,7 +1324,7 @@ zeek::TableValPtr MIME_Message::ToHeaderTable(MIME_HeaderList& hlist)
return t;
}
MIME_Mail::MIME_Mail(zeek::analyzer::Analyzer* mail_analyzer, bool orig, int buf_size)
MIME_Mail::MIME_Mail(analyzer::Analyzer* mail_analyzer, bool orig, int buf_size)
: MIME_Message(mail_analyzer), md5_hash()
{
analyzer = mail_analyzer;
@ -1345,12 +1345,12 @@ MIME_Mail::MIME_Mail(zeek::analyzer::Analyzer* mail_analyzer, bool orig, int buf
length = max_chunk_length;
buffer_start = data_start = 0;
data_buffer = new zeek::String(true, new u_char[length+1], length);
data_buffer = new String(true, new u_char[length+1], length);
if ( mime_content_hash )
{
compute_content_hash = 1;
md5_hash = zeek::detail::hash_init(zeek::detail::Hash_MD5);
md5_hash = zeek::detail::hash_init(detail::Hash_MD5);
}
else
compute_content_hash = 0;
@ -1375,14 +1375,14 @@ void MIME_Mail::Done()
analyzer->EnqueueConnEvent(mime_content_hash,
analyzer->ConnVal(),
zeek::val_mgr->Count(content_hash_length),
zeek::make_intrusive<zeek::StringVal>(new zeek::String(true, digest, 16))
val_mgr->Count(content_hash_length),
make_intrusive<StringVal>(new String(true, digest, 16))
);
}
MIME_Message::Done();
zeek::file_mgr->EndOfFile(analyzer->GetAnalyzerTag(), analyzer->Conn());
file_mgr->EndOfFile(analyzer->GetAnalyzerTag(), analyzer->Conn());
}
MIME_Mail::~MIME_Mail()
@ -1411,12 +1411,12 @@ void MIME_Mail::EndEntity(MIME_Entity* /* entity */)
{
if ( mime_entity_data )
{
zeek::String* s = concatenate(entity_content);
String* s = concatenate(entity_content);
analyzer->EnqueueConnEvent(mime_entity_data,
analyzer->ConnVal(),
zeek::val_mgr->Count(s->Len()),
zeek::make_intrusive<zeek::StringVal>(s)
val_mgr->Count(s->Len()),
make_intrusive<StringVal>(s)
);
if ( ! mime_all_data )
@ -1428,7 +1428,7 @@ void MIME_Mail::EndEntity(MIME_Entity* /* entity */)
if ( mime_end_entity )
analyzer->EnqueueConnEvent(mime_end_entity, analyzer->ConnVal());
zeek::file_mgr->EndOfFile(analyzer->GetAnalyzerTag(), analyzer->Conn());
file_mgr->EndOfFile(analyzer->GetAnalyzerTag(), analyzer->Conn());
cur_entity_id.clear();
}
@ -1454,7 +1454,7 @@ void MIME_Mail::SubmitData(int len, const char* buf)
{
if ( buf != (char*) data_buffer->Bytes() + buffer_start )
{
zeek::reporter->AnalyzerError(GetAnalyzer(),
reporter->AnalyzerError(GetAnalyzer(),
"MIME buffer misalignment");
return;
}
@ -1467,7 +1467,7 @@ void MIME_Mail::SubmitData(int len, const char* buf)
if ( mime_entity_data || mime_all_data )
{
zeek::String* s = new zeek::String((const u_char*) buf, len, false);
String* s = new String((const u_char*) buf, len, false);
if ( mime_entity_data )
entity_content.push_back(s);
@ -1482,12 +1482,12 @@ void MIME_Mail::SubmitData(int len, const char* buf)
analyzer->EnqueueConnEvent(mime_segment_data,
analyzer->ConnVal(),
zeek::val_mgr->Count(data_len),
zeek::make_intrusive<zeek::StringVal>(data_len, data)
val_mgr->Count(data_len),
make_intrusive<StringVal>(data_len, data)
);
}
cur_entity_id = zeek::file_mgr->DataIn(
cur_entity_id = file_mgr->DataIn(
reinterpret_cast<const u_char*>(buf), len,
analyzer->GetAnalyzerTag(), analyzer->Conn(), is_orig,
cur_entity_id);
@ -1525,13 +1525,13 @@ void MIME_Mail::SubmitAllData()
{
if ( mime_all_data )
{
zeek::String* s = concatenate(all_content);
String* s = concatenate(all_content);
delete_strings(all_content);
analyzer->EnqueueConnEvent(mime_all_data,
analyzer->ConnVal(),
zeek::val_mgr->Count(s->Len()),
zeek::make_intrusive<zeek::StringVal>(s)
val_mgr->Count(s->Len()),
make_intrusive<StringVal>(s)
);
}
}
@ -1550,7 +1550,7 @@ void MIME_Mail::SubmitEvent(int event_type, const char* detail)
break;
default:
zeek::reporter->AnalyzerError(GetAnalyzer(),
reporter->AnalyzerError(GetAnalyzer(),
"unrecognized MIME_Mail event");
return;
}
@ -1558,8 +1558,8 @@ void MIME_Mail::SubmitEvent(int event_type, const char* detail)
if ( mime_event )
analyzer->EnqueueConnEvent(mime_event,
analyzer->ConnVal(),
zeek::make_intrusive<zeek::StringVal>(category),
zeek::make_intrusive<zeek::StringVal>(detail)
make_intrusive<StringVal>(category),
make_intrusive<StringVal>(detail)
);
}

104
src/analyzer/protocol/mime/MIME.h
View file

@ -15,8 +15,8 @@ ZEEK_FORWARD_DECLARE_NAMESPACED(StringVal, zeek);
ZEEK_FORWARD_DECLARE_NAMESPACED(Base64Converter, zeek::detail);
namespace zeek {
using TableValPtr = zeek::IntrusivePtr<TableVal>;
using StringValPtr = zeek::IntrusivePtr<StringVal>;
using TableValPtr = IntrusivePtr<TableVal>;
using StringValPtr = IntrusivePtr<StringVal>;
}
namespace zeek::analyzer::mime {
@ -61,11 +61,11 @@ public:
~MIME_Multiline();
void append(int len, const char* data);
zeek::String* get_concatenated_line();
String* get_concatenated_line();
protected:
std::vector<const zeek::String*> buffer;
zeek::String* line;
std::vector<const String*> buffer;
String* line;
};
class MIME_Header {
@ -73,19 +73,19 @@ public:
explicit MIME_Header(MIME_Multiline* hl);
~MIME_Header();
zeek::data_chunk_t get_name() const { return name; }
zeek::data_chunk_t get_value() const { return value; }
data_chunk_t get_name() const { return name; }
data_chunk_t get_value() const { return value; }
zeek::data_chunk_t get_value_token();
zeek::data_chunk_t get_value_after_token();
data_chunk_t get_value_token();
data_chunk_t get_value_after_token();
protected:
int get_first_token();
MIME_Multiline* lines;
zeek::data_chunk_t name;
zeek::data_chunk_t value;
zeek::data_chunk_t value_token, rest_value;
data_chunk_t name;
data_chunk_t value;
data_chunk_t value_token, rest_value;
};
@ -102,11 +102,11 @@ public:
MIME_Entity* Parent() const { return parent; }
int MIMEContentType() const { return content_type; }
[[deprecated("Remove in v4.1. Use GetContentType().")]]
zeek::StringVal* ContentType() const { return content_type_str.get(); }
StringVal* ContentType() const { return content_type_str.get(); }
[[deprecated("Remove in v4.1. Use GetContentSubType().")]]
zeek::StringVal* ContentSubType() const { return content_subtype_str.get(); }
const zeek::StringValPtr& GetContentType() const { return content_type_str; }
const zeek::StringValPtr& GetContentSubType() const { return content_subtype_str; }
StringVal* ContentSubType() const { return content_subtype_str.get(); }
const StringValPtr& GetContentType() const { return content_type_str; }
const StringValPtr& GetContentSubType() const { return content_subtype_str; }
int ContentTransferEncoding() const { return content_encoding; }
protected:
@ -118,13 +118,13 @@ protected:
void FinishHeader();
void ParseMIMEHeader(MIME_Header* h);
int LookupMIMEHeaderName(zeek::data_chunk_t name);
int LookupMIMEHeaderName(data_chunk_t name);
bool ParseContentTypeField(MIME_Header* h);
bool ParseContentEncodingField(MIME_Header* h);
bool ParseFieldParameters(int len, const char* data);
void ParseContentType(zeek::data_chunk_t type, zeek::data_chunk_t sub_type);
void ParseContentEncoding(zeek::data_chunk_t encoding_mechanism);
void ParseContentType(data_chunk_t type, data_chunk_t sub_type);
void ParseContentEncoding(data_chunk_t encoding_mechanism);
void BeginBody();
void NewDataLine(int len, const char* data, bool trailing_CRLF);
@ -162,10 +162,10 @@ protected:
int current_field_type;
int need_to_parse_parameters;
zeek::StringValPtr content_type_str;
zeek::StringValPtr content_subtype_str;
zeek::String* content_encoding_str;
zeek::String* multipart_boundary;
StringValPtr content_type_str;
StringValPtr content_subtype_str;
String* content_encoding_str;
String* multipart_boundary;
int content_type, content_subtype, content_encoding;
@ -190,7 +190,7 @@ protected:
class MIME_Message {
public:
explicit MIME_Message(zeek::analyzer::Analyzer* arg_analyzer)
explicit MIME_Message(analyzer::Analyzer* arg_analyzer)
{
// Cannot initialize top_level entity because we do
// not know its type yet (MIME_Entity / MIME_Mail /
@ -203,7 +203,7 @@ public:
virtual ~MIME_Message()
{
if ( ! finished )
zeek::reporter->AnalyzerError(analyzer,
reporter->AnalyzerError(analyzer,
"missing MIME_Message::Done() call");
}
@ -216,7 +216,7 @@ public:
top_level->Deliver(len, data, trailing_CRLF);
}
zeek::analyzer::Analyzer* GetAnalyzer() const { return analyzer; }
analyzer::Analyzer* GetAnalyzer() const { return analyzer; }
// Events generated by MIME_Entity
virtual void BeginEntity(MIME_Entity*) = 0;
@ -228,23 +228,23 @@ public:
virtual void SubmitEvent(int event_type, const char* detail) = 0;
protected:
zeek::analyzer::Analyzer* analyzer;
analyzer::Analyzer* analyzer;
MIME_Entity* top_level;
bool finished;
[[deprecated("Remove in v4.1. Use ToHeaderVal().")]]
zeek::RecordVal* BuildHeaderVal(MIME_Header* h);
RecordVal* BuildHeaderVal(MIME_Header* h);
[[deprecated("Remove in v4.1. Use ToHeaderTable().")]]
zeek::TableVal* BuildHeaderTable(MIME_HeaderList& hlist);
TableVal* BuildHeaderTable(MIME_HeaderList& hlist);
zeek::RecordValPtr ToHeaderVal(MIME_Header* h);
zeek::TableValPtr ToHeaderTable(MIME_HeaderList& hlist);
RecordValPtr ToHeaderVal(MIME_Header* h);
TableValPtr ToHeaderTable(MIME_HeaderList& hlist);
};
class MIME_Mail final : public MIME_Message {
public:
MIME_Mail(zeek::analyzer::Analyzer* mail_conn, bool is_orig, int buf_size = 0);
MIME_Mail(analyzer::Analyzer* mail_conn, bool is_orig, int buf_size = 0);
~MIME_Mail() override;
void Done() override;
@ -267,40 +267,40 @@ protected:
int compute_content_hash;
int content_hash_length;
EVP_MD_CTX* md5_hash;
std::vector<const zeek::String*> entity_content;
std::vector<const zeek::String*> all_content;
std::vector<const String*> entity_content;
std::vector<const String*> all_content;
zeek::String* data_buffer;
String* data_buffer;
uint64_t cur_entity_len;
std::string cur_entity_id;
};
extern bool is_null_data_chunk(zeek::data_chunk_t b);
[[deprecated("Remove in v4.1. Use zeek::analyzer::mime::to_string_val().")]]
extern zeek::StringVal* new_string_val(int length, const char* data);
[[deprecated("Remove in v4.1. Use zeek::analyzer::mime::to_string_val().")]]
extern zeek::StringVal* new_string_val(const char* data, const char* end_of_data);
[[deprecated("Remove in v4.1. Use zeek::analyzer::mime::to_string_val().")]]
extern zeek::StringVal* new_string_val(const zeek::data_chunk_t buf);
extern zeek::StringValPtr to_string_val(int length, const char* data);
extern zeek::StringValPtr to_string_val(const char* data, const char* end_of_data);
extern zeek::StringValPtr to_string_val(const zeek::data_chunk_t buf);
extern int fputs(zeek::data_chunk_t b, FILE* fp);
extern bool istrequal(zeek::data_chunk_t s, const char* t);
extern bool is_null_data_chunk(data_chunk_t b);
[[deprecated("Remove in v4.1. Use analyzer::mime::to_string_val().")]]
extern StringVal* new_string_val(int length, const char* data);
[[deprecated("Remove in v4.1. Use analyzer::mime::to_string_val().")]]
extern StringVal* new_string_val(const char* data, const char* end_of_data);
[[deprecated("Remove in v4.1. Use analyzer::mime::to_string_val().")]]
extern StringVal* new_string_val(const data_chunk_t buf);
extern StringValPtr to_string_val(int length, const char* data);
extern StringValPtr to_string_val(const char* data, const char* end_of_data);
extern StringValPtr to_string_val(const data_chunk_t buf);
extern int fputs(data_chunk_t b, FILE* fp);
extern bool istrequal(data_chunk_t s, const char* t);
extern bool is_lws(char ch);
extern bool MIME_is_field_name_char(char ch);
extern int MIME_count_leading_lws(int len, const char* data);
extern int MIME_count_trailing_lws(int len, const char* data);
extern int MIME_skip_comments(int len, const char* data);
extern int MIME_skip_lws_comments(int len, const char* data);
extern int MIME_get_token(int len, const char* data, zeek::data_chunk_t* token,
extern int MIME_get_token(int len, const char* data, data_chunk_t* token,
bool is_boundary = false);
extern int MIME_get_slash_token_pair(int len, const char* data, zeek::data_chunk_t* first, zeek::data_chunk_t* second);
extern int MIME_get_value(int len, const char* data, zeek::String*& buf,
extern int MIME_get_slash_token_pair(int len, const char* data, data_chunk_t* first, data_chunk_t* second);
extern int MIME_get_value(int len, const char* data, String*& buf,
bool is_boundary = false);
extern int MIME_get_field_name(int len, const char* data, zeek::data_chunk_t* name);
extern zeek::String* MIME_decode_quoted_pairs(zeek::data_chunk_t buf);
extern int MIME_get_field_name(int len, const char* data, data_chunk_t* name);
extern String* MIME_decode_quoted_pairs(data_chunk_t buf);
} // namespace zeek::analyzer::mime

2
src/analyzer/protocol/modbus/Modbus.cc
View file

@ -6,7 +6,7 @@
namespace zeek::analyzer::modbus {
ModbusTCP_Analyzer::ModbusTCP_Analyzer(zeek::Connection* c)
ModbusTCP_Analyzer::ModbusTCP_Analyzer(Connection* c)
: TCP_ApplicationAnalyzer("MODBUS", c)
{
interp = new binpac::ModbusTCP::ModbusTCP_Conn(this);

6
src/analyzer/protocol/modbus/Modbus.h
View file

@ -5,9 +5,9 @@
namespace zeek::analyzer::modbus {
class ModbusTCP_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
class ModbusTCP_Analyzer : public analyzer::tcp::TCP_ApplicationAnalyzer {
public:
explicit ModbusTCP_Analyzer(zeek::Connection* conn);
explicit ModbusTCP_Analyzer(Connection* conn);
~ModbusTCP_Analyzer() override;
void Done() override;
@ -16,7 +16,7 @@ public:
void Undelivered(uint64_t seq, int len, bool orig) override;
void EndpointEOF(bool is_orig) override;
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn)
static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new ModbusTCP_Analyzer(conn); }
protected:

14
src/analyzer/protocol/mqtt/MQTT.cc
View file

@ -9,8 +9,8 @@
namespace zeek::analyzer::mqtt {
MQTT_Analyzer::MQTT_Analyzer(zeek::Connection* c)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("MQTT", c)
MQTT_Analyzer::MQTT_Analyzer(Connection* c)
: analyzer::tcp::TCP_ApplicationAnalyzer("MQTT", c)
{
interp = new binpac::MQTT::MQTT_Conn(this);
}
@ -22,7 +22,7 @@ MQTT_Analyzer::~MQTT_Analyzer()
void MQTT_Analyzer::Done()
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
analyzer::tcp::TCP_ApplicationAnalyzer::Done();
interp->FlowEOF(true);
interp->FlowEOF(false);
@ -30,13 +30,13 @@ void MQTT_Analyzer::Done()
void MQTT_Analyzer::EndpointEOF(bool is_orig)
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
interp->FlowEOF(is_orig);
}
void MQTT_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
assert(TCP());
@ -46,13 +46,13 @@ void MQTT_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
}
catch ( const binpac::Exception& e )
{
ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg()));
ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
}
}
void MQTT_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
interp->NewGap(orig, len);
}

6
src/analyzer/protocol/mqtt/MQTT.h
View file

@ -9,10 +9,10 @@ namespace binpac { namespace MQTT { class MQTT_Conn; } }
namespace zeek::analyzer::mqtt {
class MQTT_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
class MQTT_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer {
public:
MQTT_Analyzer(zeek::Connection* conn);
MQTT_Analyzer(Connection* conn);
~MQTT_Analyzer() override;
void Done() override;
@ -20,7 +20,7 @@ public:
void Undelivered(uint64_t seq, int len, bool orig) override;
void EndpointEOF(bool is_orig) override;
static zeek::analyzer::Analyzer* InstantiateAnalyzer(zeek::Connection* conn)
static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
{ return new MQTT_Analyzer(conn); }
protected:

14
src/analyzer/protocol/mysql/MySQL.cc
View file

@ -7,8 +7,8 @@
namespace zeek::analyzer::mysql {
MySQL_Analyzer::MySQL_Analyzer(zeek::Connection* c)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("MySQL", c)
MySQL_Analyzer::MySQL_Analyzer(Connection* c)
: analyzer::tcp::TCP_ApplicationAnalyzer("MySQL", c)
{
interp = new binpac::MySQL::MySQL_Conn(this);
had_gap = false;
@ -21,7 +21,7 @@ MySQL_Analyzer::~MySQL_Analyzer()
void MySQL_Analyzer::Done()
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
analyzer::tcp::TCP_ApplicationAnalyzer::Done();
interp->FlowEOF(true);
interp->FlowEOF(false);
@ -29,13 +29,13 @@ void MySQL_Analyzer::Done()
void MySQL_Analyzer::EndpointEOF(bool is_orig)
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
interp->FlowEOF(is_orig);
}
void MySQL_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
assert(TCP());
if ( TCP()->IsPartial() )
@ -53,13 +53,13 @@ void MySQL_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
}
catch ( const binpac::Exception& e )
{
ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg()));
ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
}
}
void MySQL_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
had_gap = true;
interp->NewGap(orig, len);
}

8
src/analyzer/protocol/mysql/MySQL.h
View file

@ -9,10 +9,10 @@
namespace zeek::analyzer::mysql {
class MySQL_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
class MySQL_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer {
public:
explicit MySQL_Analyzer(zeek::Connection* conn);
explicit MySQL_Analyzer(Connection* conn);
~MySQL_Analyzer() override;
// Overriden from Analyzer.
@ -21,10 +21,10 @@ public:
void DeliverStream(int len, const u_char* data, bool orig) override;
void Undelivered(uint64_t seq, int len, bool orig) override;
// Overriden from zeek::analyzer::tcp::TCP_ApplicationAnalyzer.
// Overriden from analyzer::tcp::TCP_ApplicationAnalyzer.
void EndpointEOF(bool is_orig) override;
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn)
static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new MySQL_Analyzer(conn); }
protected:

38
src/analyzer/protocol/ncp/NCP.cc
View file

@ -25,7 +25,7 @@ using namespace std;
namespace zeek::analyzer::ncp {
namespace detail {
NCP_Session::NCP_Session(zeek::analyzer::Analyzer* a)
NCP_Session::NCP_Session(analyzer::Analyzer* a)
: analyzer(a)
{
req_frame_type = 0;
@ -43,7 +43,7 @@ void NCP_Session::Deliver(bool is_orig, int len, const u_char* data)
}
catch ( const binpac::Exception& e )
{
analyzer->ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg()));
analyzer->ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
}
}
@ -60,24 +60,24 @@ void NCP_Session::DeliverFrame(const binpac::NCP::ncp_frame* frame)
}
}
zeek::EventHandlerPtr f = frame->is_orig() ? ncp_request : ncp_reply;
EventHandlerPtr f = frame->is_orig() ? ncp_request : ncp_reply;
if ( f )
{
if ( frame->is_orig() )
analyzer->EnqueueConnEvent(f,
analyzer->ConnVal(),
zeek::val_mgr->Count(frame->frame_type()),
zeek::val_mgr->Count(frame->body_length()),
zeek::val_mgr->Count(req_func)
val_mgr->Count(frame->frame_type()),
val_mgr->Count(frame->body_length()),
val_mgr->Count(req_func)
);
else
analyzer->EnqueueConnEvent(f,
analyzer->ConnVal(),
zeek::val_mgr->Count(frame->frame_type()),
zeek::val_mgr->Count(frame->body_length()),
zeek::val_mgr->Count(req_frame_type),
zeek::val_mgr->Count(req_func),
zeek::val_mgr->Count(frame->reply()->completion_code())
val_mgr->Count(frame->frame_type()),
val_mgr->Count(frame->body_length()),
val_mgr->Count(req_frame_type),
val_mgr->Count(req_func),
val_mgr->Count(frame->reply()->completion_code())
);
}
}
@ -131,7 +131,7 @@ int FrameBuffer::Deliver(int &len, const u_char* &data)
if ( msg_len > buf_len )
{
if ( msg_len > zeek::BifConst::NCP::max_frame_size )
if ( msg_len > BifConst::NCP::max_frame_size )
return 1;
buf_len = msg_len;
@ -167,8 +167,8 @@ void NCP_FrameBuffer::compute_msg_length()
} // namespace detail
Contents_NCP_Analyzer::Contents_NCP_Analyzer(zeek::Connection* conn, bool orig, detail::NCP_Session* arg_session)
: zeek::analyzer::tcp::TCP_SupportAnalyzer("CONTENTS_NCP", conn, orig)
Contents_NCP_Analyzer::Contents_NCP_Analyzer(Connection* conn, bool orig, detail::NCP_Session* arg_session)
: analyzer::tcp::TCP_SupportAnalyzer("CONTENTS_NCP", conn, orig)
{
session = arg_session;
resync = true;
@ -181,7 +181,7 @@ Contents_NCP_Analyzer::~Contents_NCP_Analyzer()
void Contents_NCP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{
zeek::analyzer::tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig);
analyzer::tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig);
auto tcp = static_cast<NCP_Analyzer*>(Parent())->TCP();
@ -189,7 +189,7 @@ void Contents_NCP_Analyzer::DeliverStream(int len, const u_char* data, bool orig
{
resync_set = true;
resync = (IsOrig() ? tcp->OrigState() : tcp->RespState()) !=
zeek::analyzer::tcp::TCP_ENDPOINT_ESTABLISHED;
analyzer::tcp::TCP_ENDPOINT_ESTABLISHED;
}
if ( tcp && tcp->HadGap(orig) )
@ -242,14 +242,14 @@ void Contents_NCP_Analyzer::DeliverStream(int len, const u_char* data, bool orig
void Contents_NCP_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
{
zeek::analyzer::tcp::TCP_SupportAnalyzer::Undelivered(seq, len, orig);
analyzer::tcp::TCP_SupportAnalyzer::Undelivered(seq, len, orig);
buffer.Reset();
resync = true;
}
NCP_Analyzer::NCP_Analyzer(zeek::Connection* conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("NCP", conn)
NCP_Analyzer::NCP_Analyzer(Connection* conn)
: analyzer::tcp::TCP_ApplicationAnalyzer("NCP", conn)
{
session = new detail::NCP_Session(this);
o_ncp = new Contents_NCP_Analyzer(conn, true, session);

14
src/analyzer/protocol/ncp/NCP.h
View file

@ -31,7 +31,7 @@ namespace detail {
class NCP_Session {
public:
explicit NCP_Session(zeek::analyzer::Analyzer* analyzer);
explicit NCP_Session(analyzer::Analyzer* analyzer);
void Deliver(bool is_orig, int len, const u_char* data);
@ -43,7 +43,7 @@ public:
protected:
void DeliverFrame(const binpac::NCP::ncp_frame* frame);
zeek::analyzer::Analyzer* analyzer;
analyzer::Analyzer* analyzer;
int req_frame_type;
int req_func;
};
@ -85,9 +85,9 @@ protected:
} // namespace detail
class Contents_NCP_Analyzer : public zeek::analyzer::tcp::TCP_SupportAnalyzer {
class Contents_NCP_Analyzer : public analyzer::tcp::TCP_SupportAnalyzer {
public:
Contents_NCP_Analyzer(zeek::Connection* conn, bool orig, detail::NCP_Session* session);
Contents_NCP_Analyzer(Connection* conn, bool orig, detail::NCP_Session* session);
~Contents_NCP_Analyzer() override;
protected:
@ -102,12 +102,12 @@ protected:
bool resync_set;
};
class NCP_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
class NCP_Analyzer : public analyzer::tcp::TCP_ApplicationAnalyzer {
public:
explicit NCP_Analyzer(zeek::Connection* conn);
explicit NCP_Analyzer(Connection* conn);
~NCP_Analyzer() override;
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn)
static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new NCP_Analyzer(conn); }
protected:

60
src/analyzer/protocol/netbios/NetbiosSSN.cc
View file

@ -49,7 +49,7 @@ NetbiosDGM_RawMsgHdr::NetbiosDGM_RawMsgHdr(const u_char*& data, int& len)
MAKE_INT16(offset, data);; len -= 2;
}
NetbiosSSN_Interpreter::NetbiosSSN_Interpreter(zeek::analyzer::Analyzer* arg_analyzer)
NetbiosSSN_Interpreter::NetbiosSSN_Interpreter(analyzer::Analyzer* arg_analyzer)
{
analyzer = arg_analyzer;
//smb_session = arg_smb_session;
@ -61,9 +61,9 @@ void NetbiosSSN_Interpreter::ParseMessage(unsigned int type, unsigned int flags,
if ( netbios_session_message )
analyzer->EnqueueConnEvent(netbios_session_message,
analyzer->ConnVal(),
zeek::val_mgr->Bool(is_query),
zeek::val_mgr->Count(type),
zeek::val_mgr->Count(len)
val_mgr->Bool(is_query),
val_mgr->Count(type),
val_mgr->Count(len)
);
switch ( type ) {
@ -105,7 +105,7 @@ void NetbiosSSN_Interpreter::ParseMessage(unsigned int type, unsigned int flags,
break;
default:
analyzer->Weird("unknown_netbios_type", zeek::util::fmt("0x%x", type));
analyzer->Weird("unknown_netbios_type", util::fmt("0x%x", type));
break;
}
}
@ -125,11 +125,11 @@ void NetbiosSSN_Interpreter::ParseBroadcast(const u_char* data, int len,
// FIND THE NUL-TERMINATED NAME STRINGS HERE!
// Not sure what's in them, so we don't keep them currently.
zeek::String* srcname = new zeek::String((char*) data);
String* srcname = new String((char*) data);
data += srcname->Len()+1;
len -= srcname->Len();
zeek::String* dstname = new zeek::String((char*) data);
String* dstname = new String((char*) data);
data += dstname->Len()+1;
len -= dstname->Len();
@ -146,7 +146,7 @@ void NetbiosSSN_Interpreter::ParseMessageTCP(const u_char* data, int len,
NetbiosSSN_RawMsgHdr hdr(data, len);
if ( hdr.length > unsigned(len) )
analyzer->Weird("excess_netbios_hdr_len", zeek::util::fmt("(%d > %d)",
analyzer->Weird("excess_netbios_hdr_len", util::fmt("(%d > %d)",
hdr.length, len));
else if ( hdr.length < unsigned(len) )
@ -164,12 +164,12 @@ void NetbiosSSN_Interpreter::ParseMessageUDP(const u_char* data, int len,
NetbiosDGM_RawMsgHdr hdr(data, len);
if ( unsigned(hdr.length-14) > unsigned(len) )
analyzer->Weird("excess_netbios_hdr_len", zeek::util::fmt("(%d > %d)",
analyzer->Weird("excess_netbios_hdr_len", util::fmt("(%d > %d)",
hdr.length, len));
else if ( hdr.length < unsigned(len) )
{
analyzer->Weird("deficit_netbios_hdr_len", zeek::util::fmt("(%d < %d)",
analyzer->Weird("deficit_netbios_hdr_len", util::fmt("(%d < %d)",
hdr.length, len));
len = hdr.length;
}
@ -313,7 +313,7 @@ void NetbiosSSN_Interpreter::ParseKeepAlive(const u_char* data, int len,
Event(netbios_session_keepalive, data, len);
}
void NetbiosSSN_Interpreter::Event(zeek::EventHandlerPtr event, const u_char* data,
void NetbiosSSN_Interpreter::Event(EventHandlerPtr event, const u_char* data,
int len, int is_orig)
{
if ( ! event )
@ -322,19 +322,19 @@ void NetbiosSSN_Interpreter::Event(zeek::EventHandlerPtr event, const u_char* da
if ( is_orig >= 0 )
analyzer->EnqueueConnEvent(event,
analyzer->ConnVal(),
zeek::val_mgr->Bool(is_orig),
zeek::make_intrusive<zeek::StringVal>(new zeek::String(data, len, false)));
val_mgr->Bool(is_orig),
make_intrusive<StringVal>(new String(data, len, false)));
else
analyzer->EnqueueConnEvent(event,
analyzer->ConnVal(),
zeek::make_intrusive<zeek::StringVal>(new zeek::String(data, len, false)));
make_intrusive<StringVal>(new String(data, len, false)));
}
} // namespace detail
Contents_NetbiosSSN::Contents_NetbiosSSN(zeek::Connection* conn, bool orig,
Contents_NetbiosSSN::Contents_NetbiosSSN(Connection* conn, bool orig,
detail::NetbiosSSN_Interpreter* arg_interp)
: zeek::analyzer::tcp::TCP_SupportAnalyzer("CONTENTS_NETBIOSSSN", conn, orig)
: analyzer::tcp::TCP_SupportAnalyzer("CONTENTS_NETBIOSSSN", conn, orig)
{
interp = arg_interp;
type = flags = msg_size = 0;
@ -365,7 +365,7 @@ void Contents_NetbiosSSN::DeliverStream(int len, const u_char* data, bool orig)
void Contents_NetbiosSSN::ProcessChunk(int& len, const u_char*& data, bool orig)
{
zeek::analyzer::tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig);
analyzer::tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig);
if ( state == detail::NETBIOS_SSN_TYPE )
{
@ -453,8 +453,8 @@ void Contents_NetbiosSSN::ProcessChunk(int& len, const u_char*& data, bool orig)
state = detail::NETBIOS_SSN_TYPE;
}
NetbiosSSN_Analyzer::NetbiosSSN_Analyzer(zeek::Connection* conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("NETBIOSSSN", conn)
NetbiosSSN_Analyzer::NetbiosSSN_Analyzer(Connection* conn)
: analyzer::tcp::TCP_ApplicationAnalyzer("NETBIOSSSN", conn)
{
//smb_session = new SMB_Session(this);
interp = new detail::NetbiosSSN_Interpreter(this);
@ -471,7 +471,7 @@ NetbiosSSN_Analyzer::NetbiosSSN_Analyzer(zeek::Connection* conn)
else
{
ADD_ANALYZER_TIMER(&NetbiosSSN_Analyzer::ExpireTimer,
zeek::run_state::network_time + netbios_ssn_session_timeout, true,
run_state::network_time + netbios_ssn_session_timeout, true,
zeek::detail::TIMER_NB_EXPIRE);
}
}
@ -484,7 +484,7 @@ NetbiosSSN_Analyzer::~NetbiosSSN_Analyzer()
void NetbiosSSN_Analyzer::Done()
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
analyzer::tcp::TCP_ApplicationAnalyzer::Done();
interp->Timeout();
if ( Conn()->ConnTransport() == TRANSPORT_UDP && ! did_session_done )
@ -495,15 +495,15 @@ void NetbiosSSN_Analyzer::Done()
void NetbiosSSN_Analyzer::EndpointEOF(bool orig)
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(orig);
analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(orig);
(orig ? orig_netbios : resp_netbios)->Flush();
}
void NetbiosSSN_Analyzer::ConnectionClosed(zeek::analyzer::tcp::TCP_Endpoint* endpoint,
zeek::analyzer::tcp::TCP_Endpoint* peer, bool gen_event)
void NetbiosSSN_Analyzer::ConnectionClosed(analyzer::tcp::TCP_Endpoint* endpoint,
analyzer::tcp::TCP_Endpoint* peer, bool gen_event)
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::ConnectionClosed(endpoint, peer, gen_event);
analyzer::tcp::TCP_ApplicationAnalyzer::ConnectionClosed(endpoint, peer, gen_event);
// Question: Why do we flush *both* endpoints upon connection close?
// orig_netbios->Flush();
@ -511,9 +511,9 @@ void NetbiosSSN_Analyzer::ConnectionClosed(zeek::analyzer::tcp::TCP_Endpoint* en
}
void NetbiosSSN_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const zeek::IP_Hdr* ip, int caplen)
uint64_t seq, const IP_Hdr* ip, int caplen)
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
analyzer::tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
if ( orig )
interp->ParseMessageUDP(data, len, true);
@ -526,12 +526,12 @@ void NetbiosSSN_Analyzer::ExpireTimer(double t)
// The - 1.0 in the following is to allow 1 second for the
// common case of a single request followed by a single reply,
// so we don't needlessly set the timer twice in that case.
if ( zeek::run_state::terminating ||
zeek::run_state::network_time - Conn()->LastTime() >=
if ( run_state::terminating ||
run_state::network_time - Conn()->LastTime() >=
netbios_ssn_session_timeout - 1.0 )
{
Event(connection_timeout);
zeek::sessions->Remove(Conn());
sessions->Remove(Conn());
}
else
ADD_ANALYZER_TIMER(&NetbiosSSN_Analyzer::ExpireTimer,

22
src/analyzer/protocol/netbios/NetbiosSSN.h
View file

@ -70,7 +70,7 @@ enum NetbiosSSN_State {
class NetbiosSSN_Interpreter {
public:
explicit NetbiosSSN_Interpreter(zeek::analyzer::Analyzer* analyzer);
explicit NetbiosSSN_Interpreter(analyzer::Analyzer* analyzer);
void ParseMessage(unsigned int type, unsigned int flags,
const u_char* data, int len, bool is_query);
@ -95,7 +95,7 @@ protected:
void ParseSambaMsg(const u_char* data, int len, bool is_query);
void Event(zeek::EventHandlerPtr event, const u_char* data, int len,
void Event(EventHandlerPtr event, const u_char* data, int len,
int is_orig = -1);
// Pass in name/length, returns in xname/xlen the converted
@ -105,16 +105,16 @@ protected:
u_char*& xname, int& xlen);
protected:
zeek::analyzer::Analyzer* analyzer;
analyzer::Analyzer* analyzer;
//SMB_Session* smb_session;
};
} // namespace detail
// ### This should be merged with TCP_Contents_RPC, TCP_Contents_DNS.
class Contents_NetbiosSSN final : public zeek::analyzer::tcp::TCP_SupportAnalyzer {
class Contents_NetbiosSSN final : public analyzer::tcp::TCP_SupportAnalyzer {
public:
Contents_NetbiosSSN(zeek::Connection* conn, bool orig,
Contents_NetbiosSSN(Connection* conn, bool orig,
detail::NetbiosSSN_Interpreter* interp);
~Contents_NetbiosSSN() override;
@ -139,21 +139,21 @@ protected:
detail::NetbiosSSN_State state;
};
class NetbiosSSN_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
class NetbiosSSN_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer {
public:
explicit NetbiosSSN_Analyzer(zeek::Connection* conn);
explicit NetbiosSSN_Analyzer(Connection* conn);
~NetbiosSSN_Analyzer() override;
void Done() override;
void DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override;
uint64_t seq, const IP_Hdr* ip, int caplen) override;
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn)
static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new NetbiosSSN_Analyzer(conn); }
protected:
void ConnectionClosed(zeek::analyzer::tcp::TCP_Endpoint* endpoint,
zeek::analyzer::tcp::TCP_Endpoint* peer, bool gen_event) override;
void ConnectionClosed(analyzer::tcp::TCP_Endpoint* endpoint,
analyzer::tcp::TCP_Endpoint* peer, bool gen_event) override;
void EndpointEOF(bool is_orig) override;
void ExpireTimer(double t);

14
src/analyzer/protocol/ntlm/NTLM.cc
View file

@ -7,8 +7,8 @@
namespace zeek::analyzer::ntlm {
NTLM_Analyzer::NTLM_Analyzer(zeek::Connection* c)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("NTLM", c)
NTLM_Analyzer::NTLM_Analyzer(Connection* c)
: analyzer::tcp::TCP_ApplicationAnalyzer("NTLM", c)
{
interp = new binpac::NTLM::NTLM_Conn(this);
}
@ -20,7 +20,7 @@ NTLM_Analyzer::~NTLM_Analyzer()
void NTLM_Analyzer::Done()
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
analyzer::tcp::TCP_ApplicationAnalyzer::Done();
interp->FlowEOF(true);
interp->FlowEOF(false);
@ -28,13 +28,13 @@ void NTLM_Analyzer::Done()
void NTLM_Analyzer::EndpointEOF(bool is_orig)
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
interp->FlowEOF(is_orig);
}
void NTLM_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
assert(TCP());
@ -45,13 +45,13 @@ void NTLM_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
}
catch ( const binpac::Exception& e )
{
ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg()));
ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
}
}
void NTLM_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
interp->NewGap(orig, len);
}

8
src/analyzer/protocol/ntlm/NTLM.h
View file

@ -9,10 +9,10 @@
namespace zeek::analyzer::ntlm {
class NTLM_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
class NTLM_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer {
public:
explicit NTLM_Analyzer(zeek::Connection* conn);
explicit NTLM_Analyzer(Connection* conn);
~NTLM_Analyzer() override;
// Overriden from Analyzer.
@ -21,10 +21,10 @@ public:
void DeliverStream(int len, const u_char* data, bool orig) override;
void Undelivered(uint64_t seq, int len, bool orig) override;
// Overriden from zeek::analyzer::tcp::TCP_ApplicationAnalyzer.
// Overriden from analyzer::tcp::TCP_ApplicationAnalyzer.
void EndpointEOF(bool is_orig) override;
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn)
static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new NTLM_Analyzer(conn); }
protected:

8
src/analyzer/protocol/ntp/NTP.cc
View file

@ -6,8 +6,8 @@
namespace zeek::analyzer::ntp {
NTP_Analyzer::NTP_Analyzer(zeek::Connection* c)
: zeek::analyzer::Analyzer("NTP", c)
NTP_Analyzer::NTP_Analyzer(Connection* c)
: analyzer::Analyzer("NTP", c)
{
interp = new binpac::NTP::NTP_Conn(this);
}
@ -24,7 +24,7 @@ NTP_Analyzer::~NTP_Analyzer()
}
void NTP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const zeek::IP_Hdr* ip, int caplen)
uint64_t seq, const IP_Hdr* ip, int caplen)
{
Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
@ -34,7 +34,7 @@ void NTP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
}
catch ( const binpac::Exception& e )
{
ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg()));
ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
}
}

8
src/analyzer/protocol/ntp/NTP.h
View file

@ -9,17 +9,17 @@
namespace zeek::analyzer::ntp {
class NTP_Analyzer final : public zeek::analyzer::Analyzer {
class NTP_Analyzer final : public analyzer::Analyzer {
public:
explicit NTP_Analyzer(zeek::Connection* conn);
explicit NTP_Analyzer(Connection* conn);
~NTP_Analyzer() override;
// Overriden from Analyzer.
void Done() override;
void DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override;
uint64_t seq, const IP_Hdr* ip, int caplen) override;
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn)
static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new NTP_Analyzer(conn); }
protected:

66
src/analyzer/protocol/pia/PIA.cc
View file

@ -11,7 +11,7 @@
namespace zeek::analyzer::pia {
PIA::PIA(zeek::analyzer::Analyzer* arg_as_analyzer)
PIA::PIA(analyzer::Analyzer* arg_as_analyzer)
: state(INIT), as_analyzer(arg_as_analyzer), conn(), current_packet()
{
}
@ -37,7 +37,7 @@ void PIA::ClearBuffer(Buffer* buffer)
}
void PIA::AddToBuffer(Buffer* buffer, uint64_t seq, int len, const u_char* data,
bool is_orig, const zeek::IP_Hdr* ip)
bool is_orig, const IP_Hdr* ip)
{
u_char* tmp = nullptr;
@ -67,14 +67,14 @@ void PIA::AddToBuffer(Buffer* buffer, uint64_t seq, int len, const u_char* data,
}
void PIA::AddToBuffer(Buffer* buffer, int len, const u_char* data, bool is_orig,
const zeek::IP_Hdr* ip)
const IP_Hdr* ip)
{
AddToBuffer(buffer, -1, len, data, is_orig, ip);
}
void PIA::ReplayPacketBuffer(zeek::analyzer::Analyzer* analyzer)
void PIA::ReplayPacketBuffer(analyzer::Analyzer* analyzer)
{
DBG_LOG(zeek::DBG_ANALYZER, "PIA replaying %d total packet bytes", pkt_buffer.size);
DBG_LOG(DBG_ANALYZER, "PIA replaying %d total packet bytes", pkt_buffer.size);
for ( DataBlock* b = pkt_buffer.head; b; b = b->next )
analyzer->DeliverPacket(b->len, b->data, b->is_orig, -1, b->ip, 0);
@ -86,7 +86,7 @@ void PIA::PIA_Done()
}
void PIA::PIA_DeliverPacket(int len, const u_char* data, bool is_orig, uint64_t seq,
const zeek::IP_Hdr* ip, int caplen, bool clear_state)
const IP_Hdr* ip, int caplen, bool clear_state)
{
if ( pkt_buffer.state == SKIPPING )
return;
@ -131,7 +131,7 @@ void PIA::Match(zeek::detail::Rule::PatternType type, const u_char* data, int le
}
void PIA::DoMatch(const u_char* data, int len, bool is_orig, bool bol, bool eol,
bool clear_state, const zeek::IP_Hdr* ip)
bool clear_state, const IP_Hdr* ip)
{
if ( ! zeek::detail::rule_matcher )
return;
@ -146,11 +146,11 @@ void PIA::DoMatch(const u_char* data, int len, bool is_orig, bool bol, bool eol,
bol, eol, clear_state);
}
void PIA_UDP::ActivateAnalyzer(zeek::analyzer::Tag tag, const zeek::detail::Rule* rule)
void PIA_UDP::ActivateAnalyzer(analyzer::Tag tag, const zeek::detail::Rule* rule)
{
if ( pkt_buffer.state == MATCHING_ONLY )
{
DBG_LOG(zeek::DBG_ANALYZER, "analyzer found but buffer already exceeded");
DBG_LOG(DBG_ANALYZER, "analyzer found but buffer already exceeded");
// FIXME: This is where to check whether an analyzer
// supports partial connections once we get such.
@ -161,7 +161,7 @@ void PIA_UDP::ActivateAnalyzer(zeek::analyzer::Tag tag, const zeek::detail::Rule
tag = GetAnalyzerTag();
const auto& tval = tag.AsVal();
zeek::event_mgr.Enqueue(protocol_late_match, ConnVal(), tval);
event_mgr.Enqueue(protocol_late_match, ConnVal(), tval);
}
pkt_buffer.state = zeek::detail::dpd_late_match_stop ? SKIPPING : MATCHING_ONLY;
@ -171,7 +171,7 @@ void PIA_UDP::ActivateAnalyzer(zeek::analyzer::Tag tag, const zeek::detail::Rule
if ( Parent()->HasChildAnalyzer(tag) )
return;
zeek::analyzer::Analyzer* a = Parent()->AddChildAnalyzer(tag);
analyzer::Analyzer* a = Parent()->AddChildAnalyzer(tag);
if ( ! a )
return;
@ -180,9 +180,9 @@ void PIA_UDP::ActivateAnalyzer(zeek::analyzer::Tag tag, const zeek::detail::Rule
ReplayPacketBuffer(a);
}
void PIA_UDP::DeactivateAnalyzer(zeek::analyzer::Tag tag)
void PIA_UDP::DeactivateAnalyzer(analyzer::Tag tag)
{
zeek::reporter->InternalError("PIA_UDP::Deact not implemented yet");
reporter->InternalError("PIA_UDP::Deact not implemented yet");
}
//// TCP PIA
@ -194,7 +194,7 @@ PIA_TCP::~PIA_TCP()
void PIA_TCP::Init()
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Init();
analyzer::tcp::TCP_ApplicationAnalyzer::Init();
if ( Parent()->IsAnalyzer("TCP") )
{
@ -204,14 +204,14 @@ void PIA_TCP::Init()
}
}
void PIA_TCP::FirstPacket(bool is_orig, const zeek::IP_Hdr* ip)
void PIA_TCP::FirstPacket(bool is_orig, const IP_Hdr* ip)
{
static char dummy_packet[sizeof(struct ip) + sizeof(struct tcphdr)];
static struct ip* ip4 = nullptr;
static struct tcphdr* tcp4 = nullptr;
static zeek::IP_Hdr* ip4_hdr = nullptr;
static IP_Hdr* ip4_hdr = nullptr;
DBG_LOG(zeek::DBG_ANALYZER, "PIA_TCP[%d] FirstPacket(%s)", GetID(), (is_orig ? "T" : "F"));
DBG_LOG(DBG_ANALYZER, "PIA_TCP[%d] FirstPacket(%s)", GetID(), (is_orig ? "T" : "F"));
if ( ! ip )
{
@ -227,7 +227,7 @@ void PIA_TCP::FirstPacket(bool is_orig, const zeek::IP_Hdr* ip)
ip4->ip_p = IPPROTO_TCP;
// Cast to const so that it doesn't delete it.
ip4_hdr = new zeek::IP_Hdr(ip4, false);
ip4_hdr = new IP_Hdr(ip4, false);
}
if ( is_orig )
@ -254,7 +254,7 @@ void PIA_TCP::FirstPacket(bool is_orig, const zeek::IP_Hdr* ip)
void PIA_TCP::DeliverStream(int len, const u_char* data, bool is_orig)
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig);
analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig);
if ( stream_buffer.state == SKIPPING )
return;
@ -284,7 +284,7 @@ void PIA_TCP::DeliverStream(int len, const u_char* data, bool is_orig)
void PIA_TCP::Undelivered(uint64_t seq, int len, bool is_orig)
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig);
analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig);
if ( stream_buffer.state == BUFFERING )
// We use data=nil to mark an undelivered.
@ -293,11 +293,11 @@ void PIA_TCP::Undelivered(uint64_t seq, int len, bool is_orig)
// No check for buffer overrun here. I think that's ok.
}
void PIA_TCP::ActivateAnalyzer(zeek::analyzer::Tag tag, const zeek::detail::Rule* rule)
void PIA_TCP::ActivateAnalyzer(analyzer::Tag tag, const zeek::detail::Rule* rule)
{
if ( stream_buffer.state == MATCHING_ONLY )
{
DBG_LOG(zeek::DBG_ANALYZER, "analyzer found but buffer already exceeded");
DBG_LOG(DBG_ANALYZER, "analyzer found but buffer already exceeded");
// FIXME: This is where to check whether an analyzer supports
// partial connections once we get such.
@ -308,14 +308,14 @@ void PIA_TCP::ActivateAnalyzer(zeek::analyzer::Tag tag, const zeek::detail::Rule
tag = GetAnalyzerTag();
const auto& tval = tag.AsVal();
zeek::event_mgr.Enqueue(protocol_late_match, ConnVal(), tval);
event_mgr.Enqueue(protocol_late_match, ConnVal(), tval);
}
stream_buffer.state = zeek::detail::dpd_late_match_stop ? SKIPPING : MATCHING_ONLY;
return;
}
zeek::analyzer::Analyzer* a = Parent()->AddChildAnalyzer(tag);
analyzer::Analyzer* a = Parent()->AddChildAnalyzer(tag);
if ( ! a )
return;
@ -349,7 +349,7 @@ void PIA_TCP::ActivateAnalyzer(zeek::analyzer::Tag tag, const zeek::detail::Rule
// (4) We hand the two reassemblers to the TCP Analyzer (our parent),
// turning reassembly now on for all subsequent data.
DBG_LOG(zeek::DBG_ANALYZER, "PIA_TCP switching from packet-mode to stream-mode");
DBG_LOG(DBG_ANALYZER, "PIA_TCP switching from packet-mode to stream-mode");
stream_mode = true;
// FIXME: The reassembler will query the endpoint for state. Not sure
@ -386,10 +386,10 @@ void PIA_TCP::ActivateAnalyzer(zeek::analyzer::Tag tag, const zeek::detail::Rule
// worth the effort.
if ( b->is_orig )
reass_orig->DataSent(zeek::run_state::network_time, orig_seq = b->seq,
reass_orig->DataSent(run_state::network_time, orig_seq = b->seq,
b->len, b->data, tcp::TCP_Flags(), true);
else
reass_resp->DataSent(zeek::run_state::network_time, resp_seq = b->seq,
reass_resp->DataSent(run_state::network_time, resp_seq = b->seq,
b->len, b->data, tcp::TCP_Flags(), true);
}
@ -398,11 +398,11 @@ void PIA_TCP::ActivateAnalyzer(zeek::analyzer::Tag tag, const zeek::detail::Rule
if ( current->data )
{
if ( current->is_orig )
reass_orig->DataSent(zeek::run_state::network_time,
reass_orig->DataSent(run_state::network_time,
orig_seq = current->seq,
current->len, current->data, analyzer::tcp::TCP_Flags(), true);
else
reass_resp->DataSent(zeek::run_state::network_time,
reass_resp->DataSent(run_state::network_time,
resp_seq = current->seq,
current->len, current->data, analyzer::tcp::TCP_Flags(), true);
}
@ -419,14 +419,14 @@ void PIA_TCP::ActivateAnalyzer(zeek::analyzer::Tag tag, const zeek::detail::Rule
tcp->SetReassembler(reass_orig, reass_resp);
}
void PIA_TCP::DeactivateAnalyzer(zeek::analyzer::Tag tag)
void PIA_TCP::DeactivateAnalyzer(analyzer::Tag tag)
{
zeek::reporter->InternalError("PIA_TCP::Deact not implemented yet");
reporter->InternalError("PIA_TCP::Deact not implemented yet");
}
void PIA_TCP::ReplayStreamBuffer(zeek::analyzer::Analyzer* analyzer)
void PIA_TCP::ReplayStreamBuffer(analyzer::Analyzer* analyzer)
{
DBG_LOG(zeek::DBG_ANALYZER, "PIA_TCP replaying %d total stream bytes", stream_buffer.size);
DBG_LOG(DBG_ANALYZER, "PIA_TCP replaying %d total stream bytes", stream_buffer.size);
for ( DataBlock* b = stream_buffer.head; b; b = b->next )
{

56
src/analyzer/protocol/pia/PIA.h
View file

@ -19,37 +19,37 @@ namespace zeek::analyzer::pia {
// PIAs and then each needs its own matching-state.
class PIA : public zeek::detail::RuleMatcherState {
public:
explicit PIA(zeek::analyzer::Analyzer* as_analyzer);
explicit PIA(analyzer::Analyzer* as_analyzer);
virtual ~PIA();
// Called when PIA wants to put an Analyzer in charge. rule is the
// signature that triggered the activitation, if any.
virtual void ActivateAnalyzer(zeek::analyzer::Tag tag,
virtual void ActivateAnalyzer(analyzer::Tag tag,
const zeek::detail::Rule* rule = nullptr) = 0;
// Called when PIA wants to remove an Analyzer.
virtual void DeactivateAnalyzer(zeek::analyzer::Tag tag) = 0;
virtual void DeactivateAnalyzer(analyzer::Tag tag) = 0;
void Match(zeek::detail::Rule::PatternType type, const u_char* data, int len,
bool is_orig, bool bol, bool eol, bool clear_state);
void ReplayPacketBuffer(zeek::analyzer::Analyzer* analyzer);
void ReplayPacketBuffer(analyzer::Analyzer* analyzer);
// Children are also derived from Analyzer. Return this object
// as pointer to an Analyzer.
zeek::analyzer::Analyzer* AsAnalyzer() { return as_analyzer; }
analyzer::Analyzer* AsAnalyzer() { return as_analyzer; }
protected:
void PIA_Done();
void PIA_DeliverPacket(int len, const u_char* data, bool is_orig,
uint64_t seq, const zeek::IP_Hdr* ip, int caplen, bool clear_state);
uint64_t seq, const IP_Hdr* ip, int caplen, bool clear_state);
enum State { INIT, BUFFERING, MATCHING_ONLY, SKIPPING } state;
// Buffers one chunk of data. Used both for packet payload (incl.
// sequence numbers for TCP) and chunks of a reassembled stream.
struct DataBlock {
zeek::IP_Hdr* ip;
IP_Hdr* ip;
const u_char* data;
bool is_orig;
int len;
@ -67,35 +67,35 @@ protected:
};
void AddToBuffer(Buffer* buffer, uint64_t seq, int len,
const u_char* data, bool is_orig, const zeek::IP_Hdr* ip = nullptr);
const u_char* data, bool is_orig, const IP_Hdr* ip = nullptr);
void AddToBuffer(Buffer* buffer, int len,
const u_char* data, bool is_orig, const zeek::IP_Hdr* ip = nullptr);
const u_char* data, bool is_orig, const IP_Hdr* ip = nullptr);
void ClearBuffer(Buffer* buffer);
DataBlock* CurrentPacket() { return &current_packet; }
void DoMatch(const u_char* data, int len, bool is_orig, bool bol,
bool eol, bool clear_state, const zeek::IP_Hdr* ip = nullptr);
bool eol, bool clear_state, const IP_Hdr* ip = nullptr);
void SetConn(zeek::Connection* c) { conn = c; }
void SetConn(Connection* c) { conn = c; }
Buffer pkt_buffer;
private:
zeek::analyzer::Analyzer* as_analyzer;
zeek::Connection* conn;
analyzer::Analyzer* as_analyzer;
Connection* conn;
DataBlock current_packet;
};
// PIA for UDP.
class PIA_UDP : public PIA, public zeek::analyzer::Analyzer {
class PIA_UDP : public PIA, public analyzer::Analyzer {
public:
explicit PIA_UDP(zeek::Connection* conn)
explicit PIA_UDP(Connection* conn)
: PIA(this), Analyzer("PIA_UDP", conn)
{ SetConn(conn); }
~PIA_UDP() override { }
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn)
static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new PIA_UDP(conn); }
protected:
@ -106,22 +106,22 @@ protected:
}
void DeliverPacket(int len, const u_char* data, bool is_orig,
uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override
uint64_t seq, const IP_Hdr* ip, int caplen) override
{
Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen);
PIA_DeliverPacket(len, data, is_orig, seq, ip, caplen, true);
}
void ActivateAnalyzer(zeek::analyzer::Tag tag, const zeek::detail::Rule* rule) override;
void DeactivateAnalyzer(zeek::analyzer::Tag tag) override;
void ActivateAnalyzer(analyzer::Tag tag, const zeek::detail::Rule* rule) override;
void DeactivateAnalyzer(analyzer::Tag tag) override;
};
// PIA for TCP. Accepts both packet and stream input (and reassembles
// packets before passing payload on to children).
class PIA_TCP : public PIA, public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
class PIA_TCP : public PIA, public analyzer::tcp::TCP_ApplicationAnalyzer {
public:
explicit PIA_TCP(zeek::Connection* conn)
: PIA(this), zeek::analyzer::tcp::TCP_ApplicationAnalyzer("PIA_TCP", conn)
explicit PIA_TCP(Connection* conn)
: PIA(this), analyzer::tcp::TCP_ApplicationAnalyzer("PIA_TCP", conn)
{ stream_mode = false; SetConn(conn); }
~PIA_TCP() override;
@ -136,11 +136,11 @@ public:
// matcher in the case that we already get reassembled input,
// and making it part of the general analyzer interface seems
// to be unnecessary overhead.)
void FirstPacket(bool is_orig, const zeek::IP_Hdr* ip);
void FirstPacket(bool is_orig, const IP_Hdr* ip);
void ReplayStreamBuffer(zeek::analyzer::Analyzer* analyzer);
void ReplayStreamBuffer(analyzer::Analyzer* analyzer);
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn)
static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new PIA_TCP(conn); }
protected:
@ -151,7 +151,7 @@ protected:
}
void DeliverPacket(int len, const u_char* data, bool is_orig,
uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override
uint64_t seq, const IP_Hdr* ip, int caplen) override
{
Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen);
PIA_DeliverPacket(len, data, is_orig, seq, ip, caplen, false);
@ -160,9 +160,9 @@ protected:
void DeliverStream(int len, const u_char* data, bool is_orig) override;
void Undelivered(uint64_t seq, int len, bool is_orig) override;
void ActivateAnalyzer(zeek::analyzer::Tag tag,
void ActivateAnalyzer(analyzer::Tag tag,
const zeek::detail::Rule* rule = nullptr) override;
void DeactivateAnalyzer(zeek::analyzer::Tag tag) override;
void DeactivateAnalyzer(analyzer::Tag tag) override;
private:
// FIXME: Not sure yet whether we need both pkt_buffer and stream_buffer.

48
src/analyzer/protocol/pop3/POP3.cc
View file

@ -25,8 +25,8 @@ static const char* pop3_cmd_word[] = {
#define POP3_CMD_WORD(code) ((code >= 0) ? pop3_cmd_word[code] : "(UNKNOWN)")
POP3_Analyzer::POP3_Analyzer(zeek::Connection* conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("POP3", conn)
POP3_Analyzer::POP3_Analyzer(Connection* conn)
: analyzer::tcp::TCP_ApplicationAnalyzer("POP3", conn)
{
masterState = detail::POP3_START;
subState = detail::POP3_WOK;
@ -44,10 +44,10 @@ POP3_Analyzer::POP3_Analyzer(zeek::Connection* conn)
mail = nullptr;
cl_orig = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, true);
cl_orig = new analyzer::tcp::ContentLine_Analyzer(conn, true);
AddSupportAnalyzer(cl_orig);
cl_resp = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, false);
cl_resp = new analyzer::tcp::ContentLine_Analyzer(conn, false);
AddSupportAnalyzer(cl_resp);
}
@ -57,7 +57,7 @@ POP3_Analyzer::~POP3_Analyzer()
void POP3_Analyzer::Done()
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
analyzer::tcp::TCP_ApplicationAnalyzer::Done();
if ( mail )
EndData();
@ -66,7 +66,7 @@ void POP3_Analyzer::Done()
void POP3_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
if ( tls )
{
@ -77,7 +77,7 @@ void POP3_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
if ( (TCP() && TCP()->IsPartial()) )
return;
zeek::String terminated_string(data, len, true);
String terminated_string(data, len, true);
if ( orig )
ProcessRequest(len, (char*) terminated_string.Bytes());
@ -91,7 +91,7 @@ static std::string trim_whitespace(const char* in)
char* out = new char[n + 1];
char* out_p = out;
in = zeek::util::skip_whitespace(in);
in = util::skip_whitespace(in);
while ( *in )
{
@ -134,8 +134,8 @@ void POP3_Analyzer::ProcessRequest(int length, const char* line)
{
++authLines;
zeek::String encoded(line);
zeek::String* decoded = zeek::detail::decode_base64(&encoded, nullptr, Conn());
String encoded(line);
String* decoded = zeek::detail::decode_base64(&encoded, nullptr, Conn());
if ( ! decoded )
{
@ -212,7 +212,7 @@ void POP3_Analyzer::ProcessRequest(int length, const char* line)
break;
default:
zeek::reporter->AnalyzerError(
reporter->AnalyzerError(
this, "unexpected POP3 authorization state");
delete decoded;
return;
@ -245,7 +245,7 @@ static std::string commands[] = {
void POP3_Analyzer::NotAllowed(const char* cmd, const char* state)
{
POP3Event(pop3_unexpected, true, cmd,
zeek::util::fmt("not allowed in other state than '%s'", state));
util::fmt("not allowed in other state than '%s'", state));
}
void POP3_Analyzer::ProcessClientCmd()
@ -320,7 +320,7 @@ void POP3_Analyzer::ProcessClientCmd()
state = detail::APOP;
subState = detail::POP3_WOK;
char* arg1 = zeek::util::copy_string(message);
char* arg1 = util::copy_string(message);
char* e;
for ( e = arg1; *e && *e != ' ' && *e != '\t'; ++e )
;
@ -354,7 +354,7 @@ void POP3_Analyzer::ProcessClientCmd()
{
state = detail::AUTH;
POP3Event(pop3_unexpected, true, cmd,
zeek::util::fmt("unknown AUTH method %s", message));
util::fmt("unknown AUTH method %s", message));
}
subState = detail::POP3_WOK;
@ -571,7 +571,7 @@ void POP3_Analyzer::ProcessClientCmd()
break;
default:
zeek::reporter->AnalyzerError(this, "unknown POP3 command");
reporter->AnalyzerError(this, "unknown POP3 command");
return;
}
}
@ -634,7 +634,7 @@ void POP3_Analyzer::ProcessReply(int length, const char* line)
{
if ( ! waitingForAuthentication )
{
ProtocolViolation(zeek::util::fmt("unknown server command (%s)",
ProtocolViolation(util::fmt("unknown server command (%s)",
(tokens.size() > 0 ?
tokens[0].c_str() :
"???")),
@ -820,7 +820,7 @@ void POP3_Analyzer::StartTLS()
RemoveSupportAnalyzer(cl_orig);
RemoveSupportAnalyzer(cl_resp);
Analyzer* ssl = zeek::analyzer_mgr->InstantiateAnalyzer("SSL", Conn());
Analyzer* ssl = analyzer_mgr->InstantiateAnalyzer("SSL", Conn());
if ( ssl )
AddChildAnalyzer(ssl);
@ -838,13 +838,13 @@ void POP3_Analyzer::AuthSuccessfull()
void POP3_Analyzer::BeginData(bool orig)
{
delete mail;
mail = new zeek::analyzer::mime::MIME_Mail(this, orig);
mail = new analyzer::mime::MIME_Mail(this, orig);
}
void POP3_Analyzer::EndData()
{
if ( ! mail )
zeek::reporter->Warning("unmatched end of data");
reporter->Warning("unmatched end of data");
else
{
mail->Done();
@ -909,22 +909,22 @@ std::vector<std::string> POP3_Analyzer::TokenizeLine(const std::string& input, c
return tokens;
}
void POP3_Analyzer::POP3Event(zeek::EventHandlerPtr event, bool is_orig,
void POP3_Analyzer::POP3Event(EventHandlerPtr event, bool is_orig,
const char* arg1, const char* arg2)
{
if ( ! event )
return;
zeek::Args vl;
Args vl;
vl.reserve(2 + (bool)arg1 + (bool)arg2);
vl.emplace_back(ConnVal());
vl.emplace_back(zeek::val_mgr->Bool(is_orig));
vl.emplace_back(val_mgr->Bool(is_orig));
if ( arg1 )
vl.emplace_back(zeek::make_intrusive<zeek::StringVal>(arg1));
vl.emplace_back(make_intrusive<StringVal>(arg1));
if ( arg2 )
vl.emplace_back(zeek::make_intrusive<zeek::StringVal>(arg2));
vl.emplace_back(make_intrusive<StringVal>(arg2));
EnqueueConnEvent(event, std::move(vl));
}

14
src/analyzer/protocol/pop3/POP3.h
View file

@ -64,15 +64,15 @@ enum POP3_SubState {
} // namespace detail
class POP3_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
class POP3_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer {
public:
explicit POP3_Analyzer(zeek::Connection* conn);
explicit POP3_Analyzer(Connection* conn);
~POP3_Analyzer() override;
void Done() override;
void DeliverStream(int len, const u_char* data, bool orig) override;
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn)
static analyzer::Analyzer* Instantiate(Connection* conn)
{
return new POP3_Analyzer(conn);
}
@ -105,16 +105,16 @@ protected:
std::vector<std::string> TokenizeLine(const std::string& input, char split);
int ParseCmd(std::string cmd);
void AuthSuccessfull();
void POP3Event(zeek::EventHandlerPtr event, bool is_orig,
void POP3Event(EventHandlerPtr event, bool is_orig,
const char* arg1 = nullptr, const char* arg2 = nullptr);
zeek::analyzer::mime::MIME_Mail* mail;
analyzer::mime::MIME_Mail* mail;
std::list<std::string> cmds;
private:
bool tls;
zeek::analyzer::tcp::ContentLine_Analyzer* cl_orig;
zeek::analyzer::tcp::ContentLine_Analyzer* cl_resp;
analyzer::tcp::ContentLine_Analyzer* cl_orig;
analyzer::tcp::ContentLine_Analyzer* cl_resp;
};
} // namespace zeek::analyzer::pop3

8
src/analyzer/protocol/radius/RADIUS.cc
View file

@ -8,8 +8,8 @@
namespace zeek::analyzer::radius {
RADIUS_Analyzer::RADIUS_Analyzer(zeek::Connection* c)
: zeek::analyzer::Analyzer("RADIUS", c)
RADIUS_Analyzer::RADIUS_Analyzer(Connection* c)
: analyzer::Analyzer("RADIUS", c)
{
interp = new binpac::RADIUS::RADIUS_Conn(this);
}
@ -25,7 +25,7 @@ void RADIUS_Analyzer::Done()
}
void RADIUS_Analyzer::DeliverPacket(int len, const u_char* data,
bool orig, uint64_t seq, const zeek::IP_Hdr* ip, int caplen)
bool orig, uint64_t seq, const IP_Hdr* ip, int caplen)
{
Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
@ -35,7 +35,7 @@ void RADIUS_Analyzer::DeliverPacket(int len, const u_char* data,
}
catch ( const binpac::Exception& e )
{
ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg()));
ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
}
}

8
src/analyzer/protocol/radius/RADIUS.h
View file

@ -10,17 +10,17 @@
namespace zeek::analyzer::radius {
class RADIUS_Analyzer final : public zeek::analyzer::Analyzer {
class RADIUS_Analyzer final : public analyzer::Analyzer {
public:
explicit RADIUS_Analyzer(zeek::Connection* conn);
explicit RADIUS_Analyzer(Connection* conn);
~RADIUS_Analyzer() override;
// Overriden from Analyzer.
void Done() override;
void DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override;
uint64_t seq, const IP_Hdr* ip, int caplen) override;
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn)
static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new RADIUS_Analyzer(conn); }
protected:

20
src/analyzer/protocol/rdp/RDP.cc
View file

@ -6,8 +6,8 @@
namespace zeek::analyzer::rdp {
RDP_Analyzer::RDP_Analyzer(zeek::Connection* c)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("RDP", c)
RDP_Analyzer::RDP_Analyzer(Connection* c)
: analyzer::tcp::TCP_ApplicationAnalyzer("RDP", c)
{
interp = new binpac::RDP::RDP_Conn(this);
@ -22,7 +22,7 @@ RDP_Analyzer::~RDP_Analyzer()
void RDP_Analyzer::Done()
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
analyzer::tcp::TCP_ApplicationAnalyzer::Done();
interp->FlowEOF(true);
interp->FlowEOF(false);
@ -30,13 +30,13 @@ void RDP_Analyzer::Done()
void RDP_Analyzer::EndpointEOF(bool is_orig)
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
interp->FlowEOF(is_orig);
}
void RDP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
assert(TCP());
if ( TCP()->IsPartial() )
@ -56,11 +56,11 @@ void RDP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{
if ( ! pia )
{
pia = new zeek::analyzer::pia::PIA_TCP(Conn());
pia = new analyzer::pia::PIA_TCP(Conn());
if ( ! AddChildAnalyzer(pia) )
{
zeek::reporter->AnalyzerError(this,
reporter->AnalyzerError(this,
"failed to add TCP child analyzer "
"to RDP analyzer: already exists");
return;
@ -75,7 +75,7 @@ void RDP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
else
{
if ( rdp_native_encrypted_data )
zeek::BifEvent::enqueue_rdp_native_encrypted_data(
BifEvent::enqueue_rdp_native_encrypted_data(
interp->bro_analyzer(), interp->bro_analyzer()->Conn(),
orig, len);
}
@ -88,14 +88,14 @@ void RDP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
}
catch ( const binpac::Exception& e )
{
ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg()));
ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
}
}
}
void RDP_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
had_gap = true;
interp->NewGap(orig, len);
}

8
src/analyzer/protocol/rdp/RDP.h
View file

@ -7,10 +7,10 @@
namespace zeek::analyzer::rdp {
class RDP_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
class RDP_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer {
public:
explicit RDP_Analyzer(zeek::Connection* conn);
explicit RDP_Analyzer(Connection* conn);
~RDP_Analyzer() override;
// Overriden from Analyzer.
@ -19,14 +19,14 @@ public:
void Undelivered(uint64_t seq, int len, bool orig) override;
void EndpointEOF(bool is_orig) override;
static zeek::analyzer::Analyzer* InstantiateAnalyzer(zeek::Connection* conn)
static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
{ return new RDP_Analyzer(conn); }
protected:
binpac::RDP::RDP_Conn* interp;
bool had_gap;
zeek::analyzer::pia::PIA_TCP *pia;
analyzer::pia::PIA_TCP *pia;
};
} // namespace zeek::analyzer::rdp

8
src/analyzer/protocol/rdp/RDPEUDP.cc
View file

@ -5,8 +5,8 @@
namespace zeek::analyzer::rdpeudp {
RDP_Analyzer::RDP_Analyzer(zeek::Connection* c)
: zeek::analyzer::Analyzer("RDPEUDP", c)
RDP_Analyzer::RDP_Analyzer(Connection* c)
: analyzer::Analyzer("RDPEUDP", c)
{
interp = new binpac::RDPEUDP::RDPEUDP_Conn(this);
}
@ -22,7 +22,7 @@ void RDP_Analyzer::Done()
}
void RDP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const zeek::IP_Hdr* ip, int caplen)
uint64_t seq, const IP_Hdr* ip, int caplen)
{
Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
@ -32,7 +32,7 @@ void RDP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
}
catch ( const binpac::Exception& e )
{
ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg()));
ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
}
}

8
src/analyzer/protocol/rdp/RDPEUDP.h
View file

@ -6,16 +6,16 @@
namespace zeek::analyzer::rdpeudp {
class RDP_Analyzer final : public zeek::analyzer::Analyzer {
class RDP_Analyzer final : public analyzer::Analyzer {
public:
explicit RDP_Analyzer(zeek::Connection* conn);
explicit RDP_Analyzer(Connection* conn);
~RDP_Analyzer() override;
void Done() override;
void DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override;
static zeek::analyzer::Analyzer* InstantiateAnalyzer(zeek::Connection* conn)
uint64_t seq, const IP_Hdr* ip, int caplen) override;
static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
{ return new RDP_Analyzer(conn); }
protected:

14
src/analyzer/protocol/rfb/RFB.cc
View file

@ -8,8 +8,8 @@
namespace zeek::analyzer::rfb {
RFB_Analyzer::RFB_Analyzer(zeek::Connection* c)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("RFB", c)
RFB_Analyzer::RFB_Analyzer(Connection* c)
: analyzer::tcp::TCP_ApplicationAnalyzer("RFB", c)
{
interp = new binpac::RFB::RFB_Conn(this);
had_gap = false;
@ -23,7 +23,7 @@ RFB_Analyzer::~RFB_Analyzer()
void RFB_Analyzer::Done()
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
analyzer::tcp::TCP_ApplicationAnalyzer::Done();
interp->FlowEOF(true);
interp->FlowEOF(false);
@ -32,13 +32,13 @@ void RFB_Analyzer::Done()
void RFB_Analyzer::EndpointEOF(bool is_orig)
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
interp->FlowEOF(is_orig);
}
void RFB_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
assert(TCP());
if ( TCP()->IsPartial() )
return;
@ -63,14 +63,14 @@ void RFB_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
}
catch ( const binpac::Exception& e )
{
ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg()));
ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
invalid = true;
}
}
void RFB_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
had_gap = true;
interp->NewGap(orig, len);
}

8
src/analyzer/protocol/rfb/RFB.h
View file

@ -8,10 +8,10 @@
namespace zeek::analyzer::rfb {
class RFB_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
class RFB_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer {
public:
explicit RFB_Analyzer(zeek::Connection* conn);
explicit RFB_Analyzer(Connection* conn);
~RFB_Analyzer() override;
// Overriden from Analyzer.
@ -20,10 +20,10 @@ public:
void DeliverStream(int len, const u_char* data, bool orig) override;
void Undelivered(uint64_t seq, int len, bool orig) override;
// Overriden from zeek::analyzer::tcp::TCP_ApplicationAnalyzer.
// Overriden from analyzer::tcp::TCP_ApplicationAnalyzer.
void EndpointEOF(bool is_orig) override;
static zeek::analyzer::Analyzer* InstantiateAnalyzer(zeek::Connection* conn)
static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
{ return new RFB_Analyzer(conn); }
protected:

72
src/analyzer/protocol/rpc/MOUNT.cc
View file

@ -19,11 +19,11 @@ namespace detail {
bool MOUNT_Interp::RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n)
{
if ( c->Program() != 100005 )
Weird("bad_RPC_program", zeek::util::fmt("%d", c->Program()));
Weird("bad_RPC_program", util::fmt("%d", c->Program()));
uint32_t proc = c->Proc();
// The call arguments, depends on the call type obviously ...
zeek::RecordValPtr callarg;
RecordValPtr callarg;
switch ( proc ) {
case BifEnum::MOUNT3::PROC_NULL:
@ -50,7 +50,7 @@ bool MOUNT_Interp::RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n)
n = 0;
}
else
Weird("unknown_MOUNT_request", zeek::util::fmt("%u", proc));
Weird("unknown_MOUNT_request", util::fmt("%u", proc));
// Return 1 so that replies to unprocessed calls will still
// be processed, and the return status extracted.
@ -69,8 +69,8 @@ bool MOUNT_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_statu
const u_char*& buf, int& n, double start_time,
double last_time, int reply_len)
{
zeek::EventHandlerPtr event = nullptr;
zeek::ValPtr reply;
EventHandlerPtr event = nullptr;
ValPtr reply;
BifEnum::MOUNT3::status_t mount_status = BifEnum::MOUNT3::MNT3_OK;
bool rpc_success = ( rpc_status == BifEnum::RPC_SUCCESS );
@ -128,7 +128,7 @@ bool MOUNT_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_statu
// Otherwise DeliverRPC would complain about
// excess_RPC.
n = 0;
reply = zeek::BifType::Enum::MOUNT3::proc_t->GetEnumVal(c->Proc());
reply = BifType::Enum::MOUNT3::proc_t->GetEnumVal(c->Proc());
event = mount_proc_not_implemented;
}
else
@ -167,7 +167,7 @@ bool MOUNT_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_statu
return true;
}
zeek::Args MOUNT_Interp::event_common_vl(RPC_CallInfo *c,
Args MOUNT_Interp::event_common_vl(RPC_CallInfo *c,
BifEnum::rpc_status rpc_status,
BifEnum::MOUNT3::status_t mount_status,
double rep_start_time,
@ -175,43 +175,43 @@ zeek::Args MOUNT_Interp::event_common_vl(RPC_CallInfo *c,
{
// Returns a new val_list that already has a conn_val, and mount3_info.
// These are the first parameters for each mount_* event ...
zeek::Args vl;
Args vl;
vl.reserve(2 + extra_elements);
vl.emplace_back(analyzer->ConnVal());
auto auxgids = zeek::make_intrusive<zeek::VectorVal>(zeek::id::index_vec);
auto auxgids = make_intrusive<VectorVal>(id::index_vec);
for (size_t i = 0; i < c->AuxGIDs().size(); ++i)
{
auxgids->Assign(i, zeek::val_mgr->Count(c->AuxGIDs()[i]));
auxgids->Assign(i, val_mgr->Count(c->AuxGIDs()[i]));
}
auto info = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::MOUNT3::info_t);
info->Assign(0, zeek::BifType::Enum::rpc_status->GetEnumVal(rpc_status));
info->Assign(1, zeek::BifType::Enum::MOUNT3::status_t->GetEnumVal(mount_status));
info->Assign(2, zeek::make_intrusive<zeek::TimeVal>(c->StartTime()));
info->Assign(3, zeek::make_intrusive<zeek::IntervalVal>(c->LastTime() - c->StartTime()));
info->Assign(4, zeek::val_mgr->Count(c->RPCLen()));
info->Assign(5, zeek::make_intrusive<zeek::TimeVal>(rep_start_time));
info->Assign(6, zeek::make_intrusive<zeek::IntervalVal>(rep_last_time - rep_start_time));
info->Assign(7, zeek::val_mgr->Count(reply_len));
info->Assign(8, zeek::val_mgr->Count(c->Uid()));
info->Assign(9, zeek::val_mgr->Count(c->Gid()));
info->Assign(10, zeek::val_mgr->Count(c->Stamp()));
info->Assign(11, zeek::make_intrusive<zeek::StringVal>(c->MachineName()));
auto info = make_intrusive<RecordVal>(BifType::Record::MOUNT3::info_t);
info->Assign(0, BifType::Enum::rpc_status->GetEnumVal(rpc_status));
info->Assign(1, BifType::Enum::MOUNT3::status_t->GetEnumVal(mount_status));
info->Assign(2, make_intrusive<TimeVal>(c->StartTime()));
info->Assign(3, make_intrusive<IntervalVal>(c->LastTime() - c->StartTime()));
info->Assign(4, val_mgr->Count(c->RPCLen()));
info->Assign(5, make_intrusive<TimeVal>(rep_start_time));
info->Assign(6, make_intrusive<IntervalVal>(rep_last_time - rep_start_time));
info->Assign(7, val_mgr->Count(reply_len));
info->Assign(8, val_mgr->Count(c->Uid()));
info->Assign(9, val_mgr->Count(c->Gid()));
info->Assign(10, val_mgr->Count(c->Stamp()));
info->Assign(11, make_intrusive<StringVal>(c->MachineName()));
info->Assign(12, std::move(auxgids));
vl.emplace_back(std::move(info));
return vl;
}
zeek::EnumValPtr MOUNT_Interp::mount3_auth_flavor(const u_char*& buf, int& n)
EnumValPtr MOUNT_Interp::mount3_auth_flavor(const u_char*& buf, int& n)
{
BifEnum::MOUNT3::auth_flavor_t t = (BifEnum::MOUNT3::auth_flavor_t)extract_XDR_uint32(buf, n);
auto rval = zeek::BifType::Enum::MOUNT3::auth_flavor_t->GetEnumVal(t);
auto rval = BifType::Enum::MOUNT3::auth_flavor_t->GetEnumVal(t);
return rval;
}
zeek::StringValPtr MOUNT_Interp::mount3_fh(const u_char*& buf, int& n)
StringValPtr MOUNT_Interp::mount3_fh(const u_char*& buf, int& n)
{
int fh_n;
const u_char* fh = extract_XDR_opaque(buf, n, fh_n, 64);
@ -219,10 +219,10 @@ zeek::StringValPtr MOUNT_Interp::mount3_fh(const u_char*& buf, int& n)
if ( ! fh )
return nullptr;
return zeek::make_intrusive<zeek::StringVal>(new zeek::String(fh, fh_n, false));
return make_intrusive<StringVal>(new String(fh, fh_n, false));
}
zeek::StringValPtr MOUNT_Interp::mount3_filename(const u_char*& buf, int& n)
StringValPtr MOUNT_Interp::mount3_filename(const u_char*& buf, int& n)
{
int name_len;
const u_char* name = extract_XDR_opaque(buf, n, name_len);
@ -230,20 +230,20 @@ zeek::StringValPtr MOUNT_Interp::mount3_filename(const u_char*& buf, int& n)
if ( ! name )
return nullptr;
return zeek::make_intrusive<zeek::StringVal>(new zeek::String(name, name_len, false));
return make_intrusive<StringVal>(new String(name, name_len, false));
}
zeek::RecordValPtr MOUNT_Interp::mount3_dirmntargs(const u_char*& buf, int& n)
RecordValPtr MOUNT_Interp::mount3_dirmntargs(const u_char*& buf, int& n)
{
auto dirmntargs = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::MOUNT3::dirmntargs_t);
auto dirmntargs = make_intrusive<RecordVal>(BifType::Record::MOUNT3::dirmntargs_t);
dirmntargs->Assign(0, mount3_filename(buf, n));
return dirmntargs;
}
zeek::RecordValPtr MOUNT_Interp::mount3_mnt_reply(const u_char*& buf, int& n,
RecordValPtr MOUNT_Interp::mount3_mnt_reply(const u_char*& buf, int& n,
BifEnum::MOUNT3::status_t status)
{
auto rep = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::MOUNT3::mnt_reply_t);
auto rep = make_intrusive<RecordVal>(BifType::Record::MOUNT3::mnt_reply_t);
if ( status == BifEnum::MOUNT3::MNT3_OK )
{
@ -259,8 +259,8 @@ zeek::RecordValPtr MOUNT_Interp::mount3_mnt_reply(const u_char*& buf, int& n,
auth_flavors_count = max_auth_flavors;
}
auto enum_vector = zeek::make_intrusive<zeek::VectorType>(zeek::base_type(zeek::TYPE_ENUM));
auto auth_flavors = zeek::make_intrusive<zeek::VectorVal>(std::move(enum_vector));
auto enum_vector = make_intrusive<VectorType>(base_type(TYPE_ENUM));
auto auth_flavors = make_intrusive<VectorVal>(std::move(enum_vector));
for ( auto i = 0u; i < auth_flavors_count; ++i )
auth_flavors->Assign(auth_flavors->Size(),
@ -283,7 +283,7 @@ zeek::RecordValPtr MOUNT_Interp::mount3_mnt_reply(const u_char*& buf, int& n,
} // namespace detail
MOUNT_Analyzer::MOUNT_Analyzer(zeek::Connection* conn)
MOUNT_Analyzer::MOUNT_Analyzer(Connection* conn)
: RPC_Analyzer("MOUNT", conn, new detail::MOUNT_Interp(this))
{
orig_rpc = resp_rpc = nullptr;

18
src/analyzer/protocol/rpc/MOUNT.h
View file

@ -9,7 +9,7 @@ namespace detail {
class MOUNT_Interp : public RPC_Interpreter {
public:
explicit MOUNT_Interp(zeek::analyzer::Analyzer* arg_analyzer) : RPC_Interpreter(arg_analyzer) { }
explicit MOUNT_Interp(analyzer::Analyzer* arg_analyzer) : RPC_Interpreter(arg_analyzer) { }
protected:
bool RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n) override;
@ -20,7 +20,7 @@ protected:
// Returns a new arg list that already has a conn_val, rpc_status and
// mount_status. These are the first parameters for each mount_* event
// ...
zeek::Args event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status,
Args event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status,
BifEnum::MOUNT3::status_t mount_status,
double rep_start_time, double rep_last_time,
int reply_len, int extra_elements);
@ -30,22 +30,22 @@ protected:
// to 0. However, the methods might still return an allocated Val * !
// So, you might want to Unref() the Val if buf is 0. Method names
// are based on the type names of RFC 1813.
zeek::EnumValPtr mount3_auth_flavor(const u_char*& buf, int& n);
zeek::StringValPtr mount3_fh(const u_char*& buf, int& n);
zeek::RecordValPtr mount3_dirmntargs(const u_char*&buf, int &n);
zeek::StringValPtr mount3_filename(const u_char*& buf, int& n);
EnumValPtr mount3_auth_flavor(const u_char*& buf, int& n);
StringValPtr mount3_fh(const u_char*& buf, int& n);
RecordValPtr mount3_dirmntargs(const u_char*&buf, int &n);
StringValPtr mount3_filename(const u_char*& buf, int& n);
zeek::RecordValPtr mount3_mnt_reply(const u_char*& buf, int& n, BifEnum::MOUNT3::status_t status);
RecordValPtr mount3_mnt_reply(const u_char*& buf, int& n, BifEnum::MOUNT3::status_t status);
};
} // namespace detail
class MOUNT_Analyzer : public RPC_Analyzer {
public:
explicit MOUNT_Analyzer(zeek::Connection* conn);
explicit MOUNT_Analyzer(Connection* conn);
void Init() override;
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn)
static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new MOUNT_Analyzer(conn); }
};

206
src/analyzer/protocol/rpc/NFS.cc
View file

@ -19,11 +19,11 @@ namespace detail {
bool NFS_Interp::RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n)
{
if ( c->Program() != 100003 )
Weird("bad_RPC_program", zeek::util::fmt("%d", c->Program()));
Weird("bad_RPC_program", util::fmt("%d", c->Program()));
uint32_t proc = c->Proc();
// The call arguments, depends on the call type obviously ...
zeek::ValPtr callarg;
ValPtr callarg;
switch ( proc ) {
case BifEnum::NFS3::PROC_NULL:
@ -104,7 +104,7 @@ bool NFS_Interp::RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n)
n = 0;
}
else
Weird("unknown_NFS_request", zeek::util::fmt("%u", proc));
Weird("unknown_NFS_request", util::fmt("%u", proc));
// Return 1 so that replies to unprocessed calls will still
// be processed, and the return status extracted.
@ -124,8 +124,8 @@ bool NFS_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status,
const u_char*& buf, int& n, double start_time,
double last_time, int reply_len)
{
zeek::EventHandlerPtr event = nullptr;
zeek::ValPtr reply;
EventHandlerPtr event = nullptr;
ValPtr reply;
BifEnum::NFS3::status_t nfs_status = BifEnum::NFS3::NFS3ERR_OK;
bool rpc_success = ( rpc_status == BifEnum::RPC_SUCCESS );
@ -243,7 +243,7 @@ bool NFS_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status,
// Otherwise DeliverRPC would complain about
// excess_RPC.
n = 0;
reply = zeek::BifType::Enum::NFS3::proc_t->GetEnumVal(c->Proc());
reply = BifType::Enum::NFS3::proc_t->GetEnumVal(c->Proc());
event = nfs_proc_not_implemented;
}
else
@ -279,7 +279,7 @@ bool NFS_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status,
return true;
}
zeek::StringValPtr NFS_Interp::nfs3_file_data(const u_char*& buf, int& n, uint64_t offset, int size)
StringValPtr NFS_Interp::nfs3_file_data(const u_char*& buf, int& n, uint64_t offset, int size)
{
int data_n;
@ -287,57 +287,57 @@ zeek::StringValPtr NFS_Interp::nfs3_file_data(const u_char*& buf, int& n, uint64
const u_char *data = extract_XDR_opaque(buf, n, data_n, 1 << 30, true);
// check whether we have to deliver data to the event
if ( ! zeek::BifConst::NFS3::return_data )
if ( ! BifConst::NFS3::return_data )
return nullptr;
if ( zeek::BifConst::NFS3::return_data_first_only && offset != 0 )
if ( BifConst::NFS3::return_data_first_only && offset != 0 )
return nullptr;
// Ok, so we want to return some data
data_n = std::min(data_n, size);
data_n = std::min(data_n, int(zeek::BifConst::NFS3::return_data_max));
data_n = std::min(data_n, int(BifConst::NFS3::return_data_max));
if ( data && data_n > 0 )
return zeek::make_intrusive<zeek::StringVal>(new zeek::String(data, data_n, false));
return make_intrusive<StringVal>(new String(data, data_n, false));
return nullptr;
}
zeek::Args NFS_Interp::event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status,
Args NFS_Interp::event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status,
BifEnum::NFS3::status_t nfs_status,
double rep_start_time,
double rep_last_time, int reply_len, int extra_elements)
{
// Returns a new val_list that already has a conn_val, and nfs3_info.
// These are the first parameters for each nfs_* event ...
zeek::Args vl;
Args vl;
vl.reserve(2 + extra_elements);
vl.emplace_back(analyzer->ConnVal());
auto auxgids = zeek::make_intrusive<zeek::VectorVal>(zeek::id::index_vec);
auto auxgids = make_intrusive<VectorVal>(id::index_vec);
for ( size_t i = 0; i < c->AuxGIDs().size(); ++i )
auxgids->Assign(i, zeek::val_mgr->Count(c->AuxGIDs()[i]));
auxgids->Assign(i, val_mgr->Count(c->AuxGIDs()[i]));
auto info = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NFS3::info_t);
info->Assign(0, zeek::BifType::Enum::rpc_status->GetEnumVal(rpc_status));
info->Assign(1, zeek::BifType::Enum::NFS3::status_t->GetEnumVal(nfs_status));
info->Assign(2, zeek::make_intrusive<zeek::TimeVal>(c->StartTime()));
info->Assign(3, zeek::make_intrusive<zeek::IntervalVal>(c->LastTime()-c->StartTime()));
info->Assign(4, zeek::val_mgr->Count(c->RPCLen()));
info->Assign(5, zeek::make_intrusive<zeek::TimeVal>(rep_start_time));
info->Assign(6, zeek::make_intrusive<zeek::IntervalVal>(rep_last_time-rep_start_time));
info->Assign(7, zeek::val_mgr->Count(reply_len));
info->Assign(8, zeek::val_mgr->Count(c->Uid()));
info->Assign(9, zeek::val_mgr->Count(c->Gid()));
info->Assign(10, zeek::val_mgr->Count(c->Stamp()));
info->Assign(11, zeek::make_intrusive<zeek::StringVal>(c->MachineName()));
auto info = make_intrusive<RecordVal>(BifType::Record::NFS3::info_t);
info->Assign(0, BifType::Enum::rpc_status->GetEnumVal(rpc_status));
info->Assign(1, BifType::Enum::NFS3::status_t->GetEnumVal(nfs_status));
info->Assign(2, make_intrusive<TimeVal>(c->StartTime()));
info->Assign(3, make_intrusive<IntervalVal>(c->LastTime()-c->StartTime()));
info->Assign(4, val_mgr->Count(c->RPCLen()));
info->Assign(5, make_intrusive<TimeVal>(rep_start_time));
info->Assign(6, make_intrusive<IntervalVal>(rep_last_time-rep_start_time));
info->Assign(7, val_mgr->Count(reply_len));
info->Assign(8, val_mgr->Count(c->Uid()));
info->Assign(9, val_mgr->Count(c->Gid()));
info->Assign(10, val_mgr->Count(c->Stamp()));
info->Assign(11, make_intrusive<StringVal>(c->MachineName()));
info->Assign(12, std::move(auxgids));
vl.emplace_back(std::move(info));
return vl;
}
zeek::StringValPtr NFS_Interp::nfs3_fh(const u_char*& buf, int& n)
StringValPtr NFS_Interp::nfs3_fh(const u_char*& buf, int& n)
{
int fh_n;
const u_char* fh = extract_XDR_opaque(buf, n, fh_n, 64);
@ -345,13 +345,13 @@ zeek::StringValPtr NFS_Interp::nfs3_fh(const u_char*& buf, int& n)
if ( ! fh )
return nullptr;
return zeek::make_intrusive<zeek::StringVal>(new zeek::String(fh, fh_n, false));
return make_intrusive<StringVal>(new String(fh, fh_n, false));
}
zeek::RecordValPtr NFS_Interp::nfs3_sattr(const u_char*& buf, int& n)
RecordValPtr NFS_Interp::nfs3_sattr(const u_char*& buf, int& n)
{
auto attrs = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NFS3::sattr_t);
auto attrs = make_intrusive<RecordVal>(BifType::Record::NFS3::sattr_t);
attrs->Assign(0, nullptr); // mode
int mode_set_it = extract_XDR_uint32(buf, n);
@ -380,9 +380,9 @@ zeek::RecordValPtr NFS_Interp::nfs3_sattr(const u_char*& buf, int& n)
return attrs;
}
zeek::RecordValPtr NFS_Interp::nfs3_sattr_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status)
RecordValPtr NFS_Interp::nfs3_sattr_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status)
{
auto rep = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NFS3::sattr_reply_t);
auto rep = make_intrusive<RecordVal>(BifType::Record::NFS3::sattr_reply_t);
if ( status == BifEnum::NFS3::NFS3ERR_OK )
{
@ -398,9 +398,9 @@ zeek::RecordValPtr NFS_Interp::nfs3_sattr_reply(const u_char*& buf, int& n, BifE
return rep;
}
zeek::RecordValPtr NFS_Interp::nfs3_fattr(const u_char*& buf, int& n)
RecordValPtr NFS_Interp::nfs3_fattr(const u_char*& buf, int& n)
{
auto attrs = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NFS3::fattr_t);
auto attrs = make_intrusive<RecordVal>(BifType::Record::NFS3::fattr_t);
attrs->Assign(0, nfs3_ftype(buf, n)); // file type
attrs->Assign(1, ExtractUint32(buf, n)); // mode
@ -420,23 +420,23 @@ zeek::RecordValPtr NFS_Interp::nfs3_fattr(const u_char*& buf, int& n)
return attrs;
}
zeek::EnumValPtr NFS_Interp::nfs3_time_how(const u_char*& buf, int& n)
EnumValPtr NFS_Interp::nfs3_time_how(const u_char*& buf, int& n)
{
BifEnum::NFS3::time_how_t t = (BifEnum::NFS3::time_how_t)extract_XDR_uint32(buf, n);
auto rval = zeek::BifType::Enum::NFS3::time_how_t->GetEnumVal(t);
auto rval = BifType::Enum::NFS3::time_how_t->GetEnumVal(t);
return rval;
}
zeek::EnumValPtr NFS_Interp::nfs3_ftype(const u_char*& buf, int& n)
EnumValPtr NFS_Interp::nfs3_ftype(const u_char*& buf, int& n)
{
BifEnum::NFS3::file_type_t t = (BifEnum::NFS3::file_type_t)extract_XDR_uint32(buf, n);
auto rval = zeek::BifType::Enum::NFS3::file_type_t->GetEnumVal(t);
auto rval = BifType::Enum::NFS3::file_type_t->GetEnumVal(t);
return rval;
}
zeek::RecordValPtr NFS_Interp::nfs3_wcc_attr(const u_char*& buf, int& n)
RecordValPtr NFS_Interp::nfs3_wcc_attr(const u_char*& buf, int& n)
{
auto attrs = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NFS3::wcc_attr_t);
auto attrs = make_intrusive<RecordVal>(BifType::Record::NFS3::wcc_attr_t);
attrs->Assign(0, ExtractUint64(buf, n)); // size
attrs->Assign(1, ExtractTime(buf, n)); // mtime
@ -445,7 +445,7 @@ zeek::RecordValPtr NFS_Interp::nfs3_wcc_attr(const u_char*& buf, int& n)
return attrs;
}
zeek::StringValPtr NFS_Interp::nfs3_filename(const u_char*& buf, int& n)
StringValPtr NFS_Interp::nfs3_filename(const u_char*& buf, int& n)
{
int name_len;
const u_char* name = extract_XDR_opaque(buf, n, name_len);
@ -453,12 +453,12 @@ zeek::StringValPtr NFS_Interp::nfs3_filename(const u_char*& buf, int& n)
if ( ! name )
return nullptr;
return zeek::make_intrusive<zeek::StringVal>(new zeek::String(name, name_len, false));
return make_intrusive<StringVal>(new String(name, name_len, false));
}
zeek::RecordValPtr NFS_Interp::nfs3_diropargs(const u_char*& buf, int& n)
RecordValPtr NFS_Interp::nfs3_diropargs(const u_char*& buf, int& n)
{
auto diropargs = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NFS3::diropargs_t);
auto diropargs = make_intrusive<RecordVal>(BifType::Record::NFS3::diropargs_t);
diropargs->Assign(0, nfs3_fh(buf, n));
diropargs->Assign(1, nfs3_filename(buf, n));
@ -466,9 +466,9 @@ zeek::RecordValPtr NFS_Interp::nfs3_diropargs(const u_char*& buf, int& n)
return diropargs;
}
zeek::RecordValPtr NFS_Interp::nfs3_symlinkdata(const u_char*& buf, int& n)
RecordValPtr NFS_Interp::nfs3_symlinkdata(const u_char*& buf, int& n)
{
auto symlinkdata = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NFS3::symlinkdata_t);
auto symlinkdata = make_intrusive<RecordVal>(BifType::Record::NFS3::symlinkdata_t);
symlinkdata->Assign(0, nfs3_sattr(buf, n));
symlinkdata->Assign(1, nfs3_nfspath(buf, n));
@ -476,9 +476,9 @@ zeek::RecordValPtr NFS_Interp::nfs3_symlinkdata(const u_char*& buf, int& n)
return symlinkdata;
}
zeek::RecordValPtr NFS_Interp::nfs3_renameopargs(const u_char*& buf, int& n)
RecordValPtr NFS_Interp::nfs3_renameopargs(const u_char*& buf, int& n)
{
auto renameopargs = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NFS3::renameopargs_t);
auto renameopargs = make_intrusive<RecordVal>(BifType::Record::NFS3::renameopargs_t);
renameopargs->Assign(0, nfs3_fh(buf, n));
renameopargs->Assign(1, nfs3_filename(buf, n));
@ -488,7 +488,7 @@ zeek::RecordValPtr NFS_Interp::nfs3_renameopargs(const u_char*& buf, int& n)
return renameopargs;
}
zeek::RecordValPtr NFS_Interp::nfs3_post_op_attr(const u_char*& buf, int& n)
RecordValPtr NFS_Interp::nfs3_post_op_attr(const u_char*& buf, int& n)
{
int have_attrs = extract_XDR_uint32(buf, n);
@ -498,7 +498,7 @@ zeek::RecordValPtr NFS_Interp::nfs3_post_op_attr(const u_char*& buf, int& n)
return nullptr;
}
zeek::StringValPtr NFS_Interp::nfs3_post_op_fh(const u_char*& buf, int& n)
StringValPtr NFS_Interp::nfs3_post_op_fh(const u_char*& buf, int& n)
{
int have_fh = extract_XDR_uint32(buf, n);
@ -508,7 +508,7 @@ zeek::StringValPtr NFS_Interp::nfs3_post_op_fh(const u_char*& buf, int& n)
return nullptr;
}
zeek::RecordValPtr NFS_Interp::nfs3_pre_op_attr(const u_char*& buf, int& n)
RecordValPtr NFS_Interp::nfs3_pre_op_attr(const u_char*& buf, int& n)
{
int have_attrs = extract_XDR_uint32(buf, n);
@ -517,16 +517,16 @@ zeek::RecordValPtr NFS_Interp::nfs3_pre_op_attr(const u_char*& buf, int& n)
return nullptr;
}
zeek::EnumValPtr NFS_Interp::nfs3_stable_how(const u_char*& buf, int& n)
EnumValPtr NFS_Interp::nfs3_stable_how(const u_char*& buf, int& n)
{
BifEnum::NFS3::stable_how_t stable = (BifEnum::NFS3::stable_how_t)extract_XDR_uint32(buf, n);
auto rval = zeek::BifType::Enum::NFS3::stable_how_t->GetEnumVal(stable);
auto rval = BifType::Enum::NFS3::stable_how_t->GetEnumVal(stable);
return rval;
}
zeek::RecordValPtr NFS_Interp::nfs3_lookup_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status)
RecordValPtr NFS_Interp::nfs3_lookup_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status)
{
auto rep = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NFS3::lookup_reply_t);
auto rep = make_intrusive<RecordVal>(BifType::Record::NFS3::lookup_reply_t);
if ( status == BifEnum::NFS3::NFS3ERR_OK )
{
@ -543,9 +543,9 @@ zeek::RecordValPtr NFS_Interp::nfs3_lookup_reply(const u_char*& buf, int& n, Bif
return rep;
}
zeek::RecordValPtr NFS_Interp::nfs3_readargs(const u_char*& buf, int& n)
RecordValPtr NFS_Interp::nfs3_readargs(const u_char*& buf, int& n)
{
auto readargs = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NFS3::readargs_t);
auto readargs = make_intrusive<RecordVal>(BifType::Record::NFS3::readargs_t);
readargs->Assign(0, nfs3_fh(buf, n));
readargs->Assign(1, ExtractUint64(buf, n)); // offset
@ -554,10 +554,10 @@ zeek::RecordValPtr NFS_Interp::nfs3_readargs(const u_char*& buf, int& n)
return readargs;
}
zeek::RecordValPtr NFS_Interp::nfs3_read_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status,
RecordValPtr NFS_Interp::nfs3_read_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status,
bro_uint_t offset)
{
auto rep = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NFS3::read_reply_t);
auto rep = make_intrusive<RecordVal>(BifType::Record::NFS3::read_reply_t);
if (status == BifEnum::NFS3::NFS3ERR_OK)
{
@ -565,7 +565,7 @@ zeek::RecordValPtr NFS_Interp::nfs3_read_reply(const u_char*& buf, int& n, BifEn
rep->Assign(0, nfs3_post_op_attr(buf, n));
bytes_read = extract_XDR_uint32(buf, n);
rep->Assign(1, zeek::val_mgr->Count(bytes_read));
rep->Assign(1, val_mgr->Count(bytes_read));
rep->Assign(2, ExtractBool(buf, n));
rep->Assign(3, nfs3_file_data(buf, n, offset, bytes_read));
}
@ -577,9 +577,9 @@ zeek::RecordValPtr NFS_Interp::nfs3_read_reply(const u_char*& buf, int& n, BifEn
return rep;
}
zeek::RecordValPtr NFS_Interp::nfs3_readlink_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status)
RecordValPtr NFS_Interp::nfs3_readlink_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status)
{
auto rep = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NFS3::readlink_reply_t);
auto rep = make_intrusive<RecordVal>(BifType::Record::NFS3::readlink_reply_t);
if (status == BifEnum::NFS3::NFS3ERR_OK)
{
@ -594,9 +594,9 @@ zeek::RecordValPtr NFS_Interp::nfs3_readlink_reply(const u_char*& buf, int& n, B
return rep;
}
zeek::RecordValPtr NFS_Interp::nfs3_link_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status)
RecordValPtr NFS_Interp::nfs3_link_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status)
{
auto rep = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NFS3::link_reply_t);
auto rep = make_intrusive<RecordVal>(BifType::Record::NFS3::link_reply_t);
if ( status == BifEnum::NFS3::NFS3ERR_OK )
{
@ -610,9 +610,9 @@ zeek::RecordValPtr NFS_Interp::nfs3_link_reply(const u_char*& buf, int& n, BifEn
return rep;
}
zeek::RecordValPtr NFS_Interp::nfs3_symlinkargs(const u_char*& buf, int& n)
RecordValPtr NFS_Interp::nfs3_symlinkargs(const u_char*& buf, int& n)
{
auto symlinkargs = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NFS3::symlinkargs_t);
auto symlinkargs = make_intrusive<RecordVal>(BifType::Record::NFS3::symlinkargs_t);
symlinkargs->Assign(0, nfs3_diropargs(buf, n));
symlinkargs->Assign(1, nfs3_symlinkdata(buf, n));
@ -620,9 +620,9 @@ zeek::RecordValPtr NFS_Interp::nfs3_symlinkargs(const u_char*& buf, int& n)
return symlinkargs;
}
zeek::RecordValPtr NFS_Interp::nfs3_sattrargs(const u_char*& buf, int& n)
RecordValPtr NFS_Interp::nfs3_sattrargs(const u_char*& buf, int& n)
{
auto sattrargs = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NFS3::sattrargs_t);
auto sattrargs = make_intrusive<RecordVal>(BifType::Record::NFS3::sattrargs_t);
sattrargs->Assign(0, nfs3_fh(buf, n));
sattrargs->Assign(1, nfs3_sattr(buf, n));
@ -630,9 +630,9 @@ zeek::RecordValPtr NFS_Interp::nfs3_sattrargs(const u_char*& buf, int& n)
return sattrargs;
}
zeek::RecordValPtr NFS_Interp::nfs3_linkargs(const u_char*& buf, int& n)
RecordValPtr NFS_Interp::nfs3_linkargs(const u_char*& buf, int& n)
{
auto linkargs = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NFS3::linkargs_t);
auto linkargs = make_intrusive<RecordVal>(BifType::Record::NFS3::linkargs_t);
linkargs->Assign(0, nfs3_fh(buf, n));
linkargs->Assign(1, nfs3_diropargs(buf, n));
@ -640,17 +640,17 @@ zeek::RecordValPtr NFS_Interp::nfs3_linkargs(const u_char*& buf, int& n)
return linkargs;
}
zeek::RecordValPtr NFS_Interp::nfs3_writeargs(const u_char*& buf, int& n)
RecordValPtr NFS_Interp::nfs3_writeargs(const u_char*& buf, int& n)
{
uint32_t bytes;
uint64_t offset;
auto writeargs = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NFS3::writeargs_t);
auto writeargs = make_intrusive<RecordVal>(BifType::Record::NFS3::writeargs_t);
writeargs->Assign(0, nfs3_fh(buf, n));
offset = extract_XDR_uint64(buf, n);
writeargs->Assign(1, zeek::val_mgr->Count(offset)); // offset
writeargs->Assign(1, val_mgr->Count(offset)); // offset
bytes = extract_XDR_uint32(buf, n);
writeargs->Assign(2, zeek::val_mgr->Count(bytes)); // size
writeargs->Assign(2, val_mgr->Count(bytes)); // size
writeargs->Assign(3, nfs3_stable_how(buf, n));
writeargs->Assign(4, nfs3_file_data(buf, n, offset, bytes));
@ -658,9 +658,9 @@ zeek::RecordValPtr NFS_Interp::nfs3_writeargs(const u_char*& buf, int& n)
return writeargs;
}
zeek::RecordValPtr NFS_Interp::nfs3_write_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status)
RecordValPtr NFS_Interp::nfs3_write_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status)
{
auto rep = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NFS3::write_reply_t);
auto rep = make_intrusive<RecordVal>(BifType::Record::NFS3::write_reply_t);
if ( status == BifEnum::NFS3::NFS3ERR_OK )
{
@ -683,9 +683,9 @@ zeek::RecordValPtr NFS_Interp::nfs3_write_reply(const u_char*& buf, int& n, BifE
return rep;
}
zeek::RecordValPtr NFS_Interp::nfs3_newobj_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status)
RecordValPtr NFS_Interp::nfs3_newobj_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status)
{
auto rep = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NFS3::newobj_reply_t);
auto rep = make_intrusive<RecordVal>(BifType::Record::NFS3::newobj_reply_t);
if (status == BifEnum::NFS3::NFS3ERR_OK)
{
@ -707,9 +707,9 @@ zeek::RecordValPtr NFS_Interp::nfs3_newobj_reply(const u_char*& buf, int& n, Bif
return rep;
}
zeek::RecordValPtr NFS_Interp::nfs3_delobj_reply(const u_char*& buf, int& n)
RecordValPtr NFS_Interp::nfs3_delobj_reply(const u_char*& buf, int& n)
{
auto rep = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NFS3::delobj_reply_t);
auto rep = make_intrusive<RecordVal>(BifType::Record::NFS3::delobj_reply_t);
// wcc_data
rep->Assign(0, nfs3_pre_op_attr(buf, n));
@ -718,9 +718,9 @@ zeek::RecordValPtr NFS_Interp::nfs3_delobj_reply(const u_char*& buf, int& n)
return rep;
}
zeek::RecordValPtr NFS_Interp::nfs3_renameobj_reply(const u_char*& buf, int& n)
RecordValPtr NFS_Interp::nfs3_renameobj_reply(const u_char*& buf, int& n)
{
auto rep = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NFS3::renameobj_reply_t);
auto rep = make_intrusive<RecordVal>(BifType::Record::NFS3::renameobj_reply_t);
// wcc_data
rep->Assign(0, nfs3_pre_op_attr(buf, n));
@ -731,11 +731,11 @@ zeek::RecordValPtr NFS_Interp::nfs3_renameobj_reply(const u_char*& buf, int& n)
return rep;
}
zeek::RecordValPtr NFS_Interp::nfs3_readdirargs(bool isplus, const u_char*& buf, int&n)
RecordValPtr NFS_Interp::nfs3_readdirargs(bool isplus, const u_char*& buf, int&n)
{
auto args = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NFS3::readdirargs_t);
auto args = make_intrusive<RecordVal>(BifType::Record::NFS3::readdirargs_t);
args->Assign(0, zeek::val_mgr->Bool(isplus));
args->Assign(0, val_mgr->Bool(isplus));
args->Assign(1, nfs3_fh(buf, n));
args->Assign(2, ExtractUint64(buf,n)); // cookie
args->Assign(3, ExtractUint64(buf,n)); // cookieverf
@ -747,17 +747,17 @@ zeek::RecordValPtr NFS_Interp::nfs3_readdirargs(bool isplus, const u_char*& buf,
return args;
}
zeek::RecordValPtr NFS_Interp::nfs3_readdir_reply(bool isplus, const u_char*& buf,
RecordValPtr NFS_Interp::nfs3_readdir_reply(bool isplus, const u_char*& buf,
int&n, BifEnum::NFS3::status_t status)
{
auto rep = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NFS3::readdir_reply_t);
auto rep = make_intrusive<RecordVal>(BifType::Record::NFS3::readdir_reply_t);
rep->Assign(0, zeek::val_mgr->Bool(isplus));
rep->Assign(0, val_mgr->Bool(isplus));
if ( status == BifEnum::NFS3::NFS3ERR_OK )
{
unsigned pos;
auto entries = zeek::make_intrusive<zeek::VectorVal>(zeek::BifType::Vector::NFS3::direntry_vec_t);
auto entries = make_intrusive<VectorVal>(BifType::Vector::NFS3::direntry_vec_t);
rep->Assign(1, nfs3_post_op_attr(buf,n)); // dir_attr
rep->Assign(2, ExtractUint64(buf,n)); // cookieverf
@ -766,7 +766,7 @@ zeek::RecordValPtr NFS_Interp::nfs3_readdir_reply(bool isplus, const u_char*& bu
while ( extract_XDR_uint32(buf,n) )
{
auto entry = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NFS3::direntry_t);
auto entry = make_intrusive<RecordVal>(BifType::Record::NFS3::direntry_t);
entry->Assign(0, ExtractUint64(buf,n)); // fileid
entry->Assign(1, nfs3_filename(buf,n)); // fname
entry->Assign(2, ExtractUint64(buf,n)); // cookie
@ -792,34 +792,34 @@ zeek::RecordValPtr NFS_Interp::nfs3_readdir_reply(bool isplus, const u_char*& bu
return rep;
}
zeek::ValPtr NFS_Interp::ExtractUint32(const u_char*& buf, int& n)
ValPtr NFS_Interp::ExtractUint32(const u_char*& buf, int& n)
{
return zeek::val_mgr->Count(extract_XDR_uint32(buf, n));
return val_mgr->Count(extract_XDR_uint32(buf, n));
}
zeek::ValPtr NFS_Interp::ExtractUint64(const u_char*& buf, int& n)
ValPtr NFS_Interp::ExtractUint64(const u_char*& buf, int& n)
{
return zeek::val_mgr->Count(extract_XDR_uint64(buf, n));
return val_mgr->Count(extract_XDR_uint64(buf, n));
}
zeek::ValPtr NFS_Interp::ExtractTime(const u_char*& buf, int& n)
ValPtr NFS_Interp::ExtractTime(const u_char*& buf, int& n)
{
return zeek::make_intrusive<zeek::TimeVal>(extract_XDR_time(buf, n));
return make_intrusive<TimeVal>(extract_XDR_time(buf, n));
}
zeek::ValPtr NFS_Interp::ExtractInterval(const u_char*& buf, int& n)
ValPtr NFS_Interp::ExtractInterval(const u_char*& buf, int& n)
{
return zeek::make_intrusive<zeek::IntervalVal>(double(extract_XDR_uint32(buf, n)), 1.0);
return make_intrusive<IntervalVal>(double(extract_XDR_uint32(buf, n)), 1.0);
}
zeek::ValPtr NFS_Interp::ExtractBool(const u_char*& buf, int& n)
ValPtr NFS_Interp::ExtractBool(const u_char*& buf, int& n)
{
return zeek::val_mgr->Bool(extract_XDR_uint32(buf, n));
return val_mgr->Bool(extract_XDR_uint32(buf, n));
}
} // namespace detail
NFS_Analyzer::NFS_Analyzer(zeek::Connection* conn)
NFS_Analyzer::NFS_Analyzer(Connection* conn)
: RPC_Analyzer("NFS", conn, new detail::NFS_Interp(this))
{
orig_rpc = resp_rpc = nullptr;

82
src/analyzer/protocol/rpc/NFS.h
View file

@ -10,7 +10,7 @@ namespace detail {
class NFS_Interp : public RPC_Interpreter {
public:
explicit NFS_Interp(zeek::analyzer::Analyzer* arg_analyzer) : RPC_Interpreter(arg_analyzer) { }
explicit NFS_Interp(analyzer::Analyzer* arg_analyzer) : RPC_Interpreter(arg_analyzer) { }
protected:
bool RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n) override;
@ -21,7 +21,7 @@ protected:
// Returns a new val_list that already has a conn_val, rpc_status and
// nfs_status. These are the first parameters for each nfs_* event
// ...
zeek::Args event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status,
Args event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status,
BifEnum::NFS3::status_t nfs_status,
double rep_start_time, double rep_last_time,
int reply_len, int extra_elements);
@ -31,63 +31,63 @@ protected:
// to 0. However, the methods might still return an allocated Val * !
// So, you might want to Unref() the Val if buf is 0. Method names
// are based on the type names of RFC 1813.
zeek::StringValPtr nfs3_fh(const u_char*& buf, int& n);
zeek::RecordValPtr nfs3_fattr(const u_char*& buf, int& n);
zeek::RecordValPtr nfs3_sattr(const u_char*& buf, int& n);
zeek::EnumValPtr nfs3_ftype(const u_char*& buf, int& n);
zeek::EnumValPtr nfs3_time_how(const u_char*& buf, int& n);
zeek::RecordValPtr nfs3_wcc_attr(const u_char*& buf, int& n);
zeek::RecordValPtr nfs3_diropargs(const u_char*&buf, int &n);
zeek::RecordValPtr nfs3_symlinkdata(const u_char*& buf, int& n);
zeek::RecordValPtr nfs3_renameopargs(const u_char*&buf, int &n);
zeek::StringValPtr nfs3_filename(const u_char*& buf, int& n);
zeek::RecordValPtr nfs3_linkargs(const u_char*& buf, int& n);
zeek::RecordValPtr nfs3_symlinkargs(const u_char*& buf, int& n);
zeek::RecordValPtr nfs3_sattrargs(const u_char*& buf, int& n);
zeek::StringValPtr nfs3_nfspath(const u_char*& buf, int& n)
StringValPtr nfs3_fh(const u_char*& buf, int& n);
RecordValPtr nfs3_fattr(const u_char*& buf, int& n);
RecordValPtr nfs3_sattr(const u_char*& buf, int& n);
EnumValPtr nfs3_ftype(const u_char*& buf, int& n);
EnumValPtr nfs3_time_how(const u_char*& buf, int& n);
RecordValPtr nfs3_wcc_attr(const u_char*& buf, int& n);
RecordValPtr nfs3_diropargs(const u_char*&buf, int &n);
RecordValPtr nfs3_symlinkdata(const u_char*& buf, int& n);
RecordValPtr nfs3_renameopargs(const u_char*&buf, int &n);
StringValPtr nfs3_filename(const u_char*& buf, int& n);
RecordValPtr nfs3_linkargs(const u_char*& buf, int& n);
RecordValPtr nfs3_symlinkargs(const u_char*& buf, int& n);
RecordValPtr nfs3_sattrargs(const u_char*& buf, int& n);
StringValPtr nfs3_nfspath(const u_char*& buf, int& n)
{
return nfs3_filename(buf,n);
}
zeek::RecordValPtr nfs3_post_op_attr(const u_char*&buf, int &n); // Return 0 or an fattr
zeek::RecordValPtr nfs3_pre_op_attr(const u_char*&buf, int &n); // Return 0 or an wcc_attr
zeek::RecordValPtr nfs3_sattr_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status);
zeek::RecordValPtr nfs3_lookup_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status);
zeek::RecordValPtr nfs3_readargs(const u_char*& buf, int& n);
zeek::RecordValPtr nfs3_read_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status, bro_uint_t offset);
zeek::RecordValPtr nfs3_readlink_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status);
zeek::RecordValPtr nfs3_link_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status);
zeek::RecordValPtr nfs3_writeargs(const u_char*& buf, int& n);
zeek::EnumValPtr nfs3_stable_how(const u_char*& buf, int& n);
zeek::RecordValPtr nfs3_write_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status);
zeek::RecordValPtr nfs3_newobj_reply(const u_char*& buf, int&n, BifEnum::NFS3::status_t status);
zeek::RecordValPtr nfs3_delobj_reply(const u_char*& buf, int& n);
zeek::RecordValPtr nfs3_renameobj_reply(const u_char*& buf, int& n);
zeek::StringValPtr nfs3_post_op_fh(const u_char*& buf, int& n);
zeek::RecordValPtr nfs3_readdirargs(bool isplus, const u_char*& buf, int&n);
zeek::RecordValPtr nfs3_readdir_reply(bool isplus, const u_char*& buf, int&n, BifEnum::NFS3::status_t status);
RecordValPtr nfs3_post_op_attr(const u_char*&buf, int &n); // Return 0 or an fattr
RecordValPtr nfs3_pre_op_attr(const u_char*&buf, int &n); // Return 0 or an wcc_attr
RecordValPtr nfs3_sattr_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status);
RecordValPtr nfs3_lookup_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status);
RecordValPtr nfs3_readargs(const u_char*& buf, int& n);
RecordValPtr nfs3_read_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status, bro_uint_t offset);
RecordValPtr nfs3_readlink_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status);
RecordValPtr nfs3_link_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status);
RecordValPtr nfs3_writeargs(const u_char*& buf, int& n);
EnumValPtr nfs3_stable_how(const u_char*& buf, int& n);
RecordValPtr nfs3_write_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status);
RecordValPtr nfs3_newobj_reply(const u_char*& buf, int&n, BifEnum::NFS3::status_t status);
RecordValPtr nfs3_delobj_reply(const u_char*& buf, int& n);
RecordValPtr nfs3_renameobj_reply(const u_char*& buf, int& n);
StringValPtr nfs3_post_op_fh(const u_char*& buf, int& n);
RecordValPtr nfs3_readdirargs(bool isplus, const u_char*& buf, int&n);
RecordValPtr nfs3_readdir_reply(bool isplus, const u_char*& buf, int&n, BifEnum::NFS3::status_t status);
// Consumes the file data in the RPC message. Depending on NFS::return_data* consts
// in bro.init returns NULL or the data as string val:
// * offset is the offset of the read/write call
// * size is the amount of bytes read (or requested to be written),
zeek::StringValPtr nfs3_file_data(const u_char*& buf, int& n, uint64_t offset, int size);
StringValPtr nfs3_file_data(const u_char*& buf, int& n, uint64_t offset, int size);
zeek::ValPtr ExtractUint32(const u_char*& buf, int& n);
zeek::ValPtr ExtractUint64(const u_char*& buf, int& n);
zeek::ValPtr ExtractTime(const u_char*& buf, int& n);
zeek::ValPtr ExtractInterval(const u_char*& buf, int& n);
zeek::ValPtr ExtractBool(const u_char*& buf, int& n);
ValPtr ExtractUint32(const u_char*& buf, int& n);
ValPtr ExtractUint64(const u_char*& buf, int& n);
ValPtr ExtractTime(const u_char*& buf, int& n);
ValPtr ExtractInterval(const u_char*& buf, int& n);
ValPtr ExtractBool(const u_char*& buf, int& n);
};
} // namespace detail
class NFS_Analyzer : public RPC_Analyzer {
public:
explicit NFS_Analyzer(zeek::Connection* conn);
explicit NFS_Analyzer(Connection* conn);
void Init() override;
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn)
static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new NFS_Analyzer(conn); }
};

68
src/analyzer/protocol/rpc/Portmap.cc
View file

@ -79,8 +79,8 @@ bool PortmapperInterp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status statu
double start_time, double last_time,
int reply_len)
{
zeek::EventHandlerPtr event;
zeek::ValPtr reply;
EventHandlerPtr event;
ValPtr reply;
int success = (status == BifEnum::RPC_SUCCESS);
switch ( c->Proc() ) {
@ -95,7 +95,7 @@ bool PortmapperInterp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status statu
if ( ! buf )
return false;
reply = zeek::val_mgr->Bool(status);
reply = val_mgr->Bool(status);
event = pm_request_set;
}
else
@ -110,7 +110,7 @@ bool PortmapperInterp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status statu
if ( ! buf )
return false;
reply = zeek::val_mgr->Bool(status);
reply = val_mgr->Bool(status);
event = pm_request_unset;
}
else
@ -125,9 +125,9 @@ bool PortmapperInterp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status statu
if ( ! buf )
return false;
zeek::RecordVal* rv = c->RequestVal()->AsRecordVal();
RecordVal* rv = c->RequestVal()->AsRecordVal();
const auto& is_tcp = rv->GetField(2);
reply = zeek::val_mgr->Port(CheckPort(port), is_tcp->IsOne() ?
reply = val_mgr->Port(CheckPort(port), is_tcp->IsOne() ?
TRANSPORT_TCP : TRANSPORT_UDP);
event = pm_request_getport;
}
@ -139,8 +139,8 @@ bool PortmapperInterp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status statu
event = success ? pm_request_dump : pm_attempt_dump;
if ( success )
{
static auto pm_mappings = zeek::id::find_type<zeek::TableType>("pm_mappings");
auto mappings = zeek::make_intrusive<zeek::TableVal>(pm_mappings);
static auto pm_mappings = id::find_type<TableType>("pm_mappings");
auto mappings = make_intrusive<TableVal>(pm_mappings);
uint32_t nmap = 0;
// Each call in the loop test pulls the next "opted"
@ -151,7 +151,7 @@ bool PortmapperInterp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status statu
if ( ! m )
break;
auto index = zeek::val_mgr->Count(++nmap);
auto index = val_mgr->Count(++nmap);
mappings->Assign(std::move(index), std::move(m));
}
@ -175,7 +175,7 @@ bool PortmapperInterp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status statu
if ( ! opaque_reply )
return false;
reply = zeek::val_mgr->Port(CheckPort(port), TRANSPORT_UDP);
reply = val_mgr->Port(CheckPort(port), TRANSPORT_UDP);
event = pm_request_callit;
}
else
@ -190,17 +190,17 @@ bool PortmapperInterp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status statu
return true;
}
zeek::ValPtr PortmapperInterp::ExtractMapping(const u_char*& buf, int& len)
ValPtr PortmapperInterp::ExtractMapping(const u_char*& buf, int& len)
{
static auto pm_mapping = zeek::id::find_type<zeek::RecordType>("pm_mapping");
auto mapping = zeek::make_intrusive<zeek::RecordVal>(pm_mapping);
static auto pm_mapping = id::find_type<RecordType>("pm_mapping");
auto mapping = make_intrusive<RecordVal>(pm_mapping);
mapping->Assign(0, zeek::val_mgr->Count(extract_XDR_uint32(buf, len)));
mapping->Assign(1, zeek::val_mgr->Count(extract_XDR_uint32(buf, len)));
mapping->Assign(0, val_mgr->Count(extract_XDR_uint32(buf, len)));
mapping->Assign(1, val_mgr->Count(extract_XDR_uint32(buf, len)));
bool is_tcp = extract_XDR_uint32(buf, len) == IPPROTO_TCP;
uint32_t port = extract_XDR_uint32(buf, len);
mapping->Assign(2, zeek::val_mgr->Port(CheckPort(port), is_tcp ? TRANSPORT_TCP : TRANSPORT_UDP));
mapping->Assign(2, val_mgr->Port(CheckPort(port), is_tcp ? TRANSPORT_TCP : TRANSPORT_UDP));
if ( ! buf )
return nullptr;
@ -208,16 +208,16 @@ zeek::ValPtr PortmapperInterp::ExtractMapping(const u_char*& buf, int& len)
return mapping;
}
zeek::ValPtr PortmapperInterp::ExtractPortRequest(const u_char*& buf, int& len)
ValPtr PortmapperInterp::ExtractPortRequest(const u_char*& buf, int& len)
{
static auto pm_port_request = zeek::id::find_type<zeek::RecordType>("pm_port_request");
auto pr = zeek::make_intrusive<zeek::RecordVal>(pm_port_request);
static auto pm_port_request = id::find_type<RecordType>("pm_port_request");
auto pr = make_intrusive<RecordVal>(pm_port_request);
pr->Assign(0, zeek::val_mgr->Count(extract_XDR_uint32(buf, len)));
pr->Assign(1, zeek::val_mgr->Count(extract_XDR_uint32(buf, len)));
pr->Assign(0, val_mgr->Count(extract_XDR_uint32(buf, len)));
pr->Assign(1, val_mgr->Count(extract_XDR_uint32(buf, len)));
bool is_tcp = extract_XDR_uint32(buf, len) == IPPROTO_TCP;
pr->Assign(2, zeek::val_mgr->Bool(is_tcp));
pr->Assign(2, val_mgr->Bool(is_tcp));
(void) extract_XDR_uint32(buf, len); // consume the bogus port
if ( ! buf )
@ -226,18 +226,18 @@ zeek::ValPtr PortmapperInterp::ExtractPortRequest(const u_char*& buf, int& len)
return pr;
}
zeek::ValPtr PortmapperInterp::ExtractCallItRequest(const u_char*& buf, int& len)
ValPtr PortmapperInterp::ExtractCallItRequest(const u_char*& buf, int& len)
{
static auto pm_callit_request = zeek::id::find_type<zeek::RecordType>("pm_callit_request");
auto c = zeek::make_intrusive<zeek::RecordVal>(pm_callit_request);
static auto pm_callit_request = id::find_type<RecordType>("pm_callit_request");
auto c = make_intrusive<RecordVal>(pm_callit_request);
c->Assign(0, zeek::val_mgr->Count(extract_XDR_uint32(buf, len)));
c->Assign(1, zeek::val_mgr->Count(extract_XDR_uint32(buf, len)));
c->Assign(2, zeek::val_mgr->Count(extract_XDR_uint32(buf, len)));
c->Assign(0, val_mgr->Count(extract_XDR_uint32(buf, len)));
c->Assign(1, val_mgr->Count(extract_XDR_uint32(buf, len)));
c->Assign(2, val_mgr->Count(extract_XDR_uint32(buf, len)));
int arg_n;
(void) extract_XDR_opaque(buf, len, arg_n);
c->Assign(3, zeek::val_mgr->Count(arg_n));
c->Assign(3, val_mgr->Count(arg_n));
if ( ! buf )
return nullptr;
@ -253,7 +253,7 @@ uint32_t PortmapperInterp::CheckPort(uint32_t port)
{
analyzer->EnqueueConnEvent(pm_bad_port,
analyzer->ConnVal(),
zeek::val_mgr->Count(port)
val_mgr->Count(port)
);
}
@ -263,12 +263,12 @@ uint32_t PortmapperInterp::CheckPort(uint32_t port)
return port;
}
void PortmapperInterp::Event(zeek::EventHandlerPtr f, zeek::ValPtr request, BifEnum::rpc_status status, zeek::ValPtr reply)
void PortmapperInterp::Event(EventHandlerPtr f, ValPtr request, BifEnum::rpc_status status, ValPtr reply)
{
if ( ! f )
return;
zeek::Args vl;
Args vl;
vl.emplace_back(analyzer->ConnVal());
@ -281,7 +281,7 @@ void PortmapperInterp::Event(zeek::EventHandlerPtr f, zeek::ValPtr request, BifE
}
else
{
vl.emplace_back(zeek::BifType::Enum::rpc_status->GetEnumVal(status));
vl.emplace_back(BifType::Enum::rpc_status->GetEnumVal(status));
if ( request )
vl.emplace_back(std::move(request));
@ -292,7 +292,7 @@ void PortmapperInterp::Event(zeek::EventHandlerPtr f, zeek::ValPtr request, BifE
} // namespace detail
Portmapper_Analyzer::Portmapper_Analyzer(zeek::Connection* conn)
Portmapper_Analyzer::Portmapper_Analyzer(Connection* conn)
: RPC_Analyzer("PORTMAPPER", conn, new detail::PortmapperInterp(this))
{
orig_rpc = resp_rpc = nullptr;

14
src/analyzer/protocol/rpc/Portmap.h
View file

@ -9,7 +9,7 @@ namespace detail {
class PortmapperInterp : public RPC_Interpreter {
public:
explicit PortmapperInterp(zeek::analyzer::Analyzer* arg_analyzer) : RPC_Interpreter(arg_analyzer) { }
explicit PortmapperInterp(analyzer::Analyzer* arg_analyzer) : RPC_Interpreter(arg_analyzer) { }
protected:
bool RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n) override;
@ -18,22 +18,22 @@ protected:
double last_time, int reply_len) override;
uint32_t CheckPort(uint32_t port);
void Event(zeek::EventHandlerPtr f, zeek::ValPtr request, BifEnum::rpc_status status, zeek::ValPtr reply);
void Event(EventHandlerPtr f, ValPtr request, BifEnum::rpc_status status, ValPtr reply);
zeek::ValPtr ExtractMapping(const u_char*& buf, int& len);
zeek::ValPtr ExtractPortRequest(const u_char*& buf, int& len);
zeek::ValPtr ExtractCallItRequest(const u_char*& buf, int& len);
ValPtr ExtractMapping(const u_char*& buf, int& len);
ValPtr ExtractPortRequest(const u_char*& buf, int& len);
ValPtr ExtractCallItRequest(const u_char*& buf, int& len);
};
} // namespace detail
class Portmapper_Analyzer : public RPC_Analyzer {
public:
explicit Portmapper_Analyzer(zeek::Connection* conn);
explicit Portmapper_Analyzer(Connection* conn);
~Portmapper_Analyzer() override;
void Init() override;
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn)
static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new Portmapper_Analyzer(conn); }
};

86
src/analyzer/protocol/rpc/RPC.cc
View file

@ -108,7 +108,7 @@ bool RPC_CallInfo::CompareRexmit(const u_char* buf, int n) const
}
RPC_Interpreter::RPC_Interpreter(zeek::analyzer::Analyzer* arg_analyzer)
RPC_Interpreter::RPC_Interpreter(analyzer::Analyzer* arg_analyzer)
{
analyzer = arg_analyzer;
}
@ -308,7 +308,7 @@ int RPC_Interpreter::DeliverRPC(const u_char* buf, int n, int rpclen,
else if ( n < 0 )
{
zeek::reporter->AnalyzerError(analyzer, "RPC underflow");
reporter->AnalyzerError(analyzer, "RPC underflow");
return 0;
}
@ -327,7 +327,7 @@ void RPC_Interpreter::Timeout()
const u_char* buf = nullptr;
int n = 0;
if ( ! RPC_BuildReply(c, BifEnum::RPC_TIMEOUT, buf, n, zeek::run_state::network_time, zeek::run_state::network_time, 0) )
if ( ! RPC_BuildReply(c, BifEnum::RPC_TIMEOUT, buf, n, run_state::network_time, run_state::network_time, 0) )
Weird("bad_RPC");
}
}
@ -338,13 +338,13 @@ void RPC_Interpreter::Event_RPC_Dialogue(RPC_CallInfo* c, BifEnum::rpc_status st
if ( rpc_dialogue )
analyzer->EnqueueConnEvent(rpc_dialogue,
analyzer->ConnVal(),
zeek::val_mgr->Count(c->Program()),
zeek::val_mgr->Count(c->Version()),
zeek::val_mgr->Count(c->Proc()),
zeek::BifType::Enum::rpc_status->GetEnumVal(status),
zeek::make_intrusive<zeek::TimeVal>(c->StartTime()),
zeek::val_mgr->Count(c->CallLen()),
zeek::val_mgr->Count(reply_len)
val_mgr->Count(c->Program()),
val_mgr->Count(c->Version()),
val_mgr->Count(c->Proc()),
BifType::Enum::rpc_status->GetEnumVal(status),
make_intrusive<TimeVal>(c->StartTime()),
val_mgr->Count(c->CallLen()),
val_mgr->Count(reply_len)
);
}
@ -353,11 +353,11 @@ void RPC_Interpreter::Event_RPC_Call(RPC_CallInfo* c)
if ( rpc_call )
analyzer->EnqueueConnEvent(rpc_call,
analyzer->ConnVal(),
zeek::val_mgr->Count(c->XID()),
zeek::val_mgr->Count(c->Program()),
zeek::val_mgr->Count(c->Version()),
zeek::val_mgr->Count(c->Proc()),
zeek::val_mgr->Count(c->CallLen())
val_mgr->Count(c->XID()),
val_mgr->Count(c->Program()),
val_mgr->Count(c->Version()),
val_mgr->Count(c->Proc()),
val_mgr->Count(c->CallLen())
);
}
@ -366,9 +366,9 @@ void RPC_Interpreter::Event_RPC_Reply(uint32_t xid, BifEnum::rpc_status status,
if ( rpc_reply )
analyzer->EnqueueConnEvent(rpc_reply,
analyzer->ConnVal(),
zeek::val_mgr->Count(xid),
zeek::BifType::Enum::rpc_status->GetEnumVal(status),
zeek::val_mgr->Count(reply_len)
val_mgr->Count(xid),
BifType::Enum::rpc_status->GetEnumVal(status),
val_mgr->Count(reply_len)
);
}
@ -414,9 +414,9 @@ bool RPC_Reasm_Buffer::ConsumeChunk(const u_char*& data, int& len)
} // namespace detail
Contents_RPC::Contents_RPC(zeek::Connection* conn, bool orig,
Contents_RPC::Contents_RPC(Connection* conn, bool orig,
detail::RPC_Interpreter* arg_interp)
: zeek::analyzer::tcp::TCP_SupportAnalyzer("CONTENTS_RPC", conn, orig)
: analyzer::tcp::TCP_SupportAnalyzer("CONTENTS_RPC", conn, orig)
{
interp = arg_interp;
state = WAIT_FOR_MESSAGE;
@ -428,7 +428,7 @@ Contents_RPC::Contents_RPC(zeek::Connection* conn, bool orig,
void Contents_RPC::Init()
{
zeek::analyzer::tcp::TCP_SupportAnalyzer::Init();
analyzer::tcp::TCP_SupportAnalyzer::Init();
}
Contents_RPC::~Contents_RPC()
@ -437,7 +437,7 @@ Contents_RPC::~Contents_RPC()
void Contents_RPC::Undelivered(uint64_t seq, int len, bool orig)
{
zeek::analyzer::tcp::TCP_SupportAnalyzer::Undelivered(seq, len, orig);
analyzer::tcp::TCP_SupportAnalyzer::Undelivered(seq, len, orig);
NeedResync();
}
@ -456,12 +456,12 @@ bool Contents_RPC::CheckResync(int& len, const u_char*& data, bool orig)
// is fully established we are in sync (since it's the first chunk
// of data after the SYN if its not established we need to
// resync.
zeek::analyzer::tcp::TCP_Analyzer* tcp =
static_cast<zeek::analyzer::tcp::TCP_ApplicationAnalyzer*>(Parent())->TCP();
analyzer::tcp::TCP_Analyzer* tcp =
static_cast<analyzer::tcp::TCP_ApplicationAnalyzer*>(Parent())->TCP();
assert(tcp);
if ( (IsOrig() ? tcp->OrigState() : tcp->RespState()) !=
zeek::analyzer::tcp::TCP_ENDPOINT_ESTABLISHED )
analyzer::tcp::TCP_ENDPOINT_ESTABLISHED )
{
NeedResync();
}
@ -515,7 +515,7 @@ bool Contents_RPC::CheckResync(int& len, const u_char*& data, bool orig)
if ( resync_toskip != 0 )
{
// Should never happen.
zeek::reporter->AnalyzerError(
reporter->AnalyzerError(
this, "RPC resync: skipping over data failed");
return false;
}
@ -534,8 +534,8 @@ bool Contents_RPC::CheckResync(int& len, const u_char*& data, bool orig)
// TCP keep-alive retransmissions.
DEBUG_MSG("%.6f RPC resync: "
"discard small pieces: %d\n",
zeek::run_state::network_time, len);
Conn()->Weird("RPC_resync", zeek::util::fmt("discard %d bytes\n", len));
run_state::network_time, len);
Conn()->Weird("RPC_resync", util::fmt("discard %d bytes\n", len));
}
NeedResync();
@ -623,7 +623,7 @@ bool Contents_RPC::CheckResync(int& len, const u_char*& data, bool orig)
void Contents_RPC::DeliverStream(int len, const u_char* data, bool orig)
{
zeek::analyzer::tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig);
analyzer::tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig);
uint32_t marker;
bool last_frag;
@ -634,7 +634,7 @@ void Contents_RPC::DeliverStream(int len, const u_char* data, bool orig)
while (len > 0)
{
last_time = zeek::run_state::network_time;
last_time = run_state::network_time;
switch (state) {
case WAIT_FOR_MESSAGE:
@ -649,7 +649,7 @@ void Contents_RPC::DeliverStream(int len, const u_char* data, bool orig)
msg_buf.Init(MAX_RPC_LEN, 0);
last_frag = false;
state = WAIT_FOR_MARKER;
start_time = zeek::run_state::network_time;
start_time = run_state::network_time;
// no break. fall through
case WAIT_FOR_MARKER:
@ -667,7 +667,7 @@ void Contents_RPC::DeliverStream(int len, const u_char* data, bool orig)
if ( ! dummy_p )
{
zeek::reporter->AnalyzerError(
reporter->AnalyzerError(
this, "inconsistent RPC record marker extraction");
return;
}
@ -675,10 +675,10 @@ void Contents_RPC::DeliverStream(int len, const u_char* data, bool orig)
last_frag = (marker & 0x80000000) != 0;
marker &= 0x7fffffff;
//printf("%.6f %d marker= %u <> last_frag= %d <> expected=%llu <> processed= %llu <> len = %d\n",
// zeek::run_state::network_time, IsOrig(), marker, last_frag, msg_buf.GetExpected(), msg_buf.GetProcessed(), len);
// run_state::network_time, IsOrig(), marker, last_frag, msg_buf.GetExpected(), msg_buf.GetProcessed(), len);
if ( ! msg_buf.AddToExpected(marker) )
Conn()->Weird("RPC_message_too_long", zeek::util::fmt("%" PRId64, msg_buf.GetExpected()));
Conn()->Weird("RPC_message_too_long", util::fmt("%" PRId64, msg_buf.GetExpected()));
if ( last_frag )
state = WAIT_FOR_LAST_DATA;
@ -722,14 +722,14 @@ void Contents_RPC::DeliverStream(int len, const u_char* data, bool orig)
} // end while
}
RPC_Analyzer::RPC_Analyzer(const char* name, zeek::Connection* conn,
RPC_Analyzer::RPC_Analyzer(const char* name, Connection* conn,
detail::RPC_Interpreter* arg_interp)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer(name, conn),
: analyzer::tcp::TCP_ApplicationAnalyzer(name, conn),
interp(arg_interp), orig_rpc(), resp_rpc()
{
if ( Conn()->ConnTransport() == TRANSPORT_UDP )
ADD_ANALYZER_TIMER(&RPC_Analyzer::ExpireTimer,
zeek::run_state::network_time + zeek::detail::rpc_timeout, true,
run_state::network_time + zeek::detail::rpc_timeout, true,
zeek::detail::TIMER_RPC_EXPIRE);
}
@ -739,26 +739,26 @@ RPC_Analyzer::~RPC_Analyzer()
}
void RPC_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const zeek::IP_Hdr* ip, int caplen)
uint64_t seq, const IP_Hdr* ip, int caplen)
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
analyzer::tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
len = std::min(len, caplen);
if ( orig )
{
if ( ! interp->DeliverRPC(data, len, len, true, zeek::run_state::network_time, zeek::run_state::network_time) )
if ( ! interp->DeliverRPC(data, len, len, true, run_state::network_time, run_state::network_time) )
Weird("bad_RPC");
}
else
{
if ( ! interp->DeliverRPC(data, len, len, false, zeek::run_state::network_time, zeek::run_state::network_time) )
if ( ! interp->DeliverRPC(data, len, len, false, run_state::network_time, run_state::network_time) )
Weird("bad_RPC");
}
}
void RPC_Analyzer::Done()
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
analyzer::tcp::TCP_ApplicationAnalyzer::Done();
interp->Timeout();
}
@ -766,7 +766,7 @@ void RPC_Analyzer::Done()
void RPC_Analyzer::ExpireTimer(double /* t */)
{
Event(connection_timeout);
zeek::sessions->Remove(Conn());
sessions->Remove(Conn());
}
} // namespace zeek::analyzer::rpc

22
src/analyzer/protocol/rpc/RPC.h
View file

@ -53,9 +53,9 @@ public:
double last_time, int rpc_len);
~RPC_CallInfo();
void AddVal(zeek::ValPtr arg_v) { v = std::move(arg_v); }
const zeek::ValPtr& RequestVal() const { return v; }
zeek::ValPtr TakeRequestVal() { auto rv = std::move(v); return rv; }
void AddVal(ValPtr arg_v) { v = std::move(arg_v); }
const ValPtr& RequestVal() const { return v; }
ValPtr TakeRequestVal() { auto rv = std::move(v); return rv; }
bool CompareRexmit(const u_char* buf, int n) const;
@ -96,12 +96,12 @@ protected:
int header_len; // size of data before the arguments
bool valid_call; // whether call was well-formed
zeek::ValPtr v; // single (perhaps compound) value corresponding to call
ValPtr v; // single (perhaps compound) value corresponding to call
};
class RPC_Interpreter {
public:
explicit RPC_Interpreter(zeek::analyzer::Analyzer* analyzer);
explicit RPC_Interpreter(analyzer::Analyzer* analyzer);
virtual ~RPC_Interpreter();
// Delivers the given RPC. Returns true if "len" bytes were
@ -124,7 +124,7 @@ protected:
void Weird(const char* name, const char* addl = "");
std::map<uint32_t, RPC_CallInfo*> calls;
zeek::analyzer::Analyzer* analyzer;
analyzer::Analyzer* analyzer;
};
@ -187,9 +187,9 @@ protected:
} // namespace detail
/* Support Analyzer for reassembling RPC-over-TCP messages */
class Contents_RPC final : public zeek::analyzer::tcp::TCP_SupportAnalyzer {
class Contents_RPC final : public analyzer::tcp::TCP_SupportAnalyzer {
public:
Contents_RPC(zeek::Connection* conn, bool orig, detail::RPC_Interpreter* interp);
Contents_RPC(Connection* conn, bool orig, detail::RPC_Interpreter* interp);
~Contents_RPC() override;
protected:
@ -233,9 +233,9 @@ protected:
int resync_toskip;
};
class RPC_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
class RPC_Analyzer : public analyzer::tcp::TCP_ApplicationAnalyzer {
public:
RPC_Analyzer(const char* name, zeek::Connection* conn,
RPC_Analyzer(const char* name, Connection* conn,
detail::RPC_Interpreter* arg_interp);
~RPC_Analyzer() override;
@ -243,7 +243,7 @@ public:
protected:
void DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override;
uint64_t seq, const IP_Hdr* ip, int caplen) override;
void ExpireTimer(double t);

8
src/analyzer/protocol/sip/SIP.cc
View file

@ -4,8 +4,8 @@
namespace zeek::analyzer::sip {
SIP_Analyzer::SIP_Analyzer(zeek::Connection* c)
: zeek::analyzer::Analyzer("SIP", c)
SIP_Analyzer::SIP_Analyzer(Connection* c)
: analyzer::Analyzer("SIP", c)
{
interp = new binpac::SIP::SIP_Conn(this);
}
@ -21,7 +21,7 @@ void SIP_Analyzer::Done()
}
void SIP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const zeek::IP_Hdr* ip, int caplen)
uint64_t seq, const IP_Hdr* ip, int caplen)
{
bool real_orig = true;
if ( len > 6 && data[0] == 'S' && data[1] == 'I' && data[2] == 'P' && data[3] == '/' )
@ -39,7 +39,7 @@ void SIP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
}
catch ( const binpac::Exception& e )
{
ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg()));
ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
}
}

8
src/analyzer/protocol/sip/SIP.h
View file

@ -7,18 +7,18 @@
namespace zeek::analyzer::sip{
class SIP_Analyzer final : public zeek::analyzer::Analyzer {
class SIP_Analyzer final : public analyzer::Analyzer {
public:
explicit SIP_Analyzer(zeek::Connection* conn);
explicit SIP_Analyzer(Connection* conn);
~SIP_Analyzer() override;
// Overridden from Analyzer
void Done() override;
void DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override;
uint64_t seq, const IP_Hdr* ip, int caplen) override;
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn)
static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new SIP_Analyzer(conn); }
protected:

14
src/analyzer/protocol/sip/SIP_TCP.cc
View file

@ -9,8 +9,8 @@
namespace zeek::analyzer::sip_tcp {
SIP_Analyzer::SIP_Analyzer(zeek::Connection* conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("SIP_TCP", conn)
SIP_Analyzer::SIP_Analyzer(Connection* conn)
: analyzer::tcp::TCP_ApplicationAnalyzer("SIP_TCP", conn)
{
interp = new binpac::SIP_TCP::SIP_Conn(this);
had_gap = false;
@ -23,7 +23,7 @@ SIP_Analyzer::~SIP_Analyzer()
void SIP_Analyzer::Done()
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
analyzer::tcp::TCP_ApplicationAnalyzer::Done();
interp->FlowEOF(true);
interp->FlowEOF(false);
@ -31,13 +31,13 @@ void SIP_Analyzer::Done()
void SIP_Analyzer::EndpointEOF(bool is_orig)
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
interp->FlowEOF(is_orig);
}
void SIP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
assert(TCP());
if ( TCP()->IsPartial() )
@ -55,13 +55,13 @@ void SIP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
}
catch ( const binpac::Exception& e )
{
ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg()));
ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
}
}
void SIP_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
had_gap = true;
interp->NewGap(orig, len);
}

8
src/analyzer/protocol/sip/SIP_TCP.h
View file

@ -11,19 +11,19 @@
namespace zeek::analyzer::sip_tcp {
class SIP_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
class SIP_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer {
public:
explicit SIP_Analyzer(zeek::Connection* conn);
explicit SIP_Analyzer(Connection* conn);
~SIP_Analyzer() override;
void Done() override;
void DeliverStream(int len, const u_char* data, bool orig) override;
void Undelivered(uint64_t seq, int len, bool orig) override;
// Overriden from zeek::analyzer::tcp::TCP_ApplicationAnalyzer.
// Overriden from analyzer::tcp::TCP_ApplicationAnalyzer.
void EndpointEOF(bool is_orig) override;
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn)
static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new SIP_Analyzer(conn); }
protected:

6
src/analyzer/protocol/smb/SMB.cc
View file

@ -6,8 +6,8 @@ namespace zeek::analyzer::smb {
// being seen.
#define SMB_MAX_LEN (1<<18)
SMB_Analyzer::SMB_Analyzer(zeek::Connection* conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("SMB", conn)
SMB_Analyzer::SMB_Analyzer(Connection* conn)
: analyzer::tcp::TCP_ApplicationAnalyzer("SMB", conn)
{
chunks=0;
interp = new binpac::SMB::SMB_Conn(this);
@ -81,7 +81,7 @@ void SMB_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
}
catch ( const binpac::Exception& e )
{
ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg()));
ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
NeedResync();
}
}

6
src/analyzer/protocol/smb/SMB.h
View file

@ -5,9 +5,9 @@
namespace zeek::analyzer::smb {
class SMB_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
class SMB_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer {
public:
explicit SMB_Analyzer(zeek::Connection* conn);
explicit SMB_Analyzer(Connection* conn);
~SMB_Analyzer() override;
void Done() override;
@ -18,7 +18,7 @@ public:
bool HasSMBHeader(int len, const u_char* data);
void NeedResync();
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn)
static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new SMB_Analyzer(conn); }
protected:

62
src/analyzer/protocol/smtp/SMTP.cc
View file

@ -26,8 +26,8 @@ static const char* unknown_cmd = "(UNKNOWN)";
namespace zeek::analyzer::smtp {
SMTP_Analyzer::SMTP_Analyzer(zeek::Connection* conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("SMTP", conn)
SMTP_Analyzer::SMTP_Analyzer(Connection* conn)
: analyzer::tcp::TCP_ApplicationAnalyzer("SMTP", conn)
{
expect_sender = false;
expect_recver = true;
@ -46,12 +46,12 @@ SMTP_Analyzer::SMTP_Analyzer(zeek::Connection* conn)
line_after_gap = nullptr;
mail = nullptr;
UpdateState(first_cmd, 0, true);
cl_orig = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, true);
cl_orig = new analyzer::tcp::ContentLine_Analyzer(conn, true);
cl_orig->SetIsNULSensitive(true);
cl_orig->SetSkipPartial(true);
AddSupportAnalyzer(cl_orig);
cl_resp = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, false);
cl_resp = new analyzer::tcp::ContentLine_Analyzer(conn, false);
cl_resp->SetIsNULSensitive(true);
cl_resp->SetSkipPartial(true);
AddSupportAnalyzer(cl_resp);
@ -59,7 +59,7 @@ SMTP_Analyzer::SMTP_Analyzer(zeek::Connection* conn)
void SMTP_Analyzer::ConnectionFinished(bool half_finished)
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::ConnectionFinished(half_finished);
analyzer::tcp::TCP_ApplicationAnalyzer::ConnectionFinished(half_finished);
if ( ! half_finished && mail )
EndData();
@ -72,7 +72,7 @@ SMTP_Analyzer::~SMTP_Analyzer()
void SMTP_Analyzer::Done()
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
analyzer::tcp::TCP_ApplicationAnalyzer::Done();
if ( mail )
EndData();
@ -80,12 +80,12 @@ void SMTP_Analyzer::Done()
void SMTP_Analyzer::Undelivered(uint64_t seq, int len, bool is_orig)
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig);
analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig);
if ( len <= 0 )
return;
const char* buf = zeek::util::fmt("seq = %" PRIu64", len = %d", seq, len);
const char* buf = util::fmt("seq = %" PRIu64", len = %d", seq, len);
int buf_len = strlen(buf);
Unexpected(is_orig, "content gap", buf_len, buf);
@ -118,7 +118,7 @@ void SMTP_Analyzer::Undelivered(uint64_t seq, int len, bool is_orig)
void SMTP_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
{
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(length, line, orig);
analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(length, line, orig);
// If an TLS transaction has been initiated, forward to child and abort.
if ( state == detail::SMTP_IN_TLS )
@ -183,7 +183,7 @@ void SMTP_Analyzer::ProcessLine(int length, const char* line, bool orig)
delete line_after_gap;
line_after_gap =
new zeek::String((const u_char *) line, length, true);
new String((const u_char *) line, length, true);
}
else if ( state == detail::SMTP_IN_DATA && line[0] == '.' && length == 1 )
@ -221,8 +221,8 @@ void SMTP_Analyzer::ProcessLine(int length, const char* line, bool orig)
{
EnqueueConnEvent(smtp_data,
ConnVal(),
zeek::val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(data_len, line)
val_mgr->Bool(orig),
make_intrusive<StringVal>(data_len, line)
);
}
}
@ -240,8 +240,8 @@ void SMTP_Analyzer::ProcessLine(int length, const char* line, bool orig)
expect_sender = false;
expect_recver = true;
zeek::util::get_word(length, line, cmd_len, cmd);
line = zeek::util::skip_whitespace(line + cmd_len, end_of_line);
util::get_word(length, line, cmd_len, cmd);
line = util::skip_whitespace(line + cmd_len, end_of_line);
cmd_code = ParseCmd(cmd_len, cmd);
if ( cmd_code == -1 )
@ -299,7 +299,7 @@ void SMTP_Analyzer::ProcessLine(int length, const char* line, bool orig)
{
reply_code = -1;
Unexpected(is_sender, "reply code out of range", length, line);
ProtocolViolation(zeek::util::fmt("reply code %d out of range",
ProtocolViolation(util::fmt("reply code %d out of range",
reply_code), line, length);
}
@ -319,12 +319,12 @@ void SMTP_Analyzer::ProcessLine(int length, const char* line, bool orig)
if ( reply_code >= 0 && length > 3 && line[3] == '-' )
{ // A continued reply.
pending_reply = reply_code;
line = zeek::util::skip_whitespace(line+4, end_of_line);
line = util::skip_whitespace(line+4, end_of_line);
}
else
{ // This is the end of the reply.
line = zeek::util::skip_whitespace(line+3, end_of_line);
line = util::skip_whitespace(line+3, end_of_line);
pending_reply = 0;
expect_sender = true;
@ -351,11 +351,11 @@ void SMTP_Analyzer::ProcessLine(int length, const char* line, bool orig)
EnqueueConnEvent(smtp_reply,
ConnVal(),
zeek::val_mgr->Bool(orig),
zeek::val_mgr->Count(reply_code),
zeek::make_intrusive<zeek::StringVal>(cmd),
zeek::make_intrusive<zeek::StringVal>(end_of_line - line, line),
zeek::val_mgr->Bool((pending_reply > 0))
val_mgr->Bool(orig),
val_mgr->Count(reply_code),
make_intrusive<StringVal>(cmd),
make_intrusive<StringVal>(end_of_line - line, line),
val_mgr->Bool((pending_reply > 0))
);
}
}
@ -366,7 +366,7 @@ void SMTP_Analyzer::ProcessLine(int length, const char* line, bool orig)
const char* ext;
int ext_len;
zeek::util::get_word(end_of_line - line, line, ext_len, ext);
util::get_word(end_of_line - line, line, ext_len, ext);
ProcessExtension(ext_len, ext);
}
}
@ -405,7 +405,7 @@ void SMTP_Analyzer::StartTLS()
RemoveSupportAnalyzer(cl_orig);
RemoveSupportAnalyzer(cl_resp);
Analyzer* ssl = zeek::analyzer_mgr->InstantiateAnalyzer("SSL", Conn());
Analyzer* ssl = analyzer_mgr->InstantiateAnalyzer("SSL", Conn());
if ( ssl )
AddChildAnalyzer(ssl);
@ -855,14 +855,14 @@ void SMTP_Analyzer::RequestEvent(int cmd_len, const char* cmd,
if ( smtp_request )
{
auto cmd_arg = zeek::make_intrusive<zeek::StringVal>(cmd_len, cmd);
auto cmd_arg = make_intrusive<StringVal>(cmd_len, cmd);
cmd_arg->ToUpper();
EnqueueConnEvent(smtp_request,
ConnVal(),
zeek::val_mgr->Bool(orig_is_sender),
val_mgr->Bool(orig_is_sender),
std::move(cmd_arg),
zeek::make_intrusive<zeek::StringVal>(arg_len, arg)
make_intrusive<StringVal>(arg_len, arg)
);
}
}
@ -881,9 +881,9 @@ void SMTP_Analyzer::Unexpected(bool is_sender, const char* msg,
EnqueueConnEvent(smtp_unexpected,
ConnVal(),
zeek::val_mgr->Bool(is_orig),
zeek::make_intrusive<zeek::StringVal>(msg),
zeek::make_intrusive<zeek::StringVal>(detail_len, detail)
val_mgr->Bool(is_orig),
make_intrusive<StringVal>(msg),
make_intrusive<StringVal>(detail_len, detail)
);
}
}
@ -928,7 +928,7 @@ void SMTP_Analyzer::BeginData(bool orig)
delete mail;
}
mail = new zeek::analyzer::mime::MIME_Mail(this, orig);
mail = new analyzer::mime::MIME_Mail(this, orig);
}
void SMTP_Analyzer::EndData()

14
src/analyzer/protocol/smtp/SMTP.h
View file

@ -37,9 +37,9 @@ enum SMTP_State {
} // namespace detail
class SMTP_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
class SMTP_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer {
public:
explicit SMTP_Analyzer(zeek::Connection* conn);
explicit SMTP_Analyzer(Connection* conn);
~SMTP_Analyzer() override;
void Done() override;
@ -49,7 +49,7 @@ public:
void SkipData() { skip_data = 1; } // skip delivery of data lines
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn)
static analyzer::Analyzer* Instantiate(Connection* conn)
{
return new SMTP_Analyzer(conn);
}
@ -86,14 +86,14 @@ protected:
int pending_reply; // code assoc. w/ multi-line reply, or 0
std::list<int> pending_cmd_q; // to support pipelining
bool skip_data; // whether to skip message body
zeek::String* line_after_gap; // last line before the first reply
String* line_after_gap; // last line before the first reply
// after a gap
zeek::analyzer::mime::MIME_Mail* mail;
analyzer::mime::MIME_Mail* mail;
private:
zeek::analyzer::tcp::ContentLine_Analyzer* cl_orig;
zeek::analyzer::tcp::ContentLine_Analyzer* cl_resp;
analyzer::tcp::ContentLine_Analyzer* cl_orig;
analyzer::tcp::ContentLine_Analyzer* cl_resp;
};
} // namespace zeek::analyzer::smtp

6
src/analyzer/protocol/snmp/SNMP.cc
View file

@ -8,7 +8,7 @@
namespace zeek::analyzer::snmp {
SNMP_Analyzer::SNMP_Analyzer(zeek::Connection* conn)
SNMP_Analyzer::SNMP_Analyzer(Connection* conn)
: Analyzer("SNMP", conn)
{
interp = new binpac::SNMP::SNMP_Conn(this);
@ -26,7 +26,7 @@ void SNMP_Analyzer::Done()
}
void SNMP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const zeek::IP_Hdr* ip, int caplen)
uint64_t seq, const IP_Hdr* ip, int caplen)
{
Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
@ -36,7 +36,7 @@ void SNMP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
}
catch ( const binpac::Exception& e )
{
ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg()));
ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
}
}

8
src/analyzer/protocol/snmp/SNMP.h
View file

@ -6,18 +6,18 @@
namespace zeek::analyzer::snmp {
class SNMP_Analyzer final : public zeek::analyzer::Analyzer {
class SNMP_Analyzer final : public analyzer::Analyzer {
public:
explicit SNMP_Analyzer(zeek::Connection* conn);
explicit SNMP_Analyzer(Connection* conn);
virtual ~SNMP_Analyzer();
virtual void Done();
virtual void DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const zeek::IP_Hdr* ip, int caplen);
uint64_t seq, const IP_Hdr* ip, int caplen);
static zeek::analyzer::Analyzer* InstantiateAnalyzer(zeek::Connection* conn)
static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
{ return new SNMP_Analyzer(conn); }
protected:

Some files were not shown because too many files have changed in this diff Show more