diff --git a/src/analyzer/Manager.cc b/src/analyzer/Manager.cc index 82e230f761..66d73f2c57 100644 --- a/src/analyzer/Manager.cc +++ b/src/analyzer/Manager.cc @@ -475,14 +475,14 @@ bool Manager::BuildInitialAnalyzerTree(Connection* conn) if ( IsEnabled(analyzer_connsize) ) // Add ConnSize analyzer. Needs to see packets, not stream. - tcp->AddChildPacketAnalyzer(new ::analyzer::conn_size::ConnSize_Analyzer(conn)); + tcp->AddChildPacketAnalyzer(new zeek::analyzer::conn_size::ConnSize_Analyzer(conn)); } else { if ( IsEnabled(analyzer_connsize) ) // Add ConnSize analyzer. Needs to see packets, not stream. - root->AddChildAnalyzer(new ::analyzer::conn_size::ConnSize_Analyzer(conn)); + root->AddChildAnalyzer(new zeek::analyzer::conn_size::ConnSize_Analyzer(conn)); } if ( pia ) diff --git a/src/analyzer/protocol/ayiya/AYIYA.cc b/src/analyzer/protocol/ayiya/AYIYA.cc index 2a3dba5da0..7bc78fa050 100644 --- a/src/analyzer/protocol/ayiya/AYIYA.cc +++ b/src/analyzer/protocol/ayiya/AYIYA.cc @@ -2,7 +2,7 @@ #include "AYIYA.h" #include "Func.h" -using namespace analyzer::ayiya; +namespace zeek::analyzer::ayiya { AYIYA_Analyzer::AYIYA_Analyzer(zeek::Connection* conn) : Analyzer("AYIYA", conn) @@ -34,3 +34,5 @@ void AYIYA_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint6 ProtocolViolation(fmt("Binpac exception: %s", e.c_msg())); } } + +} // namespace zeek::analyzer::ayiya diff --git a/src/analyzer/protocol/ayiya/AYIYA.h b/src/analyzer/protocol/ayiya/AYIYA.h index b42c21526a..5416c407c1 100644 --- a/src/analyzer/protocol/ayiya/AYIYA.h +++ b/src/analyzer/protocol/ayiya/AYIYA.h @@ -2,7 +2,7 @@ #include "ayiya_pac.h" -namespace analyzer { namespace ayiya { +namespace zeek::analyzer::ayiya { class AYIYA_Analyzer final : public zeek::analyzer::Analyzer { public: @@ -20,4 +20,8 @@ protected: binpac::AYIYA::AYIYA_Conn* interp; }; -} } // namespace analyzer::* +} // namespace zeek::analyzer::ayiya + +namespace analyzer::ayiya { + using AYIYA_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::ayiya::AYIYA_Analyzer.")]] = zeek::analyzer::ayiya::AYIYA_Analyzer; +} diff --git a/src/analyzer/protocol/ayiya/Plugin.cc b/src/analyzer/protocol/ayiya/Plugin.cc index a89aea577f..9f263e2577 100644 --- a/src/analyzer/protocol/ayiya/Plugin.cc +++ b/src/analyzer/protocol/ayiya/Plugin.cc @@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() override { - AddComponent(new zeek::analyzer::Component("AYIYA", ::analyzer::ayiya::AYIYA_Analyzer::Instantiate)); + AddComponent(new zeek::analyzer::Component("AYIYA", zeek::analyzer::ayiya::AYIYA_Analyzer::Instantiate)); zeek::plugin::Configuration config; config.name = "Zeek::AYIYA"; diff --git a/src/analyzer/protocol/bittorrent/BitTorrent.cc b/src/analyzer/protocol/bittorrent/BitTorrent.cc index f9e09847df..9f4a0cce1a 100644 --- a/src/analyzer/protocol/bittorrent/BitTorrent.cc +++ b/src/analyzer/protocol/bittorrent/BitTorrent.cc @@ -5,7 +5,7 @@ #include "events.bif.h" -using namespace analyzer::bittorrent; +namespace zeek::analyzer::bittorrent { BitTorrent_Analyzer::BitTorrent_Analyzer(zeek::Connection* c) : zeek::analyzer::tcp::TCP_ApplicationAnalyzer("BITTORRENT", c) @@ -124,3 +124,5 @@ void BitTorrent_Analyzer::DeliverWeird(const char* msg, bool orig) zeek::val_mgr->Bool(orig), zeek::make_intrusive(msg)); } + +} // namespace zeek::analyzer::bittorrent diff --git a/src/analyzer/protocol/bittorrent/BitTorrent.h b/src/analyzer/protocol/bittorrent/BitTorrent.h index 6a4306baec..b266a8dc32 100644 --- a/src/analyzer/protocol/bittorrent/BitTorrent.h +++ b/src/analyzer/protocol/bittorrent/BitTorrent.h @@ -6,7 +6,7 @@ #include "bittorrent_pac.h" -namespace analyzer { namespace bittorrent { +namespace zeek::analyzer::bittorrent { class BitTorrent_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { public: @@ -29,4 +29,10 @@ protected: uint64_t stream_len_orig, stream_len_resp; }; -} } // namespace analyzer::* +} // namespace zeek::analyzer::bittorrent + +namespace analyzer::bittorrent { + + using BitTorrent_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::bittorrent::BitTorrent_Analyzer.")]] = zeek::analyzer::bittorrent::BitTorrent_Analyzer; + +} diff --git a/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc b/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc index a4a0662c08..2dc3bd7293 100644 --- a/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc +++ b/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc @@ -13,7 +13,7 @@ # define FMT_INT "%" PRId64 # define FMT_UINT "%" PRIu64 -using namespace analyzer::bittorrent; +namespace zeek::analyzer::bittorrent { static zeek::TableTypePtr bt_tracker_headers; static zeek::RecordTypePtr bittorrent_peer; @@ -40,14 +40,14 @@ BitTorrentTracker_Analyzer::BitTorrentTracker_Analyzer(zeek::Connection* c) keep_alive = false; - req_state = BTT_REQ_GET; + req_state = detail::BTT_REQ_GET; req_buf[sizeof(req_buf) - 1] = 0; req_buf_pos = req_buf; req_buf_len = 0; req_val_uri = nullptr; req_val_headers = new zeek::TableVal(bt_tracker_headers); - res_state = BTT_RES_STATUS; + res_state = detail::BTT_RES_STATUS; res_allow_blank_line = false; res_buf[sizeof(res_buf) - 1] = 0; res_buf_pos = res_buf; @@ -130,9 +130,9 @@ void BitTorrentTracker_Analyzer::ClientRequest(int len, const u_char* data) req_buf_pos = lf + 1; - if ( req_state == BTT_REQ_DONE && keep_alive ) + if ( req_state == detail::BTT_REQ_DONE && keep_alive ) { - req_state = BTT_REQ_GET; + req_state = detail::BTT_REQ_GET; req_buf_len -= (req_buf_pos - req_buf); memmove(req_buf, req_buf_pos, req_buf_len); req_buf_pos = req_buf; @@ -146,7 +146,7 @@ void BitTorrentTracker_Analyzer::ServerReply(int len, const u_char* data) if ( stop_resp ) return; - if ( res_state == BTT_RES_DONE ) + if ( res_state == detail::BTT_RES_DONE ) // We are done already, i.e. state != 200. return; @@ -163,7 +163,7 @@ void BitTorrentTracker_Analyzer::ServerReply(int len, const u_char* data) while ( true ) { - while ( res_state != BTT_RES_BODY && + while ( res_state != detail::BTT_RES_BODY && res_buf_pos < res_buf + res_buf_len ) { char* lf = strchr(res_buf_pos, '\n'); @@ -181,17 +181,17 @@ void BitTorrentTracker_Analyzer::ServerReply(int len, const u_char* data) res_buf_pos = lf + 1; } - if ( res_state != BTT_RES_BODY || + if ( res_state != detail::BTT_RES_BODY || res_buf_pos >= res_buf + res_buf_len ) break; ResponseBody(); - if ( res_state != BTT_RES_DONE || + if ( res_state != detail::BTT_RES_DONE || res_status != 200 || ! keep_alive ) break; - res_state = BTT_RES_STATUS; + res_state = detail::BTT_RES_STATUS; res_allow_blank_line = true; res_buf_len -= res_buf_pos - res_buf; memmove(res_buf, res_buf_pos, res_buf_len); @@ -228,9 +228,9 @@ void BitTorrentTracker_Analyzer::InitBencParser(void) benc_stack.clear(); benc_count.clear(); - benc_state = BENC_STATE_EMPTY; + benc_state = detail::BENC_STATE_EMPTY; benc_raw = nullptr; - benc_raw_type = BENC_TYPE_NONE; + benc_raw_type = detail::BENC_TYPE_NONE; benc_raw_len = 0; benc_key = nullptr; benc_key_len = 0; @@ -267,7 +267,7 @@ bool BitTorrentTracker_Analyzer::ParseRequest(char* line) } switch ( req_state ) { - case BTT_REQ_GET: + case detail::BTT_REQ_GET: { regmatch_t match[1]; if ( regexec(&r_get, line, 1, match, 0) ) @@ -293,16 +293,16 @@ bool BitTorrentTracker_Analyzer::ParseRequest(char* line) RequestGet(&line[match[0].rm_eo]); - req_state = BTT_REQ_HEADER; + req_state = detail::BTT_REQ_HEADER; } break; - case BTT_REQ_HEADER: + case detail::BTT_REQ_HEADER: { if ( ! *line ) { EmitRequest(); - req_state = BTT_REQ_DONE; + req_state = detail::BTT_REQ_DONE; break; } @@ -319,7 +319,7 @@ bool BitTorrentTracker_Analyzer::ParseRequest(char* line) } break; - case BTT_REQ_DONE: + case detail::BTT_REQ_DONE: if ( *line ) { auto msg = fmt("Got post request data: %s\n", line); @@ -370,7 +370,7 @@ bool BitTorrentTracker_Analyzer::ParseResponse(char* line) } switch ( res_state ) { - case BTT_RES_STATUS: + case detail::BTT_RES_STATUS: { if ( res_allow_blank_line && ! *line ) { @@ -390,11 +390,11 @@ bool BitTorrentTracker_Analyzer::ParseResponse(char* line) } ResponseStatus(&line[match[0].rm_eo]); - res_state = BTT_RES_HEADER; + res_state = detail::BTT_RES_HEADER; } break; - case BTT_RES_HEADER: + case detail::BTT_RES_HEADER: if ( ! *line ) { if ( res_status != 200 ) @@ -408,10 +408,10 @@ bool BitTorrentTracker_Analyzer::ParseResponse(char* line) ); res_val_headers = nullptr; res_buf_pos = res_buf + res_buf_len; - res_state = BTT_RES_DONE; + res_state = detail::BTT_RES_DONE; } else - res_state = BTT_RES_BODY; + res_state = detail::BTT_RES_BODY; break; } @@ -465,7 +465,8 @@ void BitTorrentTracker_Analyzer::ParseHeader(char* name, char* value, } void BitTorrentTracker_Analyzer::ResponseBenc(int name_len, char* name, - enum btt_benc_types type, int value_len, char* value) + detail::BTT_BencTypes type, + int value_len, char* value) { if ( name_len == 5 && ! strncmp(name, "peers", 5) ) { @@ -494,7 +495,7 @@ void BitTorrentTracker_Analyzer::ResponseBenc(int name_len, char* name, } void BitTorrentTracker_Analyzer::ResponseBenc(int name_len, char* name, - enum btt_benc_types type, bro_int_t value) + detail::BTT_BencTypes type, bro_int_t value) { auto benc_value = zeek::make_intrusive(bittorrent_benc_value); auto name_ = zeek::make_intrusive(name_len, name); @@ -508,7 +509,7 @@ void BitTorrentTracker_Analyzer::ResponseBody(void) switch ( ResponseParseBenc() ) { case 0: EmitResponse(); - res_state = BTT_RES_DONE; + res_state = detail::BTT_RES_DONE; break; case -1: // parsing failed @@ -540,7 +541,7 @@ int BitTorrentTracker_Analyzer::ResponseParseBenc(void) --len, ++res_buf_pos ) { switch ( benc_state ) { - case BENC_STATE_EMPTY: + case detail::BENC_STATE_EMPTY: { switch ( res_buf_pos[0] ) { case 'd': @@ -548,7 +549,7 @@ int BitTorrentTracker_Analyzer::ResponseParseBenc(void) case 0: break; case 1: benc_raw = res_buf_pos; - benc_raw_type = BENC_TYPE_DIR; + benc_raw_type = detail::BENC_TYPE_DIR; /* fall through */ default: VIOLATION_IF(benc_stack.back() == 'd' && @@ -569,7 +570,7 @@ int BitTorrentTracker_Analyzer::ResponseParseBenc(void) case 1: benc_raw = res_buf_pos; - benc_raw_type = BENC_TYPE_LIST; + benc_raw_type = detail::BENC_TYPE_LIST; /* fall through */ default: @@ -590,10 +591,10 @@ int BitTorrentTracker_Analyzer::ResponseParseBenc(void) ! (benc_count.back() % 2), "BitTorrentTracker: directory key is not a string but an int") - if ( benc_raw_type != BENC_TYPE_NONE ) + if ( benc_raw_type != detail::BENC_TYPE_NONE ) ++benc_raw_len; - benc_state = BENC_STATE_INT1; + benc_state = detail::BENC_STATE_INT1; break; case 'e': @@ -603,7 +604,7 @@ int BitTorrentTracker_Analyzer::ResponseParseBenc(void) benc_count.back() % 2, "BitTorrentTracker: directory has an odd count of members") - if ( benc_raw_type != BENC_TYPE_NONE ) + if ( benc_raw_type != detail::BENC_TYPE_NONE ) ++benc_raw_len; if ( benc_stack.size() == 2 ) @@ -615,7 +616,7 @@ int BitTorrentTracker_Analyzer::ResponseParseBenc(void) benc_key_len = 0; benc_raw = nullptr; benc_raw_len = 0; - benc_raw_type = BENC_TYPE_NONE; + benc_raw_type = detail::BENC_TYPE_NONE; } benc_stack.pop_back(); @@ -635,11 +636,11 @@ int BitTorrentTracker_Analyzer::ResponseParseBenc(void) VIOLATION_IF(! benc_stack.size(), "BitTorrentTracker: not a bencoded directory (first char: [0-9])") - if ( benc_raw_type != BENC_TYPE_NONE ) + if ( benc_raw_type != detail::BENC_TYPE_NONE ) ++benc_raw_len; benc_strlen = res_buf_pos; - benc_state = BENC_STATE_STR1; + benc_state = detail::BENC_STATE_STR1; break; default: @@ -648,28 +649,28 @@ int BitTorrentTracker_Analyzer::ResponseParseBenc(void) } break; - case BENC_STATE_INT1: + case detail::BENC_STATE_INT1: benc_int = res_buf_pos; if ( res_buf_pos[0] == '-' ) { - if ( benc_raw_type != BENC_TYPE_NONE ) + if ( benc_raw_type != detail::BENC_TYPE_NONE ) ++benc_raw_len; - benc_state = BENC_STATE_INT2; + benc_state = detail::BENC_STATE_INT2; break; } - case BENC_STATE_INT2: + case detail::BENC_STATE_INT2: VIOLATION_IF(res_buf_pos[0] < '0' || res_buf_pos[0] > '9', "BitTorrentTracker: no valid bencoding") - if ( benc_raw_type != BENC_TYPE_NONE ) + if ( benc_raw_type != detail::BENC_TYPE_NONE ) ++benc_raw_len; - benc_state = BENC_STATE_INT3; + benc_state = detail::BENC_STATE_INT3; break; - case BENC_STATE_INT3: + case detail::BENC_STATE_INT3: if ( res_buf_pos[0] == 'e' ) { if ( sscanf(benc_int, FMT_INT, @@ -678,7 +679,7 @@ int BitTorrentTracker_Analyzer::ResponseParseBenc(void) if ( benc_stack.size() == 1 ) { ResponseBenc(benc_key_len, - benc_key, BENC_TYPE_INT, + benc_key, detail::BENC_TYPE_INT, benc_int_val); benc_key = nullptr; benc_key_len = 0; @@ -688,7 +689,7 @@ int BitTorrentTracker_Analyzer::ResponseParseBenc(void) VIOLATION_IF(1, "BitTorrentTracker: no valid bencoding") INC_COUNT - benc_state = BENC_STATE_EMPTY; + benc_state = detail::BENC_STATE_EMPTY; } else @@ -696,16 +697,16 @@ int BitTorrentTracker_Analyzer::ResponseParseBenc(void) res_buf_pos[0] > '9', "BitTorrentTracker: no valid bencoding"); - if ( benc_raw_type != BENC_TYPE_NONE ) + if ( benc_raw_type != detail::BENC_TYPE_NONE ) ++benc_raw_len; break; - case BENC_STATE_STR1: + case detail::BENC_STATE_STR1: switch ( res_buf_pos[0] ) { case '0': case '1': case '2': case '3': case '4': case '5': case '6': case '7': case '8': case '9': - if ( benc_raw_type != BENC_TYPE_NONE ) + if ( benc_raw_type != detail::BENC_TYPE_NONE ) ++benc_raw_len; break; @@ -724,10 +725,10 @@ int BitTorrentTracker_Analyzer::ResponseParseBenc(void) benc_key_len = benc_str_len; } - if ( benc_raw_type != BENC_TYPE_NONE ) + if ( benc_raw_type != detail::BENC_TYPE_NONE ) ++benc_raw_len; - benc_state = BENC_STATE_STR2; + benc_state = detail::BENC_STATE_STR2; break; default: @@ -735,14 +736,14 @@ int BitTorrentTracker_Analyzer::ResponseParseBenc(void) } break; - case BENC_STATE_STR2: + case detail::BENC_STATE_STR2: if ( benc_str_have < benc_str_len ) { unsigned int seek = std::min(len, benc_str_len - benc_str_have); benc_str_have += seek; - if ( benc_raw_type != BENC_TYPE_NONE ) + if ( benc_raw_type != detail::BENC_TYPE_NONE ) benc_raw_len += seek; res_buf_pos += seek - 1; @@ -755,7 +756,7 @@ int BitTorrentTracker_Analyzer::ResponseParseBenc(void) benc_key != benc_str ) { ResponseBenc(benc_key_len, benc_key, - BENC_TYPE_STR, + detail::BENC_TYPE_STR, benc_str_len, benc_str); benc_key_len = 0; benc_key = nullptr; @@ -768,7 +769,7 @@ int BitTorrentTracker_Analyzer::ResponseParseBenc(void) } INC_COUNT - benc_state = BENC_STATE_EMPTY; + benc_state = detail::BENC_STATE_EMPTY; } break; } @@ -794,3 +795,5 @@ void BitTorrentTracker_Analyzer::EmitResponse(void) res_val_peers = nullptr; res_val_benc = nullptr; } + +} // namespace zeek::analyzer::bittorrent diff --git a/src/analyzer/protocol/bittorrent/BitTorrentTracker.h b/src/analyzer/protocol/bittorrent/BitTorrentTracker.h index 6b7c6defbd..47fa655894 100644 --- a/src/analyzer/protocol/bittorrent/BitTorrentTracker.h +++ b/src/analyzer/protocol/bittorrent/BitTorrentTracker.h @@ -8,13 +8,15 @@ ZEEK_FORWARD_DECLARE_NAMESPACED(StringVal, zeek); -namespace analyzer { namespace bittorrent { +namespace zeek::analyzer::bittorrent { // If the following is defined, then the analyzer will store all of // the headers seen in tracker messages. //#define BTTRACKER_STORE_HEADERS 1 -enum btt_states { +namespace detail { + +enum BTT_States { BTT_REQ_GET, BTT_REQ_HEADER, BTT_REQ_DONE, @@ -22,19 +24,19 @@ enum btt_states { BTT_RES_STATUS, BTT_RES_HEADER, BTT_RES_BODY, - BTT_RES_DONE, + BTT_RES_DONE }; // "benc" = Bencode ("Bee-Encode"), per http://en.wikipedia.org/wiki/Bencode -enum btt_benc_types { +enum BTT_BencTypes { BENC_TYPE_INT = 0, BENC_TYPE_STR = 1, BENC_TYPE_DIR = 2, BENC_TYPE_LIST = 3, - BENC_TYPE_NONE = 10, + BENC_TYPE_NONE = 10 }; -enum btt_benc_states { +enum BTT_BencStates { BENC_STATE_EMPTY, BENC_STATE_INT1, BENC_STATE_INT2, @@ -43,6 +45,8 @@ enum btt_benc_states { BENC_STATE_STR2, }; +} // namespace detail + class BitTorrentTracker_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { public: explicit BitTorrentTracker_Analyzer(zeek::Connection* conn); @@ -75,10 +79,10 @@ protected: void ResponseHeader(char* name, char* value) { ParseHeader(name, value, false); } void ResponseBody(); - void ResponseBenc(int name_len, char* name, enum btt_benc_types type, - int value_len, char* value); - void ResponseBenc(int name_len, char* name, enum btt_benc_types type, - bro_int_t value); + void ResponseBenc(int name_len, char* name, detail::BTT_BencTypes type, + int value_len, char* value); + void ResponseBenc(int name_len, char* name, detail::BTT_BencTypes type, + bro_int_t value); int ResponseParseBenc(); void EmitResponse(); @@ -88,7 +92,7 @@ protected: bool keep_alive; // Request. - enum btt_states req_state; + detail::BTT_States req_state; char req_buf[BTTRACKER_BUF]; char* req_buf_pos; unsigned int req_buf_len; @@ -96,7 +100,7 @@ protected: zeek::TableVal* req_val_headers; // Response. - enum btt_states res_state; + detail::BTT_States res_state; bool res_allow_blank_line; char res_buf[BTTRACKER_BUF]; char* res_buf_pos; @@ -108,10 +112,10 @@ protected: std::vector benc_stack; std::vector benc_count; - enum btt_benc_states benc_state; + detail::BTT_BencStates benc_state; char* benc_raw; - enum btt_benc_types benc_raw_type; + detail::BTT_BencTypes benc_raw_type; unsigned int benc_raw_len; char* benc_key; @@ -129,4 +133,34 @@ protected: bool stop_orig, stop_resp; }; -} } // namespace analyzer::* +} // namespace zeek::analyzer::bittorrent + +namespace analyzer::bittorrent { + + using btt_states [[deprecated("Remove in v4.1. Use zeek::analyzer::bittorrent::detail::BTT_States.")]] = zeek::analyzer::bittorrent::detail::BTT_States; + constexpr auto BTT_REQ_GET [[deprecated("Remove in v4.1. Use zeek::analyzer::bittorrent::detail::BTT_REQ_GET.")]] = zeek::analyzer::bittorrent::detail::BTT_REQ_GET; + constexpr auto BTT_REQ_HEADER [[deprecated("Remove in v4.1. Use zeek::analyzer::bittorrent::detail::BTT_REQ_HEADER.")]] = zeek::analyzer::bittorrent::detail::BTT_REQ_HEADER; + constexpr auto BTT_REQ_DONE [[deprecated("Remove in v4.1. Use zeek::analyzer::bittorrent::detail::BTT_REQ_DONE.")]] = zeek::analyzer::bittorrent::detail::BTT_REQ_DONE; + constexpr auto BTT_RES_STATUS [[deprecated("Remove in v4.1. Use zeek::analyzer::bittorrent::detail::BTT_RES_STATUS.")]] = zeek::analyzer::bittorrent::detail::BTT_RES_STATUS; + constexpr auto BTT_RES_HEADER [[deprecated("Remove in v4.1. Use zeek::analyzer::bittorrent::detail::BTT_RES_HEADER.")]] = zeek::analyzer::bittorrent::detail::BTT_RES_HEADER; + constexpr auto BTT_RES_BODY [[deprecated("Remove in v4.1. Use zeek::analyzer::bittorrent::detail::BTT_RES_BODY.")]] = zeek::analyzer::bittorrent::detail::BTT_RES_BODY; + constexpr auto BTT_RES_DONE [[deprecated("Remove in v4.1. Use zeek::analyzer::bittorrent::detail::BTT_RES_DONE.")]] = zeek::analyzer::bittorrent::detail::BTT_RES_DONE; + + using btt_benc_types [[deprecated("Remove in v4.1. Use zeek::analyzer::bittorrent::detail::BTT_BencTypes.")]] = zeek::analyzer::bittorrent::detail::BTT_BencTypes; + constexpr auto BENC_TYPE_INT [[deprecated("Remove in v4.1. Use zeek::analyzer::bittorrent::detail::BENC_TYPE_INT.")]] = zeek::analyzer::bittorrent::detail::BENC_TYPE_INT; + constexpr auto BENC_TYPE_STR [[deprecated("Remove in v4.1. Use zeek::analyzer::bittorrent::detail::BENC_TYPE_STR.")]] = zeek::analyzer::bittorrent::detail::BENC_TYPE_STR; + constexpr auto BENC_TYPE_DIR [[deprecated("Remove in v4.1. Use zeek::analyzer::bittorrent::detail::BENC_TYPE_DIR.")]] = zeek::analyzer::bittorrent::detail::BENC_TYPE_DIR; + constexpr auto BENC_TYPE_LIST [[deprecated("Remove in v4.1. Use zeek::analyzer::bittorrent::detail::BENC_TYPE_LIST.")]] = zeek::analyzer::bittorrent::detail::BENC_TYPE_LIST; + constexpr auto BENC_TYPE_NONE [[deprecated("Remove in v4.1. Use zeek::analyzer::bittorrent::detail::BENC_TYPE_NONE.")]] = zeek::analyzer::bittorrent::detail::BENC_TYPE_NONE; + + using btt_benc_states [[deprecated("Remove in v4.1. Use zeek::analyzer::bittorrent::detail::BTT_BencStates.")]] = zeek::analyzer::bittorrent::detail::BTT_BencStates; + constexpr auto BENC_STATE_EMPTY [[deprecated("Remove in v4.1. Use zeek::analyzer::bittorrent::detail::BENC_STATE_EMPTY.")]] = zeek::analyzer::bittorrent::detail::BENC_STATE_EMPTY; + constexpr auto BENC_STATE_INT1 [[deprecated("Remove in v4.1. Use zeek::analyzer::bittorrent::detail::BENC_STATE_INT1.")]] = zeek::analyzer::bittorrent::detail::BENC_STATE_INT1; + constexpr auto BENC_STATE_INT2 [[deprecated("Remove in v4.1. Use zeek::analyzer::bittorrent::detail::BENC_STATE_INT2.")]] = zeek::analyzer::bittorrent::detail::BENC_STATE_INT2; + constexpr auto BENC_STATE_INT3 [[deprecated("Remove in v4.1. Use zeek::analyzer::bittorrent::detail::BENC_STATE_INT3.")]] = zeek::analyzer::bittorrent::detail::BENC_STATE_INT3; + constexpr auto BENC_STATE_STR1 [[deprecated("Remove in v4.1. Use zeek::analyzer::bittorrent::detail::BENC_STATE_STR1.")]] = zeek::analyzer::bittorrent::detail::BENC_STATE_STR1; + constexpr auto BENC_STATE_STR2 [[deprecated("Remove in v4.1. Use zeek::analyzer::bittorrent::detail::BENC_STATE_STR2.")]] = zeek::analyzer::bittorrent::detail::BENC_STATE_STR2; + + using BitTorrentTracker_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::bittorrent::BitTorrentTracker_Analyzer.")]] = zeek::analyzer::bittorrent::BitTorrentTracker_Analyzer; + + } diff --git a/src/analyzer/protocol/bittorrent/Plugin.cc b/src/analyzer/protocol/bittorrent/Plugin.cc index c651ba6061..1756a43a35 100644 --- a/src/analyzer/protocol/bittorrent/Plugin.cc +++ b/src/analyzer/protocol/bittorrent/Plugin.cc @@ -12,8 +12,8 @@ class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() override { - AddComponent(new zeek::analyzer::Component("BitTorrent", ::analyzer::bittorrent::BitTorrent_Analyzer::Instantiate)); - AddComponent(new zeek::analyzer::Component("BitTorrentTracker", ::analyzer::bittorrent::BitTorrentTracker_Analyzer::Instantiate)); + AddComponent(new zeek::analyzer::Component("BitTorrent", zeek::analyzer::bittorrent::BitTorrent_Analyzer::Instantiate)); + AddComponent(new zeek::analyzer::Component("BitTorrentTracker", zeek::analyzer::bittorrent::BitTorrentTracker_Analyzer::Instantiate)); zeek::plugin::Configuration config; config.name = "Zeek::BitTorrent"; diff --git a/src/analyzer/protocol/conn-size/ConnSize.cc b/src/analyzer/protocol/conn-size/ConnSize.cc index 30b25bdd13..5c9d104123 100644 --- a/src/analyzer/protocol/conn-size/ConnSize.cc +++ b/src/analyzer/protocol/conn-size/ConnSize.cc @@ -10,7 +10,7 @@ #include "events.bif.h" -using namespace analyzer::conn_size; +namespace zeek::analyzer::conn_size { ConnSize_Analyzer::ConnSize_Analyzer(zeek::Connection* c) : Analyzer("CONNSIZE", c), @@ -205,3 +205,5 @@ void ConnSize_Analyzer::FlipRoles() orig_pkts = resp_pkts; resp_pkts = tmp; } + +} // namespace zeek::analyzer::conn_size diff --git a/src/analyzer/protocol/conn-size/ConnSize.h b/src/analyzer/protocol/conn-size/ConnSize.h index 222bece169..766422e1b5 100644 --- a/src/analyzer/protocol/conn-size/ConnSize.h +++ b/src/analyzer/protocol/conn-size/ConnSize.h @@ -6,7 +6,7 @@ #include "analyzer/Analyzer.h" #include "NetVar.h" -namespace analyzer { namespace conn_size { +namespace zeek::analyzer::conn_size { class ConnSize_Analyzer : public zeek::analyzer::Analyzer { public: @@ -50,4 +50,8 @@ protected: double duration_thresh; }; -} } // namespace analyzer::* +} // namespace zeek::analyzer::conn_size + +namespace analyzer::conn_size { + using ConnSize_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::conn_size::ConnSize_Analyzer.")]] = zeek::analyzer::conn_size::ConnSize_Analyzer; +} diff --git a/src/analyzer/protocol/conn-size/Plugin.cc b/src/analyzer/protocol/conn-size/Plugin.cc index c8c1fd8d2e..919f366a1e 100644 --- a/src/analyzer/protocol/conn-size/Plugin.cc +++ b/src/analyzer/protocol/conn-size/Plugin.cc @@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() override { - AddComponent(new zeek::analyzer::Component("ConnSize", ::analyzer::conn_size::ConnSize_Analyzer::Instantiate)); + AddComponent(new zeek::analyzer::Component("ConnSize", zeek::analyzer::conn_size::ConnSize_Analyzer::Instantiate)); zeek::plugin::Configuration config; config.name = "Zeek::ConnSize"; diff --git a/src/analyzer/protocol/conn-size/functions.bif b/src/analyzer/protocol/conn-size/functions.bif index 582819f5a3..fa9d2d2c9d 100644 --- a/src/analyzer/protocol/conn-size/functions.bif +++ b/src/analyzer/protocol/conn-size/functions.bif @@ -37,7 +37,7 @@ function set_current_conn_bytes_threshold%(cid: conn_id, threshold: count, is_or if ( ! a ) return zeek::val_mgr->False(); - static_cast<::analyzer::conn_size::ConnSize_Analyzer*>(a)->SetByteAndPacketThreshold(threshold, true, is_orig); + static_cast(a)->SetByteAndPacketThreshold(threshold, true, is_orig); return zeek::val_mgr->True(); %} @@ -61,7 +61,7 @@ function set_current_conn_packets_threshold%(cid: conn_id, threshold: count, is_ if ( ! a ) return zeek::val_mgr->False(); - static_cast<::analyzer::conn_size::ConnSize_Analyzer*>(a)->SetByteAndPacketThreshold(threshold, false, is_orig); + static_cast(a)->SetByteAndPacketThreshold(threshold, false, is_orig); return zeek::val_mgr->True(); %} @@ -83,7 +83,7 @@ function set_current_conn_duration_threshold%(cid: conn_id, threshold: interval% if ( ! a ) return zeek::val_mgr->False(); - static_cast<::analyzer::conn_size::ConnSize_Analyzer*>(a)->SetDurationThreshold(threshold); + static_cast(a)->SetDurationThreshold(threshold); return zeek::val_mgr->True(); %} @@ -105,7 +105,7 @@ function get_current_conn_bytes_threshold%(cid: conn_id, is_orig: bool%): count if ( ! a ) return zeek::val_mgr->Count(0); - return zeek::val_mgr->Count(static_cast<::analyzer::conn_size::ConnSize_Analyzer*>(a)->GetByteAndPacketThreshold(true, is_orig)); + return zeek::val_mgr->Count(static_cast(a)->GetByteAndPacketThreshold(true, is_orig)); %} ## Gets the current packet threshold size for a connection. @@ -124,7 +124,7 @@ function get_current_conn_packets_threshold%(cid: conn_id, is_orig: bool%): coun if ( ! a ) return zeek::val_mgr->Count(0); - return zeek::val_mgr->Count(static_cast<::analyzer::conn_size::ConnSize_Analyzer*>(a)->GetByteAndPacketThreshold(false, is_orig)); + return zeek::val_mgr->Count(static_cast(a)->GetByteAndPacketThreshold(false, is_orig)); %} ## Gets the current duration threshold size for a connection. @@ -141,5 +141,5 @@ function get_current_conn_duration_threshold%(cid: conn_id%): interval if ( ! a ) return zeek::make_intrusive(0.0); - return zeek::make_intrusive(static_cast<::analyzer::conn_size::ConnSize_Analyzer*>(a)->GetDurationThreshold()); + return zeek::make_intrusive(static_cast(a)->GetDurationThreshold()); %} diff --git a/src/analyzer/protocol/dce-rpc/DCE_RPC.cc b/src/analyzer/protocol/dce-rpc/DCE_RPC.cc index 022ac998cc..52c8ffb070 100644 --- a/src/analyzer/protocol/dce-rpc/DCE_RPC.cc +++ b/src/analyzer/protocol/dce-rpc/DCE_RPC.cc @@ -1,6 +1,7 @@ // See the file "COPYING" in the main distribution directory for copyright. #include "zeek-config.h" +#include "DCE_RPC.h" #include #include @@ -8,9 +9,7 @@ using namespace std; -#include "DCE_RPC.h" - -using namespace analyzer::dce_rpc; +namespace zeek::analyzer::dce_rpc { DCE_RPC_Analyzer::DCE_RPC_Analyzer(zeek::Connection* conn) : zeek::analyzer::tcp::TCP_ApplicationAnalyzer("DCE_RPC", conn) @@ -65,3 +64,5 @@ void DCE_RPC_Analyzer::DeliverStream(int len, const u_char* data, bool orig) ProtocolViolation(fmt("Binpac exception: %s", e.c_msg())); } } + +} // namespace zeek::analyzer::dce_rpc diff --git a/src/analyzer/protocol/dce-rpc/DCE_RPC.h b/src/analyzer/protocol/dce-rpc/DCE_RPC.h index 50676d91c2..9d1f95394e 100644 --- a/src/analyzer/protocol/dce-rpc/DCE_RPC.h +++ b/src/analyzer/protocol/dce-rpc/DCE_RPC.h @@ -9,7 +9,7 @@ #include "dce_rpc_pac.h" -namespace analyzer { namespace dce_rpc { +namespace zeek::analyzer::dce_rpc { class DCE_RPC_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { public: @@ -32,4 +32,8 @@ protected: binpac::DCE_RPC::DCE_RPC_Conn* interp; }; -} } // namespace analyzer::* +} // namespace zeek::analyzer::dce_rpc + +namespace analyzer::dce_rpc { + using DCE_RPC_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::dce_rpc::DCE_RPC_Analyzer.")]] = zeek::analyzer::dce_rpc::DCE_RPC_Analyzer; +} diff --git a/src/analyzer/protocol/dce-rpc/Plugin.cc b/src/analyzer/protocol/dce-rpc/Plugin.cc index 3a81e88de6..2d9523e428 100644 --- a/src/analyzer/protocol/dce-rpc/Plugin.cc +++ b/src/analyzer/protocol/dce-rpc/Plugin.cc @@ -12,7 +12,7 @@ class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() override { - AddComponent(new zeek::analyzer::Component("DCE_RPC", ::analyzer::dce_rpc::DCE_RPC_Analyzer::Instantiate)); + AddComponent(new zeek::analyzer::Component("DCE_RPC", zeek::analyzer::dce_rpc::DCE_RPC_Analyzer::Instantiate)); zeek::plugin::Configuration config; config.name = "Zeek::DCE_RPC"; diff --git a/src/analyzer/protocol/dhcp/DHCP.cc b/src/analyzer/protocol/dhcp/DHCP.cc index b4ecdca90e..6f945125c7 100644 --- a/src/analyzer/protocol/dhcp/DHCP.cc +++ b/src/analyzer/protocol/dhcp/DHCP.cc @@ -3,7 +3,7 @@ #include "events.bif.h" #include "types.bif.h" -using namespace analyzer::dhcp; +namespace zeek::analyzer::dhcp { DHCP_Analyzer::DHCP_Analyzer(zeek::Connection* conn) : Analyzer("DHCP", conn) @@ -36,3 +36,5 @@ void DHCP_Analyzer::DeliverPacket(int len, const u_char* data, } } + +} // namespace zeek::analyzer::dhcp diff --git a/src/analyzer/protocol/dhcp/DHCP.h b/src/analyzer/protocol/dhcp/DHCP.h index b8592c15f0..02ef9afc64 100644 --- a/src/analyzer/protocol/dhcp/DHCP.h +++ b/src/analyzer/protocol/dhcp/DHCP.h @@ -4,7 +4,7 @@ #include "dhcp_pac.h" -namespace analyzer { namespace dhcp { +namespace zeek::analyzer::dhcp { class DHCP_Analyzer final : public zeek::analyzer::Analyzer { public: @@ -22,4 +22,8 @@ protected: binpac::DHCP::DHCP_Conn* interp; }; -} } // namespace analyzer::* +} // namespace zeek::analyzer::dhcp + +namespace analyzer::dhcp { + using DHCP_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::dhcp::DHCP_Analyzer.")]] = zeek::analyzer::dhcp::DHCP_Analyzer; +} diff --git a/src/analyzer/protocol/dhcp/Plugin.cc b/src/analyzer/protocol/dhcp/Plugin.cc index b916f4b922..dee7b8a2b7 100644 --- a/src/analyzer/protocol/dhcp/Plugin.cc +++ b/src/analyzer/protocol/dhcp/Plugin.cc @@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() override { - AddComponent(new zeek::analyzer::Component("DHCP", ::analyzer::dhcp::DHCP_Analyzer::Instantiate)); + AddComponent(new zeek::analyzer::Component("DHCP", zeek::analyzer::dhcp::DHCP_Analyzer::Instantiate)); zeek::plugin::Configuration config; config.name = "Zeek::DHCP"; diff --git a/src/analyzer/protocol/dnp3/DNP3.cc b/src/analyzer/protocol/dnp3/DNP3.cc index 71ca3cf45e..48e8d82943 100644 --- a/src/analyzer/protocol/dnp3/DNP3.cc +++ b/src/analyzer/protocol/dnp3/DNP3.cc @@ -100,19 +100,19 @@ #include "Reporter.h" #include "events.bif.h" -using namespace analyzer::dnp3; +constexpr unsigned int PSEUDO_LENGTH_INDEX = 2; // index of len field of DNP3 Pseudo Link Layer +constexpr unsigned int PSEUDO_CONTROL_FIELD_INDEX = 3; // index of ctrl field of DNP3 Pseudo Link Layer +constexpr unsigned int PSEUDO_TRANSPORT_INDEX = 10; // index of DNP3 Pseudo Transport Layer +constexpr unsigned int PSEUDO_APP_LAYER_INDEX = 11; // index of first DNP3 app-layer byte. +constexpr unsigned int PSEUDO_TRANSPORT_LEN = 1; // length of DNP3 Transport Layer +constexpr unsigned int PSEUDO_LINK_LAYER_LEN = 8; // length of DNP3 Pseudo Link Layer -const unsigned int PSEUDO_LENGTH_INDEX = 2; // index of len field of DNP3 Pseudo Link Layer -const unsigned int PSEUDO_CONTROL_FIELD_INDEX = 3; // index of ctrl field of DNP3 Pseudo Link Layer -const unsigned int PSEUDO_TRANSPORT_INDEX = 10; // index of DNP3 Pseudo Transport Layer -const unsigned int PSEUDO_APP_LAYER_INDEX = 11; // index of first DNP3 app-layer byte. -const unsigned int PSEUDO_TRANSPORT_LEN = 1; // length of DNP3 Transport Layer -const unsigned int PSEUDO_LINK_LAYER_LEN = 8; // length of DNP3 Pseudo Link Layer +namespace zeek::analyzer::dnp3 { +namespace detail { bool DNP3_Base::crc_table_initialized = false; unsigned int DNP3_Base::crc_table[256]; - DNP3_Base::DNP3_Base(zeek::analyzer::Analyzer* arg_analyzer) { analyzer = arg_analyzer; @@ -385,6 +385,7 @@ unsigned int DNP3_Base::CalcCRC(int len, const u_char* data) return ~crc & 0xFFFF; } +} // namespace detail DNP3_TCP_Analyzer::DNP3_TCP_Analyzer(zeek::Connection* c) : DNP3_Base(this), TCP_ApplicationAnalyzer("DNP3_TCP", c) { @@ -456,3 +457,5 @@ void DNP3_UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, ui throw; } } + +} // namespace zeek::analyzer::dnp3 diff --git a/src/analyzer/protocol/dnp3/DNP3.h b/src/analyzer/protocol/dnp3/DNP3.h index c18e508310..45ff9969b3 100644 --- a/src/analyzer/protocol/dnp3/DNP3.h +++ b/src/analyzer/protocol/dnp3/DNP3.h @@ -6,7 +6,9 @@ #include "dnp3_pac.h" -namespace analyzer { namespace dnp3 { +namespace zeek::analyzer::dnp3 { + +namespace detail { class DNP3_Base { public: @@ -61,7 +63,9 @@ protected: Endpoint resp_state; }; -class DNP3_TCP_Analyzer : public DNP3_Base, public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { +} // namespace detail + +class DNP3_TCP_Analyzer : public detail::DNP3_Base, public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { public: explicit DNP3_TCP_Analyzer(zeek::Connection* conn); ~DNP3_TCP_Analyzer() override; @@ -75,7 +79,7 @@ public: { return new DNP3_TCP_Analyzer(conn); } }; -class DNP3_UDP_Analyzer : public DNP3_Base, public zeek::analyzer::Analyzer { +class DNP3_UDP_Analyzer : public detail::DNP3_Base, public zeek::analyzer::Analyzer { public: explicit DNP3_UDP_Analyzer(zeek::Connection* conn); ~DNP3_UDP_Analyzer() override; @@ -88,4 +92,11 @@ public: }; -} } // namespace analyzer::* +} // namespace zeek::analyzer::dnp3 + +namespace analyzer::dnp3 { + using DNP3_Base [[deprecated("Remove in v4.1. Use zeek::analyzer::dnp3::detail::DNP3_Base.")]] = zeek::analyzer::dnp3::detail::DNP3_Base; + using DNP3_TCP_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::dnp3::DNP3_TCP_Analyzer.")]] = zeek::analyzer::dnp3::DNP3_TCP_Analyzer; + using DNP3_UDP_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::dnp3::DNP3_UDP_Analyzer.")]] = zeek::analyzer::dnp3::DNP3_UDP_Analyzer; + +} diff --git a/src/analyzer/protocol/dnp3/Plugin.cc b/src/analyzer/protocol/dnp3/Plugin.cc index 58fdc5d6a8..af7c216284 100644 --- a/src/analyzer/protocol/dnp3/Plugin.cc +++ b/src/analyzer/protocol/dnp3/Plugin.cc @@ -11,8 +11,8 @@ class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() override { - AddComponent(new zeek::analyzer::Component("DNP3_TCP", ::analyzer::dnp3::DNP3_TCP_Analyzer::Instantiate)); - AddComponent(new zeek::analyzer::Component("DNP3_UDP", ::analyzer::dnp3::DNP3_UDP_Analyzer::Instantiate)); + AddComponent(new zeek::analyzer::Component("DNP3_TCP", zeek::analyzer::dnp3::DNP3_TCP_Analyzer::Instantiate)); + AddComponent(new zeek::analyzer::Component("DNP3_UDP", zeek::analyzer::dnp3::DNP3_UDP_Analyzer::Instantiate)); zeek::plugin::Configuration config; config.name = "Zeek::DNP3"; diff --git a/src/analyzer/protocol/dns/DNS.cc b/src/analyzer/protocol/dns/DNS.cc index 931a078ceb..8b132c80c1 100644 --- a/src/analyzer/protocol/dns/DNS.cc +++ b/src/analyzer/protocol/dns/DNS.cc @@ -17,7 +17,9 @@ #include "events.bif.h" -using namespace analyzer::dns; +namespace zeek::analyzer::dns { + +namespace detail { DNS_Interpreter::DNS_Interpreter(zeek::analyzer::Analyzer* arg_analyzer) { @@ -27,7 +29,7 @@ DNS_Interpreter::DNS_Interpreter(zeek::analyzer::Analyzer* arg_analyzer) void DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query) { - int hdr_len = sizeof(DNS_RawMsgHdr); + int hdr_len = sizeof(detail::DNS_RawMsgHdr); if ( len < hdr_len ) { @@ -35,7 +37,7 @@ void DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query) return; } - DNS_MsgInfo msg((DNS_RawMsgHdr*) data, is_query); + detail::DNS_MsgInfo msg((detail::DNS_RawMsgHdr*) data, is_query); if ( first_message && msg.QR && is_query == 1 ) { @@ -76,8 +78,8 @@ void DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query) return; } - if ( ! ParseAnswers(&msg, msg.ancount, DNS_ANSWER, - data, len, msg_start) ) + if ( ! ParseAnswers(&msg, msg.ancount, detail::DNS_ANSWER, + data, len, msg_start) ) { EndMessage(&msg); return; @@ -107,8 +109,8 @@ void DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query) } msg.skip_event = skip_auth; - if ( ! ParseAnswers(&msg, msg.nscount, DNS_AUTHORITY, - data, len, msg_start) ) + if ( ! ParseAnswers(&msg, msg.nscount, detail::DNS_AUTHORITY, + data, len, msg_start) ) { EndMessage(&msg); return; @@ -122,8 +124,8 @@ void DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query) } msg.skip_event = skip_addl; - if ( ! ParseAnswers(&msg, msg.arcount, DNS_ADDITIONAL, - data, len, msg_start) ) + if ( ! ParseAnswers(&msg, msg.arcount, detail::DNS_ADDITIONAL, + data, len, msg_start) ) { EndMessage(&msg); return; @@ -132,7 +134,7 @@ void DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query) EndMessage(&msg); } -void DNS_Interpreter::EndMessage(DNS_MsgInfo* msg) +void DNS_Interpreter::EndMessage(detail::DNS_MsgInfo* msg) { if ( dns_end ) analyzer->EnqueueConnEvent(dns_end, @@ -141,9 +143,9 @@ void DNS_Interpreter::EndMessage(DNS_MsgInfo* msg) ); } -bool DNS_Interpreter::ParseQuestions(DNS_MsgInfo* msg, - const u_char*& data, int& len, - const u_char* msg_start) +bool DNS_Interpreter::ParseQuestions(detail::DNS_MsgInfo* msg, + const u_char*& data, int& len, + const u_char* msg_start) { int n = msg->qdcount; @@ -152,9 +154,9 @@ bool DNS_Interpreter::ParseQuestions(DNS_MsgInfo* msg, return n == 0; } -bool DNS_Interpreter::ParseAnswers(DNS_MsgInfo* msg, int n, DNS_AnswerType atype, - const u_char*& data, int& len, - const u_char* msg_start) +bool DNS_Interpreter::ParseAnswers(detail::DNS_MsgInfo* msg, int n, detail::DNS_AnswerType atype, + const u_char*& data, int& len, + const u_char* msg_start) { msg->answer_type = atype; @@ -164,9 +166,9 @@ bool DNS_Interpreter::ParseAnswers(DNS_MsgInfo* msg, int n, DNS_AnswerType atype return n == 0; } -bool DNS_Interpreter::ParseQuestion(DNS_MsgInfo* msg, - const u_char*& data, int& len, - const u_char* msg_start) +bool DNS_Interpreter::ParseQuestion(detail::DNS_MsgInfo* msg, + const u_char*& data, int& len, + const u_char* msg_start) { u_char name[513]; int name_len = sizeof(name) - 1; @@ -217,9 +219,9 @@ bool DNS_Interpreter::ParseQuestion(DNS_MsgInfo* msg, return true; } -bool DNS_Interpreter::ParseAnswer(DNS_MsgInfo* msg, - const u_char*& data, int& len, - const u_char* msg_start) +bool DNS_Interpreter::ParseAnswer(detail::DNS_MsgInfo* msg, + const u_char*& data, int& len, + const u_char* msg_start) { u_char name[513]; int name_len = sizeof(name) - 1; @@ -239,7 +241,7 @@ bool DNS_Interpreter::ParseAnswer(DNS_MsgInfo* msg, // re-interpreted by other, more adventurous RR types. msg->query_name = zeek::make_intrusive(new zeek::String(name, name_end - name, true)); - msg->atype = RR_Type(ExtractShort(data, len)); + msg->atype = detail::RR_Type(ExtractShort(data, len)); msg->aclass = ExtractShort(data, len); msg->ttl = ExtractLong(data, len); @@ -252,54 +254,54 @@ bool DNS_Interpreter::ParseAnswer(DNS_MsgInfo* msg, bool status; switch ( msg->atype ) { - case TYPE_A: + case detail::TYPE_A: status = ParseRR_A(msg, data, len, rdlength); break; - case TYPE_A6: - case TYPE_AAAA: + case detail::TYPE_A6: + case detail::TYPE_AAAA: status = ParseRR_AAAA(msg, data, len, rdlength); break; - case TYPE_NS: - case TYPE_CNAME: - case TYPE_PTR: + case detail::TYPE_NS: + case detail::TYPE_CNAME: + case detail::TYPE_PTR: status = ParseRR_Name(msg, data, len, rdlength, msg_start); break; - case TYPE_SOA: + case detail::TYPE_SOA: status = ParseRR_SOA(msg, data, len, rdlength, msg_start); break; - case TYPE_WKS: + case detail::TYPE_WKS: status = ParseRR_WKS(msg, data, len, rdlength); break; - case TYPE_HINFO: + case detail::TYPE_HINFO: status = ParseRR_HINFO(msg, data, len, rdlength); break; - case TYPE_MX: + case detail::TYPE_MX: status = ParseRR_MX(msg, data, len, rdlength, msg_start); break; - case TYPE_TXT: + case detail::TYPE_TXT: status = ParseRR_TXT(msg, data, len, rdlength, msg_start); break; - case TYPE_SPF: + case detail::TYPE_SPF: status = ParseRR_SPF(msg, data, len, rdlength, msg_start); break; - case TYPE_CAA: + case detail::TYPE_CAA: status = ParseRR_CAA(msg, data, len, rdlength, msg_start); break; - case TYPE_NBS: + case detail::TYPE_NBS: status = ParseRR_NBS(msg, data, len, rdlength, msg_start); break; - case TYPE_SRV: + case detail::TYPE_SRV: if ( ntohs(analyzer->Conn()->RespPort()) == 137 ) { // This is an NBSTAT (NetBIOS NODE STATUS) record. @@ -313,31 +315,31 @@ bool DNS_Interpreter::ParseAnswer(DNS_MsgInfo* msg, break; - case TYPE_EDNS: + case detail::TYPE_EDNS: status = ParseRR_EDNS(msg, data, len, rdlength, msg_start); break; - case TYPE_TSIG: + case detail::TYPE_TSIG: status = ParseRR_TSIG(msg, data, len, rdlength, msg_start); break; - case TYPE_RRSIG: + case detail::TYPE_RRSIG: status = ParseRR_RRSIG(msg, data, len, rdlength, msg_start); break; - case TYPE_DNSKEY: + case detail::TYPE_DNSKEY: status = ParseRR_DNSKEY(msg, data, len, rdlength, msg_start); break; - case TYPE_NSEC: + case detail::TYPE_NSEC: status = ParseRR_NSEC(msg, data, len, rdlength, msg_start); break; - case TYPE_NSEC3: + case detail::TYPE_NSEC3: status = ParseRR_NSEC3(msg, data, len, rdlength, msg_start); break; - case TYPE_DS: + case detail::TYPE_DS: status = ParseRR_DS(msg, data, len, rdlength, msg_start); break; @@ -361,8 +363,8 @@ bool DNS_Interpreter::ParseAnswer(DNS_MsgInfo* msg, } u_char* DNS_Interpreter::ExtractName(const u_char*& data, int& len, - u_char* name, int name_len, - const u_char* msg_start, bool downcase) + u_char* name, int name_len, + const u_char* msg_start, bool downcase) { u_char* name_start = name; @@ -391,8 +393,8 @@ u_char* DNS_Interpreter::ExtractName(const u_char*& data, int& len, } bool DNS_Interpreter::ExtractLabel(const u_char*& data, int& len, - u_char*& name, int& name_len, - const u_char* msg_start) + u_char*& name, int& name_len, + const u_char* msg_start) { if ( len <= 0 ) return false; @@ -518,9 +520,9 @@ uint32_t DNS_Interpreter::ExtractLong(const u_char*& data, int& len) return val; } -bool DNS_Interpreter::ParseRR_Name(DNS_MsgInfo* msg, - const u_char*& data, int& len, int rdlength, - const u_char* msg_start) +bool DNS_Interpreter::ParseRR_Name(detail::DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength, + const u_char* msg_start) { const u_char* data_start = data; @@ -538,17 +540,17 @@ bool DNS_Interpreter::ParseRR_Name(DNS_MsgInfo* msg, zeek::EventHandlerPtr reply_event; switch ( msg->atype ) { - case TYPE_NS: + case detail::TYPE_NS: reply_event = dns_NS_reply; break; - case TYPE_CNAME: - case TYPE_AAAA: - case TYPE_A6: + case detail::TYPE_CNAME: + case detail::TYPE_AAAA: + case detail::TYPE_A6: reply_event = dns_CNAME_reply; break; - case TYPE_PTR: + case detail::TYPE_PTR: reply_event = dns_PTR_reply; break; @@ -568,9 +570,9 @@ bool DNS_Interpreter::ParseRR_Name(DNS_MsgInfo* msg, return true; } -bool DNS_Interpreter::ParseRR_SOA(DNS_MsgInfo* msg, - const u_char*& data, int& len, int rdlength, - const u_char* msg_start) +bool DNS_Interpreter::ParseRR_SOA(detail::DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength, + const u_char* msg_start) { const u_char* data_start = data; @@ -623,9 +625,9 @@ bool DNS_Interpreter::ParseRR_SOA(DNS_MsgInfo* msg, return true; } -bool DNS_Interpreter::ParseRR_MX(DNS_MsgInfo* msg, - const u_char*& data, int& len, int rdlength, - const u_char* msg_start) +bool DNS_Interpreter::ParseRR_MX(detail::DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength, + const u_char* msg_start) { const u_char* data_start = data; @@ -653,18 +655,18 @@ bool DNS_Interpreter::ParseRR_MX(DNS_MsgInfo* msg, return true; } -bool DNS_Interpreter::ParseRR_NBS(DNS_MsgInfo* msg, - const u_char*& data, int& len, int rdlength, - const u_char* msg_start) +bool DNS_Interpreter::ParseRR_NBS(detail::DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength, + const u_char* msg_start) { data += rdlength; len -= rdlength; return true; } -bool DNS_Interpreter::ParseRR_SRV(DNS_MsgInfo* msg, - const u_char*& data, int& len, int rdlength, - const u_char* msg_start) +bool DNS_Interpreter::ParseRR_SRV(detail::DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength, + const u_char* msg_start) { const u_char* data_start = data; @@ -696,9 +698,9 @@ bool DNS_Interpreter::ParseRR_SRV(DNS_MsgInfo* msg, return true; } -bool DNS_Interpreter::ParseRR_EDNS(DNS_MsgInfo* msg, - const u_char*& data, int& len, int rdlength, - const u_char* msg_start) +bool DNS_Interpreter::ParseRR_EDNS(detail::DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength, + const u_char* msg_start) { if ( dns_EDNS_addl && ! msg->skip_event ) analyzer->EnqueueConnEvent(dns_EDNS_addl, @@ -721,14 +723,14 @@ bool DNS_Interpreter::ParseRR_EDNS(DNS_MsgInfo* msg, // TODO: Implement additional option codes switch ( option_code ) { - case TYPE_ECS: + case detail::TYPE_ECS: { // must be 4 bytes + variable number of octets for address if ( option_len <= 4 ) { break; } - EDNS_ECS opt{}; + detail::EDNS_ECS opt{}; uint16_t ecs_family = ExtractShort(data, option_len); uint16_t source_scope = ExtractShort(data, option_len); opt.ecs_src_pfx_len = (source_scope >> 8) & 0xff; @@ -893,9 +895,9 @@ zeek::String* DNS_Interpreter::ExtractStream(const u_char*& data, int& len, int return rval; } -bool DNS_Interpreter::ParseRR_TSIG(DNS_MsgInfo* msg, - const u_char*& data, int& len, int rdlength, - const u_char* msg_start) +bool DNS_Interpreter::ParseRR_TSIG(detail::DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength, + const u_char* msg_start) { const u_char* data_start = data; u_char alg_name[1024]; @@ -918,7 +920,7 @@ bool DNS_Interpreter::ParseRR_TSIG(DNS_MsgInfo* msg, if ( dns_TSIG_addl ) { - TSIG_DATA tsig; + detail::TSIG_DATA tsig; tsig.alg_name = new zeek::String(alg_name, alg_name_end - alg_name, true); tsig.sig = request_MAC; @@ -938,9 +940,9 @@ bool DNS_Interpreter::ParseRR_TSIG(DNS_MsgInfo* msg, return true; } -bool DNS_Interpreter::ParseRR_RRSIG(DNS_MsgInfo* msg, - const u_char*& data, int& len, int rdlength, - const u_char* msg_start) +bool DNS_Interpreter::ParseRR_RRSIG(detail::DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength, + const u_char* msg_start) { if ( ! dns_RRSIG || msg->skip_event ) { @@ -973,42 +975,42 @@ bool DNS_Interpreter::ParseRR_RRSIG(DNS_MsgInfo* msg, return false; int sig_len = rdlength - ((data - data_start) + 18); - DNSSEC_Algo dsa = DNSSEC_Algo(algo); + detail::DNSSEC_Algo dsa = detail::DNSSEC_Algo(algo); zeek::String* sign = ExtractStream(data, len, sig_len); switch ( dsa ) { - case RSA_MD5: + case detail::RSA_MD5: analyzer->Weird("DNSSEC_RRSIG_NotRecommended_ZoneSignAlgo", fmt("%d", algo)); break; - case Diffie_Hellman: + case detail::Diffie_Hellman: break; - case DSA_SHA1: + case detail::DSA_SHA1: break; - case Elliptic_Curve: + case detail::Elliptic_Curve: break; - case RSA_SHA1: + case detail::RSA_SHA1: break; - case DSA_NSEC3_SHA1: + case detail::DSA_NSEC3_SHA1: break; - case RSA_SHA1_NSEC3_SHA1: + case detail::RSA_SHA1_NSEC3_SHA1: break; - case RSA_SHA256: + case detail::RSA_SHA256: break; - case RSA_SHA512: + case detail::RSA_SHA512: break; - case GOST_R_34_10_2001: + case detail::GOST_R_34_10_2001: break; - case ECDSA_curveP256withSHA256: + case detail::ECDSA_curveP256withSHA256: break; - case ECDSA_curveP384withSHA384: + case detail::ECDSA_curveP384withSHA384: break; - case Indirect: + case detail::Indirect: analyzer->Weird("DNSSEC_RRSIG_Indirect_ZoneSignAlgo", fmt("%d", algo)); break; - case PrivateDNS: + case detail::PrivateDNS: analyzer->Weird("DNSSEC_RRSIG_PrivateDNS_ZoneSignAlgo", fmt("%d", algo)); break; - case PrivateOID: + case detail::PrivateOID: analyzer->Weird("DNSSEC_RRSIG_PrivateOID_ZoneSignAlgo", fmt("%d", algo)); break; default: @@ -1018,7 +1020,7 @@ bool DNS_Interpreter::ParseRR_RRSIG(DNS_MsgInfo* msg, if ( dns_RRSIG ) { - RRSIG_DATA rrsig; + detail::RRSIG_DATA rrsig; rrsig.type_covered = type_covered; rrsig.algorithm = algo; rrsig.labels = lab; @@ -1040,9 +1042,9 @@ bool DNS_Interpreter::ParseRR_RRSIG(DNS_MsgInfo* msg, return true; } -bool DNS_Interpreter::ParseRR_DNSKEY(DNS_MsgInfo* msg, - const u_char*& data, int& len, int rdlength, - const u_char* msg_start) +bool DNS_Interpreter::ParseRR_DNSKEY(detail::DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength, + const u_char* msg_start) { if ( ! dns_DNSKEY || msg->skip_event ) { @@ -1059,7 +1061,7 @@ bool DNS_Interpreter::ParseRR_DNSKEY(DNS_MsgInfo* msg, auto proto_algo = ExtractShort(data, len); unsigned int dprotocol = (proto_algo >> 8) & 0xff; unsigned int dalgorithm = proto_algo & 0xff; - DNSSEC_Algo dsa = DNSSEC_Algo(dalgorithm); + detail::DNSSEC_Algo dsa = detail::DNSSEC_Algo(dalgorithm); //Evaluating the size of remaining bytes for Public Key zeek::String* key = ExtractStream(data, len, rdlength - 4); @@ -1077,38 +1079,38 @@ bool DNS_Interpreter::ParseRR_DNSKEY(DNS_MsgInfo* msg, analyzer->Weird("DNSSEC_DNSKEY_Invalid_Protocol", fmt("%d", dprotocol)); switch ( dsa ) { - case RSA_MD5: + case detail::RSA_MD5: analyzer->Weird("DNSSEC_DNSKEY_NotRecommended_ZoneSignAlgo", fmt("%d", dalgorithm)); break; - case Diffie_Hellman: + case detail::Diffie_Hellman: break; - case DSA_SHA1: + case detail::DSA_SHA1: break; - case Elliptic_Curve: + case detail::Elliptic_Curve: break; - case RSA_SHA1: + case detail::RSA_SHA1: break; - case DSA_NSEC3_SHA1: + case detail::DSA_NSEC3_SHA1: break; - case RSA_SHA1_NSEC3_SHA1: + case detail::RSA_SHA1_NSEC3_SHA1: break; - case RSA_SHA256: + case detail::RSA_SHA256: break; - case RSA_SHA512: + case detail::RSA_SHA512: break; - case GOST_R_34_10_2001: + case detail::GOST_R_34_10_2001: break; - case ECDSA_curveP256withSHA256: + case detail::ECDSA_curveP256withSHA256: break; - case ECDSA_curveP384withSHA384: + case detail::ECDSA_curveP384withSHA384: break; - case Indirect: + case detail::Indirect: analyzer->Weird("DNSSEC_DNSKEY_Indirect_ZoneSignAlgo", fmt("%d", dalgorithm)); break; - case PrivateDNS: + case detail::PrivateDNS: analyzer->Weird("DNSSEC_DNSKEY_PrivateDNS_ZoneSignAlgo", fmt("%d", dalgorithm)); break; - case PrivateOID: + case detail::PrivateOID: analyzer->Weird("DNSSEC_DNSKEY_PrivateOID_ZoneSignAlgo", fmt("%d", dalgorithm)); break; default: @@ -1118,7 +1120,7 @@ bool DNS_Interpreter::ParseRR_DNSKEY(DNS_MsgInfo* msg, if ( dns_DNSKEY ) { - DNSKEY_DATA dnskey; + detail::DNSKEY_DATA dnskey; dnskey.dflags = dflags; dnskey.dalgorithm = dalgorithm; dnskey.dprotocol = dprotocol; @@ -1135,9 +1137,9 @@ bool DNS_Interpreter::ParseRR_DNSKEY(DNS_MsgInfo* msg, return true; } -bool DNS_Interpreter::ParseRR_NSEC(DNS_MsgInfo* msg, - const u_char*& data, int& len, int rdlength, - const u_char* msg_start) +bool DNS_Interpreter::ParseRR_NSEC(detail::DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength, + const u_char* msg_start) { if ( ! dns_NSEC || msg->skip_event ) { @@ -1187,9 +1189,9 @@ bool DNS_Interpreter::ParseRR_NSEC(DNS_MsgInfo* msg, return true; } -bool DNS_Interpreter::ParseRR_NSEC3(DNS_MsgInfo* msg, - const u_char*& data, int& len, int rdlength, - const u_char* msg_start) +bool DNS_Interpreter::ParseRR_NSEC3(detail::DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength, + const u_char* msg_start) { if ( ! dns_NSEC3 || msg->skip_event ) { @@ -1252,7 +1254,7 @@ bool DNS_Interpreter::ParseRR_NSEC3(DNS_MsgInfo* msg, if ( dns_NSEC3 ) { - NSEC3_DATA nsec3; + detail::NSEC3_DATA nsec3; nsec3.nsec_flags = nsec_flags; nsec3.nsec_hash_algo = hash_algo; nsec3.nsec_iter = iter; @@ -1273,9 +1275,9 @@ bool DNS_Interpreter::ParseRR_NSEC3(DNS_MsgInfo* msg, return true; } -bool DNS_Interpreter::ParseRR_DS(DNS_MsgInfo* msg, - const u_char*& data, int& len, int rdlength, - const u_char* msg_start) +bool DNS_Interpreter::ParseRR_DS(detail::DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength, + const u_char* msg_start) { if ( ! dns_DS || msg->skip_event ) { @@ -1292,19 +1294,19 @@ bool DNS_Interpreter::ParseRR_DS(DNS_MsgInfo* msg, uint32_t ds_algo_dtype = ExtractShort(data, len); unsigned int ds_algo = (ds_algo_dtype >> 8) & 0xff; unsigned int ds_dtype = ds_algo_dtype & 0xff; - DNSSEC_Digest ds_digest_type = DNSSEC_Digest(ds_dtype); + detail::DNSSEC_Digest ds_digest_type = detail::DNSSEC_Digest(ds_dtype); zeek::String* ds_digest = ExtractStream(data, len, rdlength - 4); switch ( ds_digest_type ) { - case SHA1: + case detail::SHA1: break; - case SHA256: + case detail::SHA256: break; - case GOST_R_34_11_94: + case detail::GOST_R_34_11_94: break; - case SHA384: + case detail::SHA384: break; - case analyzer::dns::reserved: + case detail::reserved: analyzer->Weird("DNSSEC_DS_ResrevedDigestType", fmt("%d", ds_dtype)); break; default: @@ -1314,7 +1316,7 @@ bool DNS_Interpreter::ParseRR_DS(DNS_MsgInfo* msg, if ( dns_DS ) { - DS_DATA ds; + detail::DS_DATA ds; ds.key_tag = ds_key_tag; ds.algorithm = ds_algo; ds.digest_type = ds_dtype; @@ -1331,8 +1333,8 @@ bool DNS_Interpreter::ParseRR_DS(DNS_MsgInfo* msg, return true; } -bool DNS_Interpreter::ParseRR_A(DNS_MsgInfo* msg, - const u_char*& data, int& len, int rdlength) +bool DNS_Interpreter::ParseRR_A(detail::DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength) { if ( rdlength != 4 ) { @@ -1353,8 +1355,8 @@ bool DNS_Interpreter::ParseRR_A(DNS_MsgInfo* msg, return true; } -bool DNS_Interpreter::ParseRR_AAAA(DNS_MsgInfo* msg, - const u_char*& data, int& len, int rdlength) +bool DNS_Interpreter::ParseRR_AAAA(detail::DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength) { uint32_t addr[4]; @@ -1364,7 +1366,7 @@ bool DNS_Interpreter::ParseRR_AAAA(DNS_MsgInfo* msg, if ( len < 0 ) { - if ( msg->atype == TYPE_AAAA ) + if ( msg->atype == detail::TYPE_AAAA ) analyzer->Weird("DNS_AAAA_neg_length"); else analyzer->Weird("DNS_A6_neg_length"); @@ -1373,7 +1375,7 @@ bool DNS_Interpreter::ParseRR_AAAA(DNS_MsgInfo* msg, } zeek::EventHandlerPtr event; - if ( msg->atype == TYPE_AAAA ) + if ( msg->atype == detail::TYPE_AAAA ) event = dns_AAAA_reply; else event = dns_A6_reply; @@ -1389,8 +1391,8 @@ bool DNS_Interpreter::ParseRR_AAAA(DNS_MsgInfo* msg, return true; } -bool DNS_Interpreter::ParseRR_WKS(DNS_MsgInfo* msg, - const u_char*& data, int& len, int rdlength) +bool DNS_Interpreter::ParseRR_WKS(detail::DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength) { data += rdlength; len -= rdlength; @@ -1398,8 +1400,8 @@ bool DNS_Interpreter::ParseRR_WKS(DNS_MsgInfo* msg, return true; } -bool DNS_Interpreter::ParseRR_HINFO(DNS_MsgInfo* msg, - const u_char*& data, int& len, int rdlength) +bool DNS_Interpreter::ParseRR_HINFO(detail::DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength) { data += rdlength; len -= rdlength; @@ -1435,9 +1437,9 @@ extract_char_string(zeek::analyzer::Analyzer* analyzer, return rval; } -bool DNS_Interpreter::ParseRR_TXT(DNS_MsgInfo* msg, - const u_char*& data, int& len, int rdlength, - const u_char* msg_start) +bool DNS_Interpreter::ParseRR_TXT(detail::DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength, + const u_char* msg_start) { if ( ! dns_TXT_reply || msg->skip_event ) { @@ -1463,9 +1465,9 @@ bool DNS_Interpreter::ParseRR_TXT(DNS_MsgInfo* msg, return rdlength == 0; } -bool DNS_Interpreter::ParseRR_SPF(DNS_MsgInfo* msg, - const u_char*& data, int& len, int rdlength, - const u_char* msg_start) +bool DNS_Interpreter::ParseRR_SPF(detail::DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength, + const u_char* msg_start) { if ( ! dns_SPF_reply || msg->skip_event ) { @@ -1491,9 +1493,9 @@ bool DNS_Interpreter::ParseRR_SPF(DNS_MsgInfo* msg, return rdlength == 0; } -bool DNS_Interpreter::ParseRR_CAA(DNS_MsgInfo* msg, - const u_char*& data, int& len, int rdlength, - const u_char* msg_start) +bool DNS_Interpreter::ParseRR_CAA(detail::DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength, + const u_char* msg_start) { if ( ! dns_CAA_reply || msg->skip_event ) { @@ -1540,13 +1542,13 @@ bool DNS_Interpreter::ParseRR_CAA(DNS_MsgInfo* msg, } -void DNS_Interpreter::SendReplyOrRejectEvent(DNS_MsgInfo* msg, +void DNS_Interpreter::SendReplyOrRejectEvent(detail::DNS_MsgInfo* msg, zeek::EventHandlerPtr event, const u_char*& data, int& len, zeek::String* question_name, zeek::String* original_name) { - RR_Type qtype = RR_Type(ExtractShort(data, len)); + detail::RR_Type qtype = detail::RR_Type(ExtractShort(data, len)); int qclass = ExtractShort(data, len); assert(event); @@ -1561,7 +1563,6 @@ void DNS_Interpreter::SendReplyOrRejectEvent(DNS_MsgInfo* msg, ); } - DNS_MsgInfo::DNS_MsgInfo(DNS_RawMsgHdr* hdr, int arg_is_query) { //### Need to fix alignment if hdr is misaligned (not on a short @@ -1585,7 +1586,7 @@ DNS_MsgInfo::DNS_MsgInfo(DNS_RawMsgHdr* hdr, int arg_is_query) id = ntohs(hdr->id); is_query = arg_is_query; - atype = TYPE_ALL; + atype = detail::TYPE_ALL; aclass = 0; ttl = 0; @@ -1795,15 +1796,17 @@ zeek::RecordValPtr DNS_MsgInfo::BuildDS_Val(DS_DATA* ds) return r; } +} // namespace detail + Contents_DNS::Contents_DNS(zeek::Connection* conn, bool orig, - DNS_Interpreter* arg_interp) + detail::DNS_Interpreter* arg_interp) : zeek::analyzer::tcp::TCP_SupportAnalyzer("CONTENTS_DNS", conn, orig) { interp = arg_interp; msg_buf = nullptr; buf_n = buf_len = msg_size = 0; - state = DNS_LEN_HI; + state = detail::DNS_LEN_HI; } Contents_DNS::~Contents_DNS() @@ -1829,10 +1832,10 @@ void Contents_DNS::DeliverStream(int len, const u_char* data, bool orig) void Contents_DNS::ProcessChunk(int& len, const u_char*& data, bool orig) { - if ( state == DNS_LEN_HI ) + if ( state == detail::DNS_LEN_HI ) { msg_size = (*data) << 8; - state = DNS_LEN_LO; + state = detail::DNS_LEN_LO; ++data; --len; @@ -1841,10 +1844,10 @@ void Contents_DNS::ProcessChunk(int& len, const u_char*& data, bool orig) return; } - if ( state == DNS_LEN_LO ) + if ( state == detail::DNS_LEN_LO ) { msg_size += *data; - state = DNS_MESSAGE_BUFFER; + state = detail::DNS_MESSAGE_BUFFER; buf_n = 0; @@ -1869,7 +1872,7 @@ void Contents_DNS::ProcessChunk(int& len, const u_char*& data, bool orig) return; } - if ( state != DNS_MESSAGE_BUFFER ) + if ( state != detail::DNS_MESSAGE_BUFFER ) Conn()->Internal("state inconsistency in Contents_DNS::DeliverStream"); int n; @@ -1886,13 +1889,13 @@ void Contents_DNS::ProcessChunk(int& len, const u_char*& data, bool orig) ForwardPacket(msg_size, msg_buf, orig, -1, nullptr, 0); buf_n = 0; - state = DNS_LEN_HI; + state = detail::DNS_LEN_HI; } DNS_Analyzer::DNS_Analyzer(zeek::Connection* conn) : zeek::analyzer::tcp::TCP_ApplicationAnalyzer("DNS", conn) { - interp = new DNS_Interpreter(this); + interp = new detail::DNS_Interpreter(this); contents_dns_orig = contents_dns_resp = nullptr; if ( Conn()->ConnTransport() == TRANSPORT_TCP ) @@ -1963,3 +1966,5 @@ void DNS_Analyzer::ExpireTimer(double t) t + dns_session_timeout, true, zeek::detail::TIMER_DNS_EXPIRE); } + +} // namespace zeek::analyzer::dns diff --git a/src/analyzer/protocol/dns/DNS.h b/src/analyzer/protocol/dns/DNS.h index 1754274a8d..1d41918d05 100644 --- a/src/analyzer/protocol/dns/DNS.h +++ b/src/analyzer/protocol/dns/DNS.h @@ -5,9 +5,10 @@ #include "analyzer/protocol/tcp/TCP.h" #include "binpac_bro.h" -namespace analyzer { namespace dns { +namespace zeek::analyzer::dns { +namespace detail { -typedef enum { +enum DNS_Opcode { DNS_OP_QUERY = 0, ///< standard query DNS_OP_IQUERY = 1, ///< reverse query @@ -20,18 +21,18 @@ typedef enum { NETBIOS_RELEASE = 6, NETBIOS_WACK = 7, // wait for ACK NETBIOS_REFRESH = 8, -} DNS_Opcode; +}; -typedef enum { +enum DNS_Code { DNS_CODE_OK = 0, ///< no error DNS_CODE_FORMAT_ERR = 1, ///< format error DNS_CODE_SERVER_FAIL = 2, ///< server failure DNS_CODE_NAME_ERR = 3, ///< no such domain DNS_CODE_NOT_IMPL = 4, ///< not implemented DNS_CODE_REFUSED = 5, ///< refused -} DNS_Code; +}; -typedef enum { +enum RR_Type { TYPE_A = 1, ///< host address TYPE_NS = 2, ///< authoritative name server TYPE_CNAME = 5, ///< canonical name @@ -69,21 +70,21 @@ typedef enum { TYPE_ALL = 255, TYPE_WINS = 65281, ///< Microsoft's WINS RR TYPE_WINSR = 65282, ///< Microsoft's WINS-R RR -} RR_Type; +}; #define DNS_CLASS_IN 1 #define DNS_CLASS_ANY 255 -typedef enum { +enum DNS_AnswerType { DNS_QUESTION, DNS_ANSWER, DNS_AUTHORITY, DNS_ADDITIONAL, -} DNS_AnswerType; +}; // https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml // DNS EDNS0 Option Codes (OPT) -typedef enum { +enum EDNS_OPT_Type { TYPE_LLQ = 1, ///< https://www.iana.org/go/draft-sekar-dns-llq-06 TYPE_UL = 2, ///< http://files.dns-sd.org/draft-sekar-dns-ul.txt TYPE_NSID = 3, ///< RFC5001 @@ -101,9 +102,9 @@ typedef enum { TYPE_CLIENT_TAG = 16, ///< https://www.iana.org/go/draft-bellis-dnsop-edns-tags TYPE_SERVER_TAG = 17, ///< https://www.iana.org/go/draft-bellis-dnsop-edns-tags TYPE_DEVICE_ID = 26946 ///< https://docs.umbrella.com/developer/networkdevices-api/identifying-dns-traffic2 -} EDNS_OPT_Type; +}; -typedef enum { +enum DNSSEC_Algo { reserved0 = 0, RSA_MD5 = 1, ///< [RFC2537] NOT RECOMMENDED Diffie_Hellman = 2, ///< [RFC2539] @@ -121,15 +122,15 @@ typedef enum { PrivateDNS = 253, ///< OPTIONAL PrivateOID = 254, ///< OPTIONAL reserved255 = 255, -} DNSSEC_Algo; +}; -typedef enum { +enum DNSSEC_Digest { reserved = 0, SHA1 = 1, ///< [RFC3110] MANDATORY SHA256 = 2, GOST_R_34_11_94 = 3, SHA384 = 4, -} DNSSEC_Digest; +}; struct DNS_RawMsgHdr { unsigned short id; @@ -258,7 +259,6 @@ public: ///< for forward lookups }; - class DNS_Interpreter { public: explicit DNS_Interpreter(zeek::analyzer::Analyzer* analyzer); @@ -268,26 +268,27 @@ public: void Timeout() { } protected: - void EndMessage(DNS_MsgInfo* msg); + void EndMessage(detail::DNS_MsgInfo* msg); - bool ParseQuestions(DNS_MsgInfo* msg, - const u_char*& data, int& len, - const u_char* start); - bool ParseAnswers(DNS_MsgInfo* msg, int n, DNS_AnswerType answer_type, - const u_char*& data, int& len, - const u_char* start); + bool ParseQuestions(detail::DNS_MsgInfo* msg, + const u_char*& data, int& len, + const u_char* start); + bool ParseAnswers(detail::DNS_MsgInfo* msg, int n, + detail::DNS_AnswerType answer_type, + const u_char*& data, int& len, + const u_char* start); - bool ParseQuestion(DNS_MsgInfo* msg, - const u_char*& data, int& len, const u_char* start); - bool ParseAnswer(DNS_MsgInfo* msg, - const u_char*& data, int& len, const u_char* start); + bool ParseQuestion(detail::DNS_MsgInfo* msg, + const u_char*& data, int& len, const u_char* start); + bool ParseAnswer(detail::DNS_MsgInfo* msg, + const u_char*& data, int& len, const u_char* start); u_char* ExtractName(const u_char*& data, int& len, - u_char* label, int label_len, - const u_char* msg_start, bool downcase = true); + u_char* label, int label_len, + const u_char* msg_start, bool downcase = true); bool ExtractLabel(const u_char*& data, int& len, - u_char*& label, int& label_len, - const u_char* msg_start); + u_char*& label, int& label_len, + const u_char* msg_start); uint16_t ExtractShort(const u_char*& data, int& len); uint32_t ExtractLong(const u_char*& data, int& len); @@ -295,63 +296,63 @@ protected: zeek::String* ExtractStream(const u_char*& data, int& len, int sig_len); - bool ParseRR_Name(DNS_MsgInfo* msg, - const u_char*& data, int& len, int rdlength, - const u_char* msg_start); - bool ParseRR_SOA(DNS_MsgInfo* msg, - const u_char*& data, int& len, int rdlength, - const u_char* msg_start); - bool ParseRR_MX(DNS_MsgInfo* msg, - const u_char*& data, int& len, int rdlength, - const u_char* msg_start); - bool ParseRR_NBS(DNS_MsgInfo* msg, - const u_char*& data, int& len, int rdlength, - const u_char* msg_start); - bool ParseRR_SRV(DNS_MsgInfo* msg, - const u_char*& data, int& len, int rdlength, - const u_char* msg_start); - bool ParseRR_EDNS(DNS_MsgInfo* msg, - const u_char*& data, int& len, int rdlength, - const u_char* msg_start); - bool ParseRR_EDNS_ECS(DNS_MsgInfo* msg, - const u_char*& data, int& len, int rdlength, - const u_char* msg_start); - bool ParseRR_A(DNS_MsgInfo* msg, - const u_char*& data, int& len, int rdlength); - bool ParseRR_AAAA(DNS_MsgInfo* msg, - const u_char*& data, int& len, int rdlength); - bool ParseRR_WKS(DNS_MsgInfo* msg, - const u_char*& data, int& len, int rdlength); - bool ParseRR_HINFO(DNS_MsgInfo* msg, - const u_char*& data, int& len, int rdlength); - bool ParseRR_TXT(DNS_MsgInfo* msg, - const u_char*& data, int& len, int rdlength, - const u_char* msg_start); - bool ParseRR_SPF(DNS_MsgInfo* msg, - const u_char*& data, int& len, int rdlength, - const u_char* msg_start); - bool ParseRR_CAA(DNS_MsgInfo* msg, - const u_char*& data, int& len, int rdlength, - const u_char* msg_start); - bool ParseRR_TSIG(DNS_MsgInfo* msg, - const u_char*& data, int& len, int rdlength, - const u_char* msg_start); - bool ParseRR_RRSIG(DNS_MsgInfo* msg, - const u_char*& data, int& len, int rdlength, - const u_char* msg_start); - bool ParseRR_DNSKEY(DNS_MsgInfo* msg, - const u_char*& data, int& len, int rdlength, - const u_char* msg_start); - bool ParseRR_NSEC(DNS_MsgInfo* msg, - const u_char*& data, int& len, int rdlength, - const u_char* msg_start); - bool ParseRR_NSEC3(DNS_MsgInfo* msg, - const u_char*& data, int& len, int rdlength, - const u_char* msg_start); - bool ParseRR_DS(DNS_MsgInfo* msg, - const u_char*& data, int& len, int rdlength, - const u_char* msg_start); - void SendReplyOrRejectEvent(DNS_MsgInfo* msg, zeek::EventHandlerPtr event, + bool ParseRR_Name(detail::DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength, + const u_char* msg_start); + bool ParseRR_SOA(detail::DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength, + const u_char* msg_start); + bool ParseRR_MX(detail::DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength, + const u_char* msg_start); + bool ParseRR_NBS(detail::DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength, + const u_char* msg_start); + bool ParseRR_SRV(detail::DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength, + const u_char* msg_start); + bool ParseRR_EDNS(detail::DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength, + const u_char* msg_start); + bool ParseRR_EDNS_ECS(detail::DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength, + const u_char* msg_start); + bool ParseRR_A(detail::DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength); + bool ParseRR_AAAA(detail::DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength); + bool ParseRR_WKS(detail::DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength); + bool ParseRR_HINFO(detail::DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength); + bool ParseRR_TXT(detail::DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength, + const u_char* msg_start); + bool ParseRR_SPF(detail::DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength, + const u_char* msg_start); + bool ParseRR_CAA(detail::DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength, + const u_char* msg_start); + bool ParseRR_TSIG(detail::DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength, + const u_char* msg_start); + bool ParseRR_RRSIG(detail::DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength, + const u_char* msg_start); + bool ParseRR_DNSKEY(detail::DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength, + const u_char* msg_start); + bool ParseRR_NSEC(detail::DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength, + const u_char* msg_start); + bool ParseRR_NSEC3(detail::DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength, + const u_char* msg_start); + bool ParseRR_DS(detail::DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength, + const u_char* msg_start); + void SendReplyOrRejectEvent(detail::DNS_MsgInfo* msg, zeek::EventHandlerPtr event, const u_char*& data, int& len, zeek::String* question_name, zeek::String* original_name); @@ -360,35 +361,36 @@ protected: bool first_message; }; - -typedef enum { +enum TCP_DNS_state { DNS_LEN_HI, ///< looking for the high-order byte of the length DNS_LEN_LO, ///< looking for the low-order byte of the length DNS_MESSAGE_BUFFER, ///< building up the message in the buffer -} TCP_DNS_state; +}; + +} // namespace detail // Support analyzer which chunks the TCP stream into "packets". // ### This should be merged with TCP_Contents_RPC. class Contents_DNS final : public zeek::analyzer::tcp::TCP_SupportAnalyzer { public: - Contents_DNS(zeek::Connection* c, bool orig, DNS_Interpreter* interp); + Contents_DNS(zeek::Connection* c, bool orig, detail::DNS_Interpreter* interp); ~Contents_DNS() override; void Flush(); ///< process any partially-received data - TCP_DNS_state State() const { return state; } + detail::TCP_DNS_state State() const { return state; } protected: void DeliverStream(int len, const u_char* data, bool orig) override; void ProcessChunk(int& len, const u_char*& data, bool orig); - DNS_Interpreter* interp; + detail::DNS_Interpreter* interp; u_char* msg_buf; int buf_n; ///< number of bytes in msg_buf int buf_len; ///< size of msg_buf int msg_size; ///< expected size of message - TCP_DNS_state state; + detail::TCP_DNS_state state; }; // Works for both TCP and UDP. @@ -410,9 +412,134 @@ public: { return new DNS_Analyzer(conn); } protected: - DNS_Interpreter* interp; + detail::DNS_Interpreter* interp; Contents_DNS* contents_dns_orig; Contents_DNS* contents_dns_resp; }; -} } // namespace analyzer::* +} // namespace zeek::analyzer::dns + +namespace analyzer::dns { + using DNS_Opcode [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::DNS_Opcode.")]] = zeek::analyzer::dns::detail::DNS_Opcode; + constexpr auto DNS_OP_QUERY [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::DNS_OP_QUERY.")]] = zeek::analyzer::dns::detail::DNS_OP_QUERY; + constexpr auto DNS_OP_IQUERY [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::DNS_OP_IQUERY.")]] = zeek::analyzer::dns::detail::DNS_OP_IQUERY; + constexpr auto DNS_OP_SERVER_STATUS [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::DNS_OP_SERVER_STATUS.")]] = zeek::analyzer::dns::detail::DNS_OP_SERVER_STATUS; + constexpr auto NETBIOS_REGISTRATION [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::NETBIOS_REGISTRATION.")]] = zeek::analyzer::dns::detail::NETBIOS_REGISTRATION; + constexpr auto NETBIOS_RELEASE [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::NETBIOS_RELEASE.")]] = zeek::analyzer::dns::detail::NETBIOS_RELEASE; + constexpr auto NETBIOS_WACK [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::NETBIOS_WACK.")]] = zeek::analyzer::dns::detail::NETBIOS_WACK; + constexpr auto NETBIOS_REFRESH [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::NETBIOS_REFRESH.")]] = zeek::analyzer::dns::detail::NETBIOS_REFRESH; + + using DNS_Code [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::DNS_Code.")]] = zeek::analyzer::dns::detail::DNS_Code; + constexpr auto DNS_CODE_OK [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::DNS_CODE_OK.")]] = zeek::analyzer::dns::detail::DNS_CODE_OK; + constexpr auto DNS_CODE_FORMAT_ERR [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::DNS_CODE_FORMAT_ERR.")]] = zeek::analyzer::dns::detail::DNS_CODE_FORMAT_ERR; + constexpr auto DNS_CODE_SERVER_FAIL [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::DNS_CODE_SERVER_FAIL.")]] = zeek::analyzer::dns::detail::DNS_CODE_SERVER_FAIL; + constexpr auto DNS_CODE_NAME_ERR [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::DNS_CODE_NAME_ERR.")]] = zeek::analyzer::dns::detail::DNS_CODE_NAME_ERR; + constexpr auto DNS_CODE_NOT_IMPL [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::DNS_CODE_NOT_IMPL.")]] = zeek::analyzer::dns::detail::DNS_CODE_NOT_IMPL; + constexpr auto DNS_CODE_REFUSED [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::DNS_CODE_REFUSED.")]] = zeek::analyzer::dns::detail::DNS_CODE_REFUSED; + + using RR_Type [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::RR_Type.")]] = zeek::analyzer::dns::detail::RR_Type; + constexpr auto TYPE_A [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_A.")]] = zeek::analyzer::dns::detail::TYPE_A; + constexpr auto TYPE_NS [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_NS.")]] = zeek::analyzer::dns::detail::TYPE_NS; + constexpr auto TYPE_CNAME [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_CNAME.")]] = zeek::analyzer::dns::detail::TYPE_CNAME; + constexpr auto TYPE_SOA [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_SOA.")]] = zeek::analyzer::dns::detail::TYPE_SOA; + constexpr auto TYPE_WKS [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_WKS.")]] = zeek::analyzer::dns::detail::TYPE_WKS; + constexpr auto TYPE_PTR [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_PTR.")]] = zeek::analyzer::dns::detail::TYPE_PTR; + constexpr auto TYPE_HINFO [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_HINFO.")]] = zeek::analyzer::dns::detail::TYPE_HINFO; + constexpr auto TYPE_MX [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_MX.")]] = zeek::analyzer::dns::detail::TYPE_MX; + constexpr auto TYPE_TXT [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_TXT.")]] = zeek::analyzer::dns::detail::TYPE_TXT; + constexpr auto TYPE_SIG [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_SIG.")]] = zeek::analyzer::dns::detail::TYPE_SIG; + constexpr auto TYPE_KEY [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_KEY.")]] = zeek::analyzer::dns::detail::TYPE_KEY; + constexpr auto TYPE_PX [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_PX.")]] = zeek::analyzer::dns::detail::TYPE_PX; + constexpr auto TYPE_AAAA [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_AAAA.")]] = zeek::analyzer::dns::detail::TYPE_AAAA; + constexpr auto TYPE_NBS [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_NBS.")]] = zeek::analyzer::dns::detail::TYPE_NBS; + constexpr auto TYPE_SRV [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_SRV.")]] = zeek::analyzer::dns::detail::TYPE_SRV; + constexpr auto TYPE_NAPTR [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_NAPTR.")]] = zeek::analyzer::dns::detail::TYPE_NAPTR; + constexpr auto TYPE_KX [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_KX.")]] = zeek::analyzer::dns::detail::TYPE_KX; + constexpr auto TYPE_CERT [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_CERT.")]] = zeek::analyzer::dns::detail::TYPE_CERT; + constexpr auto TYPE_A6 [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_A6.")]] = zeek::analyzer::dns::detail::TYPE_A6; + constexpr auto TYPE_DNAME [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_DNAME.")]] = zeek::analyzer::dns::detail::TYPE_DNAME; + constexpr auto TYPE_EDNS [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_EDNS.")]] = zeek::analyzer::dns::detail::TYPE_EDNS; + constexpr auto TYPE_TKEY [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_TKEY.")]] = zeek::analyzer::dns::detail::TYPE_TKEY; + constexpr auto TYPE_TSIG [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_TSIG.")]] = zeek::analyzer::dns::detail::TYPE_TSIG; + constexpr auto TYPE_CAA [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_CAA.")]] = zeek::analyzer::dns::detail::TYPE_CAA; + constexpr auto TYPE_RRSIG [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_RRSIG.")]] = zeek::analyzer::dns::detail::TYPE_RRSIG; + constexpr auto TYPE_NSEC [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_NSEC.")]] = zeek::analyzer::dns::detail::TYPE_NSEC; + constexpr auto TYPE_DNSKEY [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_DNSKEY.")]] = zeek::analyzer::dns::detail::TYPE_DNSKEY; + constexpr auto TYPE_DS [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_DS.")]] = zeek::analyzer::dns::detail::TYPE_DS; + constexpr auto TYPE_NSEC3 [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_NSEC3.")]] = zeek::analyzer::dns::detail::TYPE_NSEC3; + constexpr auto TYPE_SPF [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_SPF.")]] = zeek::analyzer::dns::detail::TYPE_SPF; + constexpr auto TYPE_AXFR [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_AXFR.")]] = zeek::analyzer::dns::detail::TYPE_AXFR; + constexpr auto TYPE_ALL [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_ALL.")]] = zeek::analyzer::dns::detail::TYPE_ALL; + constexpr auto TYPE_WINS [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_WINS.")]] = zeek::analyzer::dns::detail::TYPE_WINS; + constexpr auto TYPE_WINSR [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_WINSR.")]] = zeek::analyzer::dns::detail::TYPE_WINSR; + + using DNS_AnswerType [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::DNS_AnswerType.")]] = zeek::analyzer::dns::detail::DNS_AnswerType; + constexpr auto DNS_QUESTION [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::DNS_QUESTION.")]] = zeek::analyzer::dns::detail::DNS_QUESTION; + constexpr auto DNS_ANSWER [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::DNS_ANSWER.")]] = zeek::analyzer::dns::detail::DNS_ANSWER; + constexpr auto DNS_AUTHORITY [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::DNS_AUTHORITY.")]] = zeek::analyzer::dns::detail::DNS_AUTHORITY; + constexpr auto DNS_ADDITIONAL [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::DNS_ADDITIONAL.")]] = zeek::analyzer::dns::detail::DNS_ADDITIONAL; + + using EDNS_OPT_Type [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::EDNS_OPT_Type.")]] = zeek::analyzer::dns::detail::EDNS_OPT_Type; + constexpr auto TYPE_LLQ [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_LLQ.")]] = zeek::analyzer::dns::detail::TYPE_LLQ; + constexpr auto TYPE_UL [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_UL.")]] = zeek::analyzer::dns::detail::TYPE_UL; + constexpr auto TYPE_NSID [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_NSID.")]] = zeek::analyzer::dns::detail::TYPE_NSID; + constexpr auto TYPE_DAU [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_DAU.")]] = zeek::analyzer::dns::detail::TYPE_DAU; + constexpr auto TYPE_DHU [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_DHU.")]] = zeek::analyzer::dns::detail::TYPE_DHU; + constexpr auto TYPE_N3U [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_N3U.")]] = zeek::analyzer::dns::detail::TYPE_N3U; + constexpr auto TYPE_ECS [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_ECS.")]] = zeek::analyzer::dns::detail::TYPE_ECS; + constexpr auto TYPE_EXPIRE [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_EXPIRE.")]] = zeek::analyzer::dns::detail::TYPE_EXPIRE; + constexpr auto TYPE_TCP_KA [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_TCP_KA.")]] = zeek::analyzer::dns::detail::TYPE_TCP_KA; + constexpr auto TYPE_PAD [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_PAD.")]] = zeek::analyzer::dns::detail::TYPE_PAD; + constexpr auto TYPE_CHAIN [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_CHAIN.")]] = zeek::analyzer::dns::detail::TYPE_CHAIN; + constexpr auto TYPE_KEY_TAG [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_KEY_TAG.")]] = zeek::analyzer::dns::detail::TYPE_KEY_TAG; + constexpr auto TYPE_ERROR [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_ERROR.")]] = zeek::analyzer::dns::detail::TYPE_ERROR; + constexpr auto TYPE_CLIENT_TAG [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_CLIENT_TAG.")]] = zeek::analyzer::dns::detail::TYPE_CLIENT_TAG; + constexpr auto TYPE_SERVER_TAG [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_SERVER_TAG.")]] = zeek::analyzer::dns::detail::TYPE_SERVER_TAG; + constexpr auto TYPE_DEVICE_ID [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_DEVICE_ID.")]] = zeek::analyzer::dns::detail::TYPE_DEVICE_ID; + + using DNSSEC_Algo [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::DNSSEC_Algo.")]] = zeek::analyzer::dns::detail::DNSSEC_Algo; + constexpr auto reserved0 [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::reserved0.")]] = zeek::analyzer::dns::detail::reserved0; + constexpr auto RSA_MD5 [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::RSA_MD5.")]] = zeek::analyzer::dns::detail::RSA_MD5; + constexpr auto Diffie_Hellman [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::Diffie_Hellman.")]] = zeek::analyzer::dns::detail::Diffie_Hellman; + constexpr auto DSA_SHA1 [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::DSA_SHA1.")]] = zeek::analyzer::dns::detail::DSA_SHA1; + constexpr auto Elliptic_Curve [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::Elliptic_Curve.")]] = zeek::analyzer::dns::detail::Elliptic_Curve; + constexpr auto RSA_SHA1 [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::RSA_SHA1.")]] = zeek::analyzer::dns::detail::RSA_SHA1; + constexpr auto DSA_NSEC3_SHA1 [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::DSA_NSEC3_SHA1.")]] = zeek::analyzer::dns::detail::DSA_NSEC3_SHA1; + constexpr auto RSA_SHA1_NSEC3_SHA1 [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::RSA_SHA1_NSEC3_SHA1.")]] = zeek::analyzer::dns::detail::RSA_SHA1_NSEC3_SHA1; + constexpr auto RSA_SHA256 [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::RSA_SHA256.")]] = zeek::analyzer::dns::detail::RSA_SHA256; + constexpr auto RSA_SHA512 [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::RSA_SHA512.")]] = zeek::analyzer::dns::detail::RSA_SHA512; + constexpr auto GOST_R_34_10_2001 [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::GOST_R_34_10_2001.")]] = zeek::analyzer::dns::detail::GOST_R_34_10_2001; + constexpr auto ECDSA_curveP256withSHA256 [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::ECDSA_curveP256withSHA256.")]] = zeek::analyzer::dns::detail::ECDSA_curveP256withSHA256; + constexpr auto ECDSA_curveP384withSHA384 [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::ECDSA_curveP384withSHA384.")]] = zeek::analyzer::dns::detail::ECDSA_curveP384withSHA384; + constexpr auto Indirect [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::Indirect.")]] = zeek::analyzer::dns::detail::Indirect; + constexpr auto PrivateDNS [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::PrivateDNS.")]] = zeek::analyzer::dns::detail::PrivateDNS; + constexpr auto PrivateOID [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::PrivateOID.")]] = zeek::analyzer::dns::detail::PrivateOID; + constexpr auto reserved255 [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::reserved255.")]] = zeek::analyzer::dns::detail::reserved255; + + using DNSSEC_Digest [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::DNSSEC_Digest.")]] = zeek::analyzer::dns::detail::DNSSEC_Digest; + constexpr auto reserved [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::reserved.")]] = zeek::analyzer::dns::detail::reserved; + constexpr auto SHA1 [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::SHA1.")]] = zeek::analyzer::dns::detail::SHA1; + constexpr auto SHA256 [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::SHA256.")]] = zeek::analyzer::dns::detail::SHA256; + constexpr auto GOST_R_34_11_94 [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::GOST_R_34_11_94.")]] = zeek::analyzer::dns::detail::GOST_R_34_11_94; + constexpr auto SHA384 [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::SHA384.")]] = zeek::analyzer::dns::detail::SHA384; + + using DNS_RawMsgHdr [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::DNS_RawMsgHdr.")]] = zeek::analyzer::dns::detail::DNS_RawMsgHdr; + using EDNS_ADDITIONAL [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::EDNS_ADDITIONAL.")]] = zeek::analyzer::dns::detail::EDNS_ADDITIONAL; + using EDNS_ECS [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::EDNS_ECS.")]] = zeek::analyzer::dns::detail::EDNS_ECS; + using TSIG_DATA [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TSIG_DATA.")]] = zeek::analyzer::dns::detail::TSIG_DATA; + using RRSIG_DATA [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::RRSIG_DATA.")]] = zeek::analyzer::dns::detail::RRSIG_DATA; + using DNSKEY_DATA [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::DNSKEY_DATA.")]] = zeek::analyzer::dns::detail::DNSKEY_DATA; + using NSEC3_DATA [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::NSEC3_DATA.")]] = zeek::analyzer::dns::detail::NSEC3_DATA; + using DS_DATA [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::DS_DATA.")]] = zeek::analyzer::dns::detail::DS_DATA; + using DNS_MsgInfo [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::DNS_MsgInfo.")]] = zeek::analyzer::dns::detail::DNS_MsgInfo; + + using TCP_DNS_state [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TCP_DNS_state.")]] = zeek::analyzer::dns::detail::TCP_DNS_state; + constexpr auto DNS_LEN_HI [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::DNS_LEN_HI.")]] = zeek::analyzer::dns::detail::DNS_LEN_HI; + constexpr auto DNS_LEN_LO [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::DNS_LEN_LO.")]] = zeek::analyzer::dns::detail::DNS_LEN_LO; + constexpr auto DNS_MESSAGE_BUFFER [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::DNS_MESSAGE_BUFFER.")]] = zeek::analyzer::dns::detail::DNS_MESSAGE_BUFFER; + + using DNS_Interpreter [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::DNS_Interpreter.")]] = zeek::analyzer::dns::detail::DNS_Interpreter; + using Contents_DNS [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::Contents_DNS.")]] = zeek::analyzer::dns::Contents_DNS; + using DNS_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::DNS_Analyzer.")]] = zeek::analyzer::dns::DNS_Analyzer; + +} // namespace analyzer::dns diff --git a/src/analyzer/protocol/dns/Plugin.cc b/src/analyzer/protocol/dns/Plugin.cc index 0b6316db0c..3d58a39005 100644 --- a/src/analyzer/protocol/dns/Plugin.cc +++ b/src/analyzer/protocol/dns/Plugin.cc @@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() override { - AddComponent(new zeek::analyzer::Component("DNS", ::analyzer::dns::DNS_Analyzer::Instantiate)); + AddComponent(new zeek::analyzer::Component("DNS", zeek::analyzer::dns::DNS_Analyzer::Instantiate)); AddComponent(new zeek::analyzer::Component("Contents_DNS", nullptr)); zeek::plugin::Configuration config; diff --git a/src/analyzer/protocol/file/File.cc b/src/analyzer/protocol/file/File.cc index 9c6ec217d4..ed23402667 100644 --- a/src/analyzer/protocol/file/File.cc +++ b/src/analyzer/protocol/file/File.cc @@ -9,7 +9,7 @@ #include "events.bif.h" -using namespace analyzer::file; +namespace zeek::analyzer::file { File_Analyzer::File_Analyzer(const char* name, zeek::Connection* conn) : TCP_ApplicationAnalyzer(name, conn) @@ -87,3 +87,5 @@ void File_Analyzer::Identify() zeek::make_intrusive(match) ); } + +} // namespace zeek::analyzer::file diff --git a/src/analyzer/protocol/file/File.h b/src/analyzer/protocol/file/File.h index a9903ac81e..e8d6b0075c 100644 --- a/src/analyzer/protocol/file/File.h +++ b/src/analyzer/protocol/file/File.h @@ -6,7 +6,7 @@ #include -namespace analyzer { namespace file { +namespace zeek::analyzer::file { class File_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { public: @@ -51,4 +51,12 @@ public: { return new FTP_Data(conn); } }; -} } // namespace analyzer::* +} // namespace zeek::analyzer::file + +namespace analyzer::file { + + using File_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::file::File_Analyzer.")]] = zeek::analyzer::file::File_Analyzer; + using IRC_Data [[deprecated("Remove in v4.1. Use zeek::analyzer::file::IRC_Data.")]] = zeek::analyzer::file::IRC_Data; + using FTP_Data [[deprecated("Remove in v4.1. Use zeek::analyzer::file::FTP_Data.")]] = zeek::analyzer::file::FTP_Data; + +} // namespace analyzer::file diff --git a/src/analyzer/protocol/file/Plugin.cc b/src/analyzer/protocol/file/Plugin.cc index 87b0e05341..89d94819a8 100644 --- a/src/analyzer/protocol/file/Plugin.cc +++ b/src/analyzer/protocol/file/Plugin.cc @@ -11,8 +11,8 @@ class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() override { - AddComponent(new zeek::analyzer::Component("FTP_Data", ::analyzer::file::FTP_Data::Instantiate)); - AddComponent(new zeek::analyzer::Component("IRC_Data", ::analyzer::file::IRC_Data::Instantiate)); + AddComponent(new zeek::analyzer::Component("FTP_Data", zeek::analyzer::file::FTP_Data::Instantiate)); + AddComponent(new zeek::analyzer::Component("IRC_Data", zeek::analyzer::file::IRC_Data::Instantiate)); zeek::plugin::Configuration config; config.name = "Zeek::File"; diff --git a/src/analyzer/protocol/finger/Finger.cc b/src/analyzer/protocol/finger/Finger.cc index 8dfba74f2d..7325477af8 100644 --- a/src/analyzer/protocol/finger/Finger.cc +++ b/src/analyzer/protocol/finger/Finger.cc @@ -11,7 +11,7 @@ #include "events.bif.h" -using namespace analyzer::finger; +namespace zeek::analyzer::finger { Finger_Analyzer::Finger_Analyzer(zeek::Connection* conn) : zeek::analyzer::tcp::TCP_ApplicationAnalyzer("FINGER", conn) @@ -91,3 +91,5 @@ void Finger_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig ); } } + +} // namespace zeek::analyzer::finger diff --git a/src/analyzer/protocol/finger/Finger.h b/src/analyzer/protocol/finger/Finger.h index 43eaf43426..3e595831dd 100644 --- a/src/analyzer/protocol/finger/Finger.h +++ b/src/analyzer/protocol/finger/Finger.h @@ -5,7 +5,7 @@ #include "analyzer/protocol/tcp/TCP.h" #include "analyzer/protocol/tcp/ContentLine.h" -namespace analyzer { namespace finger { +namespace zeek::analyzer::finger { class Finger_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { public: @@ -25,4 +25,10 @@ protected: int did_deliver; }; -} } // namespace analyzer::* +} // namespace zeek::analyzer::finger + +namespace analyzer::finger { + + using Finger_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::finger::Finger_Analyzer.")]] = zeek::analyzer::finger::Finger_Analyzer; + +} // namespace analyzer::finger diff --git a/src/analyzer/protocol/finger/Plugin.cc b/src/analyzer/protocol/finger/Plugin.cc index 5bc3201137..65b77a24ea 100644 --- a/src/analyzer/protocol/finger/Plugin.cc +++ b/src/analyzer/protocol/finger/Plugin.cc @@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() override { - AddComponent(new zeek::analyzer::Component("Finger", ::analyzer::finger::Finger_Analyzer::Instantiate)); + AddComponent(new zeek::analyzer::Component("Finger", zeek::analyzer::finger::Finger_Analyzer::Instantiate)); zeek::plugin::Configuration config; config.name = "Zeek::Finger"; diff --git a/src/analyzer/protocol/ftp/FTP.cc b/src/analyzer/protocol/ftp/FTP.cc index d635d1caec..0f33df249a 100644 --- a/src/analyzer/protocol/ftp/FTP.cc +++ b/src/analyzer/protocol/ftp/FTP.cc @@ -15,20 +15,20 @@ #include "events.bif.h" -using namespace analyzer::ftp; +namespace zeek::analyzer::ftp { FTP_Analyzer::FTP_Analyzer(zeek::Connection* conn) : zeek::analyzer::tcp::TCP_ApplicationAnalyzer("FTP", conn) { pending_reply = 0; - nvt_orig = new login::NVT_Analyzer(conn, true); + nvt_orig = new zeek::analyzer::login::NVT_Analyzer(conn, true); nvt_orig->SetIsNULSensitive(true); nvt_orig->SetIsNULSensitive(true); nvt_orig->SetCRLFAsEOL(LF_as_EOL); nvt_orig->SetIsNULSensitive(LF_as_EOL); - nvt_resp = new login::NVT_Analyzer(conn, false); + nvt_resp = new zeek::analyzer::login::NVT_Analyzer(conn, false); nvt_resp->SetIsNULSensitive(true); nvt_resp->SetIsNULSensitive(true); nvt_resp->SetCRLFAsEOL(LF_as_EOL); @@ -331,3 +331,5 @@ void FTP_ADAT_Analyzer::DeliverStream(int len, const u_char* data, bool orig) if ( done ) Parent()->Remove(); } + +} // namespace zeek::analyzer::ftp diff --git a/src/analyzer/protocol/ftp/FTP.h b/src/analyzer/protocol/ftp/FTP.h index fde1827826..b08c4c6d18 100644 --- a/src/analyzer/protocol/ftp/FTP.h +++ b/src/analyzer/protocol/ftp/FTP.h @@ -4,9 +4,9 @@ #include "analyzer/protocol/tcp/TCP.h" -namespace analyzer { namespace login { class NVT_Analyzer; }} +ZEEK_FORWARD_DECLARE_NAMESPACED(NVT_Analyzer, zeek, analyzer::login); -namespace analyzer { namespace ftp { +namespace zeek::analyzer::ftp { class FTP_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { public: @@ -21,8 +21,8 @@ public: } protected: - login::NVT_Analyzer* nvt_orig; - login::NVT_Analyzer* nvt_resp; + zeek::analyzer::login::NVT_Analyzer* nvt_orig; + zeek::analyzer::login::NVT_Analyzer* nvt_resp; uint32_t pending_reply; // code associated with multi-line reply, or 0 std::string auth_requested; // AUTH method requested }; @@ -49,4 +49,11 @@ protected: bool first_token; }; -} } // namespace analyzer::* +} // namespace zeek::analyzer::ftp + +namespace analyzer::ftp { + + using FTP_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::ftp::FTP_Analyzer.")]] = zeek::analyzer::ftp::FTP_Analyzer; + using FTP_ADAT_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::ftp::FTP_ADAT_Analyzer.")]] = zeek::analyzer::ftp::FTP_ADAT_Analyzer; + +} // namespace analyzer::ftp diff --git a/src/analyzer/protocol/ftp/Plugin.cc b/src/analyzer/protocol/ftp/Plugin.cc index b62ca8ea7c..578de9c7bd 100644 --- a/src/analyzer/protocol/ftp/Plugin.cc +++ b/src/analyzer/protocol/ftp/Plugin.cc @@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() override { - AddComponent(new zeek::analyzer::Component("FTP", ::analyzer::ftp::FTP_Analyzer::Instantiate)); + AddComponent(new zeek::analyzer::Component("FTP", zeek::analyzer::ftp::FTP_Analyzer::Instantiate)); AddComponent(new zeek::analyzer::Component("FTP_ADAT", nullptr)); zeek::plugin::Configuration config; diff --git a/src/analyzer/protocol/gnutella/Gnutella.cc b/src/analyzer/protocol/gnutella/Gnutella.cc index 69523da1fa..26c8ec67c6 100644 --- a/src/analyzer/protocol/gnutella/Gnutella.cc +++ b/src/analyzer/protocol/gnutella/Gnutella.cc @@ -14,7 +14,9 @@ #include "events.bif.h" -using namespace analyzer::gnutella; +namespace zeek::analyzer::gnutella { + +namespace detail { GnutellaMsgState::GnutellaMsgState() { @@ -32,6 +34,7 @@ GnutellaMsgState::GnutellaMsgState() payload_len = 0; } +} // namespace detail Gnutella_Analyzer::Gnutella_Analyzer(zeek::Connection* conn) : zeek::analyzer::tcp::TCP_ApplicationAnalyzer("GNUTELLA", conn) @@ -42,8 +45,8 @@ Gnutella_Analyzer::Gnutella_Analyzer(zeek::Connection* conn) ms = nullptr; - orig_msg_state = new GnutellaMsgState(); - resp_msg_state = new GnutellaMsgState(); + orig_msg_state = new detail::GnutellaMsgState(); + resp_msg_state = new detail::GnutellaMsgState(); } Gnutella_Analyzer::~Gnutella_Analyzer() @@ -66,7 +69,7 @@ void Gnutella_Analyzer::Done() if ( gnutella_partial_binary_msg ) { - GnutellaMsgState* p = orig_msg_state; + detail::GnutellaMsgState* p = orig_msg_state; for ( int i = 0; i < 2; ++i, p = resp_msg_state ) { @@ -206,7 +209,7 @@ void Gnutella_Analyzer::DissectMessage(char* msg) } -void Gnutella_Analyzer::SendEvents(GnutellaMsgState* p, bool is_orig) +void Gnutella_Analyzer::SendEvents(detail::GnutellaMsgState* p, bool is_orig) { if ( p->msg_sent ) return; @@ -317,3 +320,5 @@ void Gnutella_Analyzer::DeliverStream(int len, const u_char* data, bool orig) else if ( gnutella_binary_msg ) DeliverMessages(len, data, orig); } + +} // namespace zeek::analyzer::gnutella diff --git a/src/analyzer/protocol/gnutella/Gnutella.h b/src/analyzer/protocol/gnutella/Gnutella.h index 9201ccadba..6e595c8932 100644 --- a/src/analyzer/protocol/gnutella/Gnutella.h +++ b/src/analyzer/protocol/gnutella/Gnutella.h @@ -4,13 +4,15 @@ #include "analyzer/protocol/tcp/TCP.h" -#define ORIG_OK 0x1 -#define RESP_OK 0x2 +namespace zeek::analyzer::gnutella { -#define GNUTELLA_MSG_SIZE 23 -#define GNUTELLA_MAX_PAYLOAD 1024 +constexpr int ORIG_OK = 0x1; +constexpr int RESP_OK = 0x2; -namespace analyzer { namespace gnutella { +constexpr int GNUTELLA_MSG_SIZE = 23; +constexpr int GNUTELLA_MAX_PAYLOAD = 1024; + +namespace detail { class GnutellaMsgState { public: @@ -32,6 +34,7 @@ public: unsigned int payload_left; }; +} // namespace detail class Gnutella_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { public: @@ -54,7 +57,7 @@ private: void DeliverLines(int len, const u_char* data, bool orig); - void SendEvents(GnutellaMsgState* p, bool is_orig); + void SendEvents(detail::GnutellaMsgState* p, bool is_orig); void DissectMessage(char* msg); void DeliverMessages(int len, const u_char* data, bool orig); @@ -63,9 +66,16 @@ private: int new_state; int sent_establish; - GnutellaMsgState* orig_msg_state; - GnutellaMsgState* resp_msg_state; - GnutellaMsgState* ms; + detail::GnutellaMsgState* orig_msg_state; + detail::GnutellaMsgState* resp_msg_state; + detail::GnutellaMsgState* ms; }; -} } // namespace analyzer::* +} // namespace zeek::analyzer::gnutella + +namespace analyzer::gnutella { + + using GnutellaMsgState [[deprecated("Remove in v4.1. Use zeek::analyzer::gnutella::detail::GnutellaMsgState.")]] = zeek::analyzer::gnutella::detail::GnutellaMsgState; + using Gnutella_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::gnutella::Gnutella_Analyzer.")]] = zeek::analyzer::gnutella::Gnutella_Analyzer; + +} // namespace analyzer::gnutella diff --git a/src/analyzer/protocol/gnutella/Plugin.cc b/src/analyzer/protocol/gnutella/Plugin.cc index 476a8579ab..5c216cff95 100644 --- a/src/analyzer/protocol/gnutella/Plugin.cc +++ b/src/analyzer/protocol/gnutella/Plugin.cc @@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() override { - AddComponent(new zeek::analyzer::Component("Gnutella", ::analyzer::gnutella::Gnutella_Analyzer::Instantiate)); + AddComponent(new zeek::analyzer::Component("Gnutella", zeek::analyzer::gnutella::Gnutella_Analyzer::Instantiate)); zeek::plugin::Configuration config; config.name = "Zeek::Gnutella"; diff --git a/src/analyzer/protocol/gssapi/GSSAPI.cc b/src/analyzer/protocol/gssapi/GSSAPI.cc index 9fdf35be3f..8e4d69038c 100644 --- a/src/analyzer/protocol/gssapi/GSSAPI.cc +++ b/src/analyzer/protocol/gssapi/GSSAPI.cc @@ -5,7 +5,7 @@ #include "Reporter.h" #include "events.bif.h" -using namespace analyzer::gssapi; +namespace zeek::analyzer::gssapi { GSSAPI_Analyzer::GSSAPI_Analyzer(zeek::Connection* c) : zeek::analyzer::tcp::TCP_ApplicationAnalyzer("GSSAPI", c) @@ -54,3 +54,5 @@ void GSSAPI_Analyzer::Undelivered(uint64_t seq, int len, bool orig) zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); interp->NewGap(orig, len); } + +} // namespace zeek::analyzer::gssapi diff --git a/src/analyzer/protocol/gssapi/GSSAPI.h b/src/analyzer/protocol/gssapi/GSSAPI.h index d230a0c951..52b286eadf 100644 --- a/src/analyzer/protocol/gssapi/GSSAPI.h +++ b/src/analyzer/protocol/gssapi/GSSAPI.h @@ -7,7 +7,7 @@ #include "gssapi_pac.h" -namespace analyzer { namespace gssapi { +namespace zeek::analyzer::gssapi { class GSSAPI_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { @@ -31,4 +31,10 @@ protected: binpac::GSSAPI::GSSAPI_Conn* interp; }; -} } // namespace analyzer::* +} // namespace zeek::analyzer::gssapi + +namespace analyzer::gssapi { + + using GSSAPI_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::gssapi::GSSAPI_Analyzer.")]] = zeek::analyzer::gssapi::GSSAPI_Analyzer; + +} // namespace analyzer::gssapi diff --git a/src/analyzer/protocol/gssapi/Plugin.cc b/src/analyzer/protocol/gssapi/Plugin.cc index 8124f966e3..12bdccf358 100644 --- a/src/analyzer/protocol/gssapi/Plugin.cc +++ b/src/analyzer/protocol/gssapi/Plugin.cc @@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() override { - AddComponent(new zeek::analyzer::Component("GSSAPI", ::analyzer::gssapi::GSSAPI_Analyzer::Instantiate)); + AddComponent(new zeek::analyzer::Component("GSSAPI", zeek::analyzer::gssapi::GSSAPI_Analyzer::Instantiate)); zeek::plugin::Configuration config; config.name = "Zeek::GSSAPI"; diff --git a/src/analyzer/protocol/gtpv1/GTPv1.cc b/src/analyzer/protocol/gtpv1/GTPv1.cc index af24edb4b5..06ec4cfe28 100644 --- a/src/analyzer/protocol/gtpv1/GTPv1.cc +++ b/src/analyzer/protocol/gtpv1/GTPv1.cc @@ -4,7 +4,7 @@ #include "events.bif.h" -using namespace analyzer::gtpv1; +namespace zeek::analyzer::gtpv1 { GTPv1_Analyzer::GTPv1_Analyzer(zeek::Connection* conn) : Analyzer("GTPV1", conn) @@ -35,3 +35,5 @@ void GTPv1_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint6 ProtocolViolation(fmt("Binpac exception: %s", e.c_msg())); } } + +} // namespace zeek::analyzer::gtpv1 diff --git a/src/analyzer/protocol/gtpv1/GTPv1.h b/src/analyzer/protocol/gtpv1/GTPv1.h index ce5f46e444..e356391d9c 100644 --- a/src/analyzer/protocol/gtpv1/GTPv1.h +++ b/src/analyzer/protocol/gtpv1/GTPv1.h @@ -2,7 +2,7 @@ #include "gtpv1_pac.h" -namespace analyzer { namespace gtpv1 { +namespace zeek::analyzer::gtpv1 { class GTPv1_Analyzer final : public zeek::analyzer::Analyzer { public: @@ -20,4 +20,10 @@ protected: binpac::GTPv1::GTPv1_Conn* interp; }; -} } // namespace analyzer::* +} // namespace zeek::analyzer::gtpv1 + +namespace analyzer::gtpv1 { + + using GTPv1_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::gtpv1::GTPv1_Analyzer.")]] = zeek::analyzer::gtpv1::GTPv1_Analyzer; + +} // namespace analyzer::gtpv1 diff --git a/src/analyzer/protocol/gtpv1/Plugin.cc b/src/analyzer/protocol/gtpv1/Plugin.cc index 34fb899d40..f6c68e63d7 100644 --- a/src/analyzer/protocol/gtpv1/Plugin.cc +++ b/src/analyzer/protocol/gtpv1/Plugin.cc @@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() override { - AddComponent(new zeek::analyzer::Component("GTPv1", ::analyzer::gtpv1::GTPv1_Analyzer::Instantiate)); + AddComponent(new zeek::analyzer::Component("GTPv1", zeek::analyzer::gtpv1::GTPv1_Analyzer::Instantiate)); zeek::plugin::Configuration config; config.name = "Zeek::GTPv1"; diff --git a/src/analyzer/protocol/http/HTTP.cc b/src/analyzer/protocol/http/HTTP.cc index ced07017f9..3ee5076c96 100644 --- a/src/analyzer/protocol/http/HTTP.cc +++ b/src/analyzer/protocol/http/HTTP.cc @@ -16,28 +16,29 @@ #include "events.bif.h" -using namespace analyzer::http; +namespace zeek::analyzer::http { const bool DEBUG_http = false; // The EXPECT_*_NOTHING states are used to prevent further parsing. Used if a // message was interrupted. -enum { +enum HTTP_ExpectRequest { EXPECT_REQUEST_LINE, EXPECT_REQUEST_MESSAGE, EXPECT_REQUEST_TRAILER, EXPECT_REQUEST_NOTHING, }; -enum { +enum HTTP_ExpectReply { EXPECT_REPLY_LINE, EXPECT_REPLY_MESSAGE, EXPECT_REPLY_TRAILER, EXPECT_REPLY_NOTHING, }; -HTTP_Entity::HTTP_Entity(HTTP_Message *arg_message, MIME_Entity* parent_entity, int arg_expect_body) -:MIME_Entity(arg_message, parent_entity) +HTTP_Entity::HTTP_Entity(HTTP_Message* arg_message, zeek::analyzer::mime::MIME_Entity* parent_entity, + int arg_expect_body) + : zeek::analyzer::mime::MIME_Entity(arg_message, parent_entity) { http_message = arg_message; expect_body = arg_expect_body; @@ -75,7 +76,7 @@ void HTTP_Entity::EndOfData() http_message->MyHTTP_Analyzer()-> ForwardEndOfData(http_message->IsOrig()); - MIME_Entity::EndOfData(); + zeek::analyzer::mime::MIME_Entity::EndOfData(); } void HTTP_Entity::Deliver(int len, const char* data, bool trailing_CRLF) @@ -89,7 +90,7 @@ void HTTP_Entity::Deliver(int len, const char* data, bool trailing_CRLF) if ( end_of_data ) { // Multipart entities may have trailers - if ( content_type != mime::CONTENT_TYPE_MULTIPART ) + if ( content_type != zeek::analyzer::mime::CONTENT_TYPE_MULTIPART ) IllegalFormat("data trailing the end of entity"); return; } @@ -100,13 +101,13 @@ void HTTP_Entity::Deliver(int len, const char* data, bool trailing_CRLF) http_message->MyHTTP_Analyzer()->Weird("http_no_crlf_in_header_list"); header_length += len; - MIME_Entity::Deliver(len, data, trailing_CRLF); + zeek::analyzer::mime::MIME_Entity::Deliver(len, data, trailing_CRLF); return; } // Entity body. - if ( content_type == mime::CONTENT_TYPE_MULTIPART || - content_type == mime::CONTENT_TYPE_MESSAGE ) + if ( content_type == zeek::analyzer::mime::CONTENT_TYPE_MULTIPART || + content_type == zeek::analyzer::mime::CONTENT_TYPE_MESSAGE ) DeliverBody(len, data, trailing_CRLF); else if ( chunked_transfer_state != NON_CHUNKED_TRANSFER ) @@ -188,14 +189,14 @@ void HTTP_Entity::DeliverBody(int len, const char* data, bool trailing_CRLF) { if ( encoding == GZIP || encoding == DEFLATE ) { - zip::ZIP_Analyzer::Method method = + zeek::analyzer::zip::ZIP_Analyzer::Method method = encoding == GZIP ? - zip::ZIP_Analyzer::GZIP : zip::ZIP_Analyzer::DEFLATE; + zeek::analyzer::zip::ZIP_Analyzer::GZIP : zeek::analyzer::zip::ZIP_Analyzer::DEFLATE; if ( ! zip ) { // We don't care about the direction here. - zip = new zip::ZIP_Analyzer( + zip = new zeek::analyzer::zip::ZIP_Analyzer( http_message->MyHTTP_Analyzer()->Conn(), false, method); zip->SetOutputHandler(new UncompressedOutput(this)); @@ -216,7 +217,7 @@ void HTTP_Entity::DeliverBodyClear(int len, const char* data, bool trailing_CRLF body_length += 2; if ( deliver_body ) - MIME_Entity::Deliver(len, data, trailing_CRLF); + zeek::analyzer::mime::MIME_Entity::Deliver(len, data, trailing_CRLF); zeek::detail::Rule::PatternType rule = http_message->IsOrig() ? @@ -307,7 +308,7 @@ bool HTTP_Entity::Undelivered(int64_t len) void HTTP_Entity::SubmitData(int len, const char* buf) { if ( deliver_body ) - MIME_Entity::SubmitData(len, buf); + zeek::analyzer::mime::MIME_Entity::SubmitData(len, buf); if ( send_size && ( encoding == GZIP || encoding == DEFLATE ) ) // Auto-decompress in DeliverBody invalidates sizes derived from headers @@ -364,12 +365,12 @@ void HTTP_Entity::SetPlainDelivery(int64_t length) // expect_data_length. } -void HTTP_Entity::SubmitHeader(mime::MIME_Header* h) +void HTTP_Entity::SubmitHeader(zeek::analyzer::mime::MIME_Header* h) { - if ( mime::istrequal(h->get_name(), "content-length") ) + if ( zeek::analyzer::mime::istrequal(h->get_name(), "content-length") ) { zeek::data_chunk_t vt = h->get_value_token(); - if ( ! mime::is_null_data_chunk(vt) ) + if ( ! zeek::analyzer::mime::is_null_data_chunk(vt) ) { int64_t n; if ( atoi_n(vt.length, vt.data, nullptr, 10, n) ) @@ -392,7 +393,7 @@ void HTTP_Entity::SubmitHeader(mime::MIME_Header* h) } // Figure out content-length for HTTP 206 Partial Content response - else if ( mime::istrequal(h->get_name(), "content-range") && + else if ( zeek::analyzer::mime::istrequal(h->get_name(), "content-range") && http_message->MyHTTP_Analyzer()->HTTP_ReplyCode() == 206 ) { zeek::data_chunk_t vt = h->get_value_token(); @@ -477,7 +478,7 @@ void HTTP_Entity::SubmitHeader(mime::MIME_Header* h) } } - else if ( mime::istrequal(h->get_name(), "transfer-encoding") ) + else if ( zeek::analyzer::mime::istrequal(h->get_name(), "transfer-encoding") ) { HTTP_Analyzer::HTTP_VersionNumber http_version; @@ -487,21 +488,21 @@ void HTTP_Entity::SubmitHeader(mime::MIME_Header* h) http_version = http_message->analyzer->GetReplyVersionNumber(); zeek::data_chunk_t vt = h->get_value_token(); - if ( mime::istrequal(vt, "chunked") && + if ( zeek::analyzer::mime::istrequal(vt, "chunked") && http_version == HTTP_Analyzer::HTTP_VersionNumber{1, 1} ) chunked_transfer_state = BEFORE_CHUNK; } - else if ( mime::istrequal(h->get_name(), "content-encoding") ) + else if ( zeek::analyzer::mime::istrequal(h->get_name(), "content-encoding") ) { zeek::data_chunk_t vt = h->get_value_token(); - if ( mime::istrequal(vt, "gzip") || mime::istrequal(vt, "x-gzip") ) + if ( zeek::analyzer::mime::istrequal(vt, "gzip") || zeek::analyzer::mime::istrequal(vt, "x-gzip") ) encoding = GZIP; - if ( mime::istrequal(vt, "deflate") ) + if ( zeek::analyzer::mime::istrequal(vt, "deflate") ) encoding = DEFLATE; } - MIME_Entity::SubmitHeader(h); + zeek::analyzer::mime::MIME_Entity::SubmitHeader(h); } void HTTP_Entity::SubmitAllHeaders() @@ -513,7 +514,7 @@ void HTTP_Entity::SubmitAllHeaders() DEBUG_MSG("%.6f end of headers\n", network_time); if ( Parent() && - Parent()->MIMEContentType() == mime::CONTENT_TYPE_MULTIPART ) + Parent()->MIMEContentType() == zeek::analyzer::mime::CONTENT_TYPE_MULTIPART ) { // Don't treat single \r or \n characters in the multipart body content // as lines because the MIME_Entity code will implicitly add back a @@ -537,7 +538,7 @@ void HTTP_Entity::SubmitAllHeaders() return; } - MIME_Entity::SubmitAllHeaders(); + zeek::analyzer::mime::MIME_Entity::SubmitAllHeaders(); if ( expect_body == HTTP_BODY_NOT_EXPECTED ) { @@ -545,8 +546,8 @@ void HTTP_Entity::SubmitAllHeaders() return; } - if ( content_type == mime::CONTENT_TYPE_MULTIPART || - content_type == mime::CONTENT_TYPE_MESSAGE ) + if ( content_type == zeek::analyzer::mime::CONTENT_TYPE_MULTIPART || + content_type == zeek::analyzer::mime::CONTENT_TYPE_MESSAGE ) { // Do nothing. // Make sure that we check for multiple/message contents first, @@ -597,7 +598,7 @@ void HTTP_Entity::SubmitAllHeaders() HTTP_Message::HTTP_Message(HTTP_Analyzer* arg_analyzer, zeek::analyzer::tcp::ContentLine_Analyzer* arg_cl, bool arg_is_orig, int expect_body, int64_t init_header_length) -: MIME_Message (arg_analyzer) +: zeek::analyzer::mime::MIME_Message (arg_analyzer) { analyzer = arg_analyzer; content_line = arg_cl; @@ -639,7 +640,7 @@ void HTTP_Message::Done(bool interrupted, const char* detail) if ( finished ) return; - MIME_Message::Done(); + zeek::analyzer::mime::MIME_Message::Done(); // DEBUG_MSG("%.6f HTTP message done.\n", network_time); top_level->EndOfData(); @@ -680,7 +681,7 @@ bool HTTP_Message::Undelivered(int64_t len) return false; } -void HTTP_Message::BeginEntity(mime::MIME_Entity* entity) +void HTTP_Message::BeginEntity(zeek::analyzer::mime::MIME_Entity* entity) { if ( DEBUG_http ) DEBUG_MSG("%.6f: begin entity (%d)\n", network_time, is_orig); @@ -694,7 +695,7 @@ void HTTP_Message::BeginEntity(mime::MIME_Entity* entity) ); } -void HTTP_Message::EndEntity(mime::MIME_Entity* entity) +void HTTP_Message::EndEntity(zeek::analyzer::mime::MIME_Entity* entity) { if ( DEBUG_http ) DEBUG_MSG("%.6f: end entity (%d)\n", network_time, is_orig); @@ -714,7 +715,7 @@ void HTTP_Message::EndEntity(mime::MIME_Entity* entity) current_entity = (HTTP_Entity*) entity->Parent(); if ( entity->Parent() && - entity->Parent()->MIMEContentType() == mime::CONTENT_TYPE_MULTIPART ) + entity->Parent()->MIMEContentType() == zeek::analyzer::mime::CONTENT_TYPE_MULTIPART ) { content_line->SupressWeirds(false); content_line->SetCRLFAsEOL(); @@ -737,12 +738,12 @@ void HTTP_Message::EndEntity(mime::MIME_Entity* entity) } } -void HTTP_Message::SubmitHeader(mime::MIME_Header* h) +void HTTP_Message::SubmitHeader(zeek::analyzer::mime::MIME_Header* h) { MyHTTP_Analyzer()->HTTP_Header(is_orig, h); } -void HTTP_Message::SubmitAllHeaders(mime::MIME_HeaderList& hlist) +void HTTP_Message::SubmitAllHeaders(zeek::analyzer::mime::MIME_HeaderList& hlist) { if ( http_all_headers ) analyzer->EnqueueConnEvent(http_all_headers, @@ -760,7 +761,7 @@ void HTTP_Message::SubmitAllHeaders(mime::MIME_HeaderList& hlist) ); } -void HTTP_Message::SubmitTrailingHeaders(mime::MIME_HeaderList& /* hlist */) +void HTTP_Message::SubmitTrailingHeaders(zeek::analyzer::mime::MIME_HeaderList& /* hlist */) { // Do nothing for now. Note that if this ever changes do something // which relies on the header list argument, that's currently not @@ -795,15 +796,15 @@ void HTTP_Message::SubmitEvent(int event_type, const char* detail) const char* category = ""; switch ( event_type ) { - case mime::MIME_EVENT_ILLEGAL_FORMAT: + case zeek::analyzer::mime::MIME_EVENT_ILLEGAL_FORMAT: category = "illegal format"; break; - case mime::MIME_EVENT_ILLEGAL_ENCODING: + case zeek::analyzer::mime::MIME_EVENT_ILLEGAL_ENCODING: category = "illegal encoding"; break; - case mime::MIME_EVENT_CONTENT_GAP: + case zeek::analyzer::mime::MIME_EVENT_CONTENT_GAP: category = "content gap"; break; @@ -971,7 +972,7 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig) { if ( ! RequestExpected() ) HTTP_Event("crud_trailing_HTTP_request", - mime::to_string_val(line, end_of_line)); + zeek::analyzer::mime::to_string_val(line, end_of_line)); else { // We do see HTTP requests with a @@ -1093,7 +1094,7 @@ void HTTP_Analyzer::Undelivered(uint64_t seq, int len, bool is_orig) if ( ! content_line->IsSkippedContents(seq, len) ) { if ( msg ) - msg->SubmitEvent(mime::MIME_EVENT_CONTENT_GAP, + msg->SubmitEvent(zeek::analyzer::mime::MIME_EVENT_CONTENT_GAP, fmt("seq=%" PRIu64", len=%d", seq, len)); } @@ -1314,10 +1315,10 @@ bool HTTP_Analyzer::ParseRequest(const char* line, const char* end_of_line) version_end = version_start + 3; if ( skip_whitespace(version_end, end_of_line) != end_of_line ) HTTP_Event("crud after HTTP version is ignored", - mime::to_string_val(line, end_of_line)); + zeek::analyzer::mime::to_string_val(line, end_of_line)); } else - HTTP_Event("bad_HTTP_version", mime::to_string_val(line, end_of_line)); + HTTP_Event("bad_HTTP_version", zeek::analyzer::mime::to_string_val(line, end_of_line)); } // NormalizeURI(line, end_of_uri); @@ -1343,7 +1344,7 @@ HTTP_Analyzer::HTTP_VersionNumber HTTP_Analyzer::HTTP_Version(int len, const cha } else { - HTTP_Event("bad_HTTP_version", mime::to_string_val(len, data)); + HTTP_Event("bad_HTTP_version", zeek::analyzer::mime::to_string_val(len, data)); return {}; } } @@ -1519,20 +1520,20 @@ int HTTP_Analyzer::HTTP_ReplyLine(const char* line, const char* end_of_line) // ##TODO: some server replies with an HTML document // without a status line and a MIME header, when the // request is malformed. - HTTP_Event("bad_HTTP_reply", mime::to_string_val(line, end_of_line)); + HTTP_Event("bad_HTTP_reply", zeek::analyzer::mime::to_string_val(line, end_of_line)); return 0; } SetVersion(&reply_version, HTTP_Version(end_of_line - rest, rest)); for ( ; rest < end_of_line; ++rest ) - if ( mime::is_lws(*rest) ) + if ( zeek::analyzer::mime::is_lws(*rest) ) break; if ( rest >= end_of_line ) { HTTP_Event("HTTP_reply_code_missing", - mime::to_string_val(line, end_of_line)); + zeek::analyzer::mime::to_string_val(line, end_of_line)); return 0; } @@ -1541,20 +1542,20 @@ int HTTP_Analyzer::HTTP_ReplyLine(const char* line, const char* end_of_line) if ( rest + 3 > end_of_line ) { HTTP_Event("HTTP_reply_code_missing", - mime::to_string_val(line, end_of_line)); + zeek::analyzer::mime::to_string_val(line, end_of_line)); return 0; } reply_code = HTTP_ReplyCode(rest); for ( rest += 3; rest < end_of_line; ++rest ) - if ( mime::is_lws(*rest) ) + if ( zeek::analyzer::mime::is_lws(*rest) ) break; if ( rest >= end_of_line ) { HTTP_Event("HTTP_reply_reason_phrase_missing", - mime::to_string_val(line, end_of_line)); + zeek::analyzer::mime::to_string_val(line, end_of_line)); // Tolerate missing reason phrase? return 1; } @@ -1601,29 +1602,29 @@ int HTTP_Analyzer::ExpectReplyMessageBody() return HTTP_BODY_EXPECTED; } -void HTTP_Analyzer::HTTP_Header(bool is_orig, mime::MIME_Header* h) +void HTTP_Analyzer::HTTP_Header(bool is_orig, zeek::analyzer::mime::MIME_Header* h) { // To be "liberal", we only look at "keep-alive" on the client // side, and if seen assume the connection to be persistent. // This seems fairly safe - at worst, the client does indeed // send additional requests, and the server ignores them. - if ( is_orig && mime::istrequal(h->get_name(), "connection") ) + if ( is_orig && zeek::analyzer::mime::istrequal(h->get_name(), "connection") ) { - if ( mime::istrequal(h->get_value_token(), "keep-alive") ) + if ( zeek::analyzer::mime::istrequal(h->get_value_token(), "keep-alive") ) keep_alive = 1; } if ( ! is_orig && - mime::istrequal(h->get_name(), "connection") ) + zeek::analyzer::mime::istrequal(h->get_name(), "connection") ) { - if ( mime::istrequal(h->get_value_token(), "close") ) + if ( zeek::analyzer::mime::istrequal(h->get_value_token(), "close") ) connection_close = 1; - else if ( mime::istrequal(h->get_value_token(), "upgrade") ) + else if ( zeek::analyzer::mime::istrequal(h->get_value_token(), "upgrade") ) upgrade_connection = true; } if ( ! is_orig && - mime::istrequal(h->get_name(), "upgrade") ) + zeek::analyzer::mime::istrequal(h->get_name(), "upgrade") ) upgrade_protocol.assign(h->get_value_token().data, h->get_value_token().length); if ( http_header ) @@ -1645,15 +1646,15 @@ void HTTP_Analyzer::HTTP_Header(bool is_orig, mime::MIME_Header* h) if ( DEBUG_http ) DEBUG_MSG("%.6f http_header\n", network_time); - auto upper_hn = mime::to_string_val(h->get_name()); + auto upper_hn = zeek::analyzer::mime::to_string_val(h->get_name()); upper_hn->ToUpper(); EnqueueConnEvent(http_header, ConnVal(), zeek::val_mgr->Bool(is_orig), - mime::to_string_val(h->get_name()), + zeek::analyzer::mime::to_string_val(h->get_name()), std::move(upper_hn), - mime::to_string_val(h->get_value()) + zeek::analyzer::mime::to_string_val(h->get_value()) ); } } @@ -1704,25 +1705,25 @@ void HTTP_Analyzer::SkipEntityData(bool is_orig) msg->SkipEntityData(); } -bool analyzer::http::is_reserved_URI_char(unsigned char ch) +bool is_reserved_URI_char(unsigned char ch) { // see RFC 3986 (definition of URI) return strchr(":/?#[]@!$&'()*+,;=", ch) != 0; } -bool analyzer::http::is_unreserved_URI_char(unsigned char ch) +bool is_unreserved_URI_char(unsigned char ch) { // see RFC 3986 (definition of URI) return isalnum(ch) != 0 || strchr("-_.!~*\'()", ch) != 0; } -void analyzer::http::escape_URI_char(unsigned char ch, unsigned char*& p) +void escape_URI_char(unsigned char ch, unsigned char*& p) { *p++ = '%'; *p++ = encode_hex((ch >> 4) & 0xf); *p++ = encode_hex(ch & 0xf); } -zeek::String* analyzer::http::unescape_URI(const u_char* line, const u_char* line_end, - zeek::analyzer::Analyzer* analyzer) +zeek::String* unescape_URI(const u_char* line, const u_char* line_end, + zeek::analyzer::Analyzer* analyzer) { zeek::byte_vec decoded_URI = new u_char[line_end - line + 1]; zeek::byte_vec URI_p = decoded_URI; @@ -1819,3 +1820,5 @@ zeek::String* analyzer::http::unescape_URI(const u_char* line, const u_char* lin return new zeek::String(true, decoded_URI, URI_p - decoded_URI); } + +} // namespace zeek::analyzer::http diff --git a/src/analyzer/protocol/http/HTTP.h b/src/analyzer/protocol/http/HTTP.h index 874e859044..449abed5f1 100644 --- a/src/analyzer/protocol/http/HTTP.h +++ b/src/analyzer/protocol/http/HTTP.h @@ -11,7 +11,7 @@ #include "IPAddr.h" #include "analyzer/protocol/http/events.bif.h" -namespace analyzer { namespace http { +namespace zeek::analyzer::http { enum CHUNKED_TRANSFER_STATE { NON_CHUNKED_TRANSFER, @@ -27,10 +27,10 @@ class HTTP_Entity; class HTTP_Message; class HTTP_Analyzer; -class HTTP_Entity final : public mime::MIME_Entity { +class HTTP_Entity final : public zeek::analyzer::mime::MIME_Entity { public: - HTTP_Entity(HTTP_Message* msg, MIME_Entity* parent_entity, - int expect_body); + HTTP_Entity(HTTP_Message* msg, zeek::analyzer::mime::MIME_Entity* parent_entity, + int expect_body); ~HTTP_Entity() override { if ( zip ) @@ -58,7 +58,7 @@ protected: int64_t body_length; int64_t header_length; enum { IDENTITY, GZIP, COMPRESS, DEFLATE } encoding; - zip::ZIP_Analyzer* zip; + zeek::analyzer::zip::ZIP_Analyzer* zip; bool deliver_body; bool is_partial_content; uint64_t offset; @@ -66,7 +66,7 @@ protected: bool send_size; // whether to send size indication to FAF std::string precomputed_file_id; - MIME_Entity* NewChildEntity() override { return new HTTP_Entity(http_message, this, 1); } + zeek::analyzer::mime::MIME_Entity* NewChildEntity() override { return new HTTP_Entity(http_message, this, 1); } void DeliverBody(int len, const char* data, bool trailing_CRLF); void DeliverBodyClear(int len, const char* data, bool trailing_CRLF); @@ -75,7 +75,7 @@ protected: void SetPlainDelivery(int64_t length); - void SubmitHeader(mime::MIME_Header* h) override; + void SubmitHeader(zeek::analyzer::mime::MIME_Header* h) override; void SubmitAllHeaders() override; }; @@ -96,7 +96,7 @@ enum { // HTTP_Message::EndEntity -> Message::Done // HTTP_MessageDone -> {Request,Reply}Made -class HTTP_Message final : public mime::MIME_Message { +class HTTP_Message final : public zeek::analyzer::mime::MIME_Message { friend class HTTP_Entity; public: @@ -108,16 +108,16 @@ public: bool Undelivered(int64_t len); - void BeginEntity(mime::MIME_Entity* /* entity */) override; - void EndEntity(mime::MIME_Entity* entity) override; - void SubmitHeader(mime::MIME_Header* h) override; - void SubmitAllHeaders(mime::MIME_HeaderList& /* hlist */) override; + void BeginEntity(zeek::analyzer::mime::MIME_Entity* /* entity */) override; + void EndEntity(zeek::analyzer::mime::MIME_Entity* entity) override; + void SubmitHeader(zeek::analyzer::mime::MIME_Header* h) override; + void SubmitAllHeaders(zeek::analyzer::mime::MIME_HeaderList& /* hlist */) override; void SubmitData(int len, const char* buf) override; bool RequestBuffer(int* plen, char** pbuf) override; void SubmitAllData(); void SubmitEvent(int event_type, const char* detail) override; - void SubmitTrailingHeaders(mime::MIME_HeaderList& /* hlist */); + void SubmitTrailingHeaders(zeek::analyzer::mime::MIME_HeaderList& /* hlist */); void SetPlainDelivery(int64_t length); void SkipEntityData(); @@ -152,7 +152,7 @@ class HTTP_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer public: HTTP_Analyzer(zeek::Connection* conn); - void HTTP_Header(bool is_orig, mime::MIME_Header* h); + void HTTP_Header(bool is_orig, zeek::analyzer::mime::MIME_Header* h); void HTTP_EntityData(bool is_orig, zeek::String* entity_data); void HTTP_MessageDone(bool is_orig, HTTP_Message* message); void HTTP_Event(const char* category, const char* detail); @@ -284,4 +284,26 @@ extern void escape_URI_char(unsigned char ch, unsigned char*& p); extern zeek::String* unescape_URI(const u_char* line, const u_char* line_end, zeek::analyzer::Analyzer* analyzer); -} } // namespace analyzer::* +} // namespace zeek::analyzer::http + +namespace analyzer::http { + + using CHUNKED_TRANSFER_STATE [[deprecated("Remove in v4.1. Use zeek::analyzer::http::CHUNKED_TRANSFER_STATE.")]] = zeek::analyzer::http::CHUNKED_TRANSFER_STATE; + constexpr auto NON_CHUNKED_TRANSFER [[deprecated("Remove in v4.1. Use zeek::analyzer::http::NON_CHUNKED_TRANSFER.")]] = zeek::analyzer::http::NON_CHUNKED_TRANSFER; + constexpr auto BEFORE_CHUNK [[deprecated("Remove in v4.1. Use zeek::analyzer::http::BEFORE_CHUNK.")]] = zeek::analyzer::http::BEFORE_CHUNK; + constexpr auto EXPECT_CHUNK_SIZE [[deprecated("Remove in v4.1. Use zeek::analyzer::http::EXPECT_CHUNK_SIZE.")]] = zeek::analyzer::http::EXPECT_CHUNK_SIZE; + constexpr auto EXPECT_CHUNK_DATA [[deprecated("Remove in v4.1. Use zeek::analyzer::http::EXPECT_CHUNK_DATA.")]] = zeek::analyzer::http::EXPECT_CHUNK_DATA; + constexpr auto EXPECT_CHUNK_DATA_CRLF [[deprecated("Remove in v4.1. Use zeek::analyzer::http::EXPECT_CHUNK_DATA_CRLF.")]] = zeek::analyzer::http::EXPECT_CHUNK_DATA_CRLF; + constexpr auto EXPECT_CHUNK_TRAILER [[deprecated("Remove in v4.1. Use zeek::analyzer::http::EXPECT_CHUNK_TRAILER.")]] = zeek::analyzer::http::EXPECT_CHUNK_TRAILER; + constexpr auto EXPECT_NOTHING [[deprecated("Remove in v4.1. Use zeek::analyzer::http::EXPECT_NOTHING.")]] = zeek::analyzer::http::EXPECT_NOTHING; + + using HTTP_Entity [[deprecated("Remove in v4.1. Use zeek::analyzer::http::HTTP_Entity.")]] = zeek::analyzer::http::HTTP_Entity; + using HTTP_Message [[deprecated("Remove in v4.1. Use zeek::analyzer::http::HTTP_Message.")]] = zeek::analyzer::http::HTTP_Message; + using HTTP_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::http::HTTP_Analyzer.")]] = zeek::analyzer::http::HTTP_Analyzer; + + constexpr auto is_reserved_URI_char [[deprecated("Remove in v4.1. Use zeek::analyzer::http::is_reserved_URI_char.")]] = zeek::analyzer::http::is_reserved_URI_char; + constexpr auto is_unreserved_URI_char [[deprecated("Remove in v4.1. Use zeek::analyzer::http::is_unreserved_URI_char.")]] = zeek::analyzer::http::is_unreserved_URI_char; + constexpr auto escape_URI_char [[deprecated("Remove in v4.1. Use zeek::analyzer::http::escape_URI_char.")]] = zeek::analyzer::http::escape_URI_char; + constexpr auto unescape_URI [[deprecated("Remove in v4.1. Use zeek::analyzer::http::unescape_URI.")]] = zeek::analyzer::http::unescape_URI; + +} // namespace analyzer::http diff --git a/src/analyzer/protocol/http/Plugin.cc b/src/analyzer/protocol/http/Plugin.cc index 1bf435ad8b..f2e4dfa4a9 100644 --- a/src/analyzer/protocol/http/Plugin.cc +++ b/src/analyzer/protocol/http/Plugin.cc @@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() override { - AddComponent(new zeek::analyzer::Component("HTTP", ::analyzer::http::HTTP_Analyzer::Instantiate)); + AddComponent(new zeek::analyzer::Component("HTTP", zeek::analyzer::http::HTTP_Analyzer::Instantiate)); zeek::plugin::Configuration config; config.name = "Zeek::HTTP"; diff --git a/src/analyzer/protocol/http/functions.bif b/src/analyzer/protocol/http/functions.bif index 293bd34b73..e620412a83 100644 --- a/src/analyzer/protocol/http/functions.bif +++ b/src/analyzer/protocol/http/functions.bif @@ -20,7 +20,7 @@ function skip_http_entity_data%(c: connection, is_orig: bool%): any if ( ha ) { if ( ha->IsAnalyzer("HTTP") ) - static_cast<::analyzer::http::HTTP_Analyzer*>(ha)->SkipEntityData(is_orig); + static_cast(ha)->SkipEntityData(is_orig); else reporter->Error("non-HTTP analyzer associated with connection record"); } @@ -52,5 +52,5 @@ function unescape_URI%(URI: string%): string const u_char* line = URI->Bytes(); const u_char* const line_end = line + URI->Len(); - return zeek::make_intrusive(::analyzer::http::unescape_URI(line, line_end, 0)); + return zeek::make_intrusive(zeek::analyzer::http::unescape_URI(line, line_end, 0)); %} diff --git a/src/analyzer/protocol/ident/Ident.cc b/src/analyzer/protocol/ident/Ident.cc index 6dc3ce6818..0e47358140 100644 --- a/src/analyzer/protocol/ident/Ident.cc +++ b/src/analyzer/protocol/ident/Ident.cc @@ -11,7 +11,7 @@ #include "events.bif.h" -using namespace analyzer::ident; +namespace zeek::analyzer::ident { Ident_Analyzer::Ident_Analyzer(zeek::Connection* conn) : zeek::analyzer::tcp::TCP_ApplicationAnalyzer("IDENT", conn) @@ -255,3 +255,5 @@ void Ident_Analyzer::BadReply(int length, const char* line) did_bad_reply = true; } } + +} // namespace zeek::analyzer::ident diff --git a/src/analyzer/protocol/ident/Ident.h b/src/analyzer/protocol/ident/Ident.h index 0fd7f3ce5c..c5ffb00494 100644 --- a/src/analyzer/protocol/ident/Ident.h +++ b/src/analyzer/protocol/ident/Ident.h @@ -5,7 +5,7 @@ #include "analyzer/protocol/tcp/TCP.h" #include "analyzer/protocol/tcp/ContentLine.h" -namespace analyzer { namespace ident { +namespace zeek::analyzer::ident { class Ident_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { public: @@ -33,4 +33,10 @@ protected: bool did_bad_reply; }; -} } // namespace analyzer::* +} // namespace zeek::analyzer::ident + +namespace analyzer::ident { + +using Ident_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::ident::Ident_Analyzer.")]] = zeek::analyzer::ident::Ident_Analyzer; + +} // namespace analyzer::ident diff --git a/src/analyzer/protocol/ident/Plugin.cc b/src/analyzer/protocol/ident/Plugin.cc index e53e8942f0..54bf109a06 100644 --- a/src/analyzer/protocol/ident/Plugin.cc +++ b/src/analyzer/protocol/ident/Plugin.cc @@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() override { - AddComponent(new zeek::analyzer::Component("Ident", ::analyzer::ident::Ident_Analyzer::Instantiate)); + AddComponent(new zeek::analyzer::Component("Ident", zeek::analyzer::ident::Ident_Analyzer::Instantiate)); zeek::plugin::Configuration config; config.name = "Zeek::Ident"; diff --git a/src/analyzer/protocol/imap/IMAP.cc b/src/analyzer/protocol/imap/IMAP.cc index caaaf1b4e5..e9cbc1e81e 100644 --- a/src/analyzer/protocol/imap/IMAP.cc +++ b/src/analyzer/protocol/imap/IMAP.cc @@ -4,7 +4,7 @@ #include "analyzer/protocol/tcp/TCP_Reassembler.h" #include "analyzer/Manager.h" -using namespace analyzer::imap; +namespace zeek::analyzer::imap { IMAP_Analyzer::IMAP_Analyzer(zeek::Connection* conn) : zeek::analyzer::tcp::TCP_ApplicationAnalyzer("IMAP", conn) @@ -83,3 +83,5 @@ void IMAP_Analyzer::StartTLS() if ( ssl ) AddChildAnalyzer(ssl); } + +} // namespace zeek::analyzer::imap diff --git a/src/analyzer/protocol/imap/IMAP.h b/src/analyzer/protocol/imap/IMAP.h index e1b03b157a..e39560ac9f 100644 --- a/src/analyzer/protocol/imap/IMAP.h +++ b/src/analyzer/protocol/imap/IMAP.h @@ -8,7 +8,7 @@ #include "imap_pac.h" -namespace analyzer { namespace imap { +namespace zeek::analyzer::imap { class IMAP_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { public: @@ -34,4 +34,10 @@ protected: bool tls_active; }; -} } // namespace analyzer::* +} // namespace zeek::analyzer::imap + +namespace analyzer::imap { + +using IMAP_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::imap::IMAP_Analyzer.")]] = zeek::analyzer::imap::IMAP_Analyzer; + +} // namespace analyzer::imap diff --git a/src/analyzer/protocol/imap/Plugin.cc b/src/analyzer/protocol/imap/Plugin.cc index 900145a18f..2a00b7d2fe 100644 --- a/src/analyzer/protocol/imap/Plugin.cc +++ b/src/analyzer/protocol/imap/Plugin.cc @@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() override { - AddComponent(new zeek::analyzer::Component("IMAP", ::analyzer::imap::IMAP_Analyzer::Instantiate)); + AddComponent(new zeek::analyzer::Component("IMAP", zeek::analyzer::imap::IMAP_Analyzer::Instantiate)); zeek::plugin::Configuration config; config.name = "Zeek::IMAP"; diff --git a/src/analyzer/protocol/imap/imap.pac b/src/analyzer/protocol/imap/imap.pac index 4f16af8523..0c2256d732 100644 --- a/src/analyzer/protocol/imap/imap.pac +++ b/src/analyzer/protocol/imap/imap.pac @@ -7,12 +7,13 @@ %include bro.pac %extern{ +#include "zeek-config.h" #include "Reporter.h" #include "events.bif.h" -namespace analyzer { namespace imap { class IMAP_Analyzer; } } +namespace zeek::analyzer::imap { class IMAP_Analyzer; } namespace binpac { namespace IMAP { class IMAP_Conn; } } -typedef analyzer::imap::IMAP_Analyzer* IMAPAnalyzer; +using IMAPAnalyzer = zeek::analyzer::imap::IMAP_Analyzer*; #include "IMAP.h" %} diff --git a/src/analyzer/protocol/irc/IRC.cc b/src/analyzer/protocol/irc/IRC.cc index a5fb44c720..162959f016 100644 --- a/src/analyzer/protocol/irc/IRC.cc +++ b/src/analyzer/protocol/irc/IRC.cc @@ -9,9 +9,10 @@ #include "events.bif.h" -using namespace analyzer::irc; using namespace std; +namespace zeek::analyzer::irc { + IRC_Analyzer::IRC_Analyzer(zeek::Connection* conn) : zeek::analyzer::tcp::TCP_ApplicationAnalyzer("IRC", conn) { @@ -1162,8 +1163,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) { orig_zip_status = ZIP_LOADED; resp_zip_status = ZIP_LOADED; - AddSupportAnalyzer(new zip::ZIP_Analyzer(Conn(), true)); - AddSupportAnalyzer(new zip::ZIP_Analyzer(Conn(), false)); + AddSupportAnalyzer(new zeek::analyzer::zip::ZIP_Analyzer(Conn(), true)); + AddSupportAnalyzer(new zeek::analyzer::zip::ZIP_Analyzer(Conn(), false)); } return; @@ -1222,3 +1223,5 @@ vector IRC_Analyzer::SplitWords(const string& input, char split) return words; } + +} // namespace zeek::analyzer::irc diff --git a/src/analyzer/protocol/irc/IRC.h b/src/analyzer/protocol/irc/IRC.h index db6544ec6f..5f7b6bdfc0 100644 --- a/src/analyzer/protocol/irc/IRC.h +++ b/src/analyzer/protocol/irc/IRC.h @@ -4,7 +4,7 @@ #include "analyzer/protocol/tcp/TCP.h" #include "analyzer/protocol/tcp/ContentLine.h" -namespace analyzer { namespace irc { +namespace zeek::analyzer::irc { /** * \brief Main class for analyzing IRC traffic. @@ -69,4 +69,10 @@ private: bool starttls; // if true, connection has been upgraded to tls }; -} } // namespace analyzer::* +} // namespace zeek::analyzer::irc + +namespace analyzer::irc { + +using IRC_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::irc::IRC_Analyzer.")]] = zeek::analyzer::irc::IRC_Analyzer; + +} // namespace analyzer::irc diff --git a/src/analyzer/protocol/irc/Plugin.cc b/src/analyzer/protocol/irc/Plugin.cc index abe10f2c37..ebc66a8241 100644 --- a/src/analyzer/protocol/irc/Plugin.cc +++ b/src/analyzer/protocol/irc/Plugin.cc @@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() override { - AddComponent(new zeek::analyzer::Component("IRC", ::analyzer::irc::IRC_Analyzer::Instantiate)); + AddComponent(new zeek::analyzer::Component("IRC", zeek::analyzer::irc::IRC_Analyzer::Instantiate)); zeek::plugin::Configuration config; config.name = "Zeek::IRC"; diff --git a/src/analyzer/protocol/krb/KRB.cc b/src/analyzer/protocol/krb/KRB.cc index bcedc63771..51ccdc3c78 100644 --- a/src/analyzer/protocol/krb/KRB.cc +++ b/src/analyzer/protocol/krb/KRB.cc @@ -7,7 +7,7 @@ #include "types.bif.h" #include "events.bif.h" -using namespace analyzer::krb; +namespace zeek::analyzer::krb { bool KRB_Analyzer::krb_available = false; #ifdef USE_KRB5 @@ -157,3 +157,5 @@ zeek::StringValPtr KRB_Analyzer::GetAuthenticationInfo(const zeek::String* princ return nullptr; #endif } + +} // namespace zeek::analyzer::krb diff --git a/src/analyzer/protocol/krb/KRB.h b/src/analyzer/protocol/krb/KRB.h index 56bc8dc208..7e72946de1 100644 --- a/src/analyzer/protocol/krb/KRB.h +++ b/src/analyzer/protocol/krb/KRB.h @@ -10,7 +10,7 @@ #include -namespace analyzer { namespace krb { +namespace zeek::analyzer::krb { class KRB_Analyzer final : public zeek::analyzer::Analyzer { @@ -43,4 +43,10 @@ private: #endif }; -} } // namespace analyzer::* +} // namespace zeek::analyzer::krb + +namespace analyzer::krb { + +using KRB_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::krb::KRB_Analyzer.")]] = zeek::analyzer::krb::KRB_Analyzer; + +} // namespace analyzer::krb diff --git a/src/analyzer/protocol/krb/KRB_TCP.cc b/src/analyzer/protocol/krb/KRB_TCP.cc index 23a40dcadd..6acf7f166f 100644 --- a/src/analyzer/protocol/krb/KRB_TCP.cc +++ b/src/analyzer/protocol/krb/KRB_TCP.cc @@ -5,7 +5,7 @@ #include "types.bif.h" #include "events.bif.h" -using namespace analyzer::krb_tcp; +namespace zeek::analyzer::krb_tcp { KRB_Analyzer::KRB_Analyzer(zeek::Connection* conn) : zeek::analyzer::tcp::TCP_ApplicationAnalyzer("KRB_TCP", conn) @@ -63,3 +63,5 @@ void KRB_Analyzer::Undelivered(uint64_t seq, int len, bool orig) had_gap = true; interp->NewGap(orig, len); } + +} // namespace zeek::analyzer::krb_tcp diff --git a/src/analyzer/protocol/krb/KRB_TCP.h b/src/analyzer/protocol/krb/KRB_TCP.h index 7b7a4ac3d7..d8e85a6d77 100644 --- a/src/analyzer/protocol/krb/KRB_TCP.h +++ b/src/analyzer/protocol/krb/KRB_TCP.h @@ -6,7 +6,7 @@ #include "krb_TCP_pac.h" -namespace analyzer { namespace krb_tcp { +namespace zeek::analyzer::krb_tcp { class KRB_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { @@ -34,4 +34,10 @@ protected: bool had_gap; }; -} } // namespace analyzer::* +} // namespace zeek::analyzer::krb_tcp + +namespace analyzer::krb_tcp { + +using KRB_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::krb_tcp::KRB_Analyzer.")]] = zeek::analyzer::krb_tcp::KRB_Analyzer; + +} // namespace analyzer::krb_tcp diff --git a/src/analyzer/protocol/krb/Plugin.cc b/src/analyzer/protocol/krb/Plugin.cc index 86aaeffa5f..11fd9df27e 100644 --- a/src/analyzer/protocol/krb/Plugin.cc +++ b/src/analyzer/protocol/krb/Plugin.cc @@ -12,8 +12,8 @@ class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() override { - AddComponent(new zeek::analyzer::Component("KRB", ::analyzer::krb::KRB_Analyzer::Instantiate)); - AddComponent(new zeek::analyzer::Component("KRB_TCP", ::analyzer::krb_tcp::KRB_Analyzer::Instantiate)); + AddComponent(new zeek::analyzer::Component("KRB", zeek::analyzer::krb::KRB_Analyzer::Instantiate)); + AddComponent(new zeek::analyzer::Component("KRB_TCP", zeek::analyzer::krb_tcp::KRB_Analyzer::Instantiate)); zeek::plugin::Configuration config; config.name = "Zeek::KRB"; config.description = "Kerberos analyzer"; diff --git a/src/analyzer/protocol/krb/krb.pac b/src/analyzer/protocol/krb/krb.pac index 9a3b290ad1..745caceff0 100644 --- a/src/analyzer/protocol/krb/krb.pac +++ b/src/analyzer/protocol/krb/krb.pac @@ -2,12 +2,13 @@ %include bro.pac %extern{ +#include "zeek-config.h" #include "types.bif.h" #include "events.bif.h" -namespace analyzer { namespace krb { class KRB_Analyzer; } } +namespace zeek::analyzer::krb { class KRB_Analyzer; } namespace binpac { namespace KRB { class KRB_Conn; } } -typedef analyzer::krb::KRB_Analyzer* KRBAnalyzer; +using KRBAnalyzer = zeek::analyzer::krb::KRB_Analyzer*; #include "KRB.h" %} diff --git a/src/analyzer/protocol/krb/krb_TCP.pac b/src/analyzer/protocol/krb/krb_TCP.pac index 6611a549e4..f52c07f2a0 100644 --- a/src/analyzer/protocol/krb/krb_TCP.pac +++ b/src/analyzer/protocol/krb/krb_TCP.pac @@ -2,12 +2,13 @@ %include bro.pac %extern{ +#include "zeek-config.h" #include "types.bif.h" #include "events.bif.h" -namespace analyzer { namespace krb_tcp { class KRB_Analyzer; } } +namespace zeek::analyzer::krb_tcp { class KRB_Analyzer; } namespace binpac { namespace KRB_TCP { class KRB_Conn; } } -typedef analyzer::krb_tcp::KRB_Analyzer* KRBTCPAnalyzer; +using KRBTCPAnalyzer = zeek::analyzer::krb_tcp::KRB_Analyzer*; #include "KRB_TCP.h" %} diff --git a/src/analyzer/protocol/login/Login.cc b/src/analyzer/protocol/login/Login.cc index c786695593..2182be23e4 100644 --- a/src/analyzer/protocol/login/Login.cc +++ b/src/analyzer/protocol/login/Login.cc @@ -15,7 +15,7 @@ #include "events.bif.h" -using namespace analyzer::login; +namespace zeek::analyzer::login { static zeek::RE_Matcher* re_skip_authentication = nullptr; static zeek::RE_Matcher* re_direct_login_prompts; @@ -633,3 +633,5 @@ zeek::RE_Matcher* init_RE(zeek::ListVal* l) return re; } + +} // namespace zeek::analyzer::login diff --git a/src/analyzer/protocol/login/Login.h b/src/analyzer/protocol/login/Login.h index 48c9f641d3..157e656eb8 100644 --- a/src/analyzer/protocol/login/Login.h +++ b/src/analyzer/protocol/login/Login.h @@ -4,15 +4,14 @@ #include "analyzer/protocol/tcp/TCP.h" -namespace analyzer { namespace login { +namespace zeek::analyzer::login { -typedef enum { +enum login_state { LOGIN_STATE_AUTHENTICATE, // trying to authenticate - LOGIN_STATE_LOGGED_IN, // successful authentication LOGIN_STATE_SKIP, // skip any further processing LOGIN_STATE_CONFUSED, // we're confused -} login_state; +}; // If no action by this many lines, we're definitely confused. #define MAX_AUTHENTICATE_LINES 50 @@ -83,4 +82,16 @@ protected: bool saw_ploy; }; -} } // namespace analyzer::* +} // namespace zeek::analyzer::login + +namespace analyzer::login { + + using login_state [[deprecated("Remove in v4.1. Use zeek::analyzer::login::login_state.")]] = zeek::analyzer::login::login_state; + constexpr auto LOGIN_STATE_AUTHENTICATE [[deprecated("Remove in v4.1. Use zeek::analyzer::login::LOGIN_STATE_AUTHENTICATE.")]] = zeek::analyzer::login::LOGIN_STATE_AUTHENTICATE; + constexpr auto LOGIN_STATE_LOGGED_IN [[deprecated("Remove in v4.1. Use zeek::analyzer::login::LOGIN_STATE_LOGGED_IN.")]] = zeek::analyzer::login::LOGIN_STATE_LOGGED_IN; + constexpr auto LOGIN_STATE_SKIP [[deprecated("Remove in v4.1. Use zeek::analyzer::login::LOGIN_STATE_SKIP.")]] = zeek::analyzer::login::LOGIN_STATE_SKIP; + constexpr auto LOGIN_STATE_CONFUSED [[deprecated("Remove in v4.1. Use zeek::analyzer::login::LOGIN_STATE_CONFUSED.")]] = zeek::analyzer::login::LOGIN_STATE_CONFUSED; + + using Login_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::login::Login_Analyzer.")]] = zeek::analyzer::login::Login_Analyzer; + +} // namespace analyzer::login diff --git a/src/analyzer/protocol/login/NVT.cc b/src/analyzer/protocol/login/NVT.cc index be5d6d608b..c49f8d717b 100644 --- a/src/analyzer/protocol/login/NVT.cc +++ b/src/analyzer/protocol/login/NVT.cc @@ -28,7 +28,7 @@ #define TELNET_IAC 255 -using namespace analyzer::login; +namespace zeek::analyzer::login { TelnetOption::TelnetOption(NVT_Analyzer* arg_endp, unsigned int arg_code) { @@ -117,6 +117,7 @@ void TelnetOption::BadOption() endp->Event(bad_option); } +namespace detail { void TelnetTerminalOption::RecvSubOption(u_char* data, int len) { @@ -379,6 +380,7 @@ void TelnetBinaryOption::InconsistentOption(unsigned int /* type */) // in ex/redund-binary-opt.trace. } +} // namespace detail NVT_Analyzer::NVT_Analyzer(zeek::Connection* conn, bool orig) : zeek::analyzer::tcp::ContentLine_Analyzer("NVT", conn, orig), options() @@ -405,23 +407,23 @@ TelnetOption* NVT_Analyzer::FindOption(unsigned int code) { // Maybe we haven't created this option yet. switch ( code ) { case TELNET_OPTION_BINARY: - opt = new TelnetBinaryOption(this); + opt = new detail::TelnetBinaryOption(this); break; case TELNET_OPTION_TERMINAL: - opt = new TelnetTerminalOption(this); + opt = new detail::TelnetTerminalOption(this); break; case TELNET_OPTION_ENCRYPT: - opt = new TelnetEncryptOption(this); + opt = new detail::TelnetEncryptOption(this); break; case TELNET_OPTION_AUTHENTICATE: - opt = new TelnetAuthenticateOption(this); + opt = new detail::TelnetAuthenticateOption(this); break; case TELNET_OPTION_ENVIRON: - opt = new TelnetEnvironmentOption(this); + opt = new detail::TelnetEnvironmentOption(this); break; } } @@ -734,3 +736,5 @@ void NVT_Analyzer::BadOptionTermination(unsigned int /* code */) { Event(bad_option_termination); } + +} // namespace zeek::analyzer::login diff --git a/src/analyzer/protocol/login/NVT.h b/src/analyzer/protocol/login/NVT.h index 4b5da50e44..c3b69b74be 100644 --- a/src/analyzer/protocol/login/NVT.h +++ b/src/analyzer/protocol/login/NVT.h @@ -11,9 +11,9 @@ #define TELNET_OPTION_ENVIRON 39 #define NUM_TELNET_OPTIONS 5 -namespace analyzer { namespace login { +ZEEK_FORWARD_DECLARE_NAMESPACED(NVT_Analyzer, zeek, analyzer::login); -class NVT_Analyzer; +namespace zeek::analyzer::login { class TelnetOption { public: @@ -58,6 +58,8 @@ protected: int active; }; +namespace detail { + class TelnetTerminalOption final : public TelnetOption { public: explicit TelnetTerminalOption(NVT_Analyzer* arg_endp) @@ -122,6 +124,8 @@ protected: void InconsistentOption(unsigned int type) override; }; +} // namespace detail + class NVT_Analyzer final : public zeek::analyzer::tcp::ContentLine_Analyzer { public: NVT_Analyzer(zeek::Connection* conn, bool orig); @@ -171,4 +175,16 @@ protected: int num_options = 0; }; -} } // namespace analyzer::* +} // namespace zeek::analyzer::login + +namespace analyzer::login { + + using TelnetOption [[deprecated("Remove in v4.1. Use zeek::analyzer::login::TelnetOption.")]] = zeek::analyzer::login::TelnetOption; + using TelnetTerminalOption [[deprecated("Remove in v4.1. Use zeek::analyzer::login::detail::TelnetTerminalOption.")]] = zeek::analyzer::login::detail::TelnetTerminalOption; + using TelnetEncryptOption [[deprecated("Remove in v4.1. Use zeek::analyzer::login::detail::TelnetEncryptOption.")]] = zeek::analyzer::login::detail::TelnetEncryptOption; + using TelnetAuthenticateOption [[deprecated("Remove in v4.1. Use zeek::analyzer::login::detail::TelnetAuthenticateOption.")]] = zeek::analyzer::login::detail::TelnetAuthenticateOption; + using TelnetEnvironmentOption [[deprecated("Remove in v4.1. Use zeek::analyzer::login::detail::TelnetEnvironmentOption.")]] = zeek::analyzer::login::detail::TelnetEnvironmentOption; + using TelnetBinaryOption [[deprecated("Remove in v4.1. Use zeek::analyzer::login::detail::TelnetBinaryOption.")]] = zeek::analyzer::login::detail::TelnetBinaryOption; + using NVT_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::login::NVT_Analyzer.")]] = zeek::analyzer::login::NVT_Analyzer; + +} // namespace analyzer::login diff --git a/src/analyzer/protocol/login/Plugin.cc b/src/analyzer/protocol/login/Plugin.cc index 553320c1f9..fb9551f47e 100644 --- a/src/analyzer/protocol/login/Plugin.cc +++ b/src/analyzer/protocol/login/Plugin.cc @@ -14,9 +14,9 @@ class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() override { - AddComponent(new zeek::analyzer::Component("Telnet", ::analyzer::login::Telnet_Analyzer::Instantiate)); - AddComponent(new zeek::analyzer::Component("Rsh", ::analyzer::login::Rsh_Analyzer::Instantiate)); - AddComponent(new zeek::analyzer::Component("Rlogin", ::analyzer::login::Rlogin_Analyzer::Instantiate)); + AddComponent(new zeek::analyzer::Component("Telnet", zeek::analyzer::login::Telnet_Analyzer::Instantiate)); + AddComponent(new zeek::analyzer::Component("Rsh", zeek::analyzer::login::Rsh_Analyzer::Instantiate)); + AddComponent(new zeek::analyzer::Component("Rlogin", zeek::analyzer::login::Rlogin_Analyzer::Instantiate)); AddComponent(new zeek::analyzer::Component("NVT", nullptr)); AddComponent(new zeek::analyzer::Component("Login", nullptr)); AddComponent(new zeek::analyzer::Component("Contents_Rsh", nullptr)); diff --git a/src/analyzer/protocol/login/RSH.cc b/src/analyzer/protocol/login/RSH.cc index 3815f9f10a..ae687cd4e5 100644 --- a/src/analyzer/protocol/login/RSH.cc +++ b/src/analyzer/protocol/login/RSH.cc @@ -9,7 +9,7 @@ #include "events.bif.h" -using namespace analyzer::login; +namespace zeek::analyzer::login { // FIXME: this code should probably be merged with Rlogin.cc. @@ -223,3 +223,5 @@ void Rsh_Analyzer::ServerUserName(const char* s) username = new zeek::StringVal(s); } + +} // namespace zeek::analyzer::login diff --git a/src/analyzer/protocol/login/RSH.h b/src/analyzer/protocol/login/RSH.h index dfe8e30d3c..fe0aa16311 100644 --- a/src/analyzer/protocol/login/RSH.h +++ b/src/analyzer/protocol/login/RSH.h @@ -5,9 +5,11 @@ #include "Login.h" #include "analyzer/protocol/tcp/ContentLine.h" -namespace analyzer { namespace login { +ZEEK_FORWARD_DECLARE_NAMESPACED(Rsh_Analyzer, zeek, analyzer::login); -typedef enum { +namespace zeek::analyzer::login { + +enum rsh_state { RSH_FIRST_NULL, // waiting to see first NUL RSH_CLIENT_USER_NAME, // scanning client user name up to NUL RSH_SERVER_USER_NAME, // scanning server user name up to NUL @@ -18,9 +20,7 @@ typedef enum { RSH_PRESUMED_REJECTED, // apparently server said No Way RSH_UNKNOWN, // we don't know what state we're in -} rsh_state; - -class Rsh_Analyzer; +}; class Contents_Rsh_Analyzer final : public zeek::analyzer::tcp::ContentLine_Analyzer { public: @@ -55,4 +55,20 @@ public: Contents_Rsh_Analyzer* contents_resp; }; -} } // namespace analyzer::* +} // namespace zeek::analyzer::login + +namespace analyzer::login { + + using rsh_state [[deprecated("Remove in v4.1. Use zeek::analyzer::login::rsh_state.")]] = zeek::analyzer::login::rsh_state; + constexpr auto RSH_FIRST_NULL [[deprecated("Remove in v4.1. Use zeek::analyzer::login::RSH_FIRST_NULL.")]] = zeek::analyzer::login::RSH_FIRST_NULL; + constexpr auto RSH_CLIENT_USER_NAME [[deprecated("Remove in v4.1. Use zeek::analyzer::login::RSH_CLIENT_USER_NAME.")]] = zeek::analyzer::login::RSH_CLIENT_USER_NAME; + constexpr auto RSH_SERVER_USER_NAME [[deprecated("Remove in v4.1. Use zeek::analyzer::login::RSH_SERVER_USER_NAME.")]] = zeek::analyzer::login::RSH_SERVER_USER_NAME; + constexpr auto RSH_INITIAL_CMD [[deprecated("Remove in v4.1. Use zeek::analyzer::login::RSH_INITIAL_CMD.")]] = zeek::analyzer::login::RSH_INITIAL_CMD; + constexpr auto RSH_LINE_MODE [[deprecated("Remove in v4.1. Use zeek::analyzer::login::RSH_LINE_MODE.")]] = zeek::analyzer::login::RSH_LINE_MODE; + constexpr auto RSH_PRESUMED_REJECTED [[deprecated("Remove in v4.1. Use zeek::analyzer::login::RSH_PRESUMED_REJECTED.")]] = zeek::analyzer::login::RSH_PRESUMED_REJECTED; + constexpr auto RSH_UNKNOWN [[deprecated("Remove in v4.1. Use zeek::analyzer::login::RSH_UNKNOWN.")]] = zeek::analyzer::login::RSH_UNKNOWN; + + using Contents_Rsh_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::login::Contents_Rsh_Analyzer.")]] = zeek::analyzer::login::Contents_Rsh_Analyzer; + using Rsh_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::login::Rsh_Analyzer.")]] = zeek::analyzer::login::Rsh_Analyzer; + +} // namespace analyzer::login diff --git a/src/analyzer/protocol/login/Rlogin.cc b/src/analyzer/protocol/login/Rlogin.cc index 5579530658..d91d685a94 100644 --- a/src/analyzer/protocol/login/Rlogin.cc +++ b/src/analyzer/protocol/login/Rlogin.cc @@ -9,7 +9,7 @@ #include "events.bif.h" -using namespace analyzer::login; +namespace zeek::analyzer::login { Contents_Rlogin_Analyzer::Contents_Rlogin_Analyzer(zeek::Connection* conn, bool orig, Rlogin_Analyzer* arg_analyzer) : zeek::analyzer::tcp::ContentLine_Analyzer("CONTENTLINE", conn, orig) @@ -249,3 +249,5 @@ void Rlogin_Analyzer::TerminalType(const char* s) zeek::make_intrusive(s) ); } + +} // namespace zeek::analyzer::login diff --git a/src/analyzer/protocol/login/Rlogin.h b/src/analyzer/protocol/login/Rlogin.h index 9d9dcd0f34..c37aba1934 100644 --- a/src/analyzer/protocol/login/Rlogin.h +++ b/src/analyzer/protocol/login/Rlogin.h @@ -5,9 +5,11 @@ #include "Login.h" #include "analyzer/protocol/tcp/ContentLine.h" -namespace analyzer { namespace login { +ZEEK_FORWARD_DECLARE_NAMESPACED(Rlogin_Analyzer, zeek, analyzer::login); -typedef enum { +namespace zeek::analyzer::login { + +enum rlogin_state { RLOGIN_FIRST_NULL, // waiting to see first NUL RLOGIN_CLIENT_USER_NAME, // scanning client user name up to NUL RLOGIN_SERVER_USER_NAME, // scanning server user name up to NUL @@ -26,9 +28,7 @@ typedef enum { RLOGIN_PRESUMED_REJECTED, // apparently server said No Way RLOGIN_UNKNOWN, // we don't know what state we're in -} rlogin_state; - -class Rlogin_Analyzer; +}; class Contents_Rlogin_Analyzer final : public zeek::analyzer::tcp::ContentLine_Analyzer { public: @@ -65,4 +65,25 @@ public: { return new Rlogin_Analyzer(conn); } }; -} } // namespace analyzer::* +} // namespace zeek::analyzer::login + +namespace analyzer::login { + + using rlogin_state [[deprecated("Remove in v4.1. Use zeek::analyzer::login::rlogin_state.")]] = zeek::analyzer::login::rlogin_state; + constexpr auto RLOGIN_FIRST_NULL [[deprecated("Remove in v4.1. Use zeek::analyzer::login::RLOGIN_FIRST_NULL.")]] = zeek::analyzer::login::RLOGIN_FIRST_NULL; + constexpr auto RLOGIN_CLIENT_USER_NAME [[deprecated("Remove in v4.1. Use zeek::analyzer::login::RLOGIN_CLIENT_USER_NAME.")]] = zeek::analyzer::login::RLOGIN_CLIENT_USER_NAME; + constexpr auto RLOGIN_SERVER_USER_NAME [[deprecated("Remove in v4.1. Use zeek::analyzer::login::RLOGIN_SERVER_USER_NAME.")]] = zeek::analyzer::login::RLOGIN_SERVER_USER_NAME; + constexpr auto RLOGIN_TERMINAL_TYPE [[deprecated("Remove in v4.1. Use zeek::analyzer::login::RLOGIN_TERMINAL_TYPE.")]] = zeek::analyzer::login::RLOGIN_TERMINAL_TYPE; + constexpr auto RLOGIN_SERVER_ACK [[deprecated("Remove in v4.1. Use zeek::analyzer::login::RLOGIN_SERVER_ACK.")]] = zeek::analyzer::login::RLOGIN_SERVER_ACK; + constexpr auto RLOGIN_IN_BAND_CONTROL_FF2 [[deprecated("Remove in v4.1. Use zeek::analyzer::login::RLOGIN_IN_BAND_CONTROL_FF2.")]] = zeek::analyzer::login::RLOGIN_IN_BAND_CONTROL_FF2; + constexpr auto RLOGIN_WINDOW_CHANGE_S1 [[deprecated("Remove in v4.1. Use zeek::analyzer::login::RLOGIN_WINDOW_CHANGE_S1.")]] = zeek::analyzer::login::RLOGIN_WINDOW_CHANGE_S1; + constexpr auto RLOGIN_WINDOW_CHANGE_S2 [[deprecated("Remove in v4.1. Use zeek::analyzer::login::RLOGIN_WINDOW_CHANGE_S2.")]] = zeek::analyzer::login::RLOGIN_WINDOW_CHANGE_S2; + constexpr auto RLOGIN_WINDOW_CHANGE_REMAINDER [[deprecated("Remove in v4.1. Use zeek::analyzer::login::RLOGIN_WINDOW_CHANGE_REMAINDER.")]] = zeek::analyzer::login::RLOGIN_WINDOW_CHANGE_REMAINDER; + constexpr auto RLOGIN_LINE_MODE [[deprecated("Remove in v4.1. Use zeek::analyzer::login::RLOGIN_LINE_MODE.")]] = zeek::analyzer::login::RLOGIN_LINE_MODE; + constexpr auto RLOGIN_PRESUMED_REJECTED [[deprecated("Remove in v4.1. Use zeek::analyzer::login::RLOGIN_PRESUMED_REJECTED.")]] = zeek::analyzer::login::RLOGIN_PRESUMED_REJECTED; + constexpr auto RLOGIN_UNKNOWN [[deprecated("Remove in v4.1. Use zeek::analyzer::login::RLOGIN_UNKNOWN.")]] = zeek::analyzer::login::RLOGIN_UNKNOWN; + + using Contents_Rlogin_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::login::Contents_Rlogin_Analyzer.")]] = zeek::analyzer::login::Contents_Rlogin_Analyzer; + using Rlogin_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::login::Rlogin_Analyzer.")]] = zeek::analyzer::login::Rlogin_Analyzer; + +} // namespace analyzer::login diff --git a/src/analyzer/protocol/login/Telnet.cc b/src/analyzer/protocol/login/Telnet.cc index 798c6f3e7d..6ca61a0766 100644 --- a/src/analyzer/protocol/login/Telnet.cc +++ b/src/analyzer/protocol/login/Telnet.cc @@ -7,7 +7,7 @@ #include "events.bif.h" -using namespace analyzer::login; +namespace zeek::analyzer::login { Telnet_Analyzer::Telnet_Analyzer(zeek::Connection* conn) : Login_Analyzer("TELNET", conn) @@ -21,3 +21,5 @@ Telnet_Analyzer::Telnet_Analyzer(zeek::Connection* conn) AddSupportAnalyzer(nvt_orig); AddSupportAnalyzer(nvt_resp); } + +} // namespace zeek::analyzer::login diff --git a/src/analyzer/protocol/login/Telnet.h b/src/analyzer/protocol/login/Telnet.h index af28665fd7..b91877ad04 100644 --- a/src/analyzer/protocol/login/Telnet.h +++ b/src/analyzer/protocol/login/Telnet.h @@ -4,7 +4,7 @@ #include "Login.h" -namespace analyzer { namespace login { +namespace zeek::analyzer::login { class Telnet_Analyzer : public Login_Analyzer { public: @@ -15,4 +15,10 @@ public: { return new Telnet_Analyzer(conn); } }; -} } // namespace analyzer::* +} // namespace zeek::analyzer::login + +namespace analyzer::login { + + using Telnet_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::login::Telnet_Analyzer.")]] = zeek::analyzer::login::Telnet_Analyzer; + +} // namespace analyzer::login diff --git a/src/analyzer/protocol/login/functions.bif b/src/analyzer/protocol/login/functions.bif index 6b0e195529..3b2b0e610c 100644 --- a/src/analyzer/protocol/login/functions.bif +++ b/src/analyzer/protocol/login/functions.bif @@ -34,7 +34,7 @@ function get_login_state%(cid: conn_id%): count if ( ! la ) return zeek::val_mgr->False(); - return zeek::val_mgr->Count(int(static_cast<::analyzer::login::Login_Analyzer*>(la)->LoginState())); + return zeek::val_mgr->Count(int(static_cast(la)->LoginState())); %} ## Sets the login state of a connection with a login analyzer. @@ -58,6 +58,7 @@ function set_login_state%(cid: conn_id, new_state: count%): bool if ( ! la ) return zeek::val_mgr->False(); - static_cast<::analyzer::login::Login_Analyzer*>(la)->SetLoginState(::analyzer::login::login_state(new_state)); + static_cast(la)->SetLoginState( + zeek::analyzer::login::login_state(new_state)); return zeek::val_mgr->True(); %} diff --git a/src/analyzer/protocol/mime/MIME.cc b/src/analyzer/protocol/mime/MIME.cc index fac89ebc64..d84c1f404a 100644 --- a/src/analyzer/protocol/mime/MIME.cc +++ b/src/analyzer/protocol/mime/MIME.cc @@ -19,7 +19,7 @@ // headers of form: =; =; // =; ... (so that -namespace analyzer { namespace mime { +namespace zeek::analyzer::mime { static const zeek::data_chunk_t null_data_chunk = { 0, nullptr }; @@ -439,11 +439,6 @@ zeek::String* MIME_decode_quoted_pairs(zeek::data_chunk_t buf) return new zeek::String(true, (zeek::byte_vec) dest, j); } - -} } // namespace analyzer::* - -using namespace analyzer::mime; - MIME_Multiline::MIME_Multiline() { line = nullptr; @@ -1567,3 +1562,24 @@ void MIME_Mail::SubmitEvent(int event_type, const char* detail) zeek::make_intrusive(detail) ); } + +} // namespace zeek::analyzer::mime + + +namespace analyzer::mime { + +zeek::StringVal* new_string_val(int length, const char* data) + { return zeek::analyzer::mime::to_string_val(length, data).release(); } +zeek::StringVal* new_string_val(const char* data, const char* end_of_data) + { return zeek::analyzer::mime::to_string_val(data, end_of_data).release(); } +zeek::StringVal* new_string_val(const zeek::data_chunk_t buf) + { return zeek::analyzer::mime::to_string_val(buf).release(); } + +zeek::StringValPtr to_string_val(int length, const char* data) + { return zeek::analyzer::mime::to_string_val(length, data); } +zeek::StringValPtr to_string_val(const char* data, const char* end_of_data) + { return zeek::analyzer::mime::to_string_val(data, end_of_data); } +zeek::StringValPtr to_string_val(const zeek::data_chunk_t buf) + { return zeek::analyzer::mime::to_string_val(buf); } + +} // namespace analyzer::mime diff --git a/src/analyzer/protocol/mime/MIME.h b/src/analyzer/protocol/mime/MIME.h index 3a9ac3edf9..7498ada5ea 100644 --- a/src/analyzer/protocol/mime/MIME.h +++ b/src/analyzer/protocol/mime/MIME.h @@ -19,7 +19,7 @@ using TableValPtr = zeek::IntrusivePtr; using StringValPtr = zeek::IntrusivePtr; } -namespace analyzer { namespace mime { +namespace zeek::analyzer::mime { // MIME: Multipurpose Internet Mail Extensions // Follows RFC 822 & 2822 (Internet Mail), 2045-2049 (MIME) @@ -46,8 +46,6 @@ enum MIME_EVENT_TYPE { MIME_EVENT_OTHER, }; - - // MIME data structures. class MIME_Multiline; @@ -279,11 +277,11 @@ protected: }; extern bool is_null_data_chunk(zeek::data_chunk_t b); -[[deprecated("Remove in v4.1. Use analyzer::mime::to_string_val().")]] +[[deprecated("Remove in v4.1. Use zeek::analyzer::mime::to_string_val().")]] extern zeek::StringVal* new_string_val(int length, const char* data); -[[deprecated("Remove in v4.1. Use analyzer::mime::to_string_val().")]] +[[deprecated("Remove in v4.1. Use zeek::analyzer::mime::to_string_val().")]] extern zeek::StringVal* new_string_val(const char* data, const char* end_of_data); -[[deprecated("Remove in v4.1. Use analyzer::mime::to_string_val().")]] +[[deprecated("Remove in v4.1. Use zeek::analyzer::mime::to_string_val().")]] extern zeek::StringVal* new_string_val(const zeek::data_chunk_t buf); extern zeek::StringValPtr to_string_val(int length, const char* data); extern zeek::StringValPtr to_string_val(const char* data, const char* end_of_data); @@ -304,4 +302,54 @@ extern int MIME_get_value(int len, const char* data, zeek::String*& buf, extern int MIME_get_field_name(int len, const char* data, zeek::data_chunk_t* name); extern zeek::String* MIME_decode_quoted_pairs(zeek::data_chunk_t buf); -} } // namespace analyzer::* +} // namespace zeek::analyzer::mime + +namespace analyzer::mime { + +using MIME_CONTENT_TYPE [[deprecated("Remove in v4.1. Use zeek::analyzer::mime::MIME_CONTENT_TYPE.")]] = zeek::analyzer::mime::MIME_CONTENT_TYPE; +constexpr auto CONTENT_TYPE_MULTIPART [[deprecated("Remove in v4.1. Uze zeek::analyzer::mime::CONTENT_TYPE_MULTIPART.")]] = zeek::analyzer::mime::CONTENT_TYPE_MULTIPART; +constexpr auto CONTENT_TYPE_MESSAGE [[deprecated("Remove in v4.1. Uze zeek::analyzer::mime::CONTENT_TYPE_MESSAGE.")]] = zeek::analyzer::mime::CONTENT_TYPE_MESSAGE; +constexpr auto CONTENT_TYPE_TEXT [[deprecated("Remove in v4.1. Uze zeek::analyzer::mime::CONTENT_TYPE_TEXT.")]] = zeek::analyzer::mime::CONTENT_TYPE_TEXT; +constexpr auto CONTENT_TYPE_OTHER [[deprecated("Remove in v4.1. Uze zeek::analyzer::mime::CONTENT_TYPE_OTHER.")]] = zeek::analyzer::mime::CONTENT_TYPE_OTHER; + +using MIME_EVENT_TYPE [[deprecated("Remove in v4.1. Use zeek::analyzer::mime::MIME_EVENT_TYPE.")]] = zeek::analyzer::mime::MIME_EVENT_TYPE; +constexpr auto MIME_EVENT_ILLEGAL_FORMAT [[deprecated("Remove in v4.1. Uze zeek::analyzer::mime::MIME_EVENT_ILLEGAL_FORMAT.")]] = zeek::analyzer::mime::MIME_EVENT_ILLEGAL_FORMAT; +constexpr auto MIME_EVENT_ILLEGAL_ENCODING [[deprecated("Remove in v4.1. Uze zeek::analyzer::mime::MIME_EVENT_ILLEGAL_ENCODING.")]] = zeek::analyzer::mime::MIME_EVENT_ILLEGAL_ENCODING; +constexpr auto MIME_EVENT_CONTENT_GAP [[deprecated("Remove in v4.1. Uze zeek::analyzer::mime::MIME_EVENT_CONTENT_GAP.")]] = zeek::analyzer::mime::MIME_EVENT_CONTENT_GAP; +constexpr auto MIME_EVENT_OTHER [[deprecated("Remove in v4.1. Uze zeek::analyzer::mime::MIME_EVENT_OTHER.")]] = zeek::analyzer::mime::MIME_EVENT_OTHER; + +using MIME_Multiline [[deprecated("Remove in v4.1. Use zeek::analyzer::mime::MIME_Multiline.")]] = zeek::analyzer::mime::MIME_Multiline; +using MIME_Header [[deprecated("Remove in v4.1. Use zeek::analyzer::mime::MIME_Header.")]] = zeek::analyzer::mime::MIME_Header; +using MIME_HeaderList [[deprecated("Remove in v4.1. Use zeek::analyzer::mime::MIME_HeaderList.")]] = zeek::analyzer::mime::MIME_HeaderList; +using MIME_Entity [[deprecated("Remove in v4.1. Use zeek::analyzer::mime::MIME_Entity.")]] = zeek::analyzer::mime::MIME_Entity; +using MIME_Message [[deprecated("Remove in v4.1. Use zeek::analyzer::mime::MIME_Message.")]] = zeek::analyzer::mime::MIME_Message; +using MIME_Mail [[deprecated("Remove in v4.1. Use zeek::analyzer::mime::MIME_Mail.")]] = zeek::analyzer::mime::MIME_Mail; + +constexpr auto is_null_data_chunk [[deprecated("Remove in v4.1. Use zeek::analyzer::mime::is_null_data_chunk.")]] = zeek::analyzer::mime::is_null_data_chunk; +constexpr auto is_lws [[deprecated("Remove in v4.1. Use zeek::analyzer::mime::is_lws.")]] = zeek::analyzer::mime::is_lws; +constexpr auto MIME_is_field_name_char [[deprecated("Remove in v4.1. Use zeek::analyzer::mime::MIME_is_field_name_char.")]] = zeek::analyzer::mime::MIME_is_field_name_char; +constexpr auto MIME_count_leading_lws [[deprecated("Remove in v4.1. Use zeek::analyzer::mime::MIME_count_leading_lws.")]] = zeek::analyzer::mime::MIME_count_leading_lws; +constexpr auto MIME_count_trailing_lws [[deprecated("Remove in v4.1. Use zeek::analyzer::mime::MIME_count_trailing_lws.")]] = zeek::analyzer::mime::MIME_count_trailing_lws; +constexpr auto MIME_skip_comments [[deprecated("Remove in v4.1. Use zeek::analyzer::mime::MIME_skip_comments.")]] = zeek::analyzer::mime::MIME_skip_comments; +constexpr auto MIME_skip_lws_comments [[deprecated("Remove in v4.1. Use zeek::analyzer::mime::MIME_skip_lws_comments.")]] = zeek::analyzer::mime::MIME_skip_lws_comments; +constexpr auto MIME_get_token [[deprecated("Remove in v4.1. Use zeek::analyzer::mime::MIME_get_token.")]] = zeek::analyzer::mime::MIME_get_token; +constexpr auto MIME_get_slash_token_pair [[deprecated("Remove in v4.1. Use zeek::analyzer::mime::MIME_get_slash_token_pair.")]] = zeek::analyzer::mime::MIME_get_slash_token_pair; +constexpr auto MIME_get_value [[deprecated("Remove in v4.1. Use zeek::analyzer::mime::MIME_get_value.")]] = zeek::analyzer::mime::MIME_get_value; +constexpr auto MIME_get_field_name [[deprecated("Remove in v4.1. Use zeek::analyzer::mime::MIME_get_field_name.")]] = zeek::analyzer::mime::MIME_get_field_name; +constexpr auto MIME_decode_quoted_pairs [[deprecated("Remove in v4.1. Use zeek::analyzer::mime::MIME_decode_quoted_pairs.")]] = zeek::analyzer::mime::MIME_decode_quoted_pairs; + +[[deprecated("Remove in v4.1. Use zeek::analyzer::mime::to_string_val().")]] +extern zeek::StringVal* new_string_val(int length, const char* data); +[[deprecated("Remove in v4.1. Use zeek::analyzer::mime::to_string_val().")]] +extern zeek::StringVal* new_string_val(const char* data, const char* end_of_data); +[[deprecated("Remove in v4.1. Use zeek::analyzer::mime::to_string_val().")]] +extern zeek::StringVal* new_string_val(const zeek::data_chunk_t buf); + +[[deprecated("Remove in v4.1. Use zeek::analyzer::mime::to_string_val().")]] +extern zeek::StringValPtr to_string_val(int length, const char* data); +[[deprecated("Remove in v4.1. Use zeek::analyzer::mime::to_string_val().")]] +extern zeek::StringValPtr to_string_val(const char* data, const char* end_of_data); +[[deprecated("Remove in v4.1. Use zeek::analyzer::mime::to_string_val().")]] +extern zeek::StringValPtr to_string_val(const zeek::data_chunk_t buf); + +} // namespace analyzer::mime diff --git a/src/analyzer/protocol/modbus/Modbus.cc b/src/analyzer/protocol/modbus/Modbus.cc index 9becb31359..37b6fa74f3 100644 --- a/src/analyzer/protocol/modbus/Modbus.cc +++ b/src/analyzer/protocol/modbus/Modbus.cc @@ -4,7 +4,7 @@ #include "events.bif.h" -using namespace analyzer::modbus; +namespace zeek::analyzer::modbus { ModbusTCP_Analyzer::ModbusTCP_Analyzer(zeek::Connection* c) : TCP_ApplicationAnalyzer("MODBUS", c) @@ -42,3 +42,5 @@ void ModbusTCP_Analyzer::EndpointEOF(bool is_orig) TCP_ApplicationAnalyzer::EndpointEOF(is_orig); interp->FlowEOF(is_orig); } + +} // namespace zeek::analyzer::modbus diff --git a/src/analyzer/protocol/modbus/Modbus.h b/src/analyzer/protocol/modbus/Modbus.h index eb8b16af63..ae1a466c61 100644 --- a/src/analyzer/protocol/modbus/Modbus.h +++ b/src/analyzer/protocol/modbus/Modbus.h @@ -3,7 +3,7 @@ #include "analyzer/protocol/tcp/TCP.h" #include "modbus_pac.h" -namespace analyzer { namespace modbus { +namespace zeek::analyzer::modbus { class ModbusTCP_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { public: @@ -23,4 +23,10 @@ protected: binpac::ModbusTCP::ModbusTCP_Conn* interp; }; -} } // namespace analyzer::* +} // namespace zeek::analyzer::modbus + +namespace analyzer::modbus { + +using ModbusTCP_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::modbus::ModbusTCP_Analyzer.")]] = zeek::analyzer::modbus::ModbusTCP_Analyzer; + +} // namespace analyzer::modbus diff --git a/src/analyzer/protocol/modbus/Plugin.cc b/src/analyzer/protocol/modbus/Plugin.cc index 012603f80d..4645280e64 100644 --- a/src/analyzer/protocol/modbus/Plugin.cc +++ b/src/analyzer/protocol/modbus/Plugin.cc @@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() override { - AddComponent(new zeek::analyzer::Component("MODBUS", ::analyzer::modbus::ModbusTCP_Analyzer::Instantiate)); + AddComponent(new zeek::analyzer::Component("MODBUS", zeek::analyzer::modbus::ModbusTCP_Analyzer::Instantiate)); zeek::plugin::Configuration config; config.name = "Zeek::Modbus"; diff --git a/src/analyzer/protocol/mqtt/MQTT.cc b/src/analyzer/protocol/mqtt/MQTT.cc index 5fcb859f6b..a549200317 100644 --- a/src/analyzer/protocol/mqtt/MQTT.cc +++ b/src/analyzer/protocol/mqtt/MQTT.cc @@ -7,7 +7,7 @@ #include "Scope.h" #include "mqtt_pac.h" -using namespace analyzer::MQTT; +namespace zeek::analyzer::mqtt { MQTT_Analyzer::MQTT_Analyzer(zeek::Connection* c) : zeek::analyzer::tcp::TCP_ApplicationAnalyzer("MQTT", c) @@ -55,3 +55,5 @@ void MQTT_Analyzer::Undelivered(uint64_t seq, int len, bool orig) zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); interp->NewGap(orig, len); } + +} // namespace zeek::analyzer::mqtt diff --git a/src/analyzer/protocol/mqtt/MQTT.h b/src/analyzer/protocol/mqtt/MQTT.h index 828e62fa23..a150fc2c05 100644 --- a/src/analyzer/protocol/mqtt/MQTT.h +++ b/src/analyzer/protocol/mqtt/MQTT.h @@ -7,7 +7,7 @@ namespace binpac { namespace MQTT { class MQTT_Conn; } } -namespace analyzer { namespace MQTT { +namespace zeek::analyzer::mqtt { class MQTT_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { @@ -28,4 +28,10 @@ protected: }; -} } // namespace analyzer::* +} // namespace zeek::analyzer::mqtt + +namespace analyzer::MQTT { + +using MQTT_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::mqtt::MQTT_Analyzer.")]] = zeek::analyzer::mqtt::MQTT_Analyzer; + +} // namespace analyzer::mqtt diff --git a/src/analyzer/protocol/mqtt/Plugin.cc b/src/analyzer/protocol/mqtt/Plugin.cc index 26ae30ed5c..cc0b7dcb47 100644 --- a/src/analyzer/protocol/mqtt/Plugin.cc +++ b/src/analyzer/protocol/mqtt/Plugin.cc @@ -12,7 +12,7 @@ public: zeek::plugin::Configuration Configure() override { AddComponent(new zeek::analyzer::Component("MQTT", - ::analyzer::MQTT::MQTT_Analyzer::InstantiateAnalyzer)); + zeek::analyzer::mqtt::MQTT_Analyzer::InstantiateAnalyzer)); zeek::plugin::Configuration config; config.name = "Zeek::MQTT"; diff --git a/src/analyzer/protocol/mysql/MySQL.cc b/src/analyzer/protocol/mysql/MySQL.cc index 2c18803bbf..0d87fe21b4 100644 --- a/src/analyzer/protocol/mysql/MySQL.cc +++ b/src/analyzer/protocol/mysql/MySQL.cc @@ -5,7 +5,7 @@ #include "Reporter.h" #include "events.bif.h" -using namespace analyzer::MySQL; +namespace zeek::analyzer::mysql { MySQL_Analyzer::MySQL_Analyzer(zeek::Connection* c) : zeek::analyzer::tcp::TCP_ApplicationAnalyzer("MySQL", c) @@ -63,3 +63,5 @@ void MySQL_Analyzer::Undelivered(uint64_t seq, int len, bool orig) had_gap = true; interp->NewGap(orig, len); } + +} // namespace zeek::analyzer::mysql diff --git a/src/analyzer/protocol/mysql/MySQL.h b/src/analyzer/protocol/mysql/MySQL.h index a438470024..3bb75da40c 100644 --- a/src/analyzer/protocol/mysql/MySQL.h +++ b/src/analyzer/protocol/mysql/MySQL.h @@ -7,7 +7,7 @@ #include "mysql_pac.h" -namespace analyzer { namespace MySQL { +namespace zeek::analyzer::mysql { class MySQL_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { @@ -32,4 +32,10 @@ protected: bool had_gap; }; -} } // namespace analyzer::* +} // namespace zeek::analyzer::mysql + +namespace analyzer::MySQL { + +using MySQL_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::mysql::MySQL_Analyzer.")]] = zeek::analyzer::mysql::MySQL_Analyzer; + +} // namespace analyzer::MySQL diff --git a/src/analyzer/protocol/mysql/Plugin.cc b/src/analyzer/protocol/mysql/Plugin.cc index 93a99b4d54..0712ef79e3 100644 --- a/src/analyzer/protocol/mysql/Plugin.cc +++ b/src/analyzer/protocol/mysql/Plugin.cc @@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() override { - AddComponent(new zeek::analyzer::Component("MySQL", ::analyzer::MySQL::MySQL_Analyzer::Instantiate)); + AddComponent(new zeek::analyzer::Component("MySQL", zeek::analyzer::mysql::MySQL_Analyzer::Instantiate)); zeek::plugin::Configuration config; config.name = "Zeek::MySQL"; config.description = "MySQL analyzer"; diff --git a/src/analyzer/protocol/ncp/NCP.cc b/src/analyzer/protocol/ncp/NCP.cc index 3dec999fb2..b3740764c4 100644 --- a/src/analyzer/protocol/ncp/NCP.cc +++ b/src/analyzer/protocol/ncp/NCP.cc @@ -12,7 +12,6 @@ #include "consts.bif.h" using namespace std; -using namespace analyzer::ncp; #include "NCP.h" #include "Sessions.h" @@ -23,6 +22,9 @@ using namespace analyzer::ncp; uint16(xbyte(bytes, 0)) | ((uint16(xbyte(bytes, 1))) << 8) : \ uint16(xbyte(bytes, 1)) | ((uint16(xbyte(bytes, 0))) << 8)) +namespace zeek::analyzer::ncp { +namespace detail { + NCP_Session::NCP_Session(zeek::analyzer::Analyzer* a) : analyzer(a) { @@ -163,7 +165,9 @@ void NCP_FrameBuffer::compute_msg_length() msg_len = (msg_len << 8) | data[4+i]; } -Contents_NCP_Analyzer::Contents_NCP_Analyzer(zeek::Connection* conn, bool orig, NCP_Session* arg_session) +} // namespace detail + +Contents_NCP_Analyzer::Contents_NCP_Analyzer(zeek::Connection* conn, bool orig, detail::NCP_Session* arg_session) : zeek::analyzer::tcp::TCP_SupportAnalyzer("CONTENTS_NCP", conn, orig) { session = arg_session; @@ -247,7 +251,7 @@ void Contents_NCP_Analyzer::Undelivered(uint64_t seq, int len, bool orig) NCP_Analyzer::NCP_Analyzer(zeek::Connection* conn) : zeek::analyzer::tcp::TCP_ApplicationAnalyzer("NCP", conn) { - session = new NCP_Session(this); + session = new detail::NCP_Session(this); o_ncp = new Contents_NCP_Analyzer(conn, true, session); AddSupportAnalyzer(o_ncp); r_ncp = new Contents_NCP_Analyzer(conn, false, session); @@ -258,3 +262,5 @@ NCP_Analyzer::~NCP_Analyzer() { delete session; } + +} // namespace zeek::analyzer::ncp diff --git a/src/analyzer/protocol/ncp/NCP.h b/src/analyzer/protocol/ncp/NCP.h index 89d6c6ec72..1e2e90ee88 100644 --- a/src/analyzer/protocol/ncp/NCP.h +++ b/src/analyzer/protocol/ncp/NCP.h @@ -22,7 +22,8 @@ #include "ncp_pac.h" -namespace analyzer { namespace ncp { +namespace zeek::analyzer::ncp { +namespace detail { // Create a general NCP_Session class so that it can be used in // case the RPC conversation is tunneled through other connections, @@ -82,17 +83,19 @@ protected: void compute_msg_length() override; }; +} // namespace detail + class Contents_NCP_Analyzer : public zeek::analyzer::tcp::TCP_SupportAnalyzer { public: - Contents_NCP_Analyzer(zeek::Connection* conn, bool orig, NCP_Session* session); + Contents_NCP_Analyzer(zeek::Connection* conn, bool orig, detail::NCP_Session* session); ~Contents_NCP_Analyzer() override; protected: void DeliverStream(int len, const u_char* data, bool orig) override; void Undelivered(uint64_t seq, int len, bool orig) override; - NCP_FrameBuffer buffer; - NCP_Session* session; + detail::NCP_FrameBuffer buffer; + detail::NCP_Session* session; // Re-sync for partial connections (or after a content gap). bool resync; @@ -109,9 +112,19 @@ public: protected: - NCP_Session* session; + detail::NCP_Session* session; Contents_NCP_Analyzer * o_ncp; Contents_NCP_Analyzer * r_ncp; }; -} } // namespace analyzer::* +} // namespace zeek::analyzer::ncp + +namespace analyzer::ncp { + +using NCP_Session [[deprecated("Remove in v4.1. Use zeek::analyzer::ncp::detail::NCP_Session.")]] = zeek::analyzer::ncp::detail::NCP_Session; +using FrameBuffer [[deprecated("Remove in v4.1. Use zeek::analyzer::ncp::detail::FrameBuffer.")]] = zeek::analyzer::ncp::detail::FrameBuffer; +using NCP_FrameBuffer [[deprecated("Remove in v4.1. Use zeek::analyzer::ncp::detail::NCP_FrameBuffer.")]] = zeek::analyzer::ncp::detail::NCP_FrameBuffer; +using Contents_NCP_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::ncp::Contents_NCP_Analyzer.")]] = zeek::analyzer::ncp::Contents_NCP_Analyzer; +using NCP_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::ncp::NCP_Analyzer.")]] = zeek::analyzer::ncp::NCP_Analyzer; + +} // namespace analyzer::ncp diff --git a/src/analyzer/protocol/ncp/Plugin.cc b/src/analyzer/protocol/ncp/Plugin.cc index 91ee989458..c621188d78 100644 --- a/src/analyzer/protocol/ncp/Plugin.cc +++ b/src/analyzer/protocol/ncp/Plugin.cc @@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() override { - AddComponent(new zeek::analyzer::Component("NCP", ::analyzer::ncp::NCP_Analyzer::Instantiate)); + AddComponent(new zeek::analyzer::Component("NCP", zeek::analyzer::ncp::NCP_Analyzer::Instantiate)); AddComponent(new zeek::analyzer::Component("Contents_NCP", nullptr)); zeek::plugin::Configuration config; diff --git a/src/analyzer/protocol/netbios/NetbiosSSN.cc b/src/analyzer/protocol/netbios/NetbiosSSN.cc index da789952c4..fb3c20cfb3 100644 --- a/src/analyzer/protocol/netbios/NetbiosSSN.cc +++ b/src/analyzer/protocol/netbios/NetbiosSSN.cc @@ -13,12 +13,13 @@ #include "events.bif.h" -using namespace analyzer::netbios_ssn; - -double netbios_ssn_session_timeout = 15.0; +constexpr double netbios_ssn_session_timeout = 15.0; #define MAKE_INT16(dest, src) dest = *src; dest <<=8; src++; dest |= *src; src++; +namespace zeek::analyzer::netbios_ssn { +namespace detail { + NetbiosSSN_RawMsgHdr::NetbiosSSN_RawMsgHdr(const u_char*& data, int& len) { type = *data; ++data, --len; @@ -48,7 +49,6 @@ NetbiosDGM_RawMsgHdr::NetbiosDGM_RawMsgHdr(const u_char*& data, int& len) MAKE_INT16(offset, data);; len -= 2; } - NetbiosSSN_Interpreter::NetbiosSSN_Interpreter(zeek::analyzer::Analyzer* arg_analyzer) { analyzer = arg_analyzer; @@ -161,7 +161,6 @@ void NetbiosSSN_Interpreter::ParseMessageTCP(const u_char* data, int len, void NetbiosSSN_Interpreter::ParseMessageUDP(const u_char* data, int len, bool is_query) { - NetbiosDGM_RawMsgHdr hdr(data, len); if ( unsigned(hdr.length-14) > unsigned(len) ) @@ -331,16 +330,17 @@ void NetbiosSSN_Interpreter::Event(zeek::EventHandlerPtr event, const u_char* da zeek::make_intrusive(new zeek::String(data, len, false))); } +} // namespace detail Contents_NetbiosSSN::Contents_NetbiosSSN(zeek::Connection* conn, bool orig, - NetbiosSSN_Interpreter* arg_interp) + detail::NetbiosSSN_Interpreter* arg_interp) : zeek::analyzer::tcp::TCP_SupportAnalyzer("CONTENTS_NETBIOSSSN", conn, orig) { interp = arg_interp; type = flags = msg_size = 0; msg_buf = nullptr; buf_n = buf_len = msg_size = 0; - state = NETBIOS_SSN_TYPE; + state = detail::NETBIOS_SSN_TYPE; } Contents_NetbiosSSN::~Contents_NetbiosSSN() @@ -367,10 +367,10 @@ void Contents_NetbiosSSN::ProcessChunk(int& len, const u_char*& data, bool orig) { zeek::analyzer::tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig); - if ( state == NETBIOS_SSN_TYPE ) + if ( state == detail::NETBIOS_SSN_TYPE ) { type = *data; - state = NETBIOS_SSN_FLAGS; + state = detail::NETBIOS_SSN_FLAGS; ++data; --len; @@ -379,10 +379,10 @@ void Contents_NetbiosSSN::ProcessChunk(int& len, const u_char*& data, bool orig) return; } - if ( state == NETBIOS_SSN_FLAGS ) + if ( state == detail::NETBIOS_SSN_FLAGS ) { flags = *data; - state = NETBIOS_SSN_LEN_HI; + state = detail::NETBIOS_SSN_LEN_HI; ++data; --len; @@ -391,10 +391,10 @@ void Contents_NetbiosSSN::ProcessChunk(int& len, const u_char*& data, bool orig) return; } - if ( state == NETBIOS_SSN_LEN_HI ) + if ( state == detail::NETBIOS_SSN_LEN_HI ) { msg_size = (*data) << 8; - state = NETBIOS_SSN_LEN_LO; + state = detail::NETBIOS_SSN_LEN_LO; ++data; --len; @@ -403,10 +403,10 @@ void Contents_NetbiosSSN::ProcessChunk(int& len, const u_char*& data, bool orig) return; } - if ( state == NETBIOS_SSN_LEN_LO ) + if ( state == detail::NETBIOS_SSN_LEN_LO ) { msg_size += *data; - state = NETBIOS_SSN_BUF; + state = detail::NETBIOS_SSN_BUF; buf_n = 0; @@ -433,7 +433,7 @@ void Contents_NetbiosSSN::ProcessChunk(int& len, const u_char*& data, bool orig) return; } - if ( state != NETBIOS_SSN_BUF ) + if ( state != detail::NETBIOS_SSN_BUF ) Conn()->Internal("state inconsistency in Contents_NetbiosSSN::Deliver"); int n; @@ -450,14 +450,14 @@ void Contents_NetbiosSSN::ProcessChunk(int& len, const u_char*& data, bool orig) interp->ParseMessage(type, flags, msg_buf, msg_size, IsOrig()); buf_n = 0; - state = NETBIOS_SSN_TYPE; + state = detail::NETBIOS_SSN_TYPE; } NetbiosSSN_Analyzer::NetbiosSSN_Analyzer(zeek::Connection* conn) : zeek::analyzer::tcp::TCP_ApplicationAnalyzer("NETBIOSSSN", conn) { //smb_session = new SMB_Session(this); - interp = new NetbiosSSN_Interpreter(this); + interp = new detail::NetbiosSSN_Interpreter(this); orig_netbios = resp_netbios = nullptr; did_session_done = 0; @@ -538,3 +538,5 @@ void NetbiosSSN_Analyzer::ExpireTimer(double t) t + netbios_ssn_session_timeout, true, zeek::detail::TIMER_NB_EXPIRE); } + +} // namespace zeek::analyzer::netbios_ssn diff --git a/src/analyzer/protocol/netbios/NetbiosSSN.h b/src/analyzer/protocol/netbios/NetbiosSSN.h index a42b9dcc60..6668093b1a 100644 --- a/src/analyzer/protocol/netbios/NetbiosSSN.h +++ b/src/analyzer/protocol/netbios/NetbiosSSN.h @@ -4,11 +4,11 @@ #include "analyzer/protocol/udp/UDP.h" #include "analyzer/protocol/tcp/TCP.h" -//#include "analyzer/protocol/smb/SMB.h" -namespace analyzer { namespace netbios_ssn { +namespace zeek::analyzer::netbios_ssn { +namespace detail { -typedef enum { +enum NetbiosSSN_Opcode { NETBIOS_SSN_MSG = 0x0, NETBIOS_DGM_DIRECT_UNIQUE = 0x10, NETBIOS_DGM_DIRECT_GROUP = 0x11, @@ -22,7 +22,7 @@ typedef enum { NETBIOS_SSN_NEG_RESP = 0x83, NETBIOS_SSN_RETARG_RESP = 0x84, NETBIOS_SSN_KEEP_ALIVE = 0x85, -} NetbiosSSN_Opcode; +}; // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ @@ -60,6 +60,13 @@ struct NetbiosDGM_RawMsgHdr { uint16_t offset; }; +enum NetbiosSSN_State { + NETBIOS_SSN_TYPE, // looking for type field + NETBIOS_SSN_FLAGS, // looking for flag field + NETBIOS_SSN_LEN_HI, // looking for high-order byte of length + NETBIOS_SSN_LEN_LO, // looking for low-order byte of length + NETBIOS_SSN_BUF, // building up the message in the buffer +}; class NetbiosSSN_Interpreter { public: @@ -102,31 +109,24 @@ protected: //SMB_Session* smb_session; }; - -typedef enum { - NETBIOS_SSN_TYPE, // looking for type field - NETBIOS_SSN_FLAGS, // looking for flag field - NETBIOS_SSN_LEN_HI, // looking for high-order byte of length - NETBIOS_SSN_LEN_LO, // looking for low-order byte of length - NETBIOS_SSN_BUF, // building up the message in the buffer -} NetbiosSSN_State; +} // namespace detail // ### This should be merged with TCP_Contents_RPC, TCP_Contents_DNS. class Contents_NetbiosSSN final : public zeek::analyzer::tcp::TCP_SupportAnalyzer { public: Contents_NetbiosSSN(zeek::Connection* conn, bool orig, - NetbiosSSN_Interpreter* interp); + detail::NetbiosSSN_Interpreter* interp); ~Contents_NetbiosSSN() override; void Flush(); // process any partially-received data - NetbiosSSN_State State() const { return state; } + detail::NetbiosSSN_State State() const { return state; } protected: void DeliverStream(int len, const u_char* data, bool orig) override; void ProcessChunk(int& len, const u_char*& data, bool orig); - NetbiosSSN_Interpreter* interp; + detail::NetbiosSSN_Interpreter* interp; unsigned int type; unsigned int flags; @@ -136,7 +136,7 @@ protected: int buf_len; // size of msg_buf int msg_size; // expected size of message - NetbiosSSN_State state; + detail::NetbiosSSN_State state; }; class NetbiosSSN_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { @@ -146,7 +146,7 @@ public: void Done() override; void DeliverPacket(int len, const u_char* data, bool orig, - uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override; + uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override; static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) { return new NetbiosSSN_Analyzer(conn); } @@ -158,7 +158,7 @@ protected: void ExpireTimer(double t); - NetbiosSSN_Interpreter* interp; + detail::NetbiosSSN_Interpreter* interp; //SMB_Session* smb_session; Contents_NetbiosSSN* orig_netbios; Contents_NetbiosSSN* resp_netbios; @@ -168,4 +168,37 @@ protected: // FIXME: Doesn't really fit into new analyzer structure. What to do? int IsReuse(double t, const u_char* pkt); -} } // namespace analyzer::* +} // namespace zeek::analyzer::netbios_ssn + +namespace analyzer::netbios_ssn { + +using NetbiosSSN_Opcode [[deprecated("Remove in v4.1. Use zeek::analyzer::netbios_ssn::detail::NetbiosSSN_Opcode.")]] = zeek::analyzer::netbios_ssn::detail::NetbiosSSN_Opcode; +constexpr auto NETBIOS_SSN_MSG [[deprecated("Remove in v4.1. Uze zeek::analyzer::netbios_ssn::detail::NETBIOS_SSN_MSG.")]] = zeek::analyzer::netbios_ssn::detail::NETBIOS_SSN_MSG; +constexpr auto NETBIOS_DGM_DIRECT_UNIQUE [[deprecated("Remove in v4.1. Uze zeek::analyzer::netbios_ssn::detail::NETBIOS_DGM_DIRECT_UNIQUE.")]] = zeek::analyzer::netbios_ssn::detail::NETBIOS_DGM_DIRECT_UNIQUE; +constexpr auto NETBIOS_DGM_DIRECT_GROUP [[deprecated("Remove in v4.1. Uze zeek::analyzer::netbios_ssn::detail::NETBIOS_DGM_DIRECT_GROUP.")]] = zeek::analyzer::netbios_ssn::detail::NETBIOS_DGM_DIRECT_GROUP; +constexpr auto NETBIOS_DGM_BROADCAST [[deprecated("Remove in v4.1. Uze zeek::analyzer::netbios_ssn::detail::NETBIOS_DGM_BROADCAST.")]] = zeek::analyzer::netbios_ssn::detail::NETBIOS_DGM_BROADCAST; +constexpr auto NETBIOS_DGM_ERROR [[deprecated("Remove in v4.1. Uze zeek::analyzer::netbios_ssn::detail::NETBIOS_DGM_ERROR.")]] = zeek::analyzer::netbios_ssn::detail::NETBIOS_DGM_ERROR; +constexpr auto NETBIOS_DGG_QUERY_REQ [[deprecated("Remove in v4.1. Uze zeek::analyzer::netbios_ssn::detail::NETBIOS_DGG_QUERY_REQ.")]] = zeek::analyzer::netbios_ssn::detail::NETBIOS_DGG_QUERY_REQ; +constexpr auto NETBIOS_DGM_POS_RESP [[deprecated("Remove in v4.1. Uze zeek::analyzer::netbios_ssn::detail::NETBIOS_DGM_POS_RESP.")]] = zeek::analyzer::netbios_ssn::detail::NETBIOS_DGM_POS_RESP; +constexpr auto NETBIOS_DGM_NEG_RESP [[deprecated("Remove in v4.1. Uze zeek::analyzer::netbios_ssn::detail::NETBIOS_DGM_NEG_RESP.")]] = zeek::analyzer::netbios_ssn::detail::NETBIOS_DGM_NEG_RESP; +constexpr auto NETBIOS_SSN_REQ [[deprecated("Remove in v4.1. Uze zeek::analyzer::netbios_ssn::detail::NETBIOS_SSN_REQ.")]] = zeek::analyzer::netbios_ssn::detail::NETBIOS_SSN_REQ; +constexpr auto NETBIOS_SSN_POS_RESP [[deprecated("Remove in v4.1. Uze zeek::analyzer::netbios_ssn::detail::NETBIOS_SSN_POS_RESP.")]] = zeek::analyzer::netbios_ssn::detail::NETBIOS_SSN_POS_RESP; +constexpr auto NETBIOS_SSN_NEG_RESP [[deprecated("Remove in v4.1. Uze zeek::analyzer::netbios_ssn::detail::NETBIOS_SSN_NEG_RESP.")]] = zeek::analyzer::netbios_ssn::detail::NETBIOS_SSN_NEG_RESP; +constexpr auto NETBIOS_SSN_RETARG_RESP [[deprecated("Remove in v4.1. Uze zeek::analyzer::netbios_ssn::detail::NETBIOS_SSN_RETARG_RESP.")]] = zeek::analyzer::netbios_ssn::detail::NETBIOS_SSN_RETARG_RESP; +constexpr auto NETBIOS_SSN_KEEP_ALIVE [[deprecated("Remove in v4.1. Uze zeek::analyzer::netbios_ssn::detail::NETBIOS_SSN_KEEP_ALIVE.")]] = zeek::analyzer::netbios_ssn::detail::NETBIOS_SSN_KEEP_ALIVE; + +using NetbiosSSN_RawMsgHdr [[deprecated("Remove in v4.1. Use zeek::analyzer::netbios_ssn::detail::NetbiosSSN_RawMsgHdr.")]] = zeek::analyzer::netbios_ssn::detail::NetbiosSSN_RawMsgHdr; +using NetbiosDGM_RawMsgHdr [[deprecated("Remove in v4.1. Use zeek::analyzer::netbios_ssn::detail::NetbiosDGM_RawMsgHdr.")]] = zeek::analyzer::netbios_ssn::detail::NetbiosDGM_RawMsgHdr; + +using NetbiosSSN_State [[deprecated("Remove in v4.1. Use zeek::analyzer::netbios_ssn::detail::NetbiosSSN_State.")]] = zeek::analyzer::netbios_ssn::detail::NetbiosSSN_State; +constexpr auto NETBIOS_SSN_TYPE [[deprecated("Remove in v4.1. Uze zeek::analyzer::netbios_ssn::detail::NETBIOS_SSN_TYPE.")]] = zeek::analyzer::netbios_ssn::detail::NETBIOS_SSN_TYPE; +constexpr auto NETBIOS_SSN_FLAGS [[deprecated("Remove in v4.1. Uze zeek::analyzer::netbios_ssn::detail::NETBIOS_SSN_FLAGS.")]] = zeek::analyzer::netbios_ssn::detail::NETBIOS_SSN_FLAGS; +constexpr auto NETBIOS_SSN_LEN_HI [[deprecated("Remove in v4.1. Uze zeek::analyzer::netbios_ssn::detail::NETBIOS_SSN_LEN_HI.")]] = zeek::analyzer::netbios_ssn::detail::NETBIOS_SSN_LEN_HI; +constexpr auto NETBIOS_SSN_LEN_LO [[deprecated("Remove in v4.1. Uze zeek::analyzer::netbios_ssn::detail::NETBIOS_SSN_LEN_LO.")]] = zeek::analyzer::netbios_ssn::detail::NETBIOS_SSN_LEN_LO; +constexpr auto NETBIOS_SSN_BUF [[deprecated("Remove in v4.1. Uze zeek::analyzer::netbios_ssn::detail::NETBIOS_SSN_BUF.")]] = zeek::analyzer::netbios_ssn::detail::NETBIOS_SSN_BUF; + +using NetbiosSSN_Interpreter [[deprecated("Remove in v4.1. Use zeek::analyzer::netbios_ssn::detail::NetbiosSSN_Interpreter.")]] = zeek::analyzer::netbios_ssn::detail::NetbiosSSN_Interpreter; +using Contents_NetbiosSSN [[deprecated("Remove in v4.1. Use zeek::analyzer::netbios_ssn::Contents_NetbiosSSN.")]] = zeek::analyzer::netbios_ssn::Contents_NetbiosSSN; +using NetbiosSSN_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::netbios_ssn::NetbiosSSN_Analyzer.")]] = zeek::analyzer::netbios_ssn::NetbiosSSN_Analyzer; + +} // namespace analyzer::netbios_ssn diff --git a/src/analyzer/protocol/netbios/Plugin.cc b/src/analyzer/protocol/netbios/Plugin.cc index cc68192fcc..56b1e973f4 100644 --- a/src/analyzer/protocol/netbios/Plugin.cc +++ b/src/analyzer/protocol/netbios/Plugin.cc @@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() override { - AddComponent(new zeek::analyzer::Component("NetbiosSSN", ::analyzer::netbios_ssn::NetbiosSSN_Analyzer::Instantiate)); + AddComponent(new zeek::analyzer::Component("NetbiosSSN", zeek::analyzer::netbios_ssn::NetbiosSSN_Analyzer::Instantiate)); AddComponent(new zeek::analyzer::Component("Contents_NetbiosSSN", nullptr)); zeek::plugin::Configuration config; diff --git a/src/analyzer/protocol/ntlm/NTLM.cc b/src/analyzer/protocol/ntlm/NTLM.cc index a521fc8c94..cb15ac5434 100644 --- a/src/analyzer/protocol/ntlm/NTLM.cc +++ b/src/analyzer/protocol/ntlm/NTLM.cc @@ -5,7 +5,7 @@ #include "Reporter.h" #include "events.bif.h" -using namespace analyzer::ntlm; +namespace zeek::analyzer::ntlm { NTLM_Analyzer::NTLM_Analyzer(zeek::Connection* c) : zeek::analyzer::tcp::TCP_ApplicationAnalyzer("NTLM", c) @@ -54,3 +54,5 @@ void NTLM_Analyzer::Undelivered(uint64_t seq, int len, bool orig) zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); interp->NewGap(orig, len); } + +} // namespace zeek::analyzer::ntlm diff --git a/src/analyzer/protocol/ntlm/NTLM.h b/src/analyzer/protocol/ntlm/NTLM.h index 53d168528d..c4de65a93a 100644 --- a/src/analyzer/protocol/ntlm/NTLM.h +++ b/src/analyzer/protocol/ntlm/NTLM.h @@ -7,7 +7,7 @@ #include "ntlm_pac.h" -namespace analyzer { namespace ntlm { +namespace zeek::analyzer::ntlm { class NTLM_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { @@ -31,4 +31,10 @@ protected: binpac::NTLM::NTLM_Conn* interp; }; -} } // namespace analyzer::* +} // namespace zeek::analyzer::ntlm + +namespace analyzer::ntlm { + +using NTLM_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::ntlm::NTLM_Analyzer.")]] = zeek::analyzer::ntlm::NTLM_Analyzer; + +} // namespace analyzer::ntlm diff --git a/src/analyzer/protocol/ntlm/Plugin.cc b/src/analyzer/protocol/ntlm/Plugin.cc index 402665db59..12c774a32f 100644 --- a/src/analyzer/protocol/ntlm/Plugin.cc +++ b/src/analyzer/protocol/ntlm/Plugin.cc @@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() override { - AddComponent(new zeek::analyzer::Component("NTLM", ::analyzer::ntlm::NTLM_Analyzer::Instantiate)); + AddComponent(new zeek::analyzer::Component("NTLM", zeek::analyzer::ntlm::NTLM_Analyzer::Instantiate)); zeek::plugin::Configuration config; config.name = "Zeek::NTLM"; diff --git a/src/analyzer/protocol/ntp/NTP.cc b/src/analyzer/protocol/ntp/NTP.cc index a38fd8531a..df4ca6888f 100644 --- a/src/analyzer/protocol/ntp/NTP.cc +++ b/src/analyzer/protocol/ntp/NTP.cc @@ -4,7 +4,7 @@ #include "events.bif.h" -using namespace analyzer::NTP; +namespace zeek::analyzer::ntp { NTP_Analyzer::NTP_Analyzer(zeek::Connection* c) : zeek::analyzer::Analyzer("NTP", c) @@ -37,3 +37,5 @@ void NTP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, ProtocolViolation(fmt("Binpac exception: %s", e.c_msg())); } } + +} // namespace zeek::analyzer::ntp diff --git a/src/analyzer/protocol/ntp/NTP.h b/src/analyzer/protocol/ntp/NTP.h index 1f38953b07..fb158a2637 100644 --- a/src/analyzer/protocol/ntp/NTP.h +++ b/src/analyzer/protocol/ntp/NTP.h @@ -7,7 +7,7 @@ #include "ntp_pac.h" -namespace analyzer { namespace NTP { +namespace zeek::analyzer::ntp { class NTP_Analyzer final : public zeek::analyzer::Analyzer { public: @@ -26,4 +26,10 @@ protected: binpac::NTP::NTP_Conn* interp; }; -} } // namespace analyzer::* +} // namespace zeek::analyzer::ntp + +namespace analyzer::NTP { + +using NTP_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::ntp::NTP_Analyzer.")]] = zeek::analyzer::ntp::NTP_Analyzer; + +} // namespace analyzer::NTP diff --git a/src/analyzer/protocol/ntp/Plugin.cc b/src/analyzer/protocol/ntp/Plugin.cc index 4979d27eb1..c35349abcd 100644 --- a/src/analyzer/protocol/ntp/Plugin.cc +++ b/src/analyzer/protocol/ntp/Plugin.cc @@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() override { - AddComponent(new zeek::analyzer::Component("NTP", ::analyzer::NTP::NTP_Analyzer::Instantiate)); + AddComponent(new zeek::analyzer::Component("NTP", zeek::analyzer::ntp::NTP_Analyzer::Instantiate)); zeek::plugin::Configuration config; config.name = "Zeek::NTP"; diff --git a/src/analyzer/protocol/pop3/POP3.cc b/src/analyzer/protocol/pop3/POP3.cc index 32aa2adf7a..dcfa2543cd 100644 --- a/src/analyzer/protocol/pop3/POP3.cc +++ b/src/analyzer/protocol/pop3/POP3.cc @@ -14,7 +14,7 @@ #include "events.bif.h" -using namespace analyzer::pop3; +namespace zeek::analyzer::pop3 { #undef POP3_CMD_DEF #define POP3_CMD_DEF(cmd) #cmd, @@ -25,14 +25,13 @@ static const char* pop3_cmd_word[] = { #define POP3_CMD_WORD(code) ((code >= 0) ? pop3_cmd_word[code] : "(UNKNOWN)") - POP3_Analyzer::POP3_Analyzer(zeek::Connection* conn) : zeek::analyzer::tcp::TCP_ApplicationAnalyzer("POP3", conn) { - masterState = POP3_START; - subState = POP3_WOK; - state = START; - lastState = START; + masterState = detail::POP3_START; + subState = detail::POP3_WOK; + state = detail::START; + lastState = detail::START; guessing = false; waitingForAuthentication = false; @@ -145,7 +144,7 @@ void POP3_Analyzer::ProcessRequest(int length, const char* line) } switch ( state ) { - case AUTH_LOGIN: + case detail::AUTH_LOGIN: // Format: Line 1 - User // Line 2 - Password if ( authLines == 1 ) @@ -156,7 +155,7 @@ void POP3_Analyzer::ProcessRequest(int length, const char* line) break; - case AUTH_PLAIN: + case detail::AUTH_PLAIN: { // Format: "authorization identityauthentication // identitypassword" @@ -195,7 +194,7 @@ void POP3_Analyzer::ProcessRequest(int length, const char* line) break; } - case AUTH_CRAM_MD5: + case detail::AUTH_CRAM_MD5: { // Format: "userpassword-hash" const char* s; const char* str = (char*) decoded->CheckString(); @@ -209,7 +208,7 @@ void POP3_Analyzer::ProcessRequest(int length, const char* line) break; } - case AUTH: + case detail::AUTH: break; default: @@ -268,8 +267,8 @@ void POP3_Analyzer::ProcessClientCmd() if ( ! waitingForAuthentication ) { Weird("pop3_client_command_unknown"); - if ( subState == POP3_WOK ) - subState = POP3_OK; + if ( subState == detail::POP3_WOK ) + subState = detail::POP3_OK; } return; } @@ -279,31 +278,31 @@ void POP3_Analyzer::ProcessClientCmd() const char* message = tokens.size() > 1 ? tokens[1].c_str() : ""; switch ( cmd_code ) { - case POP3_CMD_ERR: - case POP3_CMD_OK: + case detail::POP3_CMD_ERR: + case detail::POP3_CMD_OK: Weird("pop3_client_sending_server_commands"); break; - case POP3_CMD_USER: - if ( masterState == POP3_AUTHORIZATION ) + case detail::POP3_CMD_USER: + if ( masterState == detail::POP3_AUTHORIZATION ) { POP3Event(pop3_request, true, cmd, message); - state = USER; - subState = POP3_WOK; + state = detail::USER; + subState = detail::POP3_WOK; user = message; } else NotAllowed(cmd, "authorization"); break; - case POP3_CMD_PASS: - if ( masterState == POP3_AUTHORIZATION ) + case detail::POP3_CMD_PASS: + if ( masterState == detail::POP3_AUTHORIZATION ) { - if ( state == USER ) + if ( state == detail::USER ) { POP3Event(pop3_request, true, cmd, message); - state = PASS; - subState = POP3_WOK; + state = detail::PASS; + subState = detail::POP3_WOK; password = message; } else @@ -314,12 +313,12 @@ void POP3_Analyzer::ProcessClientCmd() NotAllowed(cmd, "authorization"); break; - case POP3_CMD_APOP: - if ( masterState == POP3_AUTHORIZATION ) + case detail::POP3_CMD_APOP: + if ( masterState == detail::POP3_AUTHORIZATION ) { POP3Event(pop3_request, true, cmd, message); - state = APOP; - subState = POP3_WOK; + state = detail::APOP; + subState = detail::POP3_WOK; char* arg1 = copy_string(message); char* e; @@ -333,32 +332,32 @@ void POP3_Analyzer::ProcessClientCmd() NotAllowed(cmd, "authorization"); break; - case POP3_CMD_AUTH: - if ( masterState == POP3_AUTHORIZATION ) + case detail::POP3_CMD_AUTH: + if ( masterState == detail::POP3_AUTHORIZATION ) { POP3Event(pop3_request, true, cmd, message); if ( ! *message ) { requestForMultiLine = true; - state = AUTH; - subState = POP3_WOK; + state = detail::AUTH; + subState = detail::POP3_WOK; } else { if ( strstr(message, "LOGIN") ) - state = AUTH_LOGIN; + state = detail::AUTH_LOGIN; else if ( strstr(message, "PLAIN") ) - state = AUTH_PLAIN; + state = detail::AUTH_PLAIN; else if ( strstr(message, "CRAM-MD5") ) - state = AUTH_CRAM_MD5; + state = detail::AUTH_CRAM_MD5; else { - state = AUTH; + state = detail::AUTH; POP3Event(pop3_unexpected, true, cmd, fmt("unknown AUTH method %s", message)); } - subState = POP3_WOK; + subState = detail::POP3_WOK; waitingForAuthentication = true; authLines = 0; } @@ -368,31 +367,31 @@ void POP3_Analyzer::ProcessClientCmd() "pass must follow the command 'USER'"); break; - case POP3_CMD_STAT: - if ( masterState == POP3_TRANSACTION ) + case detail::POP3_CMD_STAT: + if ( masterState == detail::POP3_TRANSACTION ) { POP3Event(pop3_request, true, cmd, message); - subState = POP3_WOK; - state = STAT; + subState = detail::POP3_WOK; + state = detail::STAT; } else NotAllowed(cmd, "transaction"); break; - case POP3_CMD_LIST: - if ( masterState == POP3_TRANSACTION ) + case detail::POP3_CMD_LIST: + if ( masterState == detail::POP3_TRANSACTION ) { POP3Event(pop3_request, true, cmd, message); if ( ! *message ) { requestForMultiLine = true; - state = LIST; - subState = POP3_WOK; + state = detail::LIST; + subState = detail::POP3_WOK; } else { - state = LIST; - subState = POP3_WOK; + state = detail::LIST; + subState = detail::POP3_WOK; } } else @@ -401,148 +400,148 @@ void POP3_Analyzer::ProcessClientCmd() requestForMultiLine = true; guessing = true; - lastState = LIST; + lastState = detail::LIST; NotAllowed(cmd, "transaction"); } break; - case POP3_CMD_RETR: + case detail::POP3_CMD_RETR: requestForMultiLine = true; - if ( masterState == POP3_TRANSACTION ) + if ( masterState == detail::POP3_TRANSACTION ) { POP3Event(pop3_request, true, cmd, message); - subState = POP3_WOK; - state = RETR; + subState = detail::POP3_WOK; + state = detail::RETR; } else { guessing = true; - lastState = RETR; + lastState = detail::RETR; NotAllowed(cmd, "transaction"); } break; - case POP3_CMD_DELE: - if ( masterState == POP3_TRANSACTION ) + case detail::POP3_CMD_DELE: + if ( masterState == detail::POP3_TRANSACTION ) { POP3Event(pop3_request, true, cmd, message); - subState = POP3_WOK; - state = DELE; + subState = detail::POP3_WOK; + state = detail::DELE; } else { guessing = true; - lastState = DELE; + lastState = detail::DELE; NotAllowed(cmd, "transaction"); } break; - case POP3_CMD_RSET: - if ( masterState == POP3_TRANSACTION ) + case detail::POP3_CMD_RSET: + if ( masterState == detail::POP3_TRANSACTION ) { POP3Event(pop3_request, true, cmd, message); - subState = POP3_WOK; - state = RSET; + subState = detail::POP3_WOK; + state = detail::RSET; } else { guessing = true; - lastState = RSET; + lastState = detail::RSET; NotAllowed(cmd, "transaction"); } break; - case POP3_CMD_NOOP: - if ( masterState == POP3_TRANSACTION ) + case detail::POP3_CMD_NOOP: + if ( masterState == detail::POP3_TRANSACTION ) { POP3Event(pop3_request, true, cmd, message); - subState = POP3_WOK; - state = NOOP; + subState = detail::POP3_WOK; + state = detail::NOOP; } else { guessing = true; - lastState = NOOP; + lastState = detail::NOOP; NotAllowed(cmd, "transaction"); } break; - case POP3_CMD_LAST: - if ( masterState == POP3_TRANSACTION ) + case detail::POP3_CMD_LAST: + if ( masterState == detail::POP3_TRANSACTION ) { POP3Event(pop3_request, true, cmd, message); - subState = POP3_WOK; - state = LAST; + subState = detail::POP3_WOK; + state = detail::LAST; } else { guessing = true; - lastState = LAST; + lastState = detail::LAST; NotAllowed(cmd, "transaction"); } break; - case POP3_CMD_QUIT: - if ( masterState == POP3_AUTHORIZATION || - masterState == POP3_TRANSACTION || - masterState == POP3_START ) + case detail::POP3_CMD_QUIT: + if ( masterState == detail::POP3_AUTHORIZATION || + masterState == detail::POP3_TRANSACTION || + masterState == detail::POP3_START ) { POP3Event(pop3_request, true, cmd, message); - subState = POP3_WOK; - state = QUIT; + subState = detail::POP3_WOK; + state = detail::QUIT; } else { guessing = true; - lastState = LAST; + lastState = detail::LAST; NotAllowed(cmd, "transaction"); } break; - case POP3_CMD_TOP: + case detail::POP3_CMD_TOP: requestForMultiLine = true; - if ( masterState == POP3_TRANSACTION ) + if ( masterState == detail::POP3_TRANSACTION ) { POP3Event(pop3_request, true, cmd, message); - subState = POP3_WOK; - state = TOP; + subState = detail::POP3_WOK; + state = detail::TOP; } else { guessing = true; - lastState = TOP; + lastState = detail::TOP; NotAllowed(cmd, "transaction"); } break; - case POP3_CMD_CAPA: + case detail::POP3_CMD_CAPA: POP3Event(pop3_request, true, cmd, message); - subState = POP3_WOK; - state = CAPA; + subState = detail::POP3_WOK; + state = detail::CAPA; requestForMultiLine = true; break; - case POP3_CMD_STLS: + case detail::POP3_CMD_STLS: POP3Event(pop3_request, true, cmd, message); - subState = POP3_WOK; - state = STLS; + subState = detail::POP3_WOK; + state = detail::STLS; break; - case POP3_CMD_UIDL: - if ( masterState == POP3_TRANSACTION ) + case detail::POP3_CMD_UIDL: + if ( masterState == detail::POP3_TRANSACTION ) { POP3Event(pop3_request, true, cmd, message); if ( ! *message ) { requestForMultiLine = true; - state = UIDL; - subState = POP3_WOK; + state = detail::UIDL; + subState = detail::POP3_WOK; } else { - state = UIDL; - subState = POP3_WOK; + state = detail::UIDL; + subState = detail::POP3_WOK; } } else @@ -551,22 +550,22 @@ void POP3_Analyzer::ProcessClientCmd() requestForMultiLine = true; guessing = true; - lastState = UIDL; + lastState = detail::UIDL; NotAllowed(cmd, "transaction"); } break; - case POP3_CMD_XSENDER: - if ( masterState == POP3_TRANSACTION ) + case detail::POP3_CMD_XSENDER: + if ( masterState == detail::POP3_TRANSACTION ) { POP3Event(pop3_request, true, cmd, message); - subState = POP3_WOK; - state = LAST; + subState = detail::POP3_WOK; + state = detail::LAST; } else { guessing = true; - lastState = XSENDER; + lastState = detail::XSENDER; NotAllowed(cmd, "transaction"); } break; @@ -610,7 +609,7 @@ void POP3_Analyzer::ProcessReply(int length, const char* line) } else { - if ( state == RETR || state == TOP ) + if ( state == detail::RETR || state == detail::TOP ) { int data_len = end_of_line - line; ProcessData(data_len, line); @@ -642,8 +641,8 @@ void POP3_Analyzer::ProcessReply(int length, const char* line) line, length); Weird("pop3_server_command_unknown"); - if ( subState == POP3_WOK ) - subState = POP3_OK; + if ( subState == detail::POP3_WOK ) + subState = detail::POP3_OK; } return; } @@ -653,13 +652,13 @@ void POP3_Analyzer::ProcessReply(int length, const char* line) const char* message = tokens.size() > 1 ? tokens[1].c_str() : ""; switch ( cmd_code ) { - case POP3_CMD_OK: - if ( subState == POP3_WOK ) - subState = POP3_OK; + case detail::POP3_CMD_OK: + if ( subState == detail::POP3_WOK ) + subState = detail::POP3_OK; if ( guessing ) { - masterState = POP3_TRANSACTION; + masterState = detail::POP3_TRANSACTION; guessing = false; state = lastState; POP3Event(pop3_unexpected, false, cmd, @@ -667,43 +666,43 @@ void POP3_Analyzer::ProcessReply(int length, const char* line) } switch ( state ) { - case START: - masterState = POP3_AUTHORIZATION; + case detail::START: + masterState = detail::POP3_AUTHORIZATION; break; - case USER: - state = USER; - masterState = POP3_AUTHORIZATION; + case detail::USER: + state = detail::USER; + masterState = detail::POP3_AUTHORIZATION; ProtocolConfirmation(); break; - case PASS: - case APOP: - case NOOP: - case LAST: - case STAT: - case RSET: - case DELE: - case XSENDER: - if ( masterState == POP3_AUTHORIZATION ) + case detail::PASS: + case detail::APOP: + case detail::NOOP: + case detail::LAST: + case detail::STAT: + case detail::RSET: + case detail::DELE: + case detail::XSENDER: + if ( masterState == detail::POP3_AUTHORIZATION ) AuthSuccessfull(); - masterState = POP3_TRANSACTION; + masterState = detail::POP3_TRANSACTION; break; - case AUTH: - case AUTH_PLAIN: - case AUTH_CRAM_MD5: - case AUTH_LOGIN: + case detail::AUTH: + case detail::AUTH_PLAIN: + case detail::AUTH_CRAM_MD5: + case detail::AUTH_LOGIN: if ( requestForMultiLine == true ) multiLine = true; if ( waitingForAuthentication ) - masterState = POP3_TRANSACTION; + masterState = detail::POP3_TRANSACTION; waitingForAuthentication = false; AuthSuccessfull(); break; - case TOP: - case RETR: + case detail::TOP: + case detail::RETR: { int data_len = end_of_line - line; if ( ! mail ) @@ -715,29 +714,29 @@ void POP3_Analyzer::ProcessReply(int length, const char* line) break; } - case CAPA: + case detail::CAPA: ProtocolConfirmation(); // Fall-through. - case UIDL: - case LIST: + case detail::UIDL: + case detail::LIST: if (requestForMultiLine == true) multiLine = true; break; - case STLS: + case detail::STLS: ProtocolConfirmation(); tls = true; StartTLS(); return; - case QUIT: - if ( masterState == POP3_AUTHORIZATION || - masterState == POP3_START ) - masterState = POP3_FINISHED; + case detail::QUIT: + if ( masterState == detail::POP3_AUTHORIZATION || + masterState == detail::POP3_START ) + masterState = detail::POP3_FINISHED; - else if ( masterState == POP3_TRANSACTION ) - masterState = POP3_UPDATE; + else if ( masterState == detail::POP3_TRANSACTION ) + masterState = detail::POP3_UPDATE; break; } @@ -749,9 +748,9 @@ void POP3_Analyzer::ProcessReply(int length, const char* line) FinishClientCmd(); break; - case POP3_CMD_ERR: - if ( subState == POP3_WOK ) - subState = POP3_OK; + case detail::POP3_CMD_ERR: + if ( subState == detail::POP3_WOK ) + subState = detail::POP3_OK; multiLine = false; requestForMultiLine = false; @@ -759,18 +758,18 @@ void POP3_Analyzer::ProcessReply(int length, const char* line) waitingForAuthentication = false; switch ( state ) { - case START: + case detail::START: break; - case USER: - case PASS: - case APOP: - case AUTH: - case AUTH_LOGIN: - case AUTH_PLAIN: - case AUTH_CRAM_MD5: - masterState = POP3_AUTHORIZATION; - state = START; + case detail::USER: + case detail::PASS: + case detail::APOP: + case detail::AUTH: + case detail::AUTH_LOGIN: + case detail::AUTH_PLAIN: + case detail::AUTH_CRAM_MD5: + masterState = detail::POP3_AUTHORIZATION; + state = detail::START; waitingForAuthentication = false; if ( user.size() ) @@ -778,27 +777,27 @@ void POP3_Analyzer::ProcessReply(int length, const char* line) user.c_str(), password.c_str()); break; - case NOOP: - case LAST: - case STAT: - case RSET: - case DELE: - case LIST: - case RETR: - case UIDL: - case TOP: - case XSENDER: - masterState = POP3_TRANSACTION; + case detail::NOOP: + case detail::LAST: + case detail::STAT: + case detail::RSET: + case detail::DELE: + case detail::LIST: + case detail::RETR: + case detail::UIDL: + case detail::TOP: + case detail::XSENDER: + masterState = detail::POP3_TRANSACTION; break; - case CAPA: + case detail::CAPA: break; - case QUIT: - if ( masterState == POP3_AUTHORIZATION || - masterState == POP3_TRANSACTION || - masterState == POP3_START ) - masterState = POP3_FINISHED; + case detail::QUIT: + if ( masterState == detail::POP3_AUTHORIZATION || + masterState == detail::POP3_TRANSACTION || + masterState == detail::POP3_START ) + masterState = detail::POP3_FINISHED; break; } @@ -839,7 +838,7 @@ void POP3_Analyzer::AuthSuccessfull() void POP3_Analyzer::BeginData(bool orig) { delete mail; - mail = new mime::MIME_Mail(this, orig); + mail = new zeek::analyzer::mime::MIME_Mail(this, orig); } void POP3_Analyzer::EndData() @@ -864,7 +863,7 @@ int POP3_Analyzer::ParseCmd(std::string cmd) if ( cmd.size() == 0 ) return -1; - for ( int code = POP3_CMD_OK; code < POP3_CMD_END; ++code ) + for ( int code = detail::POP3_CMD_OK; code < detail::POP3_CMD_END; ++code ) { char c = cmd.c_str()[0]; if ( c == '+' || c == '-' ) @@ -929,3 +928,5 @@ void POP3_Analyzer::POP3Event(zeek::EventHandlerPtr event, bool is_orig, EnqueueConnEvent(event, std::move(vl)); } + +} // namespace zeek::analyzer::pop3 diff --git a/src/analyzer/protocol/pop3/POP3.h b/src/analyzer/protocol/pop3/POP3.h index 52d376f762..9d5fbd4f70 100644 --- a/src/analyzer/protocol/pop3/POP3.h +++ b/src/analyzer/protocol/pop3/POP3.h @@ -16,21 +16,22 @@ #undef POP3_CMD_DEF #define POP3_CMD_DEF(cmd) POP3_CMD_##cmd, -namespace analyzer { namespace pop3 { +namespace zeek::analyzer::pop3 { +namespace detail { -typedef enum { +enum POP3_Cmd { #include "POP3_cmd.def" -} POP3_Cmd; +}; -typedef enum { +enum POP3_MasterState { POP3_START, POP3_AUTHORIZATION, POP3_TRANSACTION, POP3_UPDATE, POP3_FINISHED, -} POP3_MasterState; +}; -typedef enum { +enum POP3_State { START, USER, PASS, @@ -54,12 +55,14 @@ typedef enum { XSENDER, MISC, END, -} POP3_State; +}; -typedef enum { +enum POP3_SubState { POP3_OK, POP3_WOK, -} POP3_SubState; +}; + +} // namespace detail class POP3_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { public: @@ -105,7 +108,7 @@ protected: void POP3Event(zeek::EventHandlerPtr event, bool is_orig, const char* arg1 = nullptr, const char* arg2 = nullptr); - mime::MIME_Mail* mail; + zeek::analyzer::mime::MIME_Mail* mail; std::list cmds; private: @@ -114,4 +117,45 @@ private: zeek::analyzer::tcp::ContentLine_Analyzer* cl_resp; }; -} } // namespace analyzer::* +} // namespace zeek::analyzer::pop3 + +namespace analyzer::pop3 { + +using POP3_Cmd [[deprecated("Remove in v4.1. Use zeek::analyzer::pop3::detail::POP3_Cmd.")]] = zeek::analyzer::pop3::detail::POP3_Cmd; +// These values are from a #include above + +using POP3_MasterState [[deprecated("Remove in v4.1. Use zeek::analyzer::pop3::detail::POP3_MasterState.")]] = zeek::analyzer::pop3::detail::POP3_MasterState; +constexpr auto POP3_START [[deprecated("Remove in v4.1. Uze zeek::analyzer::pop3::detail::POP3_START.")]] = zeek::analyzer::pop3::detail::POP3_START; +constexpr auto POP3_AUTHORIZATION [[deprecated("Remove in v4.1. Uze zeek::analyzer::pop3::detail::POP3_AUTHORIZATION.")]] = zeek::analyzer::pop3::detail::POP3_AUTHORIZATION; +constexpr auto POP3_TRANSACTION [[deprecated("Remove in v4.1. Uze zeek::analyzer::pop3::detail::POP3_TRANSACTION.")]] = zeek::analyzer::pop3::detail::POP3_TRANSACTION; +constexpr auto POP3_UPDATE [[deprecated("Remove in v4.1. Uze zeek::analyzer::pop3::detail::POP3_UPDATE.")]] = zeek::analyzer::pop3::detail::POP3_UPDATE; +constexpr auto POP3_FINISHED [[deprecated("Remove in v4.1. Uze zeek::analyzer::pop3::detail::POP3_FINISHED.")]] = zeek::analyzer::pop3::detail::POP3_FINISHED; + +using POP3_State [[deprecated("Remove in v4.1. Use zeek::analyzer::pop3::detail::POP3_State.")]] = zeek::analyzer::pop3::detail::POP3_State; +constexpr auto START [[deprecated("Remove in v4.1. Uze zeek::analyzer::pop3::detail::START.")]] = zeek::analyzer::pop3::detail::START; +constexpr auto USER [[deprecated("Remove in v4.1. Uze zeek::analyzer::pop3::detail::USER.")]] = zeek::analyzer::pop3::detail::USER; +constexpr auto PASS [[deprecated("Remove in v4.1. Uze zeek::analyzer::pop3::detail::PASS.")]] = zeek::analyzer::pop3::detail::PASS; +constexpr auto APOP [[deprecated("Remove in v4.1. Uze zeek::analyzer::pop3::detail::APOP.")]] = zeek::analyzer::pop3::detail::APOP; +constexpr auto AUTH [[deprecated("Remove in v4.1. Uze zeek::analyzer::pop3::detail::AUTH.")]] = zeek::analyzer::pop3::detail::AUTH; +constexpr auto AUTH_PLAIN [[deprecated("Remove in v4.1. Uze zeek::analyzer::pop3::detail::AUTH_PLAIN.")]] = zeek::analyzer::pop3::detail::AUTH_PLAIN; +constexpr auto AUTH_LOGIN [[deprecated("Remove in v4.1. Uze zeek::analyzer::pop3::detail::AUTH_LOGIN.")]] = zeek::analyzer::pop3::detail::AUTH_LOGIN; +constexpr auto AUTH_CRAM_MD5 [[deprecated("Remove in v4.1. Uze zeek::analyzer::pop3::detail::AUTH_CRAM_MD5.")]] = zeek::analyzer::pop3::detail::AUTH_CRAM_MD5; +constexpr auto NOOP [[deprecated("Remove in v4.1. Uze zeek::analyzer::pop3::detail::NOOP.")]] = zeek::analyzer::pop3::detail::NOOP; +constexpr auto LAST [[deprecated("Remove in v4.1. Uze zeek::analyzer::pop3::detail::LAST.")]] = zeek::analyzer::pop3::detail::LAST; +constexpr auto STAT [[deprecated("Remove in v4.1. Uze zeek::analyzer::pop3::detail::STAT.")]] = zeek::analyzer::pop3::detail::STAT; +constexpr auto LIST [[deprecated("Remove in v4.1. Uze zeek::analyzer::pop3::detail::LIST.")]] = zeek::analyzer::pop3::detail::LIST; +constexpr auto RETR [[deprecated("Remove in v4.1. Uze zeek::analyzer::pop3::detail::RETR.")]] = zeek::analyzer::pop3::detail::RETR; +constexpr auto DELE [[deprecated("Remove in v4.1. Uze zeek::analyzer::pop3::detail::DELE.")]] = zeek::analyzer::pop3::detail::DELE; +constexpr auto UIDL [[deprecated("Remove in v4.1. Uze zeek::analyzer::pop3::detail::UIDL.")]] = zeek::analyzer::pop3::detail::UIDL; +constexpr auto TOP [[deprecated("Remove in v4.1. Uze zeek::analyzer::pop3::detail::TOP.")]] = zeek::analyzer::pop3::detail::TOP; +constexpr auto QUIT [[deprecated("Remove in v4.1. Uze zeek::analyzer::pop3::detail::QUIT.")]] = zeek::analyzer::pop3::detail::QUIT; +constexpr auto RSET [[deprecated("Remove in v4.1. Uze zeek::analyzer::pop3::detail::RSET.")]] = zeek::analyzer::pop3::detail::RSET; +constexpr auto CAPA [[deprecated("Remove in v4.1. Uze zeek::analyzer::pop3::detail::CAPA.")]] = zeek::analyzer::pop3::detail::CAPA; +constexpr auto STLS [[deprecated("Remove in v4.1. Uze zeek::analyzer::pop3::detail::STLS.")]] = zeek::analyzer::pop3::detail::STLS; +constexpr auto XSENDER [[deprecated("Remove in v4.1. Uze zeek::analyzer::pop3::detail::XSENDER.")]] = zeek::analyzer::pop3::detail::XSENDER; +constexpr auto MISC [[deprecated("Remove in v4.1. Uze zeek::analyzer::pop3::detail::MISC.")]] = zeek::analyzer::pop3::detail::MISC; +constexpr auto END [[deprecated("Remove in v4.1. Uze zeek::analyzer::pop3::detail::END.")]] = zeek::analyzer::pop3::detail::END; + +using POP3_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::pop3::POP3_Analyzer.")]] = zeek::analyzer::pop3::POP3_Analyzer; + +} // namespace analyzer::pop3 diff --git a/src/analyzer/protocol/pop3/Plugin.cc b/src/analyzer/protocol/pop3/Plugin.cc index 96a202c28d..c30d39b422 100644 --- a/src/analyzer/protocol/pop3/Plugin.cc +++ b/src/analyzer/protocol/pop3/Plugin.cc @@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() override { - AddComponent(new zeek::analyzer::Component("POP3", ::analyzer::pop3::POP3_Analyzer::Instantiate)); + AddComponent(new zeek::analyzer::Component("POP3", zeek::analyzer::pop3::POP3_Analyzer::Instantiate)); zeek::plugin::Configuration config; config.name = "Zeek::POP3"; diff --git a/src/analyzer/protocol/radius/Plugin.cc b/src/analyzer/protocol/radius/Plugin.cc index fb561d8002..59de16e915 100644 --- a/src/analyzer/protocol/radius/Plugin.cc +++ b/src/analyzer/protocol/radius/Plugin.cc @@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() override { - AddComponent(new zeek::analyzer::Component("RADIUS", ::analyzer::RADIUS::RADIUS_Analyzer::Instantiate)); + AddComponent(new zeek::analyzer::Component("RADIUS", zeek::analyzer::radius::RADIUS_Analyzer::Instantiate)); zeek::plugin::Configuration config; config.name = "Zeek::RADIUS"; diff --git a/src/analyzer/protocol/radius/RADIUS.cc b/src/analyzer/protocol/radius/RADIUS.cc index 2a3de1d6b8..44ff6dbffc 100644 --- a/src/analyzer/protocol/radius/RADIUS.cc +++ b/src/analyzer/protocol/radius/RADIUS.cc @@ -6,7 +6,7 @@ #include "events.bif.h" -using namespace analyzer::RADIUS; +namespace zeek::analyzer::radius { RADIUS_Analyzer::RADIUS_Analyzer(zeek::Connection* c) : zeek::analyzer::Analyzer("RADIUS", c) @@ -38,3 +38,5 @@ void RADIUS_Analyzer::DeliverPacket(int len, const u_char* data, ProtocolViolation(fmt("Binpac exception: %s", e.c_msg())); } } + +} // namespace zeek::analyzer::radius diff --git a/src/analyzer/protocol/radius/RADIUS.h b/src/analyzer/protocol/radius/RADIUS.h index b76ebd7630..bb2ae72f49 100644 --- a/src/analyzer/protocol/radius/RADIUS.h +++ b/src/analyzer/protocol/radius/RADIUS.h @@ -4,12 +4,11 @@ #include "events.bif.h" - #include "analyzer/protocol/udp/UDP.h" #include "radius_pac.h" -namespace analyzer { namespace RADIUS { +namespace zeek::analyzer::radius { class RADIUS_Analyzer final : public zeek::analyzer::Analyzer { public: @@ -28,4 +27,10 @@ protected: binpac::RADIUS::RADIUS_Conn* interp; }; -} } // namespace analyzer::* +} // namespace zeek::analyzer::radius + +namespace analyzer::RADIUS { + +using RADIUS_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::radius::RADIUS_Analyzer.")]] = zeek::analyzer::radius::RADIUS_Analyzer; + +} // namespace analyzer::RADIUS diff --git a/src/analyzer/protocol/rdp/Plugin.cc b/src/analyzer/protocol/rdp/Plugin.cc index 61f2a02832..e557782114 100644 --- a/src/analyzer/protocol/rdp/Plugin.cc +++ b/src/analyzer/protocol/rdp/Plugin.cc @@ -10,8 +10,8 @@ class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() override { - AddComponent(new zeek::analyzer::Component("RDP", ::analyzer::rdp::RDP_Analyzer::InstantiateAnalyzer)); - AddComponent(new zeek::analyzer::Component("RDPEUDP", ::analyzer::rdpeudp::RDP_Analyzer::InstantiateAnalyzer)); + AddComponent(new zeek::analyzer::Component("RDP", zeek::analyzer::rdp::RDP_Analyzer::InstantiateAnalyzer)); + AddComponent(new zeek::analyzer::Component("RDPEUDP", zeek::analyzer::rdpeudp::RDP_Analyzer::InstantiateAnalyzer)); zeek::plugin::Configuration config; config.name = "Zeek::RDP"; diff --git a/src/analyzer/protocol/rdp/RDP.cc b/src/analyzer/protocol/rdp/RDP.cc index 9df3af7b98..a5e594ad4b 100644 --- a/src/analyzer/protocol/rdp/RDP.cc +++ b/src/analyzer/protocol/rdp/RDP.cc @@ -4,7 +4,7 @@ #include "events.bif.h" #include "types.bif.h" -using namespace analyzer::rdp; +namespace zeek::analyzer::rdp { RDP_Analyzer::RDP_Analyzer(zeek::Connection* c) : zeek::analyzer::tcp::TCP_ApplicationAnalyzer("RDP", c) @@ -99,3 +99,5 @@ void RDP_Analyzer::Undelivered(uint64_t seq, int len, bool orig) had_gap = true; interp->NewGap(orig, len); } + +} // namespace zeek::analyzer::rdp diff --git a/src/analyzer/protocol/rdp/RDP.h b/src/analyzer/protocol/rdp/RDP.h index bfb5d01a9b..a6f3a0ba3c 100644 --- a/src/analyzer/protocol/rdp/RDP.h +++ b/src/analyzer/protocol/rdp/RDP.h @@ -5,7 +5,7 @@ #include "analyzer/protocol/pia/PIA.h" #include "rdp_pac.h" -namespace analyzer { namespace rdp { +namespace zeek::analyzer::rdp { class RDP_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { @@ -29,4 +29,10 @@ protected: zeek::analyzer::pia::PIA_TCP *pia; }; -} } // namespace analyzer::* +} // namespace zeek::analyzer::rdp + +namespace analyzer::rdp { + +using RDP_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::rdp::RDP_Analyzer.")]] = zeek::analyzer::rdp::RDP_Analyzer; + +} // namespace analyzer::rdp diff --git a/src/analyzer/protocol/rdp/RDPEUDP.cc b/src/analyzer/protocol/rdp/RDPEUDP.cc index e1238161a6..76845a3d09 100644 --- a/src/analyzer/protocol/rdp/RDPEUDP.cc +++ b/src/analyzer/protocol/rdp/RDPEUDP.cc @@ -3,7 +3,7 @@ #include "events.bif.h" #include "rdpeudp_pac.h" -using namespace analyzer::rdpeudp; +namespace zeek::analyzer::rdpeudp { RDP_Analyzer::RDP_Analyzer(zeek::Connection* c) : zeek::analyzer::Analyzer("RDPEUDP", c) @@ -35,3 +35,5 @@ void RDP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, ProtocolViolation(fmt("Binpac exception: %s", e.c_msg())); } } + +} // namespace zeek::analyzer::rdpeudp diff --git a/src/analyzer/protocol/rdp/RDPEUDP.h b/src/analyzer/protocol/rdp/RDPEUDP.h index e692c32acc..39ba432ac4 100644 --- a/src/analyzer/protocol/rdp/RDPEUDP.h +++ b/src/analyzer/protocol/rdp/RDPEUDP.h @@ -4,7 +4,8 @@ #include "analyzer/protocol/udp/UDP.h" #include "rdpeudp_pac.h" -namespace analyzer { namespace rdpeudp { +namespace zeek::analyzer::rdpeudp { + class RDP_Analyzer final : public zeek::analyzer::Analyzer { public: @@ -21,4 +22,10 @@ protected: binpac::RDPEUDP::RDPEUDP_Conn* interp; }; -} } +} // namespace zeek::analyzer::rdpeudp + +namespace analyzer::rdpeudp { + +using RDP_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::rdpeudp::RDP_Analyzer.")]] = zeek::analyzer::rdpeudp::RDP_Analyzer; + +} // namespace analyzer::rdpeudp diff --git a/src/analyzer/protocol/rfb/Plugin.cc b/src/analyzer/protocol/rfb/Plugin.cc index 917135552b..00dd18b06c 100644 --- a/src/analyzer/protocol/rfb/Plugin.cc +++ b/src/analyzer/protocol/rfb/Plugin.cc @@ -10,7 +10,7 @@ public: zeek::plugin::Configuration Configure() override { AddComponent(new zeek::analyzer::Component("RFB", - ::analyzer::rfb::RFB_Analyzer::InstantiateAnalyzer)); + zeek::analyzer::rfb::RFB_Analyzer::InstantiateAnalyzer)); zeek::plugin::Configuration config; config.name = "Zeek::RFB"; diff --git a/src/analyzer/protocol/rfb/RFB.cc b/src/analyzer/protocol/rfb/RFB.cc index f77f64a864..79cd66f38d 100644 --- a/src/analyzer/protocol/rfb/RFB.cc +++ b/src/analyzer/protocol/rfb/RFB.cc @@ -6,12 +6,10 @@ #include "events.bif.h" -using namespace analyzer::rfb; +namespace zeek::analyzer::rfb { RFB_Analyzer::RFB_Analyzer(zeek::Connection* c) - -: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("RFB", c) - + : zeek::analyzer::tcp::TCP_ApplicationAnalyzer("RFB", c) { interp = new binpac::RFB::RFB_Conn(this); had_gap = false; @@ -76,3 +74,5 @@ void RFB_Analyzer::Undelivered(uint64_t seq, int len, bool orig) had_gap = true; interp->NewGap(orig, len); } + +} // namespace zeek::analyzer::rfb diff --git a/src/analyzer/protocol/rfb/RFB.h b/src/analyzer/protocol/rfb/RFB.h index c2db6b31ee..12585943cc 100644 --- a/src/analyzer/protocol/rfb/RFB.h +++ b/src/analyzer/protocol/rfb/RFB.h @@ -2,12 +2,11 @@ #include "events.bif.h" - #include "analyzer/protocol/tcp/TCP.h" #include "rfb_pac.h" -namespace analyzer { namespace rfb { +namespace zeek::analyzer::rfb { class RFB_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { @@ -35,4 +34,10 @@ protected: }; -} } // namespace analyzer::* +} // namespace zeek::analyzer::rfb + +namespace analyzer::rfb { + +using RFB_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::rfb::RFB_Analyzer.")]] = zeek::analyzer::rfb::RFB_Analyzer; + +} // namespace analyzer::rfb diff --git a/src/analyzer/protocol/rpc/MOUNT.cc b/src/analyzer/protocol/rpc/MOUNT.cc index af30ee359a..93800cdc07 100644 --- a/src/analyzer/protocol/rpc/MOUNT.cc +++ b/src/analyzer/protocol/rpc/MOUNT.cc @@ -13,7 +13,8 @@ #include "events.bif.h" -using namespace analyzer::rpc; +namespace zeek::analyzer::rpc { +namespace detail { bool MOUNT_Interp::RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n) { @@ -280,8 +281,10 @@ zeek::RecordValPtr MOUNT_Interp::mount3_mnt_reply(const u_char*& buf, int& n, return rep; } +} // namespace detail + MOUNT_Analyzer::MOUNT_Analyzer(zeek::Connection* conn) - : RPC_Analyzer("MOUNT", conn, new MOUNT_Interp(this)) + : RPC_Analyzer("MOUNT", conn, new detail::MOUNT_Interp(this)) { orig_rpc = resp_rpc = nullptr; } @@ -298,3 +301,5 @@ void MOUNT_Analyzer::Init() AddSupportAnalyzer(resp_rpc); } } + +} // namespace zeek::analyzer::rpc diff --git a/src/analyzer/protocol/rpc/MOUNT.h b/src/analyzer/protocol/rpc/MOUNT.h index 0019354987..ad6a62e74e 100644 --- a/src/analyzer/protocol/rpc/MOUNT.h +++ b/src/analyzer/protocol/rpc/MOUNT.h @@ -4,7 +4,8 @@ #include "RPC.h" -namespace analyzer { namespace rpc { +namespace zeek::analyzer::rpc { +namespace detail { class MOUNT_Interp : public RPC_Interpreter { public: @@ -37,6 +38,8 @@ protected: zeek::RecordValPtr mount3_mnt_reply(const u_char*& buf, int& n, BifEnum::MOUNT3::status_t status); }; +} // namespace detail + class MOUNT_Analyzer : public RPC_Analyzer { public: explicit MOUNT_Analyzer(zeek::Connection* conn); @@ -46,5 +49,11 @@ public: { return new MOUNT_Analyzer(conn); } }; +} // namespace zeek::analyzer::rpc -} } // namespace analyzer::* +namespace analyzer::rpc { + +using MOUNT_Interp [[deprecated("Remove in v4.1. Use zeek::analyzer::rpc::detail::MOUNT_Interp.")]] = zeek::analyzer::rpc::detail::MOUNT_Interp; +using MOUNT_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::rpc::MOUNT_Analyzer.")]] = zeek::analyzer::rpc::MOUNT_Analyzer; + +} // namespace analyzer::rpc diff --git a/src/analyzer/protocol/rpc/NFS.cc b/src/analyzer/protocol/rpc/NFS.cc index 84ed067d49..20f35221f2 100644 --- a/src/analyzer/protocol/rpc/NFS.cc +++ b/src/analyzer/protocol/rpc/NFS.cc @@ -13,7 +13,8 @@ #include "events.bif.h" -using namespace analyzer::rpc; +namespace zeek::analyzer::rpc { +namespace detail { bool NFS_Interp::RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n) { @@ -816,9 +817,10 @@ zeek::ValPtr NFS_Interp::ExtractBool(const u_char*& buf, int& n) return zeek::val_mgr->Bool(extract_XDR_uint32(buf, n)); } +} // namespace detail NFS_Analyzer::NFS_Analyzer(zeek::Connection* conn) - : RPC_Analyzer("NFS", conn, new NFS_Interp(this)) + : RPC_Analyzer("NFS", conn, new detail::NFS_Interp(this)) { orig_rpc = resp_rpc = nullptr; } @@ -835,3 +837,5 @@ void NFS_Analyzer::Init() AddSupportAnalyzer(resp_rpc); } } + +} // namespace zeek::analyzer::rpc diff --git a/src/analyzer/protocol/rpc/NFS.h b/src/analyzer/protocol/rpc/NFS.h index 2f0bac4ae6..92b6e9962d 100644 --- a/src/analyzer/protocol/rpc/NFS.h +++ b/src/analyzer/protocol/rpc/NFS.h @@ -5,7 +5,8 @@ #include "RPC.h" #include "NetVar.h" -namespace analyzer { namespace rpc { +namespace zeek::analyzer::rpc { +namespace detail { class NFS_Interp : public RPC_Interpreter { public: @@ -79,6 +80,8 @@ protected: zeek::ValPtr ExtractBool(const u_char*& buf, int& n); }; +} // namespace detail + class NFS_Analyzer : public RPC_Analyzer { public: explicit NFS_Analyzer(zeek::Connection* conn); @@ -88,5 +91,11 @@ public: { return new NFS_Analyzer(conn); } }; +} // namespace zeek::analyzer::rpc -} } // namespace analyzer::* +namespace analyzer::rpc { + +using NFS_Interp [[deprecated("Remove in v4.1. Use zeek::analyzer::rpc::detail::NFS_Interp.")]] = zeek::analyzer::rpc::detail::NFS_Interp; +using NFS_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::rpc::NFS_Analyzer.")]] = zeek::analyzer::rpc::NFS_Analyzer; + +} // namespace analyzer::rpc diff --git a/src/analyzer/protocol/rpc/Plugin.cc b/src/analyzer/protocol/rpc/Plugin.cc index 39ee57d14d..8e23d746ec 100644 --- a/src/analyzer/protocol/rpc/Plugin.cc +++ b/src/analyzer/protocol/rpc/Plugin.cc @@ -14,9 +14,9 @@ class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() override { - AddComponent(new zeek::analyzer::Component("NFS", ::analyzer::rpc::NFS_Analyzer::Instantiate)); - AddComponent(new zeek::analyzer::Component("MOUNT", ::analyzer::rpc::MOUNT_Analyzer::Instantiate)); - AddComponent(new zeek::analyzer::Component("Portmapper", ::analyzer::rpc::Portmapper_Analyzer::Instantiate)); + AddComponent(new zeek::analyzer::Component("NFS", zeek::analyzer::rpc::NFS_Analyzer::Instantiate)); + AddComponent(new zeek::analyzer::Component("MOUNT", zeek::analyzer::rpc::MOUNT_Analyzer::Instantiate)); + AddComponent(new zeek::analyzer::Component("Portmapper", zeek::analyzer::rpc::Portmapper_Analyzer::Instantiate)); AddComponent(new zeek::analyzer::Component("Contents_RPC", nullptr)); AddComponent(new zeek::analyzer::Component("Contents_NFS", nullptr)); diff --git a/src/analyzer/protocol/rpc/Portmap.cc b/src/analyzer/protocol/rpc/Portmap.cc index bbbc8b151f..8f23aab824 100644 --- a/src/analyzer/protocol/rpc/Portmap.cc +++ b/src/analyzer/protocol/rpc/Portmap.cc @@ -9,8 +9,6 @@ #include "zeek-config.h" -using namespace analyzer::rpc; - #define PMAPPROC_NULL 0 #define PMAPPROC_SET 1 #define PMAPPROC_UNSET 2 @@ -18,6 +16,9 @@ using namespace analyzer::rpc; #define PMAPPROC_DUMP 4 #define PMAPPROC_CALLIT 5 +namespace zeek::analyzer::rpc { +namespace detail { + bool PortmapperInterp::RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n) { if ( c->Program() != 100000 ) @@ -289,8 +290,10 @@ void PortmapperInterp::Event(zeek::EventHandlerPtr f, zeek::ValPtr request, BifE analyzer->EnqueueConnEvent(f, std::move(vl)); } +} // namespace detail + Portmapper_Analyzer::Portmapper_Analyzer(zeek::Connection* conn) -: RPC_Analyzer("PORTMAPPER", conn, new PortmapperInterp(this)) +: RPC_Analyzer("PORTMAPPER", conn, new detail::PortmapperInterp(this)) { orig_rpc = resp_rpc = nullptr; } @@ -311,3 +314,5 @@ void Portmapper_Analyzer::Init() AddSupportAnalyzer(resp_rpc); } } + +} // namespace zeek::analyzer::rpc diff --git a/src/analyzer/protocol/rpc/Portmap.h b/src/analyzer/protocol/rpc/Portmap.h index 5a8be03d6b..6fae3b8e40 100644 --- a/src/analyzer/protocol/rpc/Portmap.h +++ b/src/analyzer/protocol/rpc/Portmap.h @@ -4,7 +4,8 @@ #include "RPC.h" -namespace analyzer { namespace rpc { +namespace zeek::analyzer::rpc { +namespace detail { class PortmapperInterp : public RPC_Interpreter { public: @@ -24,6 +25,8 @@ protected: zeek::ValPtr ExtractCallItRequest(const u_char*& buf, int& len); }; +} // namespace detail + class Portmapper_Analyzer : public RPC_Analyzer { public: explicit Portmapper_Analyzer(zeek::Connection* conn); @@ -34,4 +37,11 @@ public: { return new Portmapper_Analyzer(conn); } }; -} } // namespace analyzer::* +} // namespace zeek::analyzer::detail + +namespace analyzer::rpc { + +using PortmapperInterp [[deprecated("Remove in v4.1. Use zeek::analyzer::rpc::detail::PortmapperInterp.")]] = zeek::analyzer::rpc::detail::PortmapperInterp; +using Portmapper_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::rpc::Portmapper_Analyzer.")]] = zeek::analyzer::rpc::Portmapper_Analyzer; + +} // namespace analyzer::rpc diff --git a/src/analyzer/protocol/rpc/RPC.cc b/src/analyzer/protocol/rpc/RPC.cc index 93a61e0a69..4daf70b756 100644 --- a/src/analyzer/protocol/rpc/RPC.cc +++ b/src/analyzer/protocol/rpc/RPC.cc @@ -14,8 +14,6 @@ #include -using namespace analyzer::rpc; - namespace { // local namespace const bool DEBUG_rpc_resync = false; } @@ -25,6 +23,8 @@ namespace { // local namespace // TODO: make this configurable #define MAX_RPC_LEN 65536 +namespace zeek::analyzer::rpc { +namespace detail { RPC_CallInfo::RPC_CallInfo(uint32_t arg_xid, const u_char*& buf, int& n, double arg_start_time, double arg_last_time, int arg_rpc_len) { @@ -412,8 +412,10 @@ bool RPC_Reasm_Buffer::ConsumeChunk(const u_char*& data, int& len) return (expected == processed); } +} // namespace detail + Contents_RPC::Contents_RPC(zeek::Connection* conn, bool orig, - RPC_Interpreter* arg_interp) + detail::RPC_Interpreter* arg_interp) : zeek::analyzer::tcp::TCP_SupportAnalyzer("CONTENTS_RPC", conn, orig) { interp = arg_interp; @@ -721,7 +723,7 @@ void Contents_RPC::DeliverStream(int len, const u_char* data, bool orig) } RPC_Analyzer::RPC_Analyzer(const char* name, zeek::Connection* conn, - RPC_Interpreter* arg_interp) + detail::RPC_Interpreter* arg_interp) : zeek::analyzer::tcp::TCP_ApplicationAnalyzer(name, conn), interp(arg_interp), orig_rpc(), resp_rpc() { @@ -737,7 +739,7 @@ RPC_Analyzer::~RPC_Analyzer() } void RPC_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, - uint64_t seq, const zeek::IP_Hdr* ip, int caplen) + uint64_t seq, const zeek::IP_Hdr* ip, int caplen) { zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen); len = std::min(len, caplen); @@ -766,3 +768,5 @@ void RPC_Analyzer::ExpireTimer(double /* t */) Event(connection_timeout); zeek::sessions->Remove(Conn()); } + +} // namespace zeek::analyzer::rpc diff --git a/src/analyzer/protocol/rpc/RPC.h b/src/analyzer/protocol/rpc/RPC.h index bd71e2087f..590be7a236 100644 --- a/src/analyzer/protocol/rpc/RPC.h +++ b/src/analyzer/protocol/rpc/RPC.h @@ -5,7 +5,8 @@ #include "analyzer/protocol/tcp/TCP.h" #include "NetVar.h" -namespace analyzer { namespace rpc { +namespace zeek::analyzer::rpc { +namespace detail { enum { RPC_CALL = 0, @@ -183,10 +184,12 @@ protected: }; +} // namespace detail + /* Support Analyzer for reassembling RPC-over-TCP messages */ class Contents_RPC final : public zeek::analyzer::tcp::TCP_SupportAnalyzer { public: - Contents_RPC(zeek::Connection* conn, bool orig, RPC_Interpreter* interp); + Contents_RPC(zeek::Connection* conn, bool orig, detail::RPC_Interpreter* interp); ~Contents_RPC() override; protected: @@ -217,10 +220,10 @@ protected: state = WAIT_FOR_MESSAGE; } - RPC_Interpreter* interp; + detail::RPC_Interpreter* interp; - RPC_Reasm_Buffer marker_buf; // reassembles the 32bit RPC-over-TCP marker - RPC_Reasm_Buffer msg_buf; // reassembles RPC messages + detail::RPC_Reasm_Buffer marker_buf; // reassembles the 32bit RPC-over-TCP marker + detail::RPC_Reasm_Buffer msg_buf; // reassembles RPC messages state_t state; double start_time; @@ -233,7 +236,7 @@ protected: class RPC_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { public: RPC_Analyzer(const char* name, zeek::Connection* conn, - RPC_Interpreter* arg_interp); + detail::RPC_Interpreter* arg_interp); ~RPC_Analyzer() override; void Done() override; @@ -244,10 +247,42 @@ protected: void ExpireTimer(double t); - RPC_Interpreter* interp; + detail::RPC_Interpreter* interp; Contents_RPC* orig_rpc; Contents_RPC* resp_rpc; }; -} } // namespace analyzer::* +} // namespace zeek::analyzer::rpc + +namespace analyzer::rpc { + +constexpr auto RPC_CALL [[deprecated("Remove in v4.1. Uze zeek::analyzer::rpc::detail::RPC_CALL.")]] = zeek::analyzer::rpc::detail::RPC_CALL; +constexpr auto RPC_REPLY [[deprecated("Remove in v4.1. Uze zeek::analyzer::rpc::detail::RPC_REPLY.")]] = zeek::analyzer::rpc::detail::RPC_REPLY; +constexpr auto RPC_MSG_ACCEPTED [[deprecated("Remove in v4.1. Uze zeek::analyzer::rpc::detail::RPC_MSG_ACCEPTED.")]] = zeek::analyzer::rpc::detail::RPC_MSG_ACCEPTED; +constexpr auto RPC_MSG_DENIED [[deprecated("Remove in v4.1. Uze zeek::analyzer::rpc::detail::RPC_MSG_DENIED.")]] = zeek::analyzer::rpc::detail::RPC_MSG_DENIED; +constexpr auto RPC_SUCCESS [[deprecated("Remove in v4.1. Uze zeek::analyzer::rpc::detail::RPC_SUCCESS.")]] = zeek::analyzer::rpc::detail::RPC_SUCCESS; +constexpr auto RPC_PROG_UNAVAIL [[deprecated("Remove in v4.1. Uze zeek::analyzer::rpc::detail::RPC_PROG_UNAVAIL.")]] = zeek::analyzer::rpc::detail::RPC_PROG_UNAVAIL; +constexpr auto RPC_PROG_MISMATCH [[deprecated("Remove in v4.1. Uze zeek::analyzer::rpc::detail::RPC_PROG_MISMATCH.")]] = zeek::analyzer::rpc::detail::RPC_PROG_MISMATCH; +constexpr auto RPC_PROC_UNAVAIL [[deprecated("Remove in v4.1. Uze zeek::analyzer::rpc::detail::RPC_PROC_UNAVAIL.")]] = zeek::analyzer::rpc::detail::RPC_PROC_UNAVAIL; +constexpr auto RPC_GARBAGE_ARGS [[deprecated("Remove in v4.1. Uze zeek::analyzer::rpc::detail::RPC_GARBAGE_ARGS.")]] = zeek::analyzer::rpc::detail::RPC_GARBAGE_ARGS; +constexpr auto RPC_SYSTEM_ERR [[deprecated("Remove in v4.1. Uze zeek::analyzer::rpc::detail::RPC_SYSTEM_ERR.")]] = zeek::analyzer::rpc::detail::RPC_SYSTEM_ERR; +constexpr auto RPC_MISMATCH [[deprecated("Remove in v4.1. Uze zeek::analyzer::rpc::detail::RPC_MISMATCH.")]] = zeek::analyzer::rpc::detail::RPC_MISMATCH; +constexpr auto RPC_AUTH_ERROR [[deprecated("Remove in v4.1. Uze zeek::analyzer::rpc::detail::RPC_AUTH_ERROR.")]] = zeek::analyzer::rpc::detail::RPC_AUTH_ERROR; +constexpr auto RPC_AUTH_BADCRED [[deprecated("Remove in v4.1. Uze zeek::analyzer::rpc::detail::RPC_AUTH_BADCRED.")]] = zeek::analyzer::rpc::detail::RPC_AUTH_BADCRED; +constexpr auto RPC_AUTH_REJECTEDCRED [[deprecated("Remove in v4.1. Uze zeek::analyzer::rpc::detail::RPC_AUTH_REJECTEDCRED.")]] = zeek::analyzer::rpc::detail::RPC_AUTH_REJECTEDCRED; +constexpr auto RPC_AUTH_BADVERF [[deprecated("Remove in v4.1. Uze zeek::analyzer::rpc::detail::RPC_AUTH_BADVERF.")]] = zeek::analyzer::rpc::detail::RPC_AUTH_BADVERF; +constexpr auto RPC_AUTH_REJECTEDVERF [[deprecated("Remove in v4.1. Uze zeek::analyzer::rpc::detail::RPC_AUTH_REJECTEDVERF.")]] = zeek::analyzer::rpc::detail::RPC_AUTH_REJECTEDVERF; +constexpr auto RPC_AUTH_TOOWEAK [[deprecated("Remove in v4.1. Uze zeek::analyzer::rpc::detail::RPC_AUTH_TOOWEAK.")]] = zeek::analyzer::rpc::detail::RPC_AUTH_TOOWEAK; +constexpr auto RPC_AUTH_NULL [[deprecated("Remove in v4.1. Uze zeek::analyzer::rpc::detail::RPC_AUTH_NULL.")]] = zeek::analyzer::rpc::detail::RPC_AUTH_NULL; +constexpr auto RPC_AUTH_UNIX [[deprecated("Remove in v4.1. Uze zeek::analyzer::rpc::detail::RPC_AUTH_UNIX.")]] = zeek::analyzer::rpc::detail::RPC_AUTH_UNIX; +constexpr auto RPC_AUTH_SHORT [[deprecated("Remove in v4.1. Uze zeek::analyzer::rpc::detail::RPC_AUTH_SHORT.")]] = zeek::analyzer::rpc::detail::RPC_AUTH_SHORT; +constexpr auto RPC_AUTH_DES [[deprecated("Remove in v4.1. Uze zeek::analyzer::rpc::detail::RPC_AUTH_DES.")]] = zeek::analyzer::rpc::detail::RPC_AUTH_DES; + +using RPC_CallInfo [[deprecated("Remove in v4.1. Use zeek::analyzer::rpc::detail::RPC_CallInfo.")]] = zeek::analyzer::rpc::detail::RPC_CallInfo; +using RPC_Interpreter [[deprecated("Remove in v4.1. Use zeek::analyzer::rpc::detail::RPC_Interpreter.")]] = zeek::analyzer::rpc::detail::RPC_Interpreter; +using RPC_Reasm_Buffer [[deprecated("Remove in v4.1. Use zeek::analyzer::rpc::detail::RPC_Reasm_Buffer.")]] = zeek::analyzer::rpc::detail::RPC_Reasm_Buffer; +using Contents_RPC [[deprecated("Remove in v4.1. Use zeek::analyzer::rpc::Contents_RPC.")]] = zeek::analyzer::rpc::Contents_RPC; +using RPC_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::rpc::RPC_Analyzer.")]] = zeek::analyzer::rpc::RPC_Analyzer; + +} // namespace analyzer::rpc diff --git a/src/analyzer/protocol/rpc/XDR.cc b/src/analyzer/protocol/rpc/XDR.cc index 1eddf96a04..8d4e4eb7f0 100644 --- a/src/analyzer/protocol/rpc/XDR.cc +++ b/src/analyzer/protocol/rpc/XDR.cc @@ -8,9 +8,7 @@ #include "events.bif.h" -using namespace analyzer::rpc; - -uint32_t analyzer::rpc::extract_XDR_uint32(const u_char*& buf, int& len) +uint32_t zeek::analyzer::rpc::extract_XDR_uint32(const u_char*& buf, int& len) { if ( ! buf ) return 0; @@ -32,7 +30,7 @@ uint32_t analyzer::rpc::extract_XDR_uint32(const u_char*& buf, int& len) return bits32; } -uint64_t analyzer::rpc::extract_XDR_uint64(const u_char*& buf, int& len) +uint64_t zeek::analyzer::rpc::extract_XDR_uint64(const u_char*& buf, int& len) { if ( ! buf || len < 8 ) { @@ -46,7 +44,7 @@ uint64_t analyzer::rpc::extract_XDR_uint64(const u_char*& buf, int& len) return (uhi << 32) + ulo; } -double analyzer::rpc::extract_XDR_time(const u_char*& buf, int& len) +double zeek::analyzer::rpc::extract_XDR_time(const u_char*& buf, int& len) { if ( ! buf || len < 8 ) { @@ -60,7 +58,7 @@ double analyzer::rpc::extract_XDR_time(const u_char*& buf, int& len) return double(uhi) + double(ulo) / 1e9; } -const u_char* analyzer::rpc::extract_XDR_opaque(const u_char*& buf, int& len, int& n, int max_len, bool short_buf_ok) +const u_char* zeek::analyzer::rpc::extract_XDR_opaque(const u_char*& buf, int& len, int& n, int max_len, bool short_buf_ok) { n = int(extract_XDR_uint32(buf, len)); if ( ! buf ) @@ -84,7 +82,7 @@ const u_char* analyzer::rpc::extract_XDR_opaque(const u_char*& buf, int& len, in return opaque; } -const u_char* analyzer::rpc::extract_XDR_opaque_fixed(const u_char*& buf, int& len, int n) +const u_char* zeek::analyzer::rpc::extract_XDR_opaque_fixed(const u_char*& buf, int& len, int n) { if ( ! buf ) return nullptr; @@ -103,7 +101,7 @@ const u_char* analyzer::rpc::extract_XDR_opaque_fixed(const u_char*& buf, int& l } -uint32_t analyzer::rpc::skip_XDR_opaque_auth(const u_char*& buf, int& len) +uint32_t zeek::analyzer::rpc::skip_XDR_opaque_auth(const u_char*& buf, int& len) { uint32_t auth_flavor = extract_XDR_uint32(buf, len); if ( ! buf ) diff --git a/src/analyzer/protocol/rpc/XDR.h b/src/analyzer/protocol/rpc/XDR.h index 9fa7f80faf..b39558ef92 100644 --- a/src/analyzer/protocol/rpc/XDR.h +++ b/src/analyzer/protocol/rpc/XDR.h @@ -7,7 +7,7 @@ #include "util.h" -namespace analyzer { namespace rpc { +namespace zeek::analyzer::rpc { extern uint32_t extract_XDR_uint32(const u_char*& buf, int& len); extern uint64_t extract_XDR_uint64(const u_char*& buf, int& len); @@ -17,4 +17,15 @@ extern const u_char* extract_XDR_opaque(const u_char*& buf, int& len, extern const u_char* extract_XDR_opaque_fixed(const u_char*& buf, int& len, int n); extern uint32_t skip_XDR_opaque_auth(const u_char*& buf, int& len); -} } // namespace analyzer::* +} // namespace zeek::analyzer::rpc + +namespace analyzer::rpc { + +constexpr auto extract_XDR_uint32 [[deprecated("Remove in v4.1. Use zeek::analyzer::rpc::extract_XDR_uint32.")]] = zeek::analyzer::rpc::extract_XDR_uint32; +constexpr auto extract_XDR_uint64 [[deprecated("Remove in v4.1. Use zeek::analyzer::rpc::extract_XDR_uint64.")]] = zeek::analyzer::rpc::extract_XDR_uint64; +constexpr auto extract_XDR_time [[deprecated("Remove in v4.1. Use zeek::analyzer::rpc::extract_XDR_time.")]] = zeek::analyzer::rpc::extract_XDR_time; +constexpr auto extract_XDR_opaque [[deprecated("Remove in v4.1. Use zeek::analyzer::rpc::extract_XDR_opaque.")]] = zeek::analyzer::rpc::extract_XDR_opaque; +constexpr auto extract_XDR_opaque_fixed [[deprecated("Remove in v4.1. Use zeek::analyzer::rpc::extract_XDR_opaque_fixed.")]] = zeek::analyzer::rpc::extract_XDR_opaque_fixed; +constexpr auto skip_XDR_opaque_auth [[deprecated("Remove in v4.1. Use zeek::analyzer::rpc::skip_XDR_opaque_auth.")]] = zeek::analyzer::rpc::skip_XDR_opaque_auth; + +} // namespace analyzer::rpc diff --git a/src/analyzer/protocol/sip/Plugin.cc b/src/analyzer/protocol/sip/Plugin.cc index 5332357877..0e0177d644 100644 --- a/src/analyzer/protocol/sip/Plugin.cc +++ b/src/analyzer/protocol/sip/Plugin.cc @@ -12,7 +12,7 @@ class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() override { - AddComponent(new zeek::analyzer::Component("SIP", ::analyzer::SIP::SIP_Analyzer::Instantiate)); + AddComponent(new zeek::analyzer::Component("SIP", zeek::analyzer::sip::SIP_Analyzer::Instantiate)); // We don't fully support SIP-over-TCP yet, so we don't activate this component. // AddComponent(new zeek::analyzer::Component("SIP_TCP", ::analyzer::sip_tcp::SIP_Analyzer::Instantiate)); diff --git a/src/analyzer/protocol/sip/SIP.cc b/src/analyzer/protocol/sip/SIP.cc index 7c7ff312f3..36136b6e13 100644 --- a/src/analyzer/protocol/sip/SIP.cc +++ b/src/analyzer/protocol/sip/SIP.cc @@ -2,7 +2,7 @@ #include "events.bif.h" -using namespace analyzer::SIP; +namespace zeek::analyzer::sip { SIP_Analyzer::SIP_Analyzer(zeek::Connection* c) : zeek::analyzer::Analyzer("SIP", c) @@ -42,3 +42,5 @@ void SIP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, ProtocolViolation(fmt("Binpac exception: %s", e.c_msg())); } } + +} // namespace zeek::analyzer::sip diff --git a/src/analyzer/protocol/sip/SIP.h b/src/analyzer/protocol/sip/SIP.h index 2f1149346a..8c83b246bd 100644 --- a/src/analyzer/protocol/sip/SIP.h +++ b/src/analyzer/protocol/sip/SIP.h @@ -5,7 +5,7 @@ #include "analyzer/protocol/udp/UDP.h" #include "sip_pac.h" -namespace analyzer { namespace SIP { +namespace zeek::analyzer::sip{ class SIP_Analyzer final : public zeek::analyzer::Analyzer { public: @@ -25,4 +25,10 @@ protected: binpac::SIP::SIP_Conn* interp; }; -} } // namespace analyzer::* +} // namespace zeek::analyzer::sip + +namespace analyzer::SIP { + +using SIP_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::sip::SIP_Analyzer.")]] = zeek::analyzer::sip::SIP_Analyzer; + +} // namespace analyzer::SIP diff --git a/src/analyzer/protocol/sip/SIP_TCP.cc b/src/analyzer/protocol/sip/SIP_TCP.cc index e3e9e2e9c0..f86092307b 100644 --- a/src/analyzer/protocol/sip/SIP_TCP.cc +++ b/src/analyzer/protocol/sip/SIP_TCP.cc @@ -7,7 +7,7 @@ #include "analyzer/protocol/tcp/TCP_Reassembler.h" #include "events.bif.h" -using namespace analyzer::sip_tcp; +namespace zeek::analyzer::sip_tcp { SIP_Analyzer::SIP_Analyzer(zeek::Connection* conn) : zeek::analyzer::tcp::TCP_ApplicationAnalyzer("SIP_TCP", conn) @@ -65,3 +65,5 @@ void SIP_Analyzer::Undelivered(uint64_t seq, int len, bool orig) had_gap = true; interp->NewGap(orig, len); } + +} // namespace zeek::analyzer::sip_tcp diff --git a/src/analyzer/protocol/sip/SIP_TCP.h b/src/analyzer/protocol/sip/SIP_TCP.h index 3e64bf07a9..f04afb93bf 100644 --- a/src/analyzer/protocol/sip/SIP_TCP.h +++ b/src/analyzer/protocol/sip/SIP_TCP.h @@ -9,7 +9,7 @@ #include "sip_TCP_pac.h" -namespace analyzer { namespace sip_tcp { +namespace zeek::analyzer::sip_tcp { class SIP_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { public: @@ -31,4 +31,10 @@ protected: bool had_gap; }; -} } // namespace analyzer::* +} // namespace zeek::analyzer::sip_tcp + +namespace analyzer::sip_tcp { + +using SIP_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::sip_tcp::SIP_Analyzer.")]] = zeek::analyzer::sip_tcp::SIP_Analyzer; + +} // namespace analyzer::sip_tcp diff --git a/src/analyzer/protocol/smb/Plugin.cc b/src/analyzer/protocol/smb/Plugin.cc index ece3394433..5cdeff29ef 100644 --- a/src/analyzer/protocol/smb/Plugin.cc +++ b/src/analyzer/protocol/smb/Plugin.cc @@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() override { - AddComponent(new zeek::analyzer::Component("SMB", ::analyzer::smb::SMB_Analyzer::Instantiate)); + AddComponent(new zeek::analyzer::Component("SMB", zeek::analyzer::smb::SMB_Analyzer::Instantiate)); AddComponent(new zeek::analyzer::Component("Contents_SMB", nullptr)); zeek::plugin::Configuration config; diff --git a/src/analyzer/protocol/smb/SMB.cc b/src/analyzer/protocol/smb/SMB.cc index 0dfbc4ebf8..18fdd76579 100644 --- a/src/analyzer/protocol/smb/SMB.cc +++ b/src/analyzer/protocol/smb/SMB.cc @@ -1,6 +1,6 @@ #include "SMB.h" -using namespace analyzer::smb; +namespace zeek::analyzer::smb { // This was 1<<17 originally but was changed due to larger messages // being seen. @@ -85,3 +85,5 @@ void SMB_Analyzer::DeliverStream(int len, const u_char* data, bool orig) NeedResync(); } } + +} // namespace zeek::analyzer::smb diff --git a/src/analyzer/protocol/smb/SMB.h b/src/analyzer/protocol/smb/SMB.h index 28037a7e18..7b041de2f6 100644 --- a/src/analyzer/protocol/smb/SMB.h +++ b/src/analyzer/protocol/smb/SMB.h @@ -3,7 +3,7 @@ #include "analyzer/protocol/tcp/TCP.h" #include "smb_pac.h" -namespace analyzer { namespace smb { +namespace zeek::analyzer::smb { class SMB_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { public: @@ -31,4 +31,10 @@ protected: bool need_sync; }; -} } // namespace analyzer::* +} // namespace zeek::analyzer::smb + +namespace analyzer::smb { + +using SMB_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::smb::SMB_Analyzer.")]] = zeek::analyzer::smb::SMB_Analyzer; + +} // namespace analyzer::smb diff --git a/src/analyzer/protocol/smb/smb-pipe.pac b/src/analyzer/protocol/smb/smb-pipe.pac index fe8bb9c9da..7326210ae4 100644 --- a/src/analyzer/protocol/smb/smb-pipe.pac +++ b/src/analyzer/protocol/smb/smb-pipe.pac @@ -5,7 +5,7 @@ refine connection SMB_Conn += { %member{ map tree_is_pipe_map; - map fid_to_analyzer_map; + map fid_to_analyzer_map; %} %cleanup{ @@ -44,13 +44,13 @@ refine connection SMB_Conn += { function forward_dce_rpc(pipe_data: bytestring, fid: uint64, is_orig: bool): bool %{ - analyzer::dce_rpc::DCE_RPC_Analyzer *pipe_dcerpc = nullptr; + zeek::analyzer::dce_rpc::DCE_RPC_Analyzer *pipe_dcerpc = nullptr; auto it = fid_to_analyzer_map.find(fid); if ( it == fid_to_analyzer_map.end() ) { auto tmp_analyzer = zeek::analyzer_mgr->InstantiateAnalyzer("DCE_RPC", bro_analyzer()->Conn()); - pipe_dcerpc = static_cast(tmp_analyzer); + pipe_dcerpc = static_cast(tmp_analyzer); if ( pipe_dcerpc ) { diff --git a/src/analyzer/protocol/smtp/Plugin.cc b/src/analyzer/protocol/smtp/Plugin.cc index 1d472a6300..152fd5966a 100644 --- a/src/analyzer/protocol/smtp/Plugin.cc +++ b/src/analyzer/protocol/smtp/Plugin.cc @@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() override { - AddComponent(new zeek::analyzer::Component("SMTP", ::analyzer::smtp::SMTP_Analyzer::Instantiate)); + AddComponent(new zeek::analyzer::Component("SMTP", zeek::analyzer::smtp::SMTP_Analyzer::Instantiate)); zeek::plugin::Configuration config; config.name = "Zeek::SMTP"; diff --git a/src/analyzer/protocol/smtp/SMTP.cc b/src/analyzer/protocol/smtp/SMTP.cc index c5a7b2ef09..bd12d4d4be 100644 --- a/src/analyzer/protocol/smtp/SMTP.cc +++ b/src/analyzer/protocol/smtp/SMTP.cc @@ -12,8 +12,6 @@ #include "events.bif.h" -using namespace analyzer::smtp; - #undef SMTP_CMD_DEF #define SMTP_CMD_DEF(cmd) #cmd, @@ -26,14 +24,16 @@ static const char* unknown_cmd = "(UNKNOWN)"; #define SMTP_CMD_WORD(code) ((code >= 0) ? smtp_cmd_word[code] : unknown_cmd) +namespace zeek::analyzer::smtp { + SMTP_Analyzer::SMTP_Analyzer(zeek::Connection* conn) : zeek::analyzer::tcp::TCP_ApplicationAnalyzer("SMTP", conn) { expect_sender = false; expect_recver = true; - state = SMTP_CONNECTED; + state = detail::SMTP_CONNECTED; last_replied_cmd = -1; - first_cmd = SMTP_CMD_CONN_ESTABLISHMENT; + first_cmd = detail::SMTP_CMD_CONN_ESTABLISHMENT; pending_reply = 0; // Some clients appear to assume pipelining is always enabled @@ -90,7 +90,7 @@ void SMTP_Analyzer::Undelivered(uint64_t seq, int len, bool is_orig) Unexpected(is_orig, "content gap", buf_len, buf); - if ( state == SMTP_IN_DATA ) + if ( state == detail::SMTP_IN_DATA ) { // Record the SMTP data gap and terminate the // ongoing mail transaction. @@ -113,7 +113,7 @@ void SMTP_Analyzer::Undelivered(uint64_t seq, int len, bool is_orig) // Missing either the sender's packets or their replies // (e.g. code 354) is critical, so we set state to SMTP_AFTER_GAP // in both cases - state = SMTP_AFTER_GAP; + state = detail::SMTP_AFTER_GAP; } void SMTP_Analyzer::DeliverStream(int length, const u_char* line, bool orig) @@ -121,7 +121,7 @@ void SMTP_Analyzer::DeliverStream(int length, const u_char* line, bool orig) zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(length, line, orig); // If an TLS transaction has been initiated, forward to child and abort. - if ( state == SMTP_IN_TLS ) + if ( state == detail::SMTP_IN_TLS ) { ForwardStream(length, line, orig); return; @@ -176,7 +176,7 @@ void SMTP_Analyzer::ProcessLine(int length, const char* line, bool orig) { int cmd_code = -1; - if ( state == SMTP_AFTER_GAP ) + if ( state == detail::SMTP_AFTER_GAP ) { // Don't know whether it is a command line or // a data line. @@ -186,18 +186,18 @@ void SMTP_Analyzer::ProcessLine(int length, const char* line, bool orig) new zeek::String((const u_char *) line, length, true); } - else if ( state == SMTP_IN_DATA && line[0] == '.' && length == 1 ) + else if ( state == detail::SMTP_IN_DATA && line[0] == '.' && length == 1 ) { cmd = "."; cmd_len = 1; - cmd_code = SMTP_CMD_END_OF_DATA; + cmd_code = detail::SMTP_CMD_END_OF_DATA; NewCmd(cmd_code); expect_sender = false; expect_recver = true; } - else if ( state == SMTP_IN_DATA ) + else if ( state == detail::SMTP_IN_DATA ) { // Check "." for end of data. expect_recver = false; // ?? MAY server respond to mail data? @@ -227,11 +227,11 @@ void SMTP_Analyzer::ProcessLine(int length, const char* line, bool orig) } } - else if ( state == SMTP_IN_AUTH ) + else if ( state == detail::SMTP_IN_AUTH ) { cmd = "***"; cmd_len = 2; - cmd_code = SMTP_CMD_AUTH_ANSWER; + cmd_code = detail::SMTP_CMD_AUTH_ANSWER; NewCmd(cmd_code); } @@ -262,7 +262,7 @@ void SMTP_Analyzer::ProcessLine(int length, const char* line, bool orig) // turn calls BeginData() and EndData(), and // RequestEvent() in different orders for the // two commands. - if ( cmd_code == SMTP_CMD_END_OF_DATA ) + if ( cmd_code == detail::SMTP_CMD_END_OF_DATA ) UpdateState(cmd_code, 0, orig); if ( smtp_request ) @@ -273,7 +273,7 @@ void SMTP_Analyzer::ProcessLine(int length, const char* line, bool orig) RequestEvent(cmd_len, cmd, data_len, line); } - if ( cmd_code != SMTP_CMD_END_OF_DATA ) + if ( cmd_code != detail::SMTP_CMD_END_OF_DATA ) UpdateState(cmd_code, 0, orig); } } @@ -336,11 +336,11 @@ void SMTP_Analyzer::ProcessLine(int length, const char* line, bool orig) { int cmd_code = last_replied_cmd; switch ( cmd_code ) { - case SMTP_CMD_CONN_ESTABLISHMENT: + case detail::SMTP_CMD_CONN_ESTABLISHMENT: cmd = ">"; break; - case SMTP_CMD_END_OF_DATA: + case detail::SMTP_CMD_END_OF_DATA: cmd = "."; break; @@ -361,7 +361,7 @@ void SMTP_Analyzer::ProcessLine(int length, const char* line, bool orig) } // Process SMTP extensions, e.g. PIPELINING. - if ( last_replied_cmd == SMTP_CMD_EHLO && reply_code == 250 ) + if ( last_replied_cmd == detail::SMTP_CMD_EHLO && reply_code == 250 ) { const char* ext; int ext_len; @@ -399,7 +399,7 @@ void SMTP_Analyzer::StartTLS() { // STARTTLS was succesful. Remove SMTP support analyzers, add SSL // analyzer, and throw event signifying the change. - state = SMTP_IN_TLS; + state = detail::SMTP_IN_TLS; expect_sender = expect_recver = true; RemoveSupportAnalyzer(cl_orig); @@ -429,9 +429,9 @@ void SMTP_Analyzer::StartTLS() void SMTP_Analyzer::NewReply(int reply_code, bool orig) { - if ( state == SMTP_AFTER_GAP && reply_code > 0 ) + if ( state == detail::SMTP_AFTER_GAP && reply_code > 0 ) { - state = SMTP_GAP_RECOVERY; + state = detail::SMTP_GAP_RECOVERY; RequestEvent(strlen(unknown_cmd), unknown_cmd, 0, ""); /* if ( line_after_gap ) @@ -469,21 +469,21 @@ void SMTP_Analyzer::UpdateState(int cmd_code, int reply_code, bool orig) { int st = state; - if ( st == SMTP_QUIT && reply_code == 0 ) + if ( st == detail::SMTP_QUIT && reply_code == 0 ) UnexpectedCommand(cmd_code, reply_code); switch ( cmd_code ) { - case SMTP_CMD_CONN_ESTABLISHMENT: + case detail::SMTP_CMD_CONN_ESTABLISHMENT: switch ( reply_code ) { case 0: - if ( st != SMTP_CONNECTED ) + if ( st != detail::SMTP_CONNECTED ) { // Impossible state, because the command // CONN_ESTABLISHMENT should only appear // in the very beginning. UnexpectedCommand(cmd_code, reply_code); } - state = SMTP_INITIATED; + state = detail::SMTP_INITIATED; break; case 220: @@ -491,7 +491,7 @@ void SMTP_Analyzer::UpdateState(int cmd_code, int reply_code, bool orig) case 421: case 554: - state = SMTP_NOT_AVAILABLE; + state = detail::SMTP_NOT_AVAILABLE; break; default: @@ -500,13 +500,13 @@ void SMTP_Analyzer::UpdateState(int cmd_code, int reply_code, bool orig) } break; - case SMTP_CMD_EHLO: - case SMTP_CMD_HELO: + case detail::SMTP_CMD_EHLO: + case detail::SMTP_CMD_HELO: switch ( reply_code ) { case 0: - if ( st != SMTP_INITIATED ) + if ( st != detail::SMTP_INITIATED ) UnexpectedCommand(cmd_code, reply_code); - state = SMTP_READY; + state = detail::SMTP_READY; break; case 250: @@ -517,7 +517,7 @@ void SMTP_Analyzer::UpdateState(int cmd_code, int reply_code, bool orig) case 501: case 504: case 550: - state = SMTP_INITIATED; + state = detail::SMTP_INITIATED; break; default: @@ -526,15 +526,15 @@ void SMTP_Analyzer::UpdateState(int cmd_code, int reply_code, bool orig) } break; - case SMTP_CMD_MAIL: - case SMTP_CMD_SEND: - case SMTP_CMD_SOML: - case SMTP_CMD_SAML: + case detail::SMTP_CMD_MAIL: + case detail::SMTP_CMD_SEND: + case detail::SMTP_CMD_SOML: + case detail::SMTP_CMD_SAML: switch ( reply_code ) { case 0: - if ( st != SMTP_READY ) + if ( st != detail::SMTP_READY ) UnexpectedCommand(cmd_code, reply_code); - state = SMTP_MAIL_OK; + state = detail::SMTP_MAIL_OK; break; case 250: @@ -549,8 +549,8 @@ void SMTP_Analyzer::UpdateState(int cmd_code, int reply_code, bool orig) case 550: case 552: case 553: - if ( state != SMTP_IN_DATA ) - state = SMTP_READY; + if ( state != detail::SMTP_IN_DATA ) + state = detail::SMTP_READY; break; default: @@ -559,12 +559,12 @@ void SMTP_Analyzer::UpdateState(int cmd_code, int reply_code, bool orig) } break; - case SMTP_CMD_RCPT: + case detail::SMTP_CMD_RCPT: switch ( reply_code ) { case 0: - if ( st != SMTP_MAIL_OK && st != SMTP_RCPT_OK ) + if ( st != detail::SMTP_MAIL_OK && st != detail::SMTP_RCPT_OK ) UnexpectedCommand(cmd_code, reply_code); - state = SMTP_RCPT_OK; + state = detail::SMTP_RCPT_OK; break; case 250: @@ -591,10 +591,10 @@ void SMTP_Analyzer::UpdateState(int cmd_code, int reply_code, bool orig) } break; - case SMTP_CMD_DATA: + case detail::SMTP_CMD_DATA: switch ( reply_code ) { case 0: - if ( state != SMTP_RCPT_OK ) + if ( state != detail::SMTP_RCPT_OK ) UnexpectedCommand(cmd_code, reply_code); BeginData(orig); break; @@ -603,9 +603,9 @@ void SMTP_Analyzer::UpdateState(int cmd_code, int reply_code, bool orig) break; case 421: - if ( state == SMTP_IN_DATA ) + if ( state == detail::SMTP_IN_DATA ) EndData(); - state = SMTP_QUIT; + state = detail::SMTP_QUIT; break; case 500: @@ -613,27 +613,27 @@ void SMTP_Analyzer::UpdateState(int cmd_code, int reply_code, bool orig) case 503: case 451: case 554: - if ( state == SMTP_IN_DATA ) + if ( state == detail::SMTP_IN_DATA ) EndData(); - state = SMTP_READY; + state = detail::SMTP_READY; break; default: UnexpectedReply(cmd_code, reply_code); - if ( state == SMTP_IN_DATA ) + if ( state == detail::SMTP_IN_DATA ) EndData(); - state = SMTP_READY; + state = detail::SMTP_READY; break; } break; - case SMTP_CMD_END_OF_DATA: + case detail::SMTP_CMD_END_OF_DATA: switch ( reply_code ) { case 0: - if ( st != SMTP_IN_DATA ) + if ( st != detail::SMTP_IN_DATA ) UnexpectedCommand(cmd_code, reply_code); EndData(); - state = SMTP_AFTER_DATA; + state = detail::SMTP_AFTER_DATA; break; case 250: @@ -652,13 +652,13 @@ void SMTP_Analyzer::UpdateState(int cmd_code, int reply_code, bool orig) } if ( reply_code > 0 ) - state = SMTP_READY; + state = detail::SMTP_READY; break; - case SMTP_CMD_RSET: + case detail::SMTP_CMD_RSET: switch ( reply_code ) { case 0: - state = SMTP_READY; + state = detail::SMTP_READY; break; case 250: @@ -671,10 +671,10 @@ void SMTP_Analyzer::UpdateState(int cmd_code, int reply_code, bool orig) break; - case SMTP_CMD_QUIT: + case detail::SMTP_CMD_QUIT: switch ( reply_code ) { case 0: - state = SMTP_QUIT; + state = detail::SMTP_QUIT; break; case 221: @@ -687,8 +687,8 @@ void SMTP_Analyzer::UpdateState(int cmd_code, int reply_code, bool orig) break; - case SMTP_CMD_AUTH: - if ( st != SMTP_READY ) + case detail::SMTP_CMD_AUTH: + if ( st != detail::SMTP_READY ) UnexpectedCommand(cmd_code, reply_code); switch ( reply_code ) { @@ -697,11 +697,11 @@ void SMTP_Analyzer::UpdateState(int cmd_code, int reply_code, bool orig) break; case 334: - state = SMTP_IN_AUTH; + state = detail::SMTP_IN_AUTH; break; case 235: - state = SMTP_INITIATED; + state = detail::SMTP_INITIATED; break; case 432: @@ -713,13 +713,13 @@ void SMTP_Analyzer::UpdateState(int cmd_code, int reply_code, bool orig) case 535: case 538: default: - state = SMTP_INITIATED; + state = detail::SMTP_INITIATED; break; } break; - case SMTP_CMD_AUTH_ANSWER: - if ( st != SMTP_IN_AUTH ) + case detail::SMTP_CMD_AUTH_ANSWER: + if ( st != detail::SMTP_IN_AUTH ) UnexpectedCommand(cmd_code, reply_code); switch ( reply_code ) { @@ -728,19 +728,19 @@ void SMTP_Analyzer::UpdateState(int cmd_code, int reply_code, bool orig) break; case 334: - state = SMTP_IN_AUTH; + state = detail::SMTP_IN_AUTH; break; case 235: case 535: default: - state = SMTP_INITIATED; + state = detail::SMTP_INITIATED; break; } break; - case SMTP_CMD_TURN: - if ( st != SMTP_READY ) + case detail::SMTP_CMD_TURN: + if ( st != detail::SMTP_READY ) UnexpectedCommand(cmd_code, reply_code); switch ( reply_code ) { @@ -752,7 +752,7 @@ void SMTP_Analyzer::UpdateState(int cmd_code, int reply_code, bool orig) // flip-side orig_is_sender = ! orig_is_sender; - state = SMTP_CONNECTED; + state = detail::SMTP_CONNECTED; expect_sender = false; expect_recver = true; break; @@ -763,9 +763,9 @@ void SMTP_Analyzer::UpdateState(int cmd_code, int reply_code, bool orig) } break; - case SMTP_CMD_STARTTLS: - case SMTP_CMD_X_ANONYMOUSTLS: - if ( st != SMTP_READY ) + case detail::SMTP_CMD_STARTTLS: + case detail::SMTP_CMD_X_ANONYMOUSTLS: + if ( st != detail::SMTP_READY ) UnexpectedCommand(cmd_code, reply_code); switch ( reply_code ) { @@ -784,16 +784,16 @@ void SMTP_Analyzer::UpdateState(int cmd_code, int reply_code, bool orig) } break; - case SMTP_CMD_VRFY: - case SMTP_CMD_EXPN: - case SMTP_CMD_HELP: - case SMTP_CMD_NOOP: + case detail::SMTP_CMD_VRFY: + case detail::SMTP_CMD_EXPN: + case detail::SMTP_CMD_HELP: + case detail::SMTP_CMD_NOOP: // These commands do not affect state. // ?? However, later we may want to add reply // and state check code. default: - if ( st == SMTP_GAP_RECOVERY && reply_code == 354 ) + if ( st == detail::SMTP_GAP_RECOVERY && reply_code == 354 ) { BeginData(orig); } @@ -805,10 +805,10 @@ void SMTP_Analyzer::UpdateState(int cmd_code, int reply_code, bool orig) // of data line might have been lost due to gaps in trace). Note, // BeginData() won't be called till the next DATA command. #if 0 - if ( state == SMTP_IN_DATA && reply_code >= 400 ) + if ( state == detail::SMTP_IN_DATA && reply_code >= 400 ) { EndData(); - state = SMTP_READY; + state = detail::SMTP_READY; } #endif } @@ -839,10 +839,10 @@ int SMTP_Analyzer::ParseCmd(int cmd_len, const char* cmd) // special case because we cannot define our usual macros with "-" if ( istrequal(cmd, "X-ANONYMOUSTLS", cmd_len) ) - return SMTP_CMD_X_ANONYMOUSTLS; + return detail::SMTP_CMD_X_ANONYMOUSTLS; - for ( int code = SMTP_CMD_EHLO; code < SMTP_CMD_LAST; ++code ) - if ( istrequal(cmd, smtp_cmd_word[code - SMTP_CMD_EHLO], cmd_len) ) + for ( int code = detail::SMTP_CMD_EHLO; code < detail::SMTP_CMD_LAST; ++code ) + if ( istrequal(cmd, smtp_cmd_word[code - detail::SMTP_CMD_EHLO], cmd_len) ) return code; return -1; @@ -919,7 +919,7 @@ void SMTP_Analyzer::ProcessData(int length, const char* line) void SMTP_Analyzer::BeginData(bool orig) { - state = SMTP_IN_DATA; + state = detail::SMTP_IN_DATA; skip_data = false; // reset the flag at the beginning of the mail if ( mail != nullptr ) { @@ -928,7 +928,7 @@ void SMTP_Analyzer::BeginData(bool orig) delete mail; } - mail = new mime::MIME_Mail(this, orig); + mail = new zeek::analyzer::mime::MIME_Mail(this, orig); } void SMTP_Analyzer::EndData() @@ -942,3 +942,5 @@ void SMTP_Analyzer::EndData() mail = nullptr; } } + +} // namespace zeek::analyzer::smtp diff --git a/src/analyzer/protocol/smtp/SMTP.h b/src/analyzer/protocol/smtp/SMTP.h index 08d9ff9430..7dcb22a979 100644 --- a/src/analyzer/protocol/smtp/SMTP.h +++ b/src/analyzer/protocol/smtp/SMTP.h @@ -11,14 +11,15 @@ #undef SMTP_CMD_DEF #define SMTP_CMD_DEF(cmd) SMTP_CMD_##cmd, -namespace analyzer { namespace smtp { +namespace zeek::analyzer::smtp { +namespace detail { -typedef enum { +enum SMTP_Cmd { #include "SMTP_cmd.def" -} SMTP_Cmd; +}; // State is updated on every SMTP reply. -typedef enum { +enum SMTP_State { SMTP_CONNECTED, // 0: before the opening message SMTP_INITIATED, // 1: after opening message 220, EHLO/HELO expected SMTP_NOT_AVAILABLE, // 2: after opening message 554, etc. @@ -32,8 +33,9 @@ typedef enum { SMTP_QUIT, // 10: after QUIT SMTP_AFTER_GAP, // 11: after a gap is detected SMTP_GAP_RECOVERY, // 12: after the first reply after a gap -} SMTP_State; +}; +} // namespace detail class SMTP_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { public: @@ -87,11 +89,34 @@ protected: zeek::String* line_after_gap; // last line before the first reply // after a gap - mime::MIME_Mail* mail; + zeek::analyzer::mime::MIME_Mail* mail; private: zeek::analyzer::tcp::ContentLine_Analyzer* cl_orig; zeek::analyzer::tcp::ContentLine_Analyzer* cl_resp; }; -} } // namespace analyzer::* +} // namespace zeek::analyzer::smtp + +namespace analyzer::smtp { + +using SMTP_Cmd [[deprecated("Remove in v4.1. Use zeek::analyzer::smtp::detail::SMTP_Cmd.")]] = zeek::analyzer::smtp::detail::SMTP_Cmd; +// The values from SMTP_Cmd come from a #include +using SMTP_State [[deprecated("Remove in v4.1. Use zeek::analyzer::smtp::detail::SMTP_State.")]] = zeek::analyzer::smtp::detail::SMTP_State; +constexpr auto SMTP_CONNECTED [[deprecated("Remove in v4.1. Uze zeek::analyzer::smtp::detail::SMTP_CONNECTED.")]] = zeek::analyzer::smtp::detail::SMTP_CONNECTED; +constexpr auto SMTP_INITIATED [[deprecated("Remove in v4.1. Uze zeek::analyzer::smtp::detail::SMTP_INITIATED.")]] = zeek::analyzer::smtp::detail::SMTP_INITIATED; +constexpr auto SMTP_NOT_AVAILABLE [[deprecated("Remove in v4.1. Uze zeek::analyzer::smtp::detail::SMTP_NOT_AVAILABLE.")]] = zeek::analyzer::smtp::detail::SMTP_NOT_AVAILABLE; +constexpr auto SMTP_READY [[deprecated("Remove in v4.1. Uze zeek::analyzer::smtp::detail::SMTP_READY.")]] = zeek::analyzer::smtp::detail::SMTP_READY; +constexpr auto SMTP_MAIL_OK [[deprecated("Remove in v4.1. Uze zeek::analyzer::smtp::detail::SMTP_MAIL_OK.")]] = zeek::analyzer::smtp::detail::SMTP_MAIL_OK; +constexpr auto SMTP_RCPT_OK [[deprecated("Remove in v4.1. Uze zeek::analyzer::smtp::detail::SMTP_RCPT_OK.")]] = zeek::analyzer::smtp::detail::SMTP_RCPT_OK; +constexpr auto SMTP_IN_DATA [[deprecated("Remove in v4.1. Uze zeek::analyzer::smtp::detail::SMTP_IN_DATA.")]] = zeek::analyzer::smtp::detail::SMTP_IN_DATA; +constexpr auto SMTP_AFTER_DATA [[deprecated("Remove in v4.1. Uze zeek::analyzer::smtp::detail::SMTP_AFTER_DATA.")]] = zeek::analyzer::smtp::detail::SMTP_AFTER_DATA; +constexpr auto SMTP_IN_AUTH [[deprecated("Remove in v4.1. Uze zeek::analyzer::smtp::detail::SMTP_IN_AUTH.")]] = zeek::analyzer::smtp::detail::SMTP_IN_AUTH; +constexpr auto SMTP_IN_TLS [[deprecated("Remove in v4.1. Uze zeek::analyzer::smtp::detail::SMTP_IN_TLS.")]] = zeek::analyzer::smtp::detail::SMTP_IN_TLS; +constexpr auto SMTP_QUIT [[deprecated("Remove in v4.1. Uze zeek::analyzer::smtp::detail::SMTP_QUIT.")]] = zeek::analyzer::smtp::detail::SMTP_QUIT; +constexpr auto SMTP_AFTER_GAP [[deprecated("Remove in v4.1. Uze zeek::analyzer::smtp::detail::SMTP_AFTER_GAP.")]] = zeek::analyzer::smtp::detail::SMTP_AFTER_GAP; +constexpr auto SMTP_GAP_RECOVERY [[deprecated("Remove in v4.1. Uze zeek::analyzer::smtp::detail::SMTP_GAP_RECOVERY.")]] = zeek::analyzer::smtp::detail::SMTP_GAP_RECOVERY; + +using SMTP_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::smtp::SMTP_Analyzer.")]] = zeek::analyzer::smtp::SMTP_Analyzer; + +} // namespace analyzer::smtp diff --git a/src/analyzer/protocol/smtp/functions.bif b/src/analyzer/protocol/smtp/functions.bif index efc577f2f6..f25738f863 100644 --- a/src/analyzer/protocol/smtp/functions.bif +++ b/src/analyzer/protocol/smtp/functions.bif @@ -12,6 +12,6 @@ function skip_smtp_data%(c: connection%): any %{ zeek::analyzer::Analyzer* sa = c->FindAnalyzer("SMTP"); if ( sa ) - static_cast<::analyzer::smtp::SMTP_Analyzer*>(sa)->SkipData(); + static_cast(sa)->SkipData(); return nullptr; %} diff --git a/src/analyzer/protocol/snmp/Plugin.cc b/src/analyzer/protocol/snmp/Plugin.cc index 4100dc679c..6e388b5731 100644 --- a/src/analyzer/protocol/snmp/Plugin.cc +++ b/src/analyzer/protocol/snmp/Plugin.cc @@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() override { - AddComponent(new zeek::analyzer::Component("SNMP", ::analyzer::snmp::SNMP_Analyzer::InstantiateAnalyzer)); + AddComponent(new zeek::analyzer::Component("SNMP", zeek::analyzer::snmp::SNMP_Analyzer::InstantiateAnalyzer)); zeek::plugin::Configuration config; config.name = "Zeek::SNMP"; diff --git a/src/analyzer/protocol/snmp/SNMP.cc b/src/analyzer/protocol/snmp/SNMP.cc index 2687823ac0..2d3aae5888 100644 --- a/src/analyzer/protocol/snmp/SNMP.cc +++ b/src/analyzer/protocol/snmp/SNMP.cc @@ -6,7 +6,7 @@ #include "types.bif.h" #include "events.bif.h" -using namespace analyzer::snmp; +namespace zeek::analyzer::snmp { SNMP_Analyzer::SNMP_Analyzer(zeek::Connection* conn) : Analyzer("SNMP", conn) @@ -39,3 +39,5 @@ void SNMP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, ProtocolViolation(fmt("Binpac exception: %s", e.c_msg())); } } + +} // namespace zeek::analyzer::snmp diff --git a/src/analyzer/protocol/snmp/SNMP.h b/src/analyzer/protocol/snmp/SNMP.h index 5521a81964..3a609db8ae 100644 --- a/src/analyzer/protocol/snmp/SNMP.h +++ b/src/analyzer/protocol/snmp/SNMP.h @@ -4,7 +4,7 @@ #include "snmp_pac.h" -namespace analyzer { namespace snmp { +namespace zeek::analyzer::snmp { class SNMP_Analyzer final : public zeek::analyzer::Analyzer { @@ -25,4 +25,10 @@ protected: binpac::SNMP::SNMP_Conn* interp; }; -} } // namespace analyzer::* +} // namespace zeek::analyzer::snmp + +namespace analyzer::snmp { + +using SNMP_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::snmp::SNMP_Analyzer.")]] = zeek::analyzer::snmp::SNMP_Analyzer; + +} // namespace analyzer::snmp diff --git a/src/analyzer/protocol/socks/Plugin.cc b/src/analyzer/protocol/socks/Plugin.cc index 7d4290a844..851ac5a5a4 100644 --- a/src/analyzer/protocol/socks/Plugin.cc +++ b/src/analyzer/protocol/socks/Plugin.cc @@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() override { - AddComponent(new zeek::analyzer::Component("SOCKS", ::analyzer::socks::SOCKS_Analyzer::Instantiate)); + AddComponent(new zeek::analyzer::Component("SOCKS", zeek::analyzer::socks::SOCKS_Analyzer::Instantiate)); zeek::plugin::Configuration config; config.name = "Zeek::SOCKS"; diff --git a/src/analyzer/protocol/socks/SOCKS.cc b/src/analyzer/protocol/socks/SOCKS.cc index cf894238d6..437b05b8ab 100644 --- a/src/analyzer/protocol/socks/SOCKS.cc +++ b/src/analyzer/protocol/socks/SOCKS.cc @@ -4,7 +4,7 @@ #include "events.bif.h" -using namespace analyzer::socks; +namespace zeek::analyzer::socks { SOCKS_Analyzer::SOCKS_Analyzer(zeek::Connection* conn) : zeek::analyzer::tcp::TCP_ApplicationAnalyzer("SOCKS", conn) @@ -90,3 +90,5 @@ void SOCKS_Analyzer::Undelivered(uint64_t seq, int len, bool orig) zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); interp->NewGap(orig, len); } + +} // namespace zeek::analyzer::socks diff --git a/src/analyzer/protocol/socks/SOCKS.h b/src/analyzer/protocol/socks/SOCKS.h index ac5e215f77..9e5346ff4c 100644 --- a/src/analyzer/protocol/socks/SOCKS.h +++ b/src/analyzer/protocol/socks/SOCKS.h @@ -11,7 +11,7 @@ namespace binpac { } } -namespace analyzer { namespace socks { +namespace zeek::analyzer::socks { class SOCKS_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { public: @@ -37,4 +37,10 @@ protected: binpac::SOCKS::SOCKS_Conn* interp; }; -} } // namespace analyzer::* +} // namespace zeek::analyzer::socks + +namespace analyzer::socks { + +using SOCKS_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::socks::SOCKS_Analyzer.")]] = zeek::analyzer::socks::SOCKS_Analyzer; + +} // namespace analyzer::socks diff --git a/src/analyzer/protocol/socks/socks-analyzer.pac b/src/analyzer/protocol/socks/socks-analyzer.pac index 01b801eec3..fa341cbab1 100644 --- a/src/analyzer/protocol/socks/socks-analyzer.pac +++ b/src/analyzer/protocol/socks/socks-analyzer.pac @@ -40,7 +40,7 @@ refine connection SOCKS_Conn += { array_to_string(${request.user})); } - static_cast(bro_analyzer())->EndpointDone(true); + static_cast(bro_analyzer())->EndpointDone(true); return true; %} @@ -62,7 +62,7 @@ refine connection SOCKS_Conn += { } bro_analyzer()->ProtocolConfirmation(); - static_cast(bro_analyzer())->EndpointDone(false); + static_cast(bro_analyzer())->EndpointDone(false); return true; %} @@ -115,7 +115,7 @@ refine connection SOCKS_Conn += { zeek::val_mgr->Port(${request.port}, TRANSPORT_TCP), zeek::val_mgr->EmptyString()); - static_cast(bro_analyzer())->EndpointDone(true); + static_cast(bro_analyzer())->EndpointDone(true); return true; %} @@ -155,7 +155,7 @@ refine connection SOCKS_Conn += { zeek::val_mgr->Port(${reply.port}, TRANSPORT_TCP)); bro_analyzer()->ProtocolConfirmation(); - static_cast(bro_analyzer())->EndpointDone(false); + static_cast(bro_analyzer())->EndpointDone(false); return true; %} diff --git a/src/analyzer/protocol/ssh/Plugin.cc b/src/analyzer/protocol/ssh/Plugin.cc index 6040fcc213..a63553d805 100644 --- a/src/analyzer/protocol/ssh/Plugin.cc +++ b/src/analyzer/protocol/ssh/Plugin.cc @@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() override { - AddComponent(new zeek::analyzer::Component("SSH", ::analyzer::SSH::SSH_Analyzer::Instantiate)); + AddComponent(new zeek::analyzer::Component("SSH", zeek::analyzer::ssh::SSH_Analyzer::Instantiate)); zeek::plugin::Configuration config; config.name = "Zeek::SSH"; diff --git a/src/analyzer/protocol/ssh/SSH.cc b/src/analyzer/protocol/ssh/SSH.cc index 6219847390..34d4bd97a5 100644 --- a/src/analyzer/protocol/ssh/SSH.cc +++ b/src/analyzer/protocol/ssh/SSH.cc @@ -9,7 +9,7 @@ #include "types.bif.h" #include "events.bif.h" -using namespace analyzer::SSH; +namespace zeek::analyzer::ssh { SSH_Analyzer::SSH_Analyzer(zeek::Connection* c) : zeek::analyzer::tcp::TCP_ApplicationAnalyzer("SSH", c) @@ -175,3 +175,5 @@ void SSH_Analyzer::ProcessEncrypted(int len, bool orig) } } } + +} // namespace zeek::analyzer::ssh diff --git a/src/analyzer/protocol/ssh/SSH.h b/src/analyzer/protocol/ssh/SSH.h index 12ffcf88f1..42647d2b06 100644 --- a/src/analyzer/protocol/ssh/SSH.h +++ b/src/analyzer/protocol/ssh/SSH.h @@ -7,41 +7,47 @@ #include "analyzer/protocol/tcp/TCP.h" #include "ssh_pac.h" -namespace analyzer { - namespace SSH { - class SSH_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { +namespace zeek::analyzer::ssh { - public: - explicit SSH_Analyzer(zeek::Connection* conn); - ~SSH_Analyzer() override; +class SSH_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { - // Overriden from Analyzer. - void Done() override; - void DeliverStream(int len, const u_char* data, bool orig) override; - void Undelivered(uint64_t seq, int len, bool orig) override; +public: + explicit SSH_Analyzer(zeek::Connection* conn); + ~SSH_Analyzer() override; - // Overriden from zeek::analyzer::tcp::TCP_ApplicationAnalyzer. - void EndpointEOF(bool is_orig) override; + // Overriden from Analyzer. + void Done() override; + void DeliverStream(int len, const u_char* data, bool orig) override; + void Undelivered(uint64_t seq, int len, bool orig) override; - static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) - { return new SSH_Analyzer(conn); } + // Overriden from zeek::analyzer::tcp::TCP_ApplicationAnalyzer. + void EndpointEOF(bool is_orig) override; - protected: - binpac::SSH::SSH_Conn* interp; + static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) + { return new SSH_Analyzer(conn); } - void ProcessEncrypted(int len, bool orig); - void ProcessEncryptedSegment(int len, bool orig); +protected: + binpac::SSH::SSH_Conn* interp; - bool had_gap; + void ProcessEncrypted(int len, bool orig); + void ProcessEncryptedSegment(int len, bool orig); - // Packet analysis stuff - bool auth_decision_made; - bool skipped_banner; - bool saw_encrypted_client_data; + bool had_gap; - int service_accept_size; - int userauth_failure_size; + // Packet analysis stuff + bool auth_decision_made; + bool skipped_banner; + bool saw_encrypted_client_data; - }; - } -} + int service_accept_size; + int userauth_failure_size; + +}; + +} // namespace zeek::analyzer::ssh + +namespace analyzer::SSH { + +using SSH_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::ssh::SSH_Analyzer.")]] = zeek::analyzer::ssh::SSH_Analyzer; + +} // namespace analyzer::SSH diff --git a/src/analyzer/protocol/ssl/DTLS.cc b/src/analyzer/protocol/ssl/DTLS.cc index fca05e0c54..f62e21dbce 100644 --- a/src/analyzer/protocol/ssl/DTLS.cc +++ b/src/analyzer/protocol/ssl/DTLS.cc @@ -8,7 +8,7 @@ #include "dtls_pac.h" #include "tls-handshake_pac.h" -using namespace analyzer::dtls; +namespace zeek::analyzer::dtls { DTLS_Analyzer::DTLS_Analyzer(zeek::Connection* c) : zeek::analyzer::Analyzer("DTLS", c) @@ -69,3 +69,5 @@ void DTLS_Analyzer::SendHandshake(uint16_t raw_tls_version, uint8_t msg_type, ui ProtocolViolation(fmt("Binpac exception: %s", e.c_msg())); } } + +} // namespace zeek::analyzer::dtls diff --git a/src/analyzer/protocol/ssl/DTLS.h b/src/analyzer/protocol/ssl/DTLS.h index 20d38ae62c..84e3402b5a 100644 --- a/src/analyzer/protocol/ssl/DTLS.h +++ b/src/analyzer/protocol/ssl/DTLS.h @@ -5,10 +5,9 @@ #include "analyzer/protocol/udp/UDP.h" namespace binpac { namespace DTLS { class SSL_Conn; } } - namespace binpac { namespace TLSHandshake { class Handshake_Conn; } } -namespace analyzer { namespace dtls { +namespace zeek::analyzer::dtls { class DTLS_Analyzer final : public zeek::analyzer::Analyzer { public: @@ -32,4 +31,10 @@ protected: binpac::TLSHandshake::Handshake_Conn* handshake_interp; }; -} } // namespace analyzer::* +} // namespace zeek::analyzer::dtls + +namespace analyzer::dtls { + +using DTLS_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::dtls::DTLS_Analyzer.")]] = zeek::analyzer::dtls::DTLS_Analyzer; + +} // namespace analyzer::dtls diff --git a/src/analyzer/protocol/ssl/Plugin.cc b/src/analyzer/protocol/ssl/Plugin.cc index 61adb16442..4faaff8889 100644 --- a/src/analyzer/protocol/ssl/Plugin.cc +++ b/src/analyzer/protocol/ssl/Plugin.cc @@ -12,8 +12,8 @@ class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() override { - AddComponent(new zeek::analyzer::Component("SSL", ::analyzer::ssl::SSL_Analyzer::Instantiate)); - AddComponent(new zeek::analyzer::Component("DTLS", ::analyzer::dtls::DTLS_Analyzer::Instantiate)); + AddComponent(new zeek::analyzer::Component("SSL", zeek::analyzer::ssl::SSL_Analyzer::Instantiate)); + AddComponent(new zeek::analyzer::Component("DTLS", zeek::analyzer::dtls::DTLS_Analyzer::Instantiate)); zeek::plugin::Configuration config; config.name = "Zeek::SSL"; diff --git a/src/analyzer/protocol/ssl/SSL.cc b/src/analyzer/protocol/ssl/SSL.cc index a502b2959f..d922e98003 100644 --- a/src/analyzer/protocol/ssl/SSL.cc +++ b/src/analyzer/protocol/ssl/SSL.cc @@ -8,7 +8,7 @@ #include "ssl_pac.h" #include "tls-handshake_pac.h" -using namespace analyzer::ssl; +namespace zeek::analyzer::ssl { SSL_Analyzer::SSL_Analyzer(zeek::Connection* c) : zeek::analyzer::tcp::TCP_ApplicationAnalyzer("SSL", c) @@ -90,3 +90,5 @@ void SSL_Analyzer::Undelivered(uint64_t seq, int len, bool orig) had_gap = true; interp->NewGap(orig, len); } + +} // namespace zeek::analyzer::ssl diff --git a/src/analyzer/protocol/ssl/SSL.h b/src/analyzer/protocol/ssl/SSL.h index 1201373bec..820b741a21 100644 --- a/src/analyzer/protocol/ssl/SSL.h +++ b/src/analyzer/protocol/ssl/SSL.h @@ -8,7 +8,7 @@ namespace binpac { namespace SSL { class SSL_Conn; } } namespace binpac { namespace TLSHandshake { class Handshake_Conn; } } -namespace analyzer { namespace ssl { +namespace zeek::analyzer::ssl { class SSL_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { public: @@ -38,4 +38,10 @@ protected: }; -} } // namespace analyzer::* +} // namespace zeek::analyzer::ssl + +namespace analyzer::ssl { + +using SSL_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::ssl::SSL_Analyzer.")]] = zeek::analyzer::ssl::SSL_Analyzer; + +} // namespace analyzer::ssl diff --git a/src/analyzer/protocol/ssl/dtls.pac b/src/analyzer/protocol/ssl/dtls.pac index b2aa34d5c5..05dd3b7d06 100644 --- a/src/analyzer/protocol/ssl/dtls.pac +++ b/src/analyzer/protocol/ssl/dtls.pac @@ -6,8 +6,8 @@ %extern{ #include "events.bif.h" -namespace analyzer { namespace dtls { class DTLS_Analyzer; } } -typedef analyzer::dtls::DTLS_Analyzer* DTLSAnalyzer; +namespace zeek::analyzer::dtls { class DTLS_Analyzer; } +using DTLSAnalyzer = zeek::analyzer::dtls::DTLS_Analyzer*; #include "DTLS.h" #include "consts.bif.h" diff --git a/src/analyzer/protocol/ssl/functions.bif b/src/analyzer/protocol/ssl/functions.bif index 99112e3c19..a7f01a9c4c 100644 --- a/src/analyzer/protocol/ssl/functions.bif +++ b/src/analyzer/protocol/ssl/functions.bif @@ -13,6 +13,6 @@ function set_ssl_established%(c: connection%): any %{ zeek::analyzer::Analyzer* sa = c->FindAnalyzer("SSL"); if ( sa ) - static_cast<::analyzer::ssl::SSL_Analyzer*>(sa)->StartEncryption(); + static_cast(sa)->StartEncryption(); return nullptr; %} diff --git a/src/analyzer/protocol/ssl/ssl.pac b/src/analyzer/protocol/ssl/ssl.pac index e7bf1bf23e..7269d2514f 100644 --- a/src/analyzer/protocol/ssl/ssl.pac +++ b/src/analyzer/protocol/ssl/ssl.pac @@ -12,8 +12,8 @@ #include "Desc.h" #include "events.bif.h" -namespace analyzer { namespace ssl { class SSL_Analyzer; } } -typedef analyzer::ssl::SSL_Analyzer* SSLAnalyzer; +namespace zeek::analyzer::ssl { class SSL_Analyzer; } +using SSLAnalyzer = zeek::analyzer::ssl::SSL_Analyzer*; #include "SSL.h" %} diff --git a/src/analyzer/protocol/syslog/Plugin.cc b/src/analyzer/protocol/syslog/Plugin.cc index 4ae18015aa..744a74b328 100644 --- a/src/analyzer/protocol/syslog/Plugin.cc +++ b/src/analyzer/protocol/syslog/Plugin.cc @@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() override { - AddComponent(new zeek::analyzer::Component("Syslog", ::analyzer::syslog::Syslog_Analyzer::Instantiate)); + AddComponent(new zeek::analyzer::Component("Syslog", zeek::analyzer::syslog::Syslog_Analyzer::Instantiate)); zeek::plugin::Configuration config; config.name = "Zeek::Syslog"; diff --git a/src/analyzer/protocol/syslog/Syslog.cc b/src/analyzer/protocol/syslog/Syslog.cc index 5ecb7ee042..91edc9a77a 100644 --- a/src/analyzer/protocol/syslog/Syslog.cc +++ b/src/analyzer/protocol/syslog/Syslog.cc @@ -4,7 +4,7 @@ #include "events.bif.h" -using namespace analyzer::syslog; +namespace zeek::analyzer::syslog { Syslog_Analyzer::Syslog_Analyzer(zeek::Connection* conn) : Analyzer("SYSLOG", conn) @@ -93,3 +93,5 @@ void Syslog_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint // zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); // interp->NewGap(orig, len); // } + +} // namespace zeek::analyzer::syslog diff --git a/src/analyzer/protocol/syslog/Syslog.h b/src/analyzer/protocol/syslog/Syslog.h index c45c6bd27c..ec9ac6485d 100644 --- a/src/analyzer/protocol/syslog/Syslog.h +++ b/src/analyzer/protocol/syslog/Syslog.h @@ -6,7 +6,7 @@ #include "syslog_pac.h" -namespace analyzer { namespace syslog { +namespace zeek::analyzer::syslog { class Syslog_Analyzer : public zeek::analyzer::Analyzer { public: @@ -45,4 +45,11 @@ protected: // binpac::Syslog_on_TCP::Syslog_TCP_Conn* interp; //}; // -} } // namespace analyzer::* + +} // namespace zeek::analyzer::syslog + +namespace analyzer::syslog { + +using Syslog_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::syslog::Syslog_Analyzer.")]] = zeek::analyzer::syslog::Syslog_Analyzer; + +} // namespace analyzer::syslog diff --git a/src/analyzer/protocol/teredo/Plugin.cc b/src/analyzer/protocol/teredo/Plugin.cc index 02fbc94d31..d28adc9760 100644 --- a/src/analyzer/protocol/teredo/Plugin.cc +++ b/src/analyzer/protocol/teredo/Plugin.cc @@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() override { - AddComponent(new zeek::analyzer::Component("Teredo", ::analyzer::teredo::Teredo_Analyzer::Instantiate)); + AddComponent(new zeek::analyzer::Component("Teredo", zeek::analyzer::teredo::Teredo_Analyzer::Instantiate)); zeek::plugin::Configuration config; config.name = "Zeek::Teredo"; diff --git a/src/analyzer/protocol/teredo/Teredo.cc b/src/analyzer/protocol/teredo/Teredo.cc index 036bcad99c..e7dc96b16a 100644 --- a/src/analyzer/protocol/teredo/Teredo.cc +++ b/src/analyzer/protocol/teredo/Teredo.cc @@ -9,13 +9,9 @@ #include "events.bif.h" -using namespace analyzer::teredo; +namespace zeek::analyzer::teredo { -void Teredo_Analyzer::Done() - { - Analyzer::Done(); - Event(udp_session_done); - } +namespace detail { bool TeredoEncapsulation::DoParse(const u_char* data, int& len, bool found_origin, bool found_auth) @@ -134,6 +130,14 @@ zeek::RecordValPtr TeredoEncapsulation::BuildVal(const zeek::IP_Hdr* inner) cons return teredo_hdr; } +} // namespace detail + +void Teredo_Analyzer::Done() + { + Analyzer::Done(); + Event(udp_session_done); + } + void Teredo_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64_t seq, const zeek::IP_Hdr* ip, int caplen) { @@ -144,7 +148,7 @@ void Teredo_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, else valid_resp = false; - TeredoEncapsulation te(this); + detail::TeredoEncapsulation te(this); if ( ! te.Parse(data, len) ) { @@ -230,3 +234,5 @@ void Teredo_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, zeek::sessions->DoNextInnerPacket(network_time, nullptr, inner, e, ec); } + +} // namespace zeek::analyzer::teredo diff --git a/src/analyzer/protocol/teredo/Teredo.h b/src/analyzer/protocol/teredo/Teredo.h index 4a956e957b..96cabef2e4 100644 --- a/src/analyzer/protocol/teredo/Teredo.h +++ b/src/analyzer/protocol/teredo/Teredo.h @@ -4,7 +4,7 @@ #include "NetVar.h" #include "Reporter.h" -namespace analyzer { namespace teredo { +namespace zeek::analyzer::teredo { class Teredo_Analyzer final : public zeek::analyzer::Analyzer { public: @@ -50,6 +50,8 @@ protected: bool valid_resp; }; +namespace detail { + class TeredoEncapsulation { public: explicit TeredoEncapsulation(const Teredo_Analyzer* ta) @@ -86,4 +88,13 @@ protected: const Teredo_Analyzer* analyzer; }; -} } // namespace analyzer::* +} // namespace detail + +} // namespace zeek::analyzer::teredo + +namespace analyzer::teredo { + +using Teredo_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::teredo::Teredo_Analyzer.")]] = zeek::analyzer::teredo::Teredo_Analyzer; +using TeredoEncapsulation [[deprecated("Remove in v4.1. Use zeek::analyzer::teredo::detail::TeredoEncapsulation.")]] = zeek::analyzer::teredo::detail::TeredoEncapsulation; + +} // namespace analyzer::teredo diff --git a/src/analyzer/protocol/vxlan/Plugin.cc b/src/analyzer/protocol/vxlan/Plugin.cc index 370475444f..dbaf45b856 100644 --- a/src/analyzer/protocol/vxlan/Plugin.cc +++ b/src/analyzer/protocol/vxlan/Plugin.cc @@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() override { - AddComponent(new zeek::analyzer::Component("VXLAN", ::analyzer::vxlan::VXLAN_Analyzer::Instantiate)); + AddComponent(new zeek::analyzer::Component("VXLAN", zeek::analyzer::vxlan::VXLAN_Analyzer::Instantiate)); zeek::plugin::Configuration config; config.name = "Zeek::VXLAN"; diff --git a/src/analyzer/protocol/vxlan/VXLAN.cc b/src/analyzer/protocol/vxlan/VXLAN.cc index 8112773152..9e42ad1dc5 100644 --- a/src/analyzer/protocol/vxlan/VXLAN.cc +++ b/src/analyzer/protocol/vxlan/VXLAN.cc @@ -16,7 +16,7 @@ extern "C" { #include } -using namespace analyzer::vxlan; +namespace zeek::analyzer::vxlan { void VXLAN_Analyzer::Done() { @@ -107,3 +107,5 @@ void VXLAN_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, zeek::EncapsulatingConn ec(Conn(), BifEnum::Tunnel::VXLAN); zeek::sessions->DoNextInnerPacket(network_time, &pkt, inner, estack, ec); } + +} // namespace zeek::analyzer::vxlan diff --git a/src/analyzer/protocol/vxlan/VXLAN.h b/src/analyzer/protocol/vxlan/VXLAN.h index afbad5bdf1..7d86fa9193 100644 --- a/src/analyzer/protocol/vxlan/VXLAN.h +++ b/src/analyzer/protocol/vxlan/VXLAN.h @@ -4,7 +4,7 @@ #include "analyzer/Analyzer.h" -namespace analyzer { namespace vxlan { +namespace zeek::analyzer::vxlan { class VXLAN_Analyzer final : public zeek::analyzer::Analyzer { public: @@ -21,4 +21,10 @@ public: { return new VXLAN_Analyzer(conn); } }; -} } // namespace analyzer::* +} // namespace zeek::analyzer::vxlan + +namespace analyzer::vxlan { + +using VXLAN_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::vxlan::VXLAN_Analyzer.")]] = zeek::analyzer::vxlan::VXLAN_Analyzer; + +} // namespace analyzer::vxlan diff --git a/src/analyzer/protocol/xmpp/Plugin.cc b/src/analyzer/protocol/xmpp/Plugin.cc index 649cf97576..ba767339c9 100644 --- a/src/analyzer/protocol/xmpp/Plugin.cc +++ b/src/analyzer/protocol/xmpp/Plugin.cc @@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() override { - AddComponent(new zeek::analyzer::Component("XMPP", ::analyzer::xmpp::XMPP_Analyzer::Instantiate)); + AddComponent(new zeek::analyzer::Component("XMPP", zeek::analyzer::xmpp::XMPP_Analyzer::Instantiate)); zeek::plugin::Configuration config; config.name = "Zeek::XMPP"; diff --git a/src/analyzer/protocol/xmpp/XMPP.cc b/src/analyzer/protocol/xmpp/XMPP.cc index cf64e85b89..c3919b2b0f 100644 --- a/src/analyzer/protocol/xmpp/XMPP.cc +++ b/src/analyzer/protocol/xmpp/XMPP.cc @@ -4,7 +4,7 @@ #include "analyzer/protocol/tcp/TCP_Reassembler.h" #include "analyzer/Manager.h" -using namespace analyzer::xmpp; +namespace zeek::analyzer::xmpp { XMPP_Analyzer::XMPP_Analyzer(zeek::Connection* conn) : zeek::analyzer::tcp::TCP_ApplicationAnalyzer("XMPP", conn) @@ -83,3 +83,5 @@ void XMPP_Analyzer::StartTLS() if ( ssl ) AddChildAnalyzer(ssl); } + +} // namespace zeek::analyzer::xmpp diff --git a/src/analyzer/protocol/xmpp/XMPP.h b/src/analyzer/protocol/xmpp/XMPP.h index bc829efcd9..fc9ad7742b 100644 --- a/src/analyzer/protocol/xmpp/XMPP.h +++ b/src/analyzer/protocol/xmpp/XMPP.h @@ -6,7 +6,7 @@ #include "xmpp_pac.h" -namespace analyzer { namespace xmpp { +namespace zeek::analyzer::xmpp { class XMPP_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { public: @@ -32,4 +32,10 @@ protected: bool tls_active; }; -} } // namespace analyzer::* +} // namespace zeek::analyzer::xmpp + +namespace analyzer::xmpp { + +using XMPP_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::xmpp::XMPP_Analyzer.")]] = zeek::analyzer::xmpp::XMPP_Analyzer; + +} // namespace analyzer::xmpp diff --git a/src/analyzer/protocol/xmpp/xmpp.pac b/src/analyzer/protocol/xmpp/xmpp.pac index 79e5159914..e735b5ecec 100644 --- a/src/analyzer/protocol/xmpp/xmpp.pac +++ b/src/analyzer/protocol/xmpp/xmpp.pac @@ -11,9 +11,9 @@ #include "Reporter.h" #include "events.bif.h" -namespace analyzer { namespace xmpp { class XMPP_Analyzer; } } +namespace zeek::analyzer::xmpp { class XMPP_Analyzer; } namespace binpac { namespace XMPP { class XMPP_Conn; } } -typedef analyzer::xmpp::XMPP_Analyzer* XMPPAnalyzer; +using XMPPAnalyzer = zeek::analyzer::xmpp::XMPP_Analyzer*; #include "XMPP.h" %} diff --git a/src/analyzer/protocol/zip/ZIP.cc b/src/analyzer/protocol/zip/ZIP.cc index 0c3fb1ead9..7fe335e80e 100644 --- a/src/analyzer/protocol/zip/ZIP.cc +++ b/src/analyzer/protocol/zip/ZIP.cc @@ -2,7 +2,7 @@ #include "ZIP.h" -using namespace analyzer::zip; +namespace zeek::analyzer::zip { ZIP_Analyzer::ZIP_Analyzer(zeek::Connection* conn, bool orig, Method arg_method) : zeek::analyzer::tcp::TCP_SupportAnalyzer("ZIP", conn, orig) @@ -113,3 +113,5 @@ void ZIP_Analyzer::DeliverStream(int len, const u_char* data, bool orig) } } } + +} // namespace zeek::analyzer::zip diff --git a/src/analyzer/protocol/zip/ZIP.h b/src/analyzer/protocol/zip/ZIP.h index 2ea31878a7..8ccf99a0cb 100644 --- a/src/analyzer/protocol/zip/ZIP.h +++ b/src/analyzer/protocol/zip/ZIP.h @@ -7,7 +7,7 @@ #include "zlib.h" #include "analyzer/protocol/tcp/TCP.h" -namespace analyzer { namespace zip { +namespace zeek::analyzer::zip { class ZIP_Analyzer final : public zeek::analyzer::tcp::TCP_SupportAnalyzer { public: @@ -27,4 +27,10 @@ protected: Method method; }; -} } // namespace analyzer::* +} // namespace zeek::analyzer::zip + +namespace analyzer::zip { + +using ZIP_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::zip::ZIP_Analyzer.")]] = zeek::analyzer::zip::ZIP_Analyzer; + +} // namespace analyzer::zip