Move the remainder of the analyzers to zeek namespaces

Tim Wojtulewicz 2020-08-04 10:27:41 -07:00
parent 914ffcadae
commit 715ca6549b
170 changed files with 1971 additions and 1085 deletions


@ -475,14 +475,14 @@ bool Manager::BuildInitialAnalyzerTree(Connection* conn)
if ( IsEnabled(analyzer_connsize) )
// Add ConnSize analyzer. Needs to see packets, not stream.
tcp->AddChildPacketAnalyzer(new ::analyzer::conn_size::ConnSize_Analyzer(conn));
tcp->AddChildPacketAnalyzer(new zeek::analyzer::conn_size::ConnSize_Analyzer(conn));
}
else
{
if ( IsEnabled(analyzer_connsize) )
// Add ConnSize analyzer. Needs to see packets, not stream.
root->AddChildAnalyzer(new ::analyzer::conn_size::ConnSize_Analyzer(conn));
root->AddChildAnalyzer(new zeek::analyzer::conn_size::ConnSize_Analyzer(conn));
}
if ( pia )


@ -2,7 +2,7 @@
#include "AYIYA.h"
#include "Func.h"
using namespace analyzer::ayiya;
namespace zeek::analyzer::ayiya {
AYIYA_Analyzer::AYIYA_Analyzer(zeek::Connection* conn)
: Analyzer("AYIYA", conn)
@ -34,3 +34,5 @@ void AYIYA_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint6
ProtocolViolation(fmt("Binpac exception: %s", e.c_msg()));
}
}
} // namespace zeek::analyzer::ayiya


@ -2,7 +2,7 @@
#include "ayiya_pac.h"
namespace analyzer { namespace ayiya {
namespace zeek::analyzer::ayiya {
class AYIYA_Analyzer final : public zeek::analyzer::Analyzer {
public:
@ -20,4 +20,8 @@ protected:
binpac::AYIYA::AYIYA_Conn* interp;
};
} } // namespace analyzer::*
} // namespace zeek::analyzer::ayiya
namespace analyzer::ayiya {
using AYIYA_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::ayiya::AYIYA_Analyzer.")]] = zeek::analyzer::ayiya::AYIYA_Analyzer;
}
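Review bot: The closing brace of the new `namespace analyzer::ayiya` compatibility block has no trailing comment, while the brace just above it is annotated `// namespace zeek::analyzer::ayiya`. Adding `} // namespace analyzer::ayiya` would keep the two adjacent closers distinguishable. The same applies to the deprecated-alias blocks added for bittorrent, conn_size, dce_rpc, dhcp and dnp3 further down the page.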


@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new zeek::analyzer::Component("AYIYA", ::analyzer::ayiya::AYIYA_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("AYIYA", zeek::analyzer::ayiya::AYIYA_Analyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::AYIYA";


@ -5,7 +5,7 @@
#include "events.bif.h"
using namespace analyzer::bittorrent;
namespace zeek::analyzer::bittorrent {
BitTorrent_Analyzer::BitTorrent_Analyzer(zeek::Connection* c)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("BITTORRENT", c)
@ -124,3 +124,5 @@ void BitTorrent_Analyzer::DeliverWeird(const char* msg, bool orig)
zeek::val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(msg));
}
} // namespace zeek::analyzer::bittorrent


@ -6,7 +6,7 @@
#include "bittorrent_pac.h"
namespace analyzer { namespace bittorrent {
namespace zeek::analyzer::bittorrent {
class BitTorrent_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
public:
@ -29,4 +29,10 @@ protected:
uint64_t stream_len_orig, stream_len_resp;
};
} } // namespace analyzer::*
} // namespace zeek::analyzer::bittorrent
namespace analyzer::bittorrent {
using BitTorrent_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::bittorrent::BitTorrent_Analyzer.")]] = zeek::analyzer::bittorrent::BitTorrent_Analyzer;
}


@ -13,7 +13,7 @@
# define FMT_INT "%" PRId64
# define FMT_UINT "%" PRIu64
using namespace analyzer::bittorrent;
namespace zeek::analyzer::bittorrent {
static zeek::TableTypePtr bt_tracker_headers;
static zeek::RecordTypePtr bittorrent_peer;
@ -40,14 +40,14 @@ BitTorrentTracker_Analyzer::BitTorrentTracker_Analyzer(zeek::Connection* c)
keep_alive = false;
req_state = BTT_REQ_GET;
req_state = detail::BTT_REQ_GET;
req_buf[sizeof(req_buf) - 1] = 0;
req_buf_pos = req_buf;
req_buf_len = 0;
req_val_uri = nullptr;
req_val_headers = new zeek::TableVal(bt_tracker_headers);
res_state = BTT_RES_STATUS;
res_state = detail::BTT_RES_STATUS;
res_allow_blank_line = false;
res_buf[sizeof(res_buf) - 1] = 0;
res_buf_pos = res_buf;
@ -130,9 +130,9 @@ void BitTorrentTracker_Analyzer::ClientRequest(int len, const u_char* data)
req_buf_pos = lf + 1;
if ( req_state == BTT_REQ_DONE && keep_alive )
if ( req_state == detail::BTT_REQ_DONE && keep_alive )
{
req_state = BTT_REQ_GET;
req_state = detail::BTT_REQ_GET;
req_buf_len -= (req_buf_pos - req_buf);
memmove(req_buf, req_buf_pos, req_buf_len);
req_buf_pos = req_buf;
@ -146,7 +146,7 @@ void BitTorrentTracker_Analyzer::ServerReply(int len, const u_char* data)
if ( stop_resp )
return;
if ( res_state == BTT_RES_DONE )
if ( res_state == detail::BTT_RES_DONE )
// We are done already, i.e. state != 200.
return;
@ -163,7 +163,7 @@ void BitTorrentTracker_Analyzer::ServerReply(int len, const u_char* data)
while ( true )
{
while ( res_state != BTT_RES_BODY &&
while ( res_state != detail::BTT_RES_BODY &&
res_buf_pos < res_buf + res_buf_len )
{
char* lf = strchr(res_buf_pos, '\n');
@ -181,17 +181,17 @@ void BitTorrentTracker_Analyzer::ServerReply(int len, const u_char* data)
res_buf_pos = lf + 1;
}
if ( res_state != BTT_RES_BODY ||
if ( res_state != detail::BTT_RES_BODY ||
res_buf_pos >= res_buf + res_buf_len )
break;
ResponseBody();
if ( res_state != BTT_RES_DONE ||
if ( res_state != detail::BTT_RES_DONE ||
res_status != 200 || ! keep_alive )
break;
res_state = BTT_RES_STATUS;
res_state = detail::BTT_RES_STATUS;
res_allow_blank_line = true;
res_buf_len -= res_buf_pos - res_buf;
memmove(res_buf, res_buf_pos, res_buf_len);
@ -228,9 +228,9 @@ void BitTorrentTracker_Analyzer::InitBencParser(void)
benc_stack.clear();
benc_count.clear();
benc_state = BENC_STATE_EMPTY;
benc_state = detail::BENC_STATE_EMPTY;
benc_raw = nullptr;
benc_raw_type = BENC_TYPE_NONE;
benc_raw_type = detail::BENC_TYPE_NONE;
benc_raw_len = 0;
benc_key = nullptr;
benc_key_len = 0;
@ -267,7 +267,7 @@ bool BitTorrentTracker_Analyzer::ParseRequest(char* line)
}
switch ( req_state ) {
case BTT_REQ_GET:
case detail::BTT_REQ_GET:
{
regmatch_t match[1];
if ( regexec(&r_get, line, 1, match, 0) )
@ -293,16 +293,16 @@ bool BitTorrentTracker_Analyzer::ParseRequest(char* line)
RequestGet(&line[match[0].rm_eo]);
req_state = BTT_REQ_HEADER;
req_state = detail::BTT_REQ_HEADER;
}
break;
case BTT_REQ_HEADER:
case detail::BTT_REQ_HEADER:
{
if ( ! *line )
{
EmitRequest();
req_state = BTT_REQ_DONE;
req_state = detail::BTT_REQ_DONE;
break;
}
@ -319,7 +319,7 @@ bool BitTorrentTracker_Analyzer::ParseRequest(char* line)
}
break;
case BTT_REQ_DONE:
case detail::BTT_REQ_DONE:
if ( *line )
{
auto msg = fmt("Got post request data: %s\n", line);
@ -370,7 +370,7 @@ bool BitTorrentTracker_Analyzer::ParseResponse(char* line)
}
switch ( res_state ) {
case BTT_RES_STATUS:
case detail::BTT_RES_STATUS:
{
if ( res_allow_blank_line && ! *line )
{
@ -390,11 +390,11 @@ bool BitTorrentTracker_Analyzer::ParseResponse(char* line)
}
ResponseStatus(&line[match[0].rm_eo]);
res_state = BTT_RES_HEADER;
res_state = detail::BTT_RES_HEADER;
}
break;
case BTT_RES_HEADER:
case detail::BTT_RES_HEADER:
if ( ! *line )
{
if ( res_status != 200 )
@ -408,10 +408,10 @@ bool BitTorrentTracker_Analyzer::ParseResponse(char* line)
);
res_val_headers = nullptr;
res_buf_pos = res_buf + res_buf_len;
res_state = BTT_RES_DONE;
res_state = detail::BTT_RES_DONE;
}
else
res_state = BTT_RES_BODY;
res_state = detail::BTT_RES_BODY;
break;
}
@ -465,7 +465,8 @@ void BitTorrentTracker_Analyzer::ParseHeader(char* name, char* value,
}
void BitTorrentTracker_Analyzer::ResponseBenc(int name_len, char* name,
enum btt_benc_types type, int value_len, char* value)
detail::BTT_BencTypes type,
int value_len, char* value)
{
if ( name_len == 5 && ! strncmp(name, "peers", 5) )
{
@ -494,7 +495,7 @@ void BitTorrentTracker_Analyzer::ResponseBenc(int name_len, char* name,
}
void BitTorrentTracker_Analyzer::ResponseBenc(int name_len, char* name,
enum btt_benc_types type, bro_int_t value)
detail::BTT_BencTypes type, bro_int_t value)
{
auto benc_value = zeek::make_intrusive<zeek::RecordVal>(bittorrent_benc_value);
auto name_ = zeek::make_intrusive<zeek::StringVal>(name_len, name);
@ -508,7 +509,7 @@ void BitTorrentTracker_Analyzer::ResponseBody(void)
switch ( ResponseParseBenc() ) {
case 0:
EmitResponse();
res_state = BTT_RES_DONE;
res_state = detail::BTT_RES_DONE;
break;
case -1: // parsing failed
@ -540,7 +541,7 @@ int BitTorrentTracker_Analyzer::ResponseParseBenc(void)
--len, ++res_buf_pos )
{
switch ( benc_state ) {
case BENC_STATE_EMPTY:
case detail::BENC_STATE_EMPTY:
{
switch ( res_buf_pos[0] ) {
case 'd':
@ -548,7 +549,7 @@ int BitTorrentTracker_Analyzer::ResponseParseBenc(void)
case 0: break;
case 1:
benc_raw = res_buf_pos;
benc_raw_type = BENC_TYPE_DIR;
benc_raw_type = detail::BENC_TYPE_DIR;
/* fall through */
default:
VIOLATION_IF(benc_stack.back() == 'd' &&
@ -569,7 +570,7 @@ int BitTorrentTracker_Analyzer::ResponseParseBenc(void)
case 1:
benc_raw = res_buf_pos;
benc_raw_type = BENC_TYPE_LIST;
benc_raw_type = detail::BENC_TYPE_LIST;
/* fall through */
default:
@ -590,10 +591,10 @@ int BitTorrentTracker_Analyzer::ResponseParseBenc(void)
! (benc_count.back() % 2),
"BitTorrentTracker: directory key is not a string but an int")
if ( benc_raw_type != BENC_TYPE_NONE )
if ( benc_raw_type != detail::BENC_TYPE_NONE )
++benc_raw_len;
benc_state = BENC_STATE_INT1;
benc_state = detail::BENC_STATE_INT1;
break;
case 'e':
@ -603,7 +604,7 @@ int BitTorrentTracker_Analyzer::ResponseParseBenc(void)
benc_count.back() % 2,
"BitTorrentTracker: directory has an odd count of members")
if ( benc_raw_type != BENC_TYPE_NONE )
if ( benc_raw_type != detail::BENC_TYPE_NONE )
++benc_raw_len;
if ( benc_stack.size() == 2 )
@ -615,7 +616,7 @@ int BitTorrentTracker_Analyzer::ResponseParseBenc(void)
benc_key_len = 0;
benc_raw = nullptr;
benc_raw_len = 0;
benc_raw_type = BENC_TYPE_NONE;
benc_raw_type = detail::BENC_TYPE_NONE;
}
benc_stack.pop_back();
@ -635,11 +636,11 @@ int BitTorrentTracker_Analyzer::ResponseParseBenc(void)
VIOLATION_IF(! benc_stack.size(),
"BitTorrentTracker: not a bencoded directory (first char: [0-9])")
if ( benc_raw_type != BENC_TYPE_NONE )
if ( benc_raw_type != detail::BENC_TYPE_NONE )
++benc_raw_len;
benc_strlen = res_buf_pos;
benc_state = BENC_STATE_STR1;
benc_state = detail::BENC_STATE_STR1;
break;
default:
@ -648,28 +649,28 @@ int BitTorrentTracker_Analyzer::ResponseParseBenc(void)
}
break;
case BENC_STATE_INT1:
case detail::BENC_STATE_INT1:
benc_int = res_buf_pos;
if ( res_buf_pos[0] == '-' )
{
if ( benc_raw_type != BENC_TYPE_NONE )
if ( benc_raw_type != detail::BENC_TYPE_NONE )
++benc_raw_len;
benc_state = BENC_STATE_INT2;
benc_state = detail::BENC_STATE_INT2;
break;
}
case BENC_STATE_INT2:
case detail::BENC_STATE_INT2:
VIOLATION_IF(res_buf_pos[0] < '0' ||
res_buf_pos[0] > '9',
"BitTorrentTracker: no valid bencoding")
if ( benc_raw_type != BENC_TYPE_NONE )
if ( benc_raw_type != detail::BENC_TYPE_NONE )
++benc_raw_len;
benc_state = BENC_STATE_INT3;
benc_state = detail::BENC_STATE_INT3;
break;
case BENC_STATE_INT3:
case detail::BENC_STATE_INT3:
if ( res_buf_pos[0] == 'e' )
{
if ( sscanf(benc_int, FMT_INT,
@ -678,7 +679,7 @@ int BitTorrentTracker_Analyzer::ResponseParseBenc(void)
if ( benc_stack.size() == 1 )
{
ResponseBenc(benc_key_len,
benc_key, BENC_TYPE_INT,
benc_key, detail::BENC_TYPE_INT,
benc_int_val);
benc_key = nullptr;
benc_key_len = 0;
@ -688,7 +689,7 @@ int BitTorrentTracker_Analyzer::ResponseParseBenc(void)
VIOLATION_IF(1, "BitTorrentTracker: no valid bencoding")
INC_COUNT
benc_state = BENC_STATE_EMPTY;
benc_state = detail::BENC_STATE_EMPTY;
}
else
@ -696,16 +697,16 @@ int BitTorrentTracker_Analyzer::ResponseParseBenc(void)
res_buf_pos[0] > '9',
"BitTorrentTracker: no valid bencoding");
if ( benc_raw_type != BENC_TYPE_NONE )
if ( benc_raw_type != detail::BENC_TYPE_NONE )
++benc_raw_len;
break;
case BENC_STATE_STR1:
case detail::BENC_STATE_STR1:
switch ( res_buf_pos[0] ) {
case '0': case '1': case '2': case '3': case '4':
case '5': case '6': case '7': case '8': case '9':
if ( benc_raw_type != BENC_TYPE_NONE )
if ( benc_raw_type != detail::BENC_TYPE_NONE )
++benc_raw_len;
break;
@ -724,10 +725,10 @@ int BitTorrentTracker_Analyzer::ResponseParseBenc(void)
benc_key_len = benc_str_len;
}
if ( benc_raw_type != BENC_TYPE_NONE )
if ( benc_raw_type != detail::BENC_TYPE_NONE )
++benc_raw_len;
benc_state = BENC_STATE_STR2;
benc_state = detail::BENC_STATE_STR2;
break;
default:
@ -735,14 +736,14 @@ int BitTorrentTracker_Analyzer::ResponseParseBenc(void)
}
break;
case BENC_STATE_STR2:
case detail::BENC_STATE_STR2:
if ( benc_str_have < benc_str_len )
{
unsigned int seek =
std::min(len, benc_str_len - benc_str_have);
benc_str_have += seek;
if ( benc_raw_type != BENC_TYPE_NONE )
if ( benc_raw_type != detail::BENC_TYPE_NONE )
benc_raw_len += seek;
res_buf_pos += seek - 1;
@ -755,7 +756,7 @@ int BitTorrentTracker_Analyzer::ResponseParseBenc(void)
benc_key != benc_str )
{
ResponseBenc(benc_key_len, benc_key,
BENC_TYPE_STR,
detail::BENC_TYPE_STR,
benc_str_len, benc_str);
benc_key_len = 0;
benc_key = nullptr;
@ -768,7 +769,7 @@ int BitTorrentTracker_Analyzer::ResponseParseBenc(void)
}
INC_COUNT
benc_state = BENC_STATE_EMPTY;
benc_state = detail::BENC_STATE_EMPTY;
}
break;
}
@ -794,3 +795,5 @@ void BitTorrentTracker_Analyzer::EmitResponse(void)
res_val_peers = nullptr;
res_val_benc = nullptr;
}
} // namespace zeek::analyzer::bittorrent
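Review bot: In `ResponseParseBenc`, `case detail::BENC_STATE_INT1:` appears to run on into `case detail::BENC_STATE_INT2:` whenever the current byte is not `'-'`, and nothing marks that as intended. The two earlier fall-throughs in the same switch carry `/* fall through */`. Since these case labels are being touched anyway and the file already uses C++17 nested namespaces, a `[[fallthrough]];` before the `INT2` label would make the intent explicit to both readers and the compiler in a parser that consumes network input. The function body starts and ends outside the hunks shown here.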


@ -8,13 +8,15 @@
ZEEK_FORWARD_DECLARE_NAMESPACED(StringVal, zeek);
namespace analyzer { namespace bittorrent {
namespace zeek::analyzer::bittorrent {
// If the following is defined, then the analyzer will store all of
// the headers seen in tracker messages.
//#define BTTRACKER_STORE_HEADERS 1
enum btt_states {
namespace detail {
enum BTT_States {
BTT_REQ_GET,
BTT_REQ_HEADER,
BTT_REQ_DONE,
@ -22,19 +24,19 @@ enum btt_states {
BTT_RES_STATUS,
BTT_RES_HEADER,
BTT_RES_BODY,
BTT_RES_DONE,
BTT_RES_DONE
};
// "benc" = Bencode ("Bee-Encode"), per http://en.wikipedia.org/wiki/Bencode
enum btt_benc_types {
enum BTT_BencTypes {
BENC_TYPE_INT = 0,
BENC_TYPE_STR = 1,
BENC_TYPE_DIR = 2,
BENC_TYPE_LIST = 3,
BENC_TYPE_NONE = 10,
BENC_TYPE_NONE = 10
};
enum btt_benc_states {
enum BTT_BencStates {
BENC_STATE_EMPTY,
BENC_STATE_INT1,
BENC_STATE_INT2,
@ -43,6 +45,8 @@ enum btt_benc_states {
BENC_STATE_STR2,
};
} // namespace detail
class BitTorrentTracker_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
public:
explicit BitTorrentTracker_Analyzer(zeek::Connection* conn);
@ -75,9 +79,9 @@ protected:
void ResponseHeader(char* name, char* value)
{ ParseHeader(name, value, false); }
void ResponseBody();
void ResponseBenc(int name_len, char* name, enum btt_benc_types type,
void ResponseBenc(int name_len, char* name, detail::BTT_BencTypes type,
int value_len, char* value);
void ResponseBenc(int name_len, char* name, enum btt_benc_types type,
void ResponseBenc(int name_len, char* name, detail::BTT_BencTypes type,
bro_int_t value);
int ResponseParseBenc();
void EmitResponse();
@ -88,7 +92,7 @@ protected:
bool keep_alive;
// Request.
enum btt_states req_state;
detail::BTT_States req_state;
char req_buf[BTTRACKER_BUF];
char* req_buf_pos;
unsigned int req_buf_len;
@ -96,7 +100,7 @@ protected:
zeek::TableVal* req_val_headers;
// Response.
enum btt_states res_state;
detail::BTT_States res_state;
bool res_allow_blank_line;
char res_buf[BTTRACKER_BUF];
char* res_buf_pos;
@ -108,10 +112,10 @@ protected:
std::vector<char> benc_stack;
std::vector<unsigned int> benc_count;
enum btt_benc_states benc_state;
detail::BTT_BencStates benc_state;
char* benc_raw;
enum btt_benc_types benc_raw_type;
detail::BTT_BencTypes benc_raw_type;
unsigned int benc_raw_len;
char* benc_key;
@ -129,4 +133,34 @@ protected:
bool stop_orig, stop_resp;
};
} } // namespace analyzer::*
} // namespace zeek::analyzer::bittorrent
namespace analyzer::bittorrent {
using btt_states [[deprecated("Remove in v4.1. Use zeek::analyzer::bittorrent::detail::BTT_States.")]] = zeek::analyzer::bittorrent::detail::BTT_States;
constexpr auto BTT_REQ_GET [[deprecated("Remove in v4.1. Use zeek::analyzer::bittorrent::detail::BTT_REQ_GET.")]] = zeek::analyzer::bittorrent::detail::BTT_REQ_GET;
constexpr auto BTT_REQ_HEADER [[deprecated("Remove in v4.1. Use zeek::analyzer::bittorrent::detail::BTT_REQ_HEADER.")]] = zeek::analyzer::bittorrent::detail::BTT_REQ_HEADER;
constexpr auto BTT_REQ_DONE [[deprecated("Remove in v4.1. Use zeek::analyzer::bittorrent::detail::BTT_REQ_DONE.")]] = zeek::analyzer::bittorrent::detail::BTT_REQ_DONE;
constexpr auto BTT_RES_STATUS [[deprecated("Remove in v4.1. Use zeek::analyzer::bittorrent::detail::BTT_RES_STATUS.")]] = zeek::analyzer::bittorrent::detail::BTT_RES_STATUS;
constexpr auto BTT_RES_HEADER [[deprecated("Remove in v4.1. Use zeek::analyzer::bittorrent::detail::BTT_RES_HEADER.")]] = zeek::analyzer::bittorrent::detail::BTT_RES_HEADER;
constexpr auto BTT_RES_BODY [[deprecated("Remove in v4.1. Use zeek::analyzer::bittorrent::detail::BTT_RES_BODY.")]] = zeek::analyzer::bittorrent::detail::BTT_RES_BODY;
constexpr auto BTT_RES_DONE [[deprecated("Remove in v4.1. Use zeek::analyzer::bittorrent::detail::BTT_RES_DONE.")]] = zeek::analyzer::bittorrent::detail::BTT_RES_DONE;
using btt_benc_types [[deprecated("Remove in v4.1. Use zeek::analyzer::bittorrent::detail::BTT_BencTypes.")]] = zeek::analyzer::bittorrent::detail::BTT_BencTypes;
constexpr auto BENC_TYPE_INT [[deprecated("Remove in v4.1. Use zeek::analyzer::bittorrent::detail::BENC_TYPE_INT.")]] = zeek::analyzer::bittorrent::detail::BENC_TYPE_INT;
constexpr auto BENC_TYPE_STR [[deprecated("Remove in v4.1. Use zeek::analyzer::bittorrent::detail::BENC_TYPE_STR.")]] = zeek::analyzer::bittorrent::detail::BENC_TYPE_STR;
constexpr auto BENC_TYPE_DIR [[deprecated("Remove in v4.1. Use zeek::analyzer::bittorrent::detail::BENC_TYPE_DIR.")]] = zeek::analyzer::bittorrent::detail::BENC_TYPE_DIR;
constexpr auto BENC_TYPE_LIST [[deprecated("Remove in v4.1. Use zeek::analyzer::bittorrent::detail::BENC_TYPE_LIST.")]] = zeek::analyzer::bittorrent::detail::BENC_TYPE_LIST;
constexpr auto BENC_TYPE_NONE [[deprecated("Remove in v4.1. Use zeek::analyzer::bittorrent::detail::BENC_TYPE_NONE.")]] = zeek::analyzer::bittorrent::detail::BENC_TYPE_NONE;
using btt_benc_states [[deprecated("Remove in v4.1. Use zeek::analyzer::bittorrent::detail::BTT_BencStates.")]] = zeek::analyzer::bittorrent::detail::BTT_BencStates;
constexpr auto BENC_STATE_EMPTY [[deprecated("Remove in v4.1. Use zeek::analyzer::bittorrent::detail::BENC_STATE_EMPTY.")]] = zeek::analyzer::bittorrent::detail::BENC_STATE_EMPTY;
constexpr auto BENC_STATE_INT1 [[deprecated("Remove in v4.1. Use zeek::analyzer::bittorrent::detail::BENC_STATE_INT1.")]] = zeek::analyzer::bittorrent::detail::BENC_STATE_INT1;
constexpr auto BENC_STATE_INT2 [[deprecated("Remove in v4.1. Use zeek::analyzer::bittorrent::detail::BENC_STATE_INT2.")]] = zeek::analyzer::bittorrent::detail::BENC_STATE_INT2;
constexpr auto BENC_STATE_INT3 [[deprecated("Remove in v4.1. Use zeek::analyzer::bittorrent::detail::BENC_STATE_INT3.")]] = zeek::analyzer::bittorrent::detail::BENC_STATE_INT3;
constexpr auto BENC_STATE_STR1 [[deprecated("Remove in v4.1. Use zeek::analyzer::bittorrent::detail::BENC_STATE_STR1.")]] = zeek::analyzer::bittorrent::detail::BENC_STATE_STR1;
constexpr auto BENC_STATE_STR2 [[deprecated("Remove in v4.1. Use zeek::analyzer::bittorrent::detail::BENC_STATE_STR2.")]] = zeek::analyzer::bittorrent::detail::BENC_STATE_STR2;
using BitTorrentTracker_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::bittorrent::BitTorrentTracker_Analyzer.")]] = zeek::analyzer::bittorrent::BitTorrentTracker_Analyzer;
}


@ -12,8 +12,8 @@ class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new zeek::analyzer::Component("BitTorrent", ::analyzer::bittorrent::BitTorrent_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("BitTorrentTracker", ::analyzer::bittorrent::BitTorrentTracker_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("BitTorrent", zeek::analyzer::bittorrent::BitTorrent_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("BitTorrentTracker", zeek::analyzer::bittorrent::BitTorrentTracker_Analyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::BitTorrent";


@ -10,7 +10,7 @@
#include "events.bif.h"
using namespace analyzer::conn_size;
namespace zeek::analyzer::conn_size {
ConnSize_Analyzer::ConnSize_Analyzer(zeek::Connection* c)
: Analyzer("CONNSIZE", c),
@ -205,3 +205,5 @@ void ConnSize_Analyzer::FlipRoles()
orig_pkts = resp_pkts;
resp_pkts = tmp;
}
} // namespace zeek::analyzer::conn_size


@ -6,7 +6,7 @@
#include "analyzer/Analyzer.h"
#include "NetVar.h"
namespace analyzer { namespace conn_size {
namespace zeek::analyzer::conn_size {
class ConnSize_Analyzer : public zeek::analyzer::Analyzer {
public:
@ -50,4 +50,8 @@ protected:
double duration_thresh;
};
} } // namespace analyzer::*
} // namespace zeek::analyzer::conn_size
namespace analyzer::conn_size {
using ConnSize_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::conn_size::ConnSize_Analyzer.")]] = zeek::analyzer::conn_size::ConnSize_Analyzer;
}


@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new zeek::analyzer::Component("ConnSize", ::analyzer::conn_size::ConnSize_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("ConnSize", zeek::analyzer::conn_size::ConnSize_Analyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::ConnSize";


@ -37,7 +37,7 @@ function set_current_conn_bytes_threshold%(cid: conn_id, threshold: count, is_or
if ( ! a )
return zeek::val_mgr->False();
static_cast<::analyzer::conn_size::ConnSize_Analyzer*>(a)->SetByteAndPacketThreshold(threshold, true, is_orig);
static_cast<zeek::analyzer::conn_size::ConnSize_Analyzer*>(a)->SetByteAndPacketThreshold(threshold, true, is_orig);
return zeek::val_mgr->True();
%}
@ -61,7 +61,7 @@ function set_current_conn_packets_threshold%(cid: conn_id, threshold: count, is_
if ( ! a )
return zeek::val_mgr->False();
static_cast<::analyzer::conn_size::ConnSize_Analyzer*>(a)->SetByteAndPacketThreshold(threshold, false, is_orig);
static_cast<zeek::analyzer::conn_size::ConnSize_Analyzer*>(a)->SetByteAndPacketThreshold(threshold, false, is_orig);
return zeek::val_mgr->True();
%}
@ -83,7 +83,7 @@ function set_current_conn_duration_threshold%(cid: conn_id, threshold: interval%
if ( ! a )
return zeek::val_mgr->False();
static_cast<::analyzer::conn_size::ConnSize_Analyzer*>(a)->SetDurationThreshold(threshold);
static_cast<zeek::analyzer::conn_size::ConnSize_Analyzer*>(a)->SetDurationThreshold(threshold);
return zeek::val_mgr->True();
%}
@ -105,7 +105,7 @@ function get_current_conn_bytes_threshold%(cid: conn_id, is_orig: bool%): count
if ( ! a )
return zeek::val_mgr->Count(0);
return zeek::val_mgr->Count(static_cast<::analyzer::conn_size::ConnSize_Analyzer*>(a)->GetByteAndPacketThreshold(true, is_orig));
return zeek::val_mgr->Count(static_cast<zeek::analyzer::conn_size::ConnSize_Analyzer*>(a)->GetByteAndPacketThreshold(true, is_orig));
%}
## Gets the current packet threshold size for a connection.
@ -124,7 +124,7 @@ function get_current_conn_packets_threshold%(cid: conn_id, is_orig: bool%): coun
if ( ! a )
return zeek::val_mgr->Count(0);
return zeek::val_mgr->Count(static_cast<::analyzer::conn_size::ConnSize_Analyzer*>(a)->GetByteAndPacketThreshold(false, is_orig));
return zeek::val_mgr->Count(static_cast<zeek::analyzer::conn_size::ConnSize_Analyzer*>(a)->GetByteAndPacketThreshold(false, is_orig));
%}
## Gets the current duration threshold size for a connection.
@ -141,5 +141,5 @@ function get_current_conn_duration_threshold%(cid: conn_id%): interval
if ( ! a )
return zeek::make_intrusive<zeek::IntervalVal>(0.0);
return zeek::make_intrusive<zeek::IntervalVal>(static_cast<::analyzer::conn_size::ConnSize_Analyzer*>(a)->GetDurationThreshold());
return zeek::make_intrusive<zeek::IntervalVal>(static_cast<zeek::analyzer::conn_size::ConnSize_Analyzer*>(a)->GetDurationThreshold());
%}
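Review bot: All six functions repeat `static_cast<zeek::analyzer::conn_size::ConnSize_Analyzer*>(a)`, an unchecked downcast whose safety depends on how `a` was looked up, and that lookup is outside these hunks. If the lookup is keyed on the ConnSize analyzer the cast is sound, but the assumption is not stated at any of the cast sites. A single helper that performs the lookup and returns the typed pointer would keep the cast in one place, with a comment recording why it is safe. Each function body starts outside its hunk.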


@ -1,6 +1,7 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "zeek-config.h"
#include "DCE_RPC.h"
#include <stdlib.h>
#include <string>
@ -8,9 +9,7 @@
using namespace std;
#include "DCE_RPC.h"
using namespace analyzer::dce_rpc;
namespace zeek::analyzer::dce_rpc {
DCE_RPC_Analyzer::DCE_RPC_Analyzer(zeek::Connection* conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("DCE_RPC", conn)
@ -65,3 +64,5 @@ void DCE_RPC_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
ProtocolViolation(fmt("Binpac exception: %s", e.c_msg()));
}
}
} // namespace zeek::analyzer::dce_rpc


@ -9,7 +9,7 @@
#include "dce_rpc_pac.h"
namespace analyzer { namespace dce_rpc {
namespace zeek::analyzer::dce_rpc {
class DCE_RPC_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
public:
@ -32,4 +32,8 @@ protected:
binpac::DCE_RPC::DCE_RPC_Conn* interp;
};
} } // namespace analyzer::*
} // namespace zeek::analyzer::dce_rpc
namespace analyzer::dce_rpc {
using DCE_RPC_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::dce_rpc::DCE_RPC_Analyzer.")]] = zeek::analyzer::dce_rpc::DCE_RPC_Analyzer;
}


@ -12,7 +12,7 @@ class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new zeek::analyzer::Component("DCE_RPC", ::analyzer::dce_rpc::DCE_RPC_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("DCE_RPC", zeek::analyzer::dce_rpc::DCE_RPC_Analyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::DCE_RPC";


@ -3,7 +3,7 @@
#include "events.bif.h"
#include "types.bif.h"
using namespace analyzer::dhcp;
namespace zeek::analyzer::dhcp {
DHCP_Analyzer::DHCP_Analyzer(zeek::Connection* conn)
: Analyzer("DHCP", conn)
@ -36,3 +36,5 @@ void DHCP_Analyzer::DeliverPacket(int len, const u_char* data,
}
}
} // namespace zeek::analyzer::dhcp


@ -4,7 +4,7 @@
#include "dhcp_pac.h"
namespace analyzer { namespace dhcp {
namespace zeek::analyzer::dhcp {
class DHCP_Analyzer final : public zeek::analyzer::Analyzer {
public:
@ -22,4 +22,8 @@ protected:
binpac::DHCP::DHCP_Conn* interp;
};
} } // namespace analyzer::*
} // namespace zeek::analyzer::dhcp
namespace analyzer::dhcp {
using DHCP_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::dhcp::DHCP_Analyzer.")]] = zeek::analyzer::dhcp::DHCP_Analyzer;
}


@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new zeek::analyzer::Component("DHCP", ::analyzer::dhcp::DHCP_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("DHCP", zeek::analyzer::dhcp::DHCP_Analyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::DHCP";


@ -100,19 +100,19 @@
#include "Reporter.h"
#include "events.bif.h"
using namespace analyzer::dnp3;
constexpr unsigned int PSEUDO_LENGTH_INDEX = 2; // index of len field of DNP3 Pseudo Link Layer
constexpr unsigned int PSEUDO_CONTROL_FIELD_INDEX = 3; // index of ctrl field of DNP3 Pseudo Link Layer
constexpr unsigned int PSEUDO_TRANSPORT_INDEX = 10; // index of DNP3 Pseudo Transport Layer
constexpr unsigned int PSEUDO_APP_LAYER_INDEX = 11; // index of first DNP3 app-layer byte.
constexpr unsigned int PSEUDO_TRANSPORT_LEN = 1; // length of DNP3 Transport Layer
constexpr unsigned int PSEUDO_LINK_LAYER_LEN = 8; // length of DNP3 Pseudo Link Layer
const unsigned int PSEUDO_LENGTH_INDEX = 2; // index of len field of DNP3 Pseudo Link Layer
const unsigned int PSEUDO_CONTROL_FIELD_INDEX = 3; // index of ctrl field of DNP3 Pseudo Link Layer
const unsigned int PSEUDO_TRANSPORT_INDEX = 10; // index of DNP3 Pseudo Transport Layer
const unsigned int PSEUDO_APP_LAYER_INDEX = 11; // index of first DNP3 app-layer byte.
const unsigned int PSEUDO_TRANSPORT_LEN = 1; // length of DNP3 Transport Layer
const unsigned int PSEUDO_LINK_LAYER_LEN = 8; // length of DNP3 Pseudo Link Layer
namespace zeek::analyzer::dnp3 {
namespace detail {
bool DNP3_Base::crc_table_initialized = false;
unsigned int DNP3_Base::crc_table[256];
DNP3_Base::DNP3_Base(zeek::analyzer::Analyzer* arg_analyzer)
{
analyzer = arg_analyzer;
@ -385,6 +385,7 @@ unsigned int DNP3_Base::CalcCRC(int len, const u_char* data)
return ~crc & 0xFFFF;
}
} // namespace detail
DNP3_TCP_Analyzer::DNP3_TCP_Analyzer(zeek::Connection* c)
: DNP3_Base(this), TCP_ApplicationAnalyzer("DNP3_TCP", c)
{
@ -456,3 +457,5 @@ void DNP3_UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, ui
throw;
}
}
} // namespace zeek::analyzer::dnp3
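Review bot: The six `PSEUDO_*` offset and length constants remain at global scope, above `namespace zeek::analyzer::dnp3 {`, even though the rest of the file moves into that namespace. They have internal linkage, so nothing collides at link time, but names this generic are better kept out of the translation unit's global scope. Declaring them inside `namespace detail {`, next to the `DNP3_Base` code that presumably uses them, would match the intent of the commit.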


@ -6,7 +6,9 @@
#include "dnp3_pac.h"
namespace analyzer { namespace dnp3 {
namespace zeek::analyzer::dnp3 {
namespace detail {
class DNP3_Base {
public:
@ -61,7 +63,9 @@ protected:
Endpoint resp_state;
};
class DNP3_TCP_Analyzer : public DNP3_Base, public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
} // namespace detail
class DNP3_TCP_Analyzer : public detail::DNP3_Base, public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
public:
explicit DNP3_TCP_Analyzer(zeek::Connection* conn);
~DNP3_TCP_Analyzer() override;
@ -75,7 +79,7 @@ public:
{ return new DNP3_TCP_Analyzer(conn); }
};
class DNP3_UDP_Analyzer : public DNP3_Base, public zeek::analyzer::Analyzer {
class DNP3_UDP_Analyzer : public detail::DNP3_Base, public zeek::analyzer::Analyzer {
public:
explicit DNP3_UDP_Analyzer(zeek::Connection* conn);
~DNP3_UDP_Analyzer() override;
@ -88,4 +92,11 @@ public:
};
} } // namespace analyzer::*
} // namespace zeek::analyzer::dnp3
namespace analyzer::dnp3 {
using DNP3_Base [[deprecated("Remove in v4.1. Use zeek::analyzer::dnp3::detail::DNP3_Base.")]] = zeek::analyzer::dnp3::detail::DNP3_Base;
using DNP3_TCP_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::dnp3::DNP3_TCP_Analyzer.")]] = zeek::analyzer::dnp3::DNP3_TCP_Analyzer;
using DNP3_UDP_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::dnp3::DNP3_UDP_Analyzer.")]] = zeek::analyzer::dnp3::DNP3_UDP_Analyzer;
}


@ -11,8 +11,8 @@ class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new zeek::analyzer::Component("DNP3_TCP", ::analyzer::dnp3::DNP3_TCP_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("DNP3_UDP", ::analyzer::dnp3::DNP3_UDP_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("DNP3_TCP", zeek::analyzer::dnp3::DNP3_TCP_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("DNP3_UDP", zeek::analyzer::dnp3::DNP3_UDP_Analyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::DNP3";


@ -17,7 +17,9 @@
#include "events.bif.h"
using namespace analyzer::dns;
namespace zeek::analyzer::dns {
namespace detail {
DNS_Interpreter::DNS_Interpreter(zeek::analyzer::Analyzer* arg_analyzer)
{
@ -27,7 +29,7 @@ DNS_Interpreter::DNS_Interpreter(zeek::analyzer::Analyzer* arg_analyzer)
void DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query)
{
int hdr_len = sizeof(DNS_RawMsgHdr);
int hdr_len = sizeof(detail::DNS_RawMsgHdr);
if ( len < hdr_len )
{
@ -35,7 +37,7 @@ void DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query)
return;
}
DNS_MsgInfo msg((DNS_RawMsgHdr*) data, is_query);
detail::DNS_MsgInfo msg((detail::DNS_RawMsgHdr*) data, is_query);
if ( first_message && msg.QR && is_query == 1 )
{
@ -76,7 +78,7 @@ void DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query)
return;
}
if ( ! ParseAnswers(&msg, msg.ancount, DNS_ANSWER,
if ( ! ParseAnswers(&msg, msg.ancount, detail::DNS_ANSWER,
data, len, msg_start) )
{
EndMessage(&msg);
@ -107,7 +109,7 @@ void DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query)
}
msg.skip_event = skip_auth;
if ( ! ParseAnswers(&msg, msg.nscount, DNS_AUTHORITY,
if ( ! ParseAnswers(&msg, msg.nscount, detail::DNS_AUTHORITY,
data, len, msg_start) )
{
EndMessage(&msg);
@ -122,7 +124,7 @@ void DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query)
}
msg.skip_event = skip_addl;
if ( ! ParseAnswers(&msg, msg.arcount, DNS_ADDITIONAL,
if ( ! ParseAnswers(&msg, msg.arcount, detail::DNS_ADDITIONAL,
data, len, msg_start) )
{
EndMessage(&msg);
@ -132,7 +134,7 @@ void DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query)
EndMessage(&msg);
}
void DNS_Interpreter::EndMessage(DNS_MsgInfo* msg)
void DNS_Interpreter::EndMessage(detail::DNS_MsgInfo* msg)
{
if ( dns_end )
analyzer->EnqueueConnEvent(dns_end,
@ -141,7 +143,7 @@ void DNS_Interpreter::EndMessage(DNS_MsgInfo* msg)
);
}
bool DNS_Interpreter::ParseQuestions(DNS_MsgInfo* msg,
bool DNS_Interpreter::ParseQuestions(detail::DNS_MsgInfo* msg,
const u_char*& data, int& len,
const u_char* msg_start)
{
@ -152,7 +154,7 @@ bool DNS_Interpreter::ParseQuestions(DNS_MsgInfo* msg,
return n == 0;
}
bool DNS_Interpreter::ParseAnswers(DNS_MsgInfo* msg, int n, DNS_AnswerType atype,
bool DNS_Interpreter::ParseAnswers(detail::DNS_MsgInfo* msg, int n, detail::DNS_AnswerType atype,
const u_char*& data, int& len,
const u_char* msg_start)
{
@ -164,7 +166,7 @@ bool DNS_Interpreter::ParseAnswers(DNS_MsgInfo* msg, int n, DNS_AnswerType atype
return n == 0;
}
bool DNS_Interpreter::ParseQuestion(DNS_MsgInfo* msg,
bool DNS_Interpreter::ParseQuestion(detail::DNS_MsgInfo* msg,
const u_char*& data, int& len,
const u_char* msg_start)
{
@ -217,7 +219,7 @@ bool DNS_Interpreter::ParseQuestion(DNS_MsgInfo* msg,
return true;
}
bool DNS_Interpreter::ParseAnswer(DNS_MsgInfo* msg,
bool DNS_Interpreter::ParseAnswer(detail::DNS_MsgInfo* msg,
const u_char*& data, int& len,
const u_char* msg_start)
{
@ -239,7 +241,7 @@ bool DNS_Interpreter::ParseAnswer(DNS_MsgInfo* msg,
// re-interpreted by other, more adventurous RR types.
msg->query_name = zeek::make_intrusive<zeek::StringVal>(new zeek::String(name, name_end - name, true));
msg->atype = RR_Type(ExtractShort(data, len));
msg->atype = detail::RR_Type(ExtractShort(data, len));
msg->aclass = ExtractShort(data, len);
msg->ttl = ExtractLong(data, len);
@ -252,54 +254,54 @@ bool DNS_Interpreter::ParseAnswer(DNS_MsgInfo* msg,
bool status;
switch ( msg->atype ) {
case TYPE_A:
case detail::TYPE_A:
status = ParseRR_A(msg, data, len, rdlength);
break;
case TYPE_A6:
case TYPE_AAAA:
case detail::TYPE_A6:
case detail::TYPE_AAAA:
status = ParseRR_AAAA(msg, data, len, rdlength);
break;
case TYPE_NS:
case TYPE_CNAME:
case TYPE_PTR:
case detail::TYPE_NS:
case detail::TYPE_CNAME:
case detail::TYPE_PTR:
status = ParseRR_Name(msg, data, len, rdlength, msg_start);
break;
case TYPE_SOA:
case detail::TYPE_SOA:
status = ParseRR_SOA(msg, data, len, rdlength, msg_start);
break;
case TYPE_WKS:
case detail::TYPE_WKS:
status = ParseRR_WKS(msg, data, len, rdlength);
break;
case TYPE_HINFO:
case detail::TYPE_HINFO:
status = ParseRR_HINFO(msg, data, len, rdlength);
break;
case TYPE_MX:
case detail::TYPE_MX:
status = ParseRR_MX(msg, data, len, rdlength, msg_start);
break;
case TYPE_TXT:
case detail::TYPE_TXT:
status = ParseRR_TXT(msg, data, len, rdlength, msg_start);
break;
case TYPE_SPF:
case detail::TYPE_SPF:
status = ParseRR_SPF(msg, data, len, rdlength, msg_start);
break;
case TYPE_CAA:
case detail::TYPE_CAA:
status = ParseRR_CAA(msg, data, len, rdlength, msg_start);
break;
case TYPE_NBS:
case detail::TYPE_NBS:
status = ParseRR_NBS(msg, data, len, rdlength, msg_start);
break;
case TYPE_SRV:
case detail::TYPE_SRV:
if ( ntohs(analyzer->Conn()->RespPort()) == 137 )
{
// This is an NBSTAT (NetBIOS NODE STATUS) record.
@ -313,31 +315,31 @@ bool DNS_Interpreter::ParseAnswer(DNS_MsgInfo* msg,
break;
case TYPE_EDNS:
case detail::TYPE_EDNS:
status = ParseRR_EDNS(msg, data, len, rdlength, msg_start);
break;
case TYPE_TSIG:
case detail::TYPE_TSIG:
status = ParseRR_TSIG(msg, data, len, rdlength, msg_start);
break;
case TYPE_RRSIG:
case detail::TYPE_RRSIG:
status = ParseRR_RRSIG(msg, data, len, rdlength, msg_start);
break;
case TYPE_DNSKEY:
case detail::TYPE_DNSKEY:
status = ParseRR_DNSKEY(msg, data, len, rdlength, msg_start);
break;
case TYPE_NSEC:
case detail::TYPE_NSEC:
status = ParseRR_NSEC(msg, data, len, rdlength, msg_start);
break;
case TYPE_NSEC3:
case detail::TYPE_NSEC3:
status = ParseRR_NSEC3(msg, data, len, rdlength, msg_start);
break;
case TYPE_DS:
case detail::TYPE_DS:
status = ParseRR_DS(msg, data, len, rdlength, msg_start);
break;
@ -518,7 +520,7 @@ uint32_t DNS_Interpreter::ExtractLong(const u_char*& data, int& len)
return val;
}
bool DNS_Interpreter::ParseRR_Name(DNS_MsgInfo* msg,
bool DNS_Interpreter::ParseRR_Name(detail::DNS_MsgInfo* msg,
const u_char*& data, int& len, int rdlength,
const u_char* msg_start)
{
@ -538,17 +540,17 @@ bool DNS_Interpreter::ParseRR_Name(DNS_MsgInfo* msg,
zeek::EventHandlerPtr reply_event;
switch ( msg->atype ) {
case TYPE_NS:
case detail::TYPE_NS:
reply_event = dns_NS_reply;
break;
case TYPE_CNAME:
case TYPE_AAAA:
case TYPE_A6:
case detail::TYPE_CNAME:
case detail::TYPE_AAAA:
case detail::TYPE_A6:
reply_event = dns_CNAME_reply;
break;
case TYPE_PTR:
case detail::TYPE_PTR:
reply_event = dns_PTR_reply;
break;
@ -568,7 +570,7 @@ bool DNS_Interpreter::ParseRR_Name(DNS_MsgInfo* msg,
return true;
}
bool DNS_Interpreter::ParseRR_SOA(DNS_MsgInfo* msg,
bool DNS_Interpreter::ParseRR_SOA(detail::DNS_MsgInfo* msg,
const u_char*& data, int& len, int rdlength,
const u_char* msg_start)
{
@ -623,7 +625,7 @@ bool DNS_Interpreter::ParseRR_SOA(DNS_MsgInfo* msg,
return true;
}
bool DNS_Interpreter::ParseRR_MX(DNS_MsgInfo* msg,
bool DNS_Interpreter::ParseRR_MX(detail::DNS_MsgInfo* msg,
const u_char*& data, int& len, int rdlength,
const u_char* msg_start)
{
@ -653,7 +655,7 @@ bool DNS_Interpreter::ParseRR_MX(DNS_MsgInfo* msg,
return true;
}
bool DNS_Interpreter::ParseRR_NBS(DNS_MsgInfo* msg,
bool DNS_Interpreter::ParseRR_NBS(detail::DNS_MsgInfo* msg,
const u_char*& data, int& len, int rdlength,
const u_char* msg_start)
{
@ -662,7 +664,7 @@ bool DNS_Interpreter::ParseRR_NBS(DNS_MsgInfo* msg,
return true;
}
bool DNS_Interpreter::ParseRR_SRV(DNS_MsgInfo* msg,
bool DNS_Interpreter::ParseRR_SRV(detail::DNS_MsgInfo* msg,
const u_char*& data, int& len, int rdlength,
const u_char* msg_start)
{
@ -696,7 +698,7 @@ bool DNS_Interpreter::ParseRR_SRV(DNS_MsgInfo* msg,
return true;
}
bool DNS_Interpreter::ParseRR_EDNS(DNS_MsgInfo* msg,
bool DNS_Interpreter::ParseRR_EDNS(detail::DNS_MsgInfo* msg,
const u_char*& data, int& len, int rdlength,
const u_char* msg_start)
{
@ -721,14 +723,14 @@ bool DNS_Interpreter::ParseRR_EDNS(DNS_MsgInfo* msg,
// TODO: Implement additional option codes
switch ( option_code )
{
case TYPE_ECS:
case detail::TYPE_ECS:
{
// must be 4 bytes + variable number of octets for address
if ( option_len <= 4 ) {
break;
}
EDNS_ECS opt{};
detail::EDNS_ECS opt{};
uint16_t ecs_family = ExtractShort(data, option_len);
uint16_t source_scope = ExtractShort(data, option_len);
opt.ecs_src_pfx_len = (source_scope >> 8) & 0xff;
@ -893,7 +895,7 @@ zeek::String* DNS_Interpreter::ExtractStream(const u_char*& data, int& len, int
return rval;
}
bool DNS_Interpreter::ParseRR_TSIG(DNS_MsgInfo* msg,
bool DNS_Interpreter::ParseRR_TSIG(detail::DNS_MsgInfo* msg,
const u_char*& data, int& len, int rdlength,
const u_char* msg_start)
{
@ -918,7 +920,7 @@ bool DNS_Interpreter::ParseRR_TSIG(DNS_MsgInfo* msg,
if ( dns_TSIG_addl )
{
TSIG_DATA tsig;
detail::TSIG_DATA tsig;
tsig.alg_name =
new zeek::String(alg_name, alg_name_end - alg_name, true);
tsig.sig = request_MAC;
@ -938,7 +940,7 @@ bool DNS_Interpreter::ParseRR_TSIG(DNS_MsgInfo* msg,
return true;
}
bool DNS_Interpreter::ParseRR_RRSIG(DNS_MsgInfo* msg,
bool DNS_Interpreter::ParseRR_RRSIG(detail::DNS_MsgInfo* msg,
const u_char*& data, int& len, int rdlength,
const u_char* msg_start)
{
@ -973,42 +975,42 @@ bool DNS_Interpreter::ParseRR_RRSIG(DNS_MsgInfo* msg,
return false;
int sig_len = rdlength - ((data - data_start) + 18);
DNSSEC_Algo dsa = DNSSEC_Algo(algo);
detail::DNSSEC_Algo dsa = detail::DNSSEC_Algo(algo);
zeek::String* sign = ExtractStream(data, len, sig_len);
switch ( dsa ) {
case RSA_MD5:
case detail::RSA_MD5:
analyzer->Weird("DNSSEC_RRSIG_NotRecommended_ZoneSignAlgo", fmt("%d", algo));
break;
case Diffie_Hellman:
case detail::Diffie_Hellman:
break;
case DSA_SHA1:
case detail::DSA_SHA1:
break;
case Elliptic_Curve:
case detail::Elliptic_Curve:
break;
case RSA_SHA1:
case detail::RSA_SHA1:
break;
case DSA_NSEC3_SHA1:
case detail::DSA_NSEC3_SHA1:
break;
case RSA_SHA1_NSEC3_SHA1:
case detail::RSA_SHA1_NSEC3_SHA1:
break;
case RSA_SHA256:
case detail::RSA_SHA256:
break;
case RSA_SHA512:
case detail::RSA_SHA512:
break;
case GOST_R_34_10_2001:
case detail::GOST_R_34_10_2001:
break;
case ECDSA_curveP256withSHA256:
case detail::ECDSA_curveP256withSHA256:
break;
case ECDSA_curveP384withSHA384:
case detail::ECDSA_curveP384withSHA384:
break;
case Indirect:
case detail::Indirect:
analyzer->Weird("DNSSEC_RRSIG_Indirect_ZoneSignAlgo", fmt("%d", algo));
break;
case PrivateDNS:
case detail::PrivateDNS:
analyzer->Weird("DNSSEC_RRSIG_PrivateDNS_ZoneSignAlgo", fmt("%d", algo));
break;
case PrivateOID:
case detail::PrivateOID:
analyzer->Weird("DNSSEC_RRSIG_PrivateOID_ZoneSignAlgo", fmt("%d", algo));
break;
default:
@ -1018,7 +1020,7 @@ bool DNS_Interpreter::ParseRR_RRSIG(DNS_MsgInfo* msg,
if ( dns_RRSIG )
{
RRSIG_DATA rrsig;
detail::RRSIG_DATA rrsig;
rrsig.type_covered = type_covered;
rrsig.algorithm = algo;
rrsig.labels = lab;
@ -1040,7 +1042,7 @@ bool DNS_Interpreter::ParseRR_RRSIG(DNS_MsgInfo* msg,
return true;
}
bool DNS_Interpreter::ParseRR_DNSKEY(DNS_MsgInfo* msg,
bool DNS_Interpreter::ParseRR_DNSKEY(detail::DNS_MsgInfo* msg,
const u_char*& data, int& len, int rdlength,
const u_char* msg_start)
{
@ -1059,7 +1061,7 @@ bool DNS_Interpreter::ParseRR_DNSKEY(DNS_MsgInfo* msg,
auto proto_algo = ExtractShort(data, len);
unsigned int dprotocol = (proto_algo >> 8) & 0xff;
unsigned int dalgorithm = proto_algo & 0xff;
DNSSEC_Algo dsa = DNSSEC_Algo(dalgorithm);
detail::DNSSEC_Algo dsa = detail::DNSSEC_Algo(dalgorithm);
//Evaluating the size of remaining bytes for Public Key
zeek::String* key = ExtractStream(data, len, rdlength - 4);
@ -1077,38 +1079,38 @@ bool DNS_Interpreter::ParseRR_DNSKEY(DNS_MsgInfo* msg,
analyzer->Weird("DNSSEC_DNSKEY_Invalid_Protocol", fmt("%d", dprotocol));
switch ( dsa ) {
case RSA_MD5:
case detail::RSA_MD5:
analyzer->Weird("DNSSEC_DNSKEY_NotRecommended_ZoneSignAlgo", fmt("%d", dalgorithm));
break;
case Diffie_Hellman:
case detail::Diffie_Hellman:
break;
case DSA_SHA1:
case detail::DSA_SHA1:
break;
case Elliptic_Curve:
case detail::Elliptic_Curve:
break;
case RSA_SHA1:
case detail::RSA_SHA1:
break;
case DSA_NSEC3_SHA1:
case detail::DSA_NSEC3_SHA1:
break;
case RSA_SHA1_NSEC3_SHA1:
case detail::RSA_SHA1_NSEC3_SHA1:
break;
case RSA_SHA256:
case detail::RSA_SHA256:
break;
case RSA_SHA512:
case detail::RSA_SHA512:
break;
case GOST_R_34_10_2001:
case detail::GOST_R_34_10_2001:
break;
case ECDSA_curveP256withSHA256:
case detail::ECDSA_curveP256withSHA256:
break;
case ECDSA_curveP384withSHA384:
case detail::ECDSA_curveP384withSHA384:
break;
case Indirect:
case detail::Indirect:
analyzer->Weird("DNSSEC_DNSKEY_Indirect_ZoneSignAlgo", fmt("%d", dalgorithm));
break;
case PrivateDNS:
case detail::PrivateDNS:
analyzer->Weird("DNSSEC_DNSKEY_PrivateDNS_ZoneSignAlgo", fmt("%d", dalgorithm));
break;
case PrivateOID:
case detail::PrivateOID:
analyzer->Weird("DNSSEC_DNSKEY_PrivateOID_ZoneSignAlgo", fmt("%d", dalgorithm));
break;
default:
@ -1118,7 +1120,7 @@ bool DNS_Interpreter::ParseRR_DNSKEY(DNS_MsgInfo* msg,
if ( dns_DNSKEY )
{
DNSKEY_DATA dnskey;
detail::DNSKEY_DATA dnskey;
dnskey.dflags = dflags;
dnskey.dalgorithm = dalgorithm;
dnskey.dprotocol = dprotocol;
@ -1135,7 +1137,7 @@ bool DNS_Interpreter::ParseRR_DNSKEY(DNS_MsgInfo* msg,
return true;
}
bool DNS_Interpreter::ParseRR_NSEC(DNS_MsgInfo* msg,
bool DNS_Interpreter::ParseRR_NSEC(detail::DNS_MsgInfo* msg,
const u_char*& data, int& len, int rdlength,
const u_char* msg_start)
{
@ -1187,7 +1189,7 @@ bool DNS_Interpreter::ParseRR_NSEC(DNS_MsgInfo* msg,
return true;
}
bool DNS_Interpreter::ParseRR_NSEC3(DNS_MsgInfo* msg,
bool DNS_Interpreter::ParseRR_NSEC3(detail::DNS_MsgInfo* msg,
const u_char*& data, int& len, int rdlength,
const u_char* msg_start)
{
@ -1252,7 +1254,7 @@ bool DNS_Interpreter::ParseRR_NSEC3(DNS_MsgInfo* msg,
if ( dns_NSEC3 )
{
NSEC3_DATA nsec3;
detail::NSEC3_DATA nsec3;
nsec3.nsec_flags = nsec_flags;
nsec3.nsec_hash_algo = hash_algo;
nsec3.nsec_iter = iter;
@ -1273,7 +1275,7 @@ bool DNS_Interpreter::ParseRR_NSEC3(DNS_MsgInfo* msg,
return true;
}
bool DNS_Interpreter::ParseRR_DS(DNS_MsgInfo* msg,
bool DNS_Interpreter::ParseRR_DS(detail::DNS_MsgInfo* msg,
const u_char*& data, int& len, int rdlength,
const u_char* msg_start)
{
@ -1292,19 +1294,19 @@ bool DNS_Interpreter::ParseRR_DS(DNS_MsgInfo* msg,
uint32_t ds_algo_dtype = ExtractShort(data, len);
unsigned int ds_algo = (ds_algo_dtype >> 8) & 0xff;
unsigned int ds_dtype = ds_algo_dtype & 0xff;
DNSSEC_Digest ds_digest_type = DNSSEC_Digest(ds_dtype);
detail::DNSSEC_Digest ds_digest_type = detail::DNSSEC_Digest(ds_dtype);
zeek::String* ds_digest = ExtractStream(data, len, rdlength - 4);
switch ( ds_digest_type ) {
case SHA1:
case detail::SHA1:
break;
case SHA256:
case detail::SHA256:
break;
case GOST_R_34_11_94:
case detail::GOST_R_34_11_94:
break;
case SHA384:
case detail::SHA384:
break;
case analyzer::dns::reserved:
case detail::reserved:
analyzer->Weird("DNSSEC_DS_ResrevedDigestType", fmt("%d", ds_dtype));
break;
default:
@ -1314,7 +1316,7 @@ bool DNS_Interpreter::ParseRR_DS(DNS_MsgInfo* msg,
if ( dns_DS )
{
DS_DATA ds;
detail::DS_DATA ds;
ds.key_tag = ds_key_tag;
ds.algorithm = ds_algo;
ds.digest_type = ds_dtype;
@ -1331,7 +1333,7 @@ bool DNS_Interpreter::ParseRR_DS(DNS_MsgInfo* msg,
return true;
}
bool DNS_Interpreter::ParseRR_A(DNS_MsgInfo* msg,
bool DNS_Interpreter::ParseRR_A(detail::DNS_MsgInfo* msg,
const u_char*& data, int& len, int rdlength)
{
if ( rdlength != 4 )
@ -1353,7 +1355,7 @@ bool DNS_Interpreter::ParseRR_A(DNS_MsgInfo* msg,
return true;
}
bool DNS_Interpreter::ParseRR_AAAA(DNS_MsgInfo* msg,
bool DNS_Interpreter::ParseRR_AAAA(detail::DNS_MsgInfo* msg,
const u_char*& data, int& len, int rdlength)
{
uint32_t addr[4];
@ -1364,7 +1366,7 @@ bool DNS_Interpreter::ParseRR_AAAA(DNS_MsgInfo* msg,
if ( len < 0 )
{
if ( msg->atype == TYPE_AAAA )
if ( msg->atype == detail::TYPE_AAAA )
analyzer->Weird("DNS_AAAA_neg_length");
else
analyzer->Weird("DNS_A6_neg_length");
@ -1373,7 +1375,7 @@ bool DNS_Interpreter::ParseRR_AAAA(DNS_MsgInfo* msg,
}
zeek::EventHandlerPtr event;
if ( msg->atype == TYPE_AAAA )
if ( msg->atype == detail::TYPE_AAAA )
event = dns_AAAA_reply;
else
event = dns_A6_reply;
@ -1389,7 +1391,7 @@ bool DNS_Interpreter::ParseRR_AAAA(DNS_MsgInfo* msg,
return true;
}
bool DNS_Interpreter::ParseRR_WKS(DNS_MsgInfo* msg,
bool DNS_Interpreter::ParseRR_WKS(detail::DNS_MsgInfo* msg,
const u_char*& data, int& len, int rdlength)
{
data += rdlength;
@ -1398,7 +1400,7 @@ bool DNS_Interpreter::ParseRR_WKS(DNS_MsgInfo* msg,
return true;
}
bool DNS_Interpreter::ParseRR_HINFO(DNS_MsgInfo* msg,
bool DNS_Interpreter::ParseRR_HINFO(detail::DNS_MsgInfo* msg,
const u_char*& data, int& len, int rdlength)
{
data += rdlength;
@ -1435,7 +1437,7 @@ extract_char_string(zeek::analyzer::Analyzer* analyzer,
return rval;
}
bool DNS_Interpreter::ParseRR_TXT(DNS_MsgInfo* msg,
bool DNS_Interpreter::ParseRR_TXT(detail::DNS_MsgInfo* msg,
const u_char*& data, int& len, int rdlength,
const u_char* msg_start)
{
@ -1463,7 +1465,7 @@ bool DNS_Interpreter::ParseRR_TXT(DNS_MsgInfo* msg,
return rdlength == 0;
}
bool DNS_Interpreter::ParseRR_SPF(DNS_MsgInfo* msg,
bool DNS_Interpreter::ParseRR_SPF(detail::DNS_MsgInfo* msg,
const u_char*& data, int& len, int rdlength,
const u_char* msg_start)
{
@ -1491,7 +1493,7 @@ bool DNS_Interpreter::ParseRR_SPF(DNS_MsgInfo* msg,
return rdlength == 0;
}
bool DNS_Interpreter::ParseRR_CAA(DNS_MsgInfo* msg,
bool DNS_Interpreter::ParseRR_CAA(detail::DNS_MsgInfo* msg,
const u_char*& data, int& len, int rdlength,
const u_char* msg_start)
{
@ -1540,13 +1542,13 @@ bool DNS_Interpreter::ParseRR_CAA(DNS_MsgInfo* msg,
}
void DNS_Interpreter::SendReplyOrRejectEvent(DNS_MsgInfo* msg,
void DNS_Interpreter::SendReplyOrRejectEvent(detail::DNS_MsgInfo* msg,
zeek::EventHandlerPtr event,
const u_char*& data, int& len,
zeek::String* question_name,
zeek::String* original_name)
{
RR_Type qtype = RR_Type(ExtractShort(data, len));
detail::RR_Type qtype = detail::RR_Type(ExtractShort(data, len));
int qclass = ExtractShort(data, len);
assert(event);
@ -1561,7 +1563,6 @@ void DNS_Interpreter::SendReplyOrRejectEvent(DNS_MsgInfo* msg,
);
}
DNS_MsgInfo::DNS_MsgInfo(DNS_RawMsgHdr* hdr, int arg_is_query)
{
//### Need to fix alignment if hdr is misaligned (not on a short
@ -1585,7 +1586,7 @@ DNS_MsgInfo::DNS_MsgInfo(DNS_RawMsgHdr* hdr, int arg_is_query)
id = ntohs(hdr->id);
is_query = arg_is_query;
atype = TYPE_ALL;
atype = detail::TYPE_ALL;
aclass = 0;
ttl = 0;
@ -1795,15 +1796,17 @@ zeek::RecordValPtr DNS_MsgInfo::BuildDS_Val(DS_DATA* ds)
return r;
}
} // namespace detail
Contents_DNS::Contents_DNS(zeek::Connection* conn, bool orig,
DNS_Interpreter* arg_interp)
detail::DNS_Interpreter* arg_interp)
: zeek::analyzer::tcp::TCP_SupportAnalyzer("CONTENTS_DNS", conn, orig)
{
interp = arg_interp;
msg_buf = nullptr;
buf_n = buf_len = msg_size = 0;
state = DNS_LEN_HI;
state = detail::DNS_LEN_HI;
}
Contents_DNS::~Contents_DNS()
@ -1829,10 +1832,10 @@ void Contents_DNS::DeliverStream(int len, const u_char* data, bool orig)
void Contents_DNS::ProcessChunk(int& len, const u_char*& data, bool orig)
{
if ( state == DNS_LEN_HI )
if ( state == detail::DNS_LEN_HI )
{
msg_size = (*data) << 8;
state = DNS_LEN_LO;
state = detail::DNS_LEN_LO;
++data;
--len;
@ -1841,10 +1844,10 @@ void Contents_DNS::ProcessChunk(int& len, const u_char*& data, bool orig)
return;
}
if ( state == DNS_LEN_LO )
if ( state == detail::DNS_LEN_LO )
{
msg_size += *data;
state = DNS_MESSAGE_BUFFER;
state = detail::DNS_MESSAGE_BUFFER;
buf_n = 0;
@ -1869,7 +1872,7 @@ void Contents_DNS::ProcessChunk(int& len, const u_char*& data, bool orig)
return;
}
if ( state != DNS_MESSAGE_BUFFER )
if ( state != detail::DNS_MESSAGE_BUFFER )
Conn()->Internal("state inconsistency in Contents_DNS::DeliverStream");
int n;
@ -1886,13 +1889,13 @@ void Contents_DNS::ProcessChunk(int& len, const u_char*& data, bool orig)
ForwardPacket(msg_size, msg_buf, orig, -1, nullptr, 0);
buf_n = 0;
state = DNS_LEN_HI;
state = detail::DNS_LEN_HI;
}
DNS_Analyzer::DNS_Analyzer(zeek::Connection* conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("DNS", conn)
{
interp = new DNS_Interpreter(this);
interp = new detail::DNS_Interpreter(this);
contents_dns_orig = contents_dns_resp = nullptr;
if ( Conn()->ConnTransport() == TRANSPORT_TCP )
@ -1963,3 +1966,5 @@ void DNS_Analyzer::ExpireTimer(double t)
t + dns_session_timeout, true,
zeek::detail::TIMER_DNS_EXPIRE);
}
} // namespace zeek::analyzer::dns
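Review bot: The rewritten line `detail::DNS_MsgInfo msg((detail::DNS_RawMsgHdr*) data, is_query);` in `ParseMessage` still reinterprets raw packet bytes as a header struct through a C-style cast, and the `DNS_MsgInfo` constructor further down carries its own comment that alignment still needs fixing when `hdr` is misaligned. The `len < hdr_len` guard above it covers size but not alignment, so the `ntohs(hdr->id)` read may be undefined on strict-alignment targets when the DNS payload starts at an odd offset. Since the line is being touched anyway, consider copying the header first, `detail::DNS_RawMsgHdr hdr; memcpy(&hdr, data, sizeof(hdr));` followed by `detail::DNS_MsgInfo msg(&hdr, is_query);`. This assumes the constructor does not keep the pointer, which the visible lines do not show. As a style point, the `detail::` qualifiers added inside `namespace detail` are redundant, and `DNS_MsgInfo::DNS_MsgInfo(DNS_RawMsgHdr* hdr, int arg_is_query)` is left unqualified, so the file is inconsistent; both functions continue outside the visible hunks.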


@ -5,9 +5,10 @@
#include "analyzer/protocol/tcp/TCP.h"
#include "binpac_bro.h"
namespace analyzer { namespace dns {
namespace zeek::analyzer::dns {
namespace detail {
typedef enum {
enum DNS_Opcode {
DNS_OP_QUERY = 0, ///< standard query
DNS_OP_IQUERY = 1, ///< reverse query
@ -20,18 +21,18 @@ typedef enum {
NETBIOS_RELEASE = 6,
NETBIOS_WACK = 7, // wait for ACK
NETBIOS_REFRESH = 8,
} DNS_Opcode;
};
typedef enum {
enum DNS_Code {
DNS_CODE_OK = 0, ///< no error
DNS_CODE_FORMAT_ERR = 1, ///< format error
DNS_CODE_SERVER_FAIL = 2, ///< server failure
DNS_CODE_NAME_ERR = 3, ///< no such domain
DNS_CODE_NOT_IMPL = 4, ///< not implemented
DNS_CODE_REFUSED = 5, ///< refused
} DNS_Code;
};
typedef enum {
enum RR_Type {
TYPE_A = 1, ///< host address
TYPE_NS = 2, ///< authoritative name server
TYPE_CNAME = 5, ///< canonical name
@ -69,21 +70,21 @@ typedef enum {
TYPE_ALL = 255,
TYPE_WINS = 65281, ///< Microsoft's WINS RR
TYPE_WINSR = 65282, ///< Microsoft's WINS-R RR
} RR_Type;
};
#define DNS_CLASS_IN 1
#define DNS_CLASS_ANY 255
typedef enum {
enum DNS_AnswerType {
DNS_QUESTION,
DNS_ANSWER,
DNS_AUTHORITY,
DNS_ADDITIONAL,
} DNS_AnswerType;
};
// https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml
// DNS EDNS0 Option Codes (OPT)
typedef enum {
enum EDNS_OPT_Type {
TYPE_LLQ = 1, ///< https://www.iana.org/go/draft-sekar-dns-llq-06
TYPE_UL = 2, ///< http://files.dns-sd.org/draft-sekar-dns-ul.txt
TYPE_NSID = 3, ///< RFC5001
@ -101,9 +102,9 @@ typedef enum {
TYPE_CLIENT_TAG = 16, ///< https://www.iana.org/go/draft-bellis-dnsop-edns-tags
TYPE_SERVER_TAG = 17, ///< https://www.iana.org/go/draft-bellis-dnsop-edns-tags
TYPE_DEVICE_ID = 26946 ///< https://docs.umbrella.com/developer/networkdevices-api/identifying-dns-traffic2
} EDNS_OPT_Type;
};
typedef enum {
enum DNSSEC_Algo {
reserved0 = 0,
RSA_MD5 = 1, ///< [RFC2537] NOT RECOMMENDED
Diffie_Hellman = 2, ///< [RFC2539]
@ -121,15 +122,15 @@ typedef enum {
PrivateDNS = 253, ///< OPTIONAL
PrivateOID = 254, ///< OPTIONAL
reserved255 = 255,
} DNSSEC_Algo;
};
typedef enum {
enum DNSSEC_Digest {
reserved = 0,
SHA1 = 1, ///< [RFC3110] MANDATORY
SHA256 = 2,
GOST_R_34_11_94 = 3,
SHA384 = 4,
} DNSSEC_Digest;
};
struct DNS_RawMsgHdr {
unsigned short id;
@ -258,7 +259,6 @@ public:
///< for forward lookups
};
class DNS_Interpreter {
public:
explicit DNS_Interpreter(zeek::analyzer::Analyzer* analyzer);
@ -268,18 +268,19 @@ public:
void Timeout() { }
protected:
void EndMessage(DNS_MsgInfo* msg);
void EndMessage(detail::DNS_MsgInfo* msg);
bool ParseQuestions(DNS_MsgInfo* msg,
bool ParseQuestions(detail::DNS_MsgInfo* msg,
const u_char*& data, int& len,
const u_char* start);
bool ParseAnswers(DNS_MsgInfo* msg, int n, DNS_AnswerType answer_type,
bool ParseAnswers(detail::DNS_MsgInfo* msg, int n,
detail::DNS_AnswerType answer_type,
const u_char*& data, int& len,
const u_char* start);
bool ParseQuestion(DNS_MsgInfo* msg,
bool ParseQuestion(detail::DNS_MsgInfo* msg,
const u_char*& data, int& len, const u_char* start);
bool ParseAnswer(DNS_MsgInfo* msg,
bool ParseAnswer(detail::DNS_MsgInfo* msg,
const u_char*& data, int& len, const u_char* start);
u_char* ExtractName(const u_char*& data, int& len,
@ -295,63 +296,63 @@ protected:
zeek::String* ExtractStream(const u_char*& data, int& len, int sig_len);
bool ParseRR_Name(DNS_MsgInfo* msg,
bool ParseRR_Name(detail::DNS_MsgInfo* msg,
const u_char*& data, int& len, int rdlength,
const u_char* msg_start);
bool ParseRR_SOA(DNS_MsgInfo* msg,
bool ParseRR_SOA(detail::DNS_MsgInfo* msg,
const u_char*& data, int& len, int rdlength,
const u_char* msg_start);
bool ParseRR_MX(DNS_MsgInfo* msg,
bool ParseRR_MX(detail::DNS_MsgInfo* msg,
const u_char*& data, int& len, int rdlength,
const u_char* msg_start);
bool ParseRR_NBS(DNS_MsgInfo* msg,
bool ParseRR_NBS(detail::DNS_MsgInfo* msg,
const u_char*& data, int& len, int rdlength,
const u_char* msg_start);
bool ParseRR_SRV(DNS_MsgInfo* msg,
bool ParseRR_SRV(detail::DNS_MsgInfo* msg,
const u_char*& data, int& len, int rdlength,
const u_char* msg_start);
bool ParseRR_EDNS(DNS_MsgInfo* msg,
bool ParseRR_EDNS(detail::DNS_MsgInfo* msg,
const u_char*& data, int& len, int rdlength,
const u_char* msg_start);
bool ParseRR_EDNS_ECS(DNS_MsgInfo* msg,
bool ParseRR_EDNS_ECS(detail::DNS_MsgInfo* msg,
const u_char*& data, int& len, int rdlength,
const u_char* msg_start);
bool ParseRR_A(DNS_MsgInfo* msg,
bool ParseRR_A(detail::DNS_MsgInfo* msg,
const u_char*& data, int& len, int rdlength);
bool ParseRR_AAAA(DNS_MsgInfo* msg,
bool ParseRR_AAAA(detail::DNS_MsgInfo* msg,
const u_char*& data, int& len, int rdlength);
bool ParseRR_WKS(DNS_MsgInfo* msg,
bool ParseRR_WKS(detail::DNS_MsgInfo* msg,
const u_char*& data, int& len, int rdlength);
bool ParseRR_HINFO(DNS_MsgInfo* msg,
bool ParseRR_HINFO(detail::DNS_MsgInfo* msg,
const u_char*& data, int& len, int rdlength);
bool ParseRR_TXT(DNS_MsgInfo* msg,
bool ParseRR_TXT(detail::DNS_MsgInfo* msg,
const u_char*& data, int& len, int rdlength,
const u_char* msg_start);
bool ParseRR_SPF(DNS_MsgInfo* msg,
bool ParseRR_SPF(detail::DNS_MsgInfo* msg,
const u_char*& data, int& len, int rdlength,
const u_char* msg_start);
bool ParseRR_CAA(DNS_MsgInfo* msg,
bool ParseRR_CAA(detail::DNS_MsgInfo* msg,
const u_char*& data, int& len, int rdlength,
const u_char* msg_start);
bool ParseRR_TSIG(DNS_MsgInfo* msg,
bool ParseRR_TSIG(detail::DNS_MsgInfo* msg,
const u_char*& data, int& len, int rdlength,
const u_char* msg_start);
bool ParseRR_RRSIG(DNS_MsgInfo* msg,
bool ParseRR_RRSIG(detail::DNS_MsgInfo* msg,
const u_char*& data, int& len, int rdlength,
const u_char* msg_start);
bool ParseRR_DNSKEY(DNS_MsgInfo* msg,
bool ParseRR_DNSKEY(detail::DNS_MsgInfo* msg,
const u_char*& data, int& len, int rdlength,
const u_char* msg_start);
bool ParseRR_NSEC(DNS_MsgInfo* msg,
bool ParseRR_NSEC(detail::DNS_MsgInfo* msg,
const u_char*& data, int& len, int rdlength,
const u_char* msg_start);
bool ParseRR_NSEC3(DNS_MsgInfo* msg,
bool ParseRR_NSEC3(detail::DNS_MsgInfo* msg,
const u_char*& data, int& len, int rdlength,
const u_char* msg_start);
bool ParseRR_DS(DNS_MsgInfo* msg,
bool ParseRR_DS(detail::DNS_MsgInfo* msg,
const u_char*& data, int& len, int rdlength,
const u_char* msg_start);
void SendReplyOrRejectEvent(DNS_MsgInfo* msg, zeek::EventHandlerPtr event,
void SendReplyOrRejectEvent(detail::DNS_MsgInfo* msg, zeek::EventHandlerPtr event,
const u_char*& data, int& len,
zeek::String* question_name,
zeek::String* original_name);
@ -360,35 +361,36 @@ protected:
bool first_message;
};
typedef enum {
enum TCP_DNS_state {
DNS_LEN_HI, ///< looking for the high-order byte of the length
DNS_LEN_LO, ///< looking for the low-order byte of the length
DNS_MESSAGE_BUFFER, ///< building up the message in the buffer
} TCP_DNS_state;
};
} // namespace detail
// Support analyzer which chunks the TCP stream into "packets".
// ### This should be merged with TCP_Contents_RPC.
class Contents_DNS final : public zeek::analyzer::tcp::TCP_SupportAnalyzer {
public:
Contents_DNS(zeek::Connection* c, bool orig, DNS_Interpreter* interp);
Contents_DNS(zeek::Connection* c, bool orig, detail::DNS_Interpreter* interp);
~Contents_DNS() override;
void Flush(); ///< process any partially-received data
TCP_DNS_state State() const { return state; }
detail::TCP_DNS_state State() const { return state; }
protected:
void DeliverStream(int len, const u_char* data, bool orig) override;
void ProcessChunk(int& len, const u_char*& data, bool orig);
DNS_Interpreter* interp;
detail::DNS_Interpreter* interp;
u_char* msg_buf;
int buf_n; ///< number of bytes in msg_buf
int buf_len; ///< size of msg_buf
int msg_size; ///< expected size of message
TCP_DNS_state state;
detail::TCP_DNS_state state;
};
// Works for both TCP and UDP.
@ -410,9 +412,134 @@ public:
{ return new DNS_Analyzer(conn); }
protected:
DNS_Interpreter* interp;
detail::DNS_Interpreter* interp;
Contents_DNS* contents_dns_orig;
Contents_DNS* contents_dns_resp;
};
} } // namespace analyzer::*
} // namespace zeek::analyzer::dns
namespace analyzer::dns {
using DNS_Opcode [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::DNS_Opcode.")]] = zeek::analyzer::dns::detail::DNS_Opcode;
constexpr auto DNS_OP_QUERY [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::DNS_OP_QUERY.")]] = zeek::analyzer::dns::detail::DNS_OP_QUERY;
constexpr auto DNS_OP_IQUERY [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::DNS_OP_IQUERY.")]] = zeek::analyzer::dns::detail::DNS_OP_IQUERY;
constexpr auto DNS_OP_SERVER_STATUS [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::DNS_OP_SERVER_STATUS.")]] = zeek::analyzer::dns::detail::DNS_OP_SERVER_STATUS;
constexpr auto NETBIOS_REGISTRATION [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::NETBIOS_REGISTRATION.")]] = zeek::analyzer::dns::detail::NETBIOS_REGISTRATION;
constexpr auto NETBIOS_RELEASE [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::NETBIOS_RELEASE.")]] = zeek::analyzer::dns::detail::NETBIOS_RELEASE;
constexpr auto NETBIOS_WACK [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::NETBIOS_WACK.")]] = zeek::analyzer::dns::detail::NETBIOS_WACK;
constexpr auto NETBIOS_REFRESH [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::NETBIOS_REFRESH.")]] = zeek::analyzer::dns::detail::NETBIOS_REFRESH;
using DNS_Code [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::DNS_Code.")]] = zeek::analyzer::dns::detail::DNS_Code;
constexpr auto DNS_CODE_OK [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::DNS_CODE_OK.")]] = zeek::analyzer::dns::detail::DNS_CODE_OK;
constexpr auto DNS_CODE_FORMAT_ERR [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::DNS_CODE_FORMAT_ERR.")]] = zeek::analyzer::dns::detail::DNS_CODE_FORMAT_ERR;
constexpr auto DNS_CODE_SERVER_FAIL [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::DNS_CODE_SERVER_FAIL.")]] = zeek::analyzer::dns::detail::DNS_CODE_SERVER_FAIL;
constexpr auto DNS_CODE_NAME_ERR [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::DNS_CODE_NAME_ERR.")]] = zeek::analyzer::dns::detail::DNS_CODE_NAME_ERR;
constexpr auto DNS_CODE_NOT_IMPL [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::DNS_CODE_NOT_IMPL.")]] = zeek::analyzer::dns::detail::DNS_CODE_NOT_IMPL;
constexpr auto DNS_CODE_REFUSED [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::DNS_CODE_REFUSED.")]] = zeek::analyzer::dns::detail::DNS_CODE_REFUSED;
using RR_Type [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::RR_Type.")]] = zeek::analyzer::dns::detail::RR_Type;
constexpr auto TYPE_A [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_A.")]] = zeek::analyzer::dns::detail::TYPE_A;
constexpr auto TYPE_NS [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_NS.")]] = zeek::analyzer::dns::detail::TYPE_NS;
constexpr auto TYPE_CNAME [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_CNAME.")]] = zeek::analyzer::dns::detail::TYPE_CNAME;
constexpr auto TYPE_SOA [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_SOA.")]] = zeek::analyzer::dns::detail::TYPE_SOA;
constexpr auto TYPE_WKS [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_WKS.")]] = zeek::analyzer::dns::detail::TYPE_WKS;
constexpr auto TYPE_PTR [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_PTR.")]] = zeek::analyzer::dns::detail::TYPE_PTR;
constexpr auto TYPE_HINFO [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_HINFO.")]] = zeek::analyzer::dns::detail::TYPE_HINFO;
constexpr auto TYPE_MX [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_MX.")]] = zeek::analyzer::dns::detail::TYPE_MX;
constexpr auto TYPE_TXT [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_TXT.")]] = zeek::analyzer::dns::detail::TYPE_TXT;
constexpr auto TYPE_SIG [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_SIG.")]] = zeek::analyzer::dns::detail::TYPE_SIG;
constexpr auto TYPE_KEY [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_KEY.")]] = zeek::analyzer::dns::detail::TYPE_KEY;
constexpr auto TYPE_PX [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_PX.")]] = zeek::analyzer::dns::detail::TYPE_PX;
constexpr auto TYPE_AAAA [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_AAAA.")]] = zeek::analyzer::dns::detail::TYPE_AAAA;
constexpr auto TYPE_NBS [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_NBS.")]] = zeek::analyzer::dns::detail::TYPE_NBS;
constexpr auto TYPE_SRV [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_SRV.")]] = zeek::analyzer::dns::detail::TYPE_SRV;
constexpr auto TYPE_NAPTR [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_NAPTR.")]] = zeek::analyzer::dns::detail::TYPE_NAPTR;
constexpr auto TYPE_KX [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_KX.")]] = zeek::analyzer::dns::detail::TYPE_KX;
constexpr auto TYPE_CERT [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_CERT.")]] = zeek::analyzer::dns::detail::TYPE_CERT;
constexpr auto TYPE_A6 [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_A6.")]] = zeek::analyzer::dns::detail::TYPE_A6;
constexpr auto TYPE_DNAME [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_DNAME.")]] = zeek::analyzer::dns::detail::TYPE_DNAME;
constexpr auto TYPE_EDNS [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_EDNS.")]] = zeek::analyzer::dns::detail::TYPE_EDNS;
constexpr auto TYPE_TKEY [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_TKEY.")]] = zeek::analyzer::dns::detail::TYPE_TKEY;
constexpr auto TYPE_TSIG [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_TSIG.")]] = zeek::analyzer::dns::detail::TYPE_TSIG;
constexpr auto TYPE_CAA [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_CAA.")]] = zeek::analyzer::dns::detail::TYPE_CAA;
constexpr auto TYPE_RRSIG [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_RRSIG.")]] = zeek::analyzer::dns::detail::TYPE_RRSIG;
constexpr auto TYPE_NSEC [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_NSEC.")]] = zeek::analyzer::dns::detail::TYPE_NSEC;
constexpr auto TYPE_DNSKEY [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_DNSKEY.")]] = zeek::analyzer::dns::detail::TYPE_DNSKEY;
constexpr auto TYPE_DS [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_DS.")]] = zeek::analyzer::dns::detail::TYPE_DS;
constexpr auto TYPE_NSEC3 [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_NSEC3.")]] = zeek::analyzer::dns::detail::TYPE_NSEC3;
constexpr auto TYPE_SPF [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_SPF.")]] = zeek::analyzer::dns::detail::TYPE_SPF;
constexpr auto TYPE_AXFR [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_AXFR.")]] = zeek::analyzer::dns::detail::TYPE_AXFR;
constexpr auto TYPE_ALL [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_ALL.")]] = zeek::analyzer::dns::detail::TYPE_ALL;
constexpr auto TYPE_WINS [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_WINS.")]] = zeek::analyzer::dns::detail::TYPE_WINS;
constexpr auto TYPE_WINSR [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_WINSR.")]] = zeek::analyzer::dns::detail::TYPE_WINSR;
using DNS_AnswerType [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::DNS_AnswerType.")]] = zeek::analyzer::dns::detail::DNS_AnswerType;
constexpr auto DNS_QUESTION [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::DNS_QUESTION.")]] = zeek::analyzer::dns::detail::DNS_QUESTION;
constexpr auto DNS_ANSWER [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::DNS_ANSWER.")]] = zeek::analyzer::dns::detail::DNS_ANSWER;
constexpr auto DNS_AUTHORITY [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::DNS_AUTHORITY.")]] = zeek::analyzer::dns::detail::DNS_AUTHORITY;
constexpr auto DNS_ADDITIONAL [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::DNS_ADDITIONAL.")]] = zeek::analyzer::dns::detail::DNS_ADDITIONAL;
using EDNS_OPT_Type [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::EDNS_OPT_Type.")]] = zeek::analyzer::dns::detail::EDNS_OPT_Type;
constexpr auto TYPE_LLQ [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_LLQ.")]] = zeek::analyzer::dns::detail::TYPE_LLQ;
constexpr auto TYPE_UL [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_UL.")]] = zeek::analyzer::dns::detail::TYPE_UL;
constexpr auto TYPE_NSID [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_NSID.")]] = zeek::analyzer::dns::detail::TYPE_NSID;
constexpr auto TYPE_DAU [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_DAU.")]] = zeek::analyzer::dns::detail::TYPE_DAU;
constexpr auto TYPE_DHU [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_DHU.")]] = zeek::analyzer::dns::detail::TYPE_DHU;
constexpr auto TYPE_N3U [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_N3U.")]] = zeek::analyzer::dns::detail::TYPE_N3U;
constexpr auto TYPE_ECS [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_ECS.")]] = zeek::analyzer::dns::detail::TYPE_ECS;
constexpr auto TYPE_EXPIRE [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_EXPIRE.")]] = zeek::analyzer::dns::detail::TYPE_EXPIRE;
constexpr auto TYPE_TCP_KA [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_TCP_KA.")]] = zeek::analyzer::dns::detail::TYPE_TCP_KA;
constexpr auto TYPE_PAD [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_PAD.")]] = zeek::analyzer::dns::detail::TYPE_PAD;
constexpr auto TYPE_CHAIN [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_CHAIN.")]] = zeek::analyzer::dns::detail::TYPE_CHAIN;
constexpr auto TYPE_KEY_TAG [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_KEY_TAG.")]] = zeek::analyzer::dns::detail::TYPE_KEY_TAG;
constexpr auto TYPE_ERROR [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_ERROR.")]] = zeek::analyzer::dns::detail::TYPE_ERROR;
constexpr auto TYPE_CLIENT_TAG [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_CLIENT_TAG.")]] = zeek::analyzer::dns::detail::TYPE_CLIENT_TAG;
constexpr auto TYPE_SERVER_TAG [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_SERVER_TAG.")]] = zeek::analyzer::dns::detail::TYPE_SERVER_TAG;
constexpr auto TYPE_DEVICE_ID [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TYPE_DEVICE_ID.")]] = zeek::analyzer::dns::detail::TYPE_DEVICE_ID;
using DNSSEC_Algo [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::DNSSEC_Algo.")]] = zeek::analyzer::dns::detail::DNSSEC_Algo;
constexpr auto reserved0 [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::reserved0.")]] = zeek::analyzer::dns::detail::reserved0;
constexpr auto RSA_MD5 [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::RSA_MD5.")]] = zeek::analyzer::dns::detail::RSA_MD5;
constexpr auto Diffie_Hellman [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::Diffie_Hellman.")]] = zeek::analyzer::dns::detail::Diffie_Hellman;
constexpr auto DSA_SHA1 [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::DSA_SHA1.")]] = zeek::analyzer::dns::detail::DSA_SHA1;
constexpr auto Elliptic_Curve [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::Elliptic_Curve.")]] = zeek::analyzer::dns::detail::Elliptic_Curve;
constexpr auto RSA_SHA1 [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::RSA_SHA1.")]] = zeek::analyzer::dns::detail::RSA_SHA1;
constexpr auto DSA_NSEC3_SHA1 [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::DSA_NSEC3_SHA1.")]] = zeek::analyzer::dns::detail::DSA_NSEC3_SHA1;
constexpr auto RSA_SHA1_NSEC3_SHA1 [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::RSA_SHA1_NSEC3_SHA1.")]] = zeek::analyzer::dns::detail::RSA_SHA1_NSEC3_SHA1;
constexpr auto RSA_SHA256 [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::RSA_SHA256.")]] = zeek::analyzer::dns::detail::RSA_SHA256;
constexpr auto RSA_SHA512 [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::RSA_SHA512.")]] = zeek::analyzer::dns::detail::RSA_SHA512;
constexpr auto GOST_R_34_10_2001 [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::GOST_R_34_10_2001.")]] = zeek::analyzer::dns::detail::GOST_R_34_10_2001;
constexpr auto ECDSA_curveP256withSHA256 [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::ECDSA_curveP256withSHA256.")]] = zeek::analyzer::dns::detail::ECDSA_curveP256withSHA256;
constexpr auto ECDSA_curveP384withSHA384 [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::ECDSA_curveP384withSHA384.")]] = zeek::analyzer::dns::detail::ECDSA_curveP384withSHA384;
constexpr auto Indirect [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::Indirect.")]] = zeek::analyzer::dns::detail::Indirect;
constexpr auto PrivateDNS [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::PrivateDNS.")]] = zeek::analyzer::dns::detail::PrivateDNS;
constexpr auto PrivateOID [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::PrivateOID.")]] = zeek::analyzer::dns::detail::PrivateOID;
constexpr auto reserved255 [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::reserved255.")]] = zeek::analyzer::dns::detail::reserved255;
using DNSSEC_Digest [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::DNSSEC_Digest.")]] = zeek::analyzer::dns::detail::DNSSEC_Digest;
constexpr auto reserved [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::reserved.")]] = zeek::analyzer::dns::detail::reserved;
constexpr auto SHA1 [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::SHA1.")]] = zeek::analyzer::dns::detail::SHA1;
constexpr auto SHA256 [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::SHA256.")]] = zeek::analyzer::dns::detail::SHA256;
constexpr auto GOST_R_34_11_94 [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::GOST_R_34_11_94.")]] = zeek::analyzer::dns::detail::GOST_R_34_11_94;
constexpr auto SHA384 [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::SHA384.")]] = zeek::analyzer::dns::detail::SHA384;
using DNS_RawMsgHdr [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::DNS_RawMsgHdr.")]] = zeek::analyzer::dns::detail::DNS_RawMsgHdr;
using EDNS_ADDITIONAL [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::EDNS_ADDITIONAL.")]] = zeek::analyzer::dns::detail::EDNS_ADDITIONAL;
using EDNS_ECS [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::EDNS_ECS.")]] = zeek::analyzer::dns::detail::EDNS_ECS;
using TSIG_DATA [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TSIG_DATA.")]] = zeek::analyzer::dns::detail::TSIG_DATA;
using RRSIG_DATA [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::RRSIG_DATA.")]] = zeek::analyzer::dns::detail::RRSIG_DATA;
using DNSKEY_DATA [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::DNSKEY_DATA.")]] = zeek::analyzer::dns::detail::DNSKEY_DATA;
using NSEC3_DATA [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::NSEC3_DATA.")]] = zeek::analyzer::dns::detail::NSEC3_DATA;
using DS_DATA [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::DS_DATA.")]] = zeek::analyzer::dns::detail::DS_DATA;
using DNS_MsgInfo [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::DNS_MsgInfo.")]] = zeek::analyzer::dns::detail::DNS_MsgInfo;
using TCP_DNS_state [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::TCP_DNS_state.")]] = zeek::analyzer::dns::detail::TCP_DNS_state;
constexpr auto DNS_LEN_HI [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::DNS_LEN_HI.")]] = zeek::analyzer::dns::detail::DNS_LEN_HI;
constexpr auto DNS_LEN_LO [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::DNS_LEN_LO.")]] = zeek::analyzer::dns::detail::DNS_LEN_LO;
constexpr auto DNS_MESSAGE_BUFFER [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::DNS_MESSAGE_BUFFER.")]] = zeek::analyzer::dns::detail::DNS_MESSAGE_BUFFER;
using DNS_Interpreter [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::detail::DNS_Interpreter.")]] = zeek::analyzer::dns::detail::DNS_Interpreter;
using Contents_DNS [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::Contents_DNS.")]] = zeek::analyzer::dns::Contents_DNS;
using DNS_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::dns::DNS_Analyzer.")]] = zeek::analyzer::dns::DNS_Analyzer;
} // namespace analyzer::dns


@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new zeek::analyzer::Component("DNS", ::analyzer::dns::DNS_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("DNS", zeek::analyzer::dns::DNS_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("Contents_DNS", nullptr));
zeek::plugin::Configuration config;


@ -9,7 +9,7 @@
#include "events.bif.h"
using namespace analyzer::file;
namespace zeek::analyzer::file {
File_Analyzer::File_Analyzer(const char* name, zeek::Connection* conn)
: TCP_ApplicationAnalyzer(name, conn)
@ -87,3 +87,5 @@ void File_Analyzer::Identify()
zeek::make_intrusive<zeek::StringVal>(match)
);
}
} // namespace zeek::analyzer::file


@ -6,7 +6,7 @@
#include <string>
namespace analyzer { namespace file {
namespace zeek::analyzer::file {
class File_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
public:
@ -51,4 +51,12 @@ public:
{ return new FTP_Data(conn); }
};
} } // namespace analyzer::*
} // namespace zeek::analyzer::file
namespace analyzer::file {
using File_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::file::File_Analyzer.")]] = zeek::analyzer::file::File_Analyzer;
using IRC_Data [[deprecated("Remove in v4.1. Use zeek::analyzer::file::IRC_Data.")]] = zeek::analyzer::file::IRC_Data;
using FTP_Data [[deprecated("Remove in v4.1. Use zeek::analyzer::file::FTP_Data.")]] = zeek::analyzer::file::FTP_Data;
} // namespace analyzer::file


@ -11,8 +11,8 @@ class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new zeek::analyzer::Component("FTP_Data", ::analyzer::file::FTP_Data::Instantiate));
AddComponent(new zeek::analyzer::Component("IRC_Data", ::analyzer::file::IRC_Data::Instantiate));
AddComponent(new zeek::analyzer::Component("FTP_Data", zeek::analyzer::file::FTP_Data::Instantiate));
AddComponent(new zeek::analyzer::Component("IRC_Data", zeek::analyzer::file::IRC_Data::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::File";


@ -11,7 +11,7 @@
#include "events.bif.h"
using namespace analyzer::finger;
namespace zeek::analyzer::finger {
Finger_Analyzer::Finger_Analyzer(zeek::Connection* conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("FINGER", conn)
@ -91,3 +91,5 @@ void Finger_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig
);
}
}
} // namespace zeek::analyzer::finger


@ -5,7 +5,7 @@
#include "analyzer/protocol/tcp/TCP.h"
#include "analyzer/protocol/tcp/ContentLine.h"
namespace analyzer { namespace finger {
namespace zeek::analyzer::finger {
class Finger_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
public:
@ -25,4 +25,10 @@ protected:
int did_deliver;
};
} } // namespace analyzer::*
} // namespace zeek::analyzer::finger
namespace analyzer::finger {
using Finger_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::finger::Finger_Analyzer.")]] = zeek::analyzer::finger::Finger_Analyzer;
} // namespace analyzer::finger


@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new zeek::analyzer::Component("Finger", ::analyzer::finger::Finger_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("Finger", zeek::analyzer::finger::Finger_Analyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::Finger";


@ -15,20 +15,20 @@
#include "events.bif.h"
using namespace analyzer::ftp;
namespace zeek::analyzer::ftp {
FTP_Analyzer::FTP_Analyzer(zeek::Connection* conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("FTP", conn)
{
pending_reply = 0;
nvt_orig = new login::NVT_Analyzer(conn, true);
nvt_orig = new zeek::analyzer::login::NVT_Analyzer(conn, true);
nvt_orig->SetIsNULSensitive(true);
nvt_orig->SetIsNULSensitive(true);
nvt_orig->SetCRLFAsEOL(LF_as_EOL);
nvt_orig->SetIsNULSensitive(LF_as_EOL);
nvt_resp = new login::NVT_Analyzer(conn, false);
nvt_resp = new zeek::analyzer::login::NVT_Analyzer(conn, false);
nvt_resp->SetIsNULSensitive(true);
nvt_resp->SetIsNULSensitive(true);
nvt_resp->SetCRLFAsEOL(LF_as_EOL);
@ -331,3 +331,5 @@ void FTP_ADAT_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
if ( done )
Parent()->Remove();
}
} // namespace zeek::analyzer::ftp
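Review bot: In the `FTP_Analyzer` constructor hunk, `nvt_orig->SetIsNULSensitive(true);` is carried over twice and is then followed by `nvt_orig->SetIsNULSensitive(LF_as_EOL);`, so the last call decides the setting; the `nvt_resp` lines visible in the hunk start the same way. Judging by its name, `LF_as_EOL` is a line-ending selector rather than a NUL flag, so this looks like a copy-paste slip, though its definition is not visible in this section. NUL handling decides how the analyzer splits FTP command lines, and a mismatch with how servers treat NUL bytes can leave the monitor seeing different commands than the endpoint does. Since these lines are being touched anyway, it is worth keeping a single `nvt_orig->SetIsNULSensitive(true);` and dropping the `LF_as_EOL` call, or adding a comment that says why the override is intended. The constructor body continues past the end of the hunk.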


@ -4,9 +4,9 @@
#include "analyzer/protocol/tcp/TCP.h"
namespace analyzer { namespace login { class NVT_Analyzer; }}
ZEEK_FORWARD_DECLARE_NAMESPACED(NVT_Analyzer, zeek, analyzer::login);
namespace analyzer { namespace ftp {
namespace zeek::analyzer::ftp {
class FTP_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
public:
@ -21,8 +21,8 @@ public:
}
protected:
login::NVT_Analyzer* nvt_orig;
login::NVT_Analyzer* nvt_resp;
zeek::analyzer::login::NVT_Analyzer* nvt_orig;
zeek::analyzer::login::NVT_Analyzer* nvt_resp;
uint32_t pending_reply; // code associated with multi-line reply, or 0
std::string auth_requested; // AUTH method requested
};
@ -49,4 +49,11 @@ protected:
bool first_token;
};
} } // namespace analyzer::*
} // namespace zeek::analyzer::ftp
namespace analyzer::ftp {
using FTP_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::ftp::FTP_Analyzer.")]] = zeek::analyzer::ftp::FTP_Analyzer;
using FTP_ADAT_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::ftp::FTP_ADAT_Analyzer.")]] = zeek::analyzer::ftp::FTP_ADAT_Analyzer;
} // namespace analyzer::ftp


@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new zeek::analyzer::Component("FTP", ::analyzer::ftp::FTP_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("FTP", zeek::analyzer::ftp::FTP_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("FTP_ADAT", nullptr));
zeek::plugin::Configuration config;


@ -14,7 +14,9 @@
#include "events.bif.h"
using namespace analyzer::gnutella;
namespace zeek::analyzer::gnutella {
namespace detail {
GnutellaMsgState::GnutellaMsgState()
{
@ -32,6 +34,7 @@ GnutellaMsgState::GnutellaMsgState()
payload_len = 0;
}
} // namespace detail
Gnutella_Analyzer::Gnutella_Analyzer(zeek::Connection* conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("GNUTELLA", conn)
@ -42,8 +45,8 @@ Gnutella_Analyzer::Gnutella_Analyzer(zeek::Connection* conn)
ms = nullptr;
orig_msg_state = new GnutellaMsgState();
resp_msg_state = new GnutellaMsgState();
orig_msg_state = new detail::GnutellaMsgState();
resp_msg_state = new detail::GnutellaMsgState();
}
Gnutella_Analyzer::~Gnutella_Analyzer()
@ -66,7 +69,7 @@ void Gnutella_Analyzer::Done()
if ( gnutella_partial_binary_msg )
{
GnutellaMsgState* p = orig_msg_state;
detail::GnutellaMsgState* p = orig_msg_state;
for ( int i = 0; i < 2; ++i, p = resp_msg_state )
{
@ -206,7 +209,7 @@ void Gnutella_Analyzer::DissectMessage(char* msg)
}
void Gnutella_Analyzer::SendEvents(GnutellaMsgState* p, bool is_orig)
void Gnutella_Analyzer::SendEvents(detail::GnutellaMsgState* p, bool is_orig)
{
if ( p->msg_sent )
return;
@ -317,3 +320,5 @@ void Gnutella_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
else if ( gnutella_binary_msg )
DeliverMessages(len, data, orig);
}
} // namespace zeek::analyzer::gnutella


@ -4,13 +4,15 @@
#include "analyzer/protocol/tcp/TCP.h"
#define ORIG_OK 0x1
#define RESP_OK 0x2
namespace zeek::analyzer::gnutella {
#define GNUTELLA_MSG_SIZE 23
#define GNUTELLA_MAX_PAYLOAD 1024
constexpr int ORIG_OK = 0x1;
constexpr int RESP_OK = 0x2;
namespace analyzer { namespace gnutella {
constexpr int GNUTELLA_MSG_SIZE = 23;
constexpr int GNUTELLA_MAX_PAYLOAD = 1024;
namespace detail {
class GnutellaMsgState {
public:
@ -32,6 +34,7 @@ public:
unsigned int payload_left;
};
} // namespace detail
class Gnutella_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
public:
@ -54,7 +57,7 @@ private:
void DeliverLines(int len, const u_char* data, bool orig);
void SendEvents(GnutellaMsgState* p, bool is_orig);
void SendEvents(detail::GnutellaMsgState* p, bool is_orig);
void DissectMessage(char* msg);
void DeliverMessages(int len, const u_char* data, bool orig);
@ -63,9 +66,16 @@ private:
int new_state;
int sent_establish;
GnutellaMsgState* orig_msg_state;
GnutellaMsgState* resp_msg_state;
GnutellaMsgState* ms;
detail::GnutellaMsgState* orig_msg_state;
detail::GnutellaMsgState* resp_msg_state;
detail::GnutellaMsgState* ms;
};
} } // namespace analyzer::*
} // namespace zeek::analyzer::gnutella
namespace analyzer::gnutella {
using GnutellaMsgState [[deprecated("Remove in v4.1. Use zeek::analyzer::gnutella::detail::GnutellaMsgState.")]] = zeek::analyzer::gnutella::detail::GnutellaMsgState;
using Gnutella_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::gnutella::Gnutella_Analyzer.")]] = zeek::analyzer::gnutella::Gnutella_Analyzer;
} // namespace analyzer::gnutella
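Review bot: The four former macros (`ORIG_OK`, `RESP_OK`, `GNUTELLA_MSG_SIZE`, `GNUTELLA_MAX_PAYLOAD`) become `constexpr int` inside `zeek::analyzer::gnutella` in the first hunk, but the deprecated `analyzer::gnutella` block that closes this section only aliases `GnutellaMsgState` and `Gnutella_Analyzer`. Any code that used those names unqualified stops compiling with no deprecation period, whereas the DNS constants in this same commit get `constexpr auto … [[deprecated(...)]]` aliases. Consider adding matching aliases at the scope where the macros used to be visible, for example `constexpr auto GNUTELLA_MAX_PAYLOAD [[deprecated("Remove in v4.1. Use zeek::analyzer::gnutella::GNUTELLA_MAX_PAYLOAD.")]] = zeek::analyzer::gnutella::GNUTELLA_MAX_PAYLOAD;`. A one-line comment on `GNUTELLA_MSG_SIZE` and `GNUTELLA_MAX_PAYLOAD` stating what they bound would also help, since they are now public names in the namespace and appear to size message buffers.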


@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new zeek::analyzer::Component("Gnutella", ::analyzer::gnutella::Gnutella_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("Gnutella", zeek::analyzer::gnutella::Gnutella_Analyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::Gnutella";


@ -5,7 +5,7 @@
#include "Reporter.h"
#include "events.bif.h"
using namespace analyzer::gssapi;
namespace zeek::analyzer::gssapi {
GSSAPI_Analyzer::GSSAPI_Analyzer(zeek::Connection* c)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("GSSAPI", c)
@ -54,3 +54,5 @@ void GSSAPI_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
interp->NewGap(orig, len);
}
} // namespace zeek::analyzer::gssapi


@ -7,7 +7,7 @@
#include "gssapi_pac.h"
namespace analyzer { namespace gssapi {
namespace zeek::analyzer::gssapi {
class GSSAPI_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
@ -31,4 +31,10 @@ protected:
binpac::GSSAPI::GSSAPI_Conn* interp;
};
} } // namespace analyzer::*
} // namespace zeek::analyzer::gssapi
namespace analyzer::gssapi {
using GSSAPI_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::gssapi::GSSAPI_Analyzer.")]] = zeek::analyzer::gssapi::GSSAPI_Analyzer;
} // namespace analyzer::gssapi


@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new zeek::analyzer::Component("GSSAPI", ::analyzer::gssapi::GSSAPI_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("GSSAPI", zeek::analyzer::gssapi::GSSAPI_Analyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::GSSAPI";


@ -4,7 +4,7 @@
#include "events.bif.h"
using namespace analyzer::gtpv1;
namespace zeek::analyzer::gtpv1 {
GTPv1_Analyzer::GTPv1_Analyzer(zeek::Connection* conn)
: Analyzer("GTPV1", conn)
@ -35,3 +35,5 @@ void GTPv1_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint6
ProtocolViolation(fmt("Binpac exception: %s", e.c_msg()));
}
}
} // namespace zeek::analyzer::gtpv1


@ -2,7 +2,7 @@
#include "gtpv1_pac.h"
namespace analyzer { namespace gtpv1 {
namespace zeek::analyzer::gtpv1 {
class GTPv1_Analyzer final : public zeek::analyzer::Analyzer {
public:
@ -20,4 +20,10 @@ protected:
binpac::GTPv1::GTPv1_Conn* interp;
};
} } // namespace analyzer::*
} // namespace zeek::analyzer::gtpv1
namespace analyzer::gtpv1 {
using GTPv1_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::gtpv1::GTPv1_Analyzer.")]] = zeek::analyzer::gtpv1::GTPv1_Analyzer;
} // namespace analyzer::gtpv1


@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new zeek::analyzer::Component("GTPv1", ::analyzer::gtpv1::GTPv1_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("GTPv1", zeek::analyzer::gtpv1::GTPv1_Analyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::GTPv1";


@ -16,28 +16,29 @@
#include "events.bif.h"
using namespace analyzer::http;
namespace zeek::analyzer::http {
const bool DEBUG_http = false;
// The EXPECT_*_NOTHING states are used to prevent further parsing. Used if a
// message was interrupted.
enum {
enum HTTP_ExpectRequest {
EXPECT_REQUEST_LINE,
EXPECT_REQUEST_MESSAGE,
EXPECT_REQUEST_TRAILER,
EXPECT_REQUEST_NOTHING,
};
enum {
enum HTTP_ExpectReply {
EXPECT_REPLY_LINE,
EXPECT_REPLY_MESSAGE,
EXPECT_REPLY_TRAILER,
EXPECT_REPLY_NOTHING,
};
HTTP_Entity::HTTP_Entity(HTTP_Message *arg_message, MIME_Entity* parent_entity, int arg_expect_body)
:MIME_Entity(arg_message, parent_entity)
HTTP_Entity::HTTP_Entity(HTTP_Message* arg_message, zeek::analyzer::mime::MIME_Entity* parent_entity,
int arg_expect_body)
: zeek::analyzer::mime::MIME_Entity(arg_message, parent_entity)
{
http_message = arg_message;
expect_body = arg_expect_body;
@ -75,7 +76,7 @@ void HTTP_Entity::EndOfData()
http_message->MyHTTP_Analyzer()->
ForwardEndOfData(http_message->IsOrig());
MIME_Entity::EndOfData();
zeek::analyzer::mime::MIME_Entity::EndOfData();
}
void HTTP_Entity::Deliver(int len, const char* data, bool trailing_CRLF)
@ -89,7 +90,7 @@ void HTTP_Entity::Deliver(int len, const char* data, bool trailing_CRLF)
if ( end_of_data )
{
// Multipart entities may have trailers
if ( content_type != mime::CONTENT_TYPE_MULTIPART )
if ( content_type != zeek::analyzer::mime::CONTENT_TYPE_MULTIPART )
IllegalFormat("data trailing the end of entity");
return;
}
@ -100,13 +101,13 @@ void HTTP_Entity::Deliver(int len, const char* data, bool trailing_CRLF)
http_message->MyHTTP_Analyzer()->Weird("http_no_crlf_in_header_list");
header_length += len;
MIME_Entity::Deliver(len, data, trailing_CRLF);
zeek::analyzer::mime::MIME_Entity::Deliver(len, data, trailing_CRLF);
return;
}
// Entity body.
if ( content_type == mime::CONTENT_TYPE_MULTIPART ||
content_type == mime::CONTENT_TYPE_MESSAGE )
if ( content_type == zeek::analyzer::mime::CONTENT_TYPE_MULTIPART ||
content_type == zeek::analyzer::mime::CONTENT_TYPE_MESSAGE )
DeliverBody(len, data, trailing_CRLF);
else if ( chunked_transfer_state != NON_CHUNKED_TRANSFER )
@ -188,14 +189,14 @@ void HTTP_Entity::DeliverBody(int len, const char* data, bool trailing_CRLF)
{
if ( encoding == GZIP || encoding == DEFLATE )
{
zip::ZIP_Analyzer::Method method =
zeek::analyzer::zip::ZIP_Analyzer::Method method =
encoding == GZIP ?
zip::ZIP_Analyzer::GZIP : zip::ZIP_Analyzer::DEFLATE;
zeek::analyzer::zip::ZIP_Analyzer::GZIP : zeek::analyzer::zip::ZIP_Analyzer::DEFLATE;
if ( ! zip )
{
// We don't care about the direction here.
zip = new zip::ZIP_Analyzer(
zip = new zeek::analyzer::zip::ZIP_Analyzer(
http_message->MyHTTP_Analyzer()->Conn(),
false, method);
zip->SetOutputHandler(new UncompressedOutput(this));
@ -216,7 +217,7 @@ void HTTP_Entity::DeliverBodyClear(int len, const char* data, bool trailing_CRLF
body_length += 2;
if ( deliver_body )
MIME_Entity::Deliver(len, data, trailing_CRLF);
zeek::analyzer::mime::MIME_Entity::Deliver(len, data, trailing_CRLF);
zeek::detail::Rule::PatternType rule =
http_message->IsOrig() ?
@ -307,7 +308,7 @@ bool HTTP_Entity::Undelivered(int64_t len)
void HTTP_Entity::SubmitData(int len, const char* buf)
{
if ( deliver_body )
MIME_Entity::SubmitData(len, buf);
zeek::analyzer::mime::MIME_Entity::SubmitData(len, buf);
if ( send_size && ( encoding == GZIP || encoding == DEFLATE ) )
// Auto-decompress in DeliverBody invalidates sizes derived from headers
@ -364,12 +365,12 @@ void HTTP_Entity::SetPlainDelivery(int64_t length)
// expect_data_length.
}
void HTTP_Entity::SubmitHeader(mime::MIME_Header* h)
void HTTP_Entity::SubmitHeader(zeek::analyzer::mime::MIME_Header* h)
{
if ( mime::istrequal(h->get_name(), "content-length") )
if ( zeek::analyzer::mime::istrequal(h->get_name(), "content-length") )
{
zeek::data_chunk_t vt = h->get_value_token();
if ( ! mime::is_null_data_chunk(vt) )
if ( ! zeek::analyzer::mime::is_null_data_chunk(vt) )
{
int64_t n;
if ( atoi_n(vt.length, vt.data, nullptr, 10, n) )
@ -392,7 +393,7 @@ void HTTP_Entity::SubmitHeader(mime::MIME_Header* h)
}
// Figure out content-length for HTTP 206 Partial Content response
else if ( mime::istrequal(h->get_name(), "content-range") &&
else if ( zeek::analyzer::mime::istrequal(h->get_name(), "content-range") &&
http_message->MyHTTP_Analyzer()->HTTP_ReplyCode() == 206 )
{
zeek::data_chunk_t vt = h->get_value_token();
@ -477,7 +478,7 @@ void HTTP_Entity::SubmitHeader(mime::MIME_Header* h)
}
}
else if ( mime::istrequal(h->get_name(), "transfer-encoding") )
else if ( zeek::analyzer::mime::istrequal(h->get_name(), "transfer-encoding") )
{
HTTP_Analyzer::HTTP_VersionNumber http_version;
@ -487,21 +488,21 @@ void HTTP_Entity::SubmitHeader(mime::MIME_Header* h)
http_version = http_message->analyzer->GetReplyVersionNumber();
zeek::data_chunk_t vt = h->get_value_token();
if ( mime::istrequal(vt, "chunked") &&
if ( zeek::analyzer::mime::istrequal(vt, "chunked") &&
http_version == HTTP_Analyzer::HTTP_VersionNumber{1, 1} )
chunked_transfer_state = BEFORE_CHUNK;
}
else if ( mime::istrequal(h->get_name(), "content-encoding") )
else if ( zeek::analyzer::mime::istrequal(h->get_name(), "content-encoding") )
{
zeek::data_chunk_t vt = h->get_value_token();
if ( mime::istrequal(vt, "gzip") || mime::istrequal(vt, "x-gzip") )
if ( zeek::analyzer::mime::istrequal(vt, "gzip") || zeek::analyzer::mime::istrequal(vt, "x-gzip") )
encoding = GZIP;
if ( mime::istrequal(vt, "deflate") )
if ( zeek::analyzer::mime::istrequal(vt, "deflate") )
encoding = DEFLATE;
}
MIME_Entity::SubmitHeader(h);
zeek::analyzer::mime::MIME_Entity::SubmitHeader(h);
}
void HTTP_Entity::SubmitAllHeaders()
@ -513,7 +514,7 @@ void HTTP_Entity::SubmitAllHeaders()
DEBUG_MSG("%.6f end of headers\n", network_time);
if ( Parent() &&
Parent()->MIMEContentType() == mime::CONTENT_TYPE_MULTIPART )
Parent()->MIMEContentType() == zeek::analyzer::mime::CONTENT_TYPE_MULTIPART )
{
// Don't treat single \r or \n characters in the multipart body content
// as lines because the MIME_Entity code will implicitly add back a
@ -537,7 +538,7 @@ void HTTP_Entity::SubmitAllHeaders()
return;
}
MIME_Entity::SubmitAllHeaders();
zeek::analyzer::mime::MIME_Entity::SubmitAllHeaders();
if ( expect_body == HTTP_BODY_NOT_EXPECTED )
{
@ -545,8 +546,8 @@ void HTTP_Entity::SubmitAllHeaders()
return;
}
if ( content_type == mime::CONTENT_TYPE_MULTIPART ||
content_type == mime::CONTENT_TYPE_MESSAGE )
if ( content_type == zeek::analyzer::mime::CONTENT_TYPE_MULTIPART ||
content_type == zeek::analyzer::mime::CONTENT_TYPE_MESSAGE )
{
// Do nothing.
// Make sure that we check for multiple/message contents first,
@ -597,7 +598,7 @@ void HTTP_Entity::SubmitAllHeaders()
HTTP_Message::HTTP_Message(HTTP_Analyzer* arg_analyzer,
zeek::analyzer::tcp::ContentLine_Analyzer* arg_cl, bool arg_is_orig,
int expect_body, int64_t init_header_length)
: MIME_Message (arg_analyzer)
: zeek::analyzer::mime::MIME_Message (arg_analyzer)
{
analyzer = arg_analyzer;
content_line = arg_cl;
@ -639,7 +640,7 @@ void HTTP_Message::Done(bool interrupted, const char* detail)
if ( finished )
return;
MIME_Message::Done();
zeek::analyzer::mime::MIME_Message::Done();
// DEBUG_MSG("%.6f HTTP message done.\n", network_time);
top_level->EndOfData();
@ -680,7 +681,7 @@ bool HTTP_Message::Undelivered(int64_t len)
return false;
}
void HTTP_Message::BeginEntity(mime::MIME_Entity* entity)
void HTTP_Message::BeginEntity(zeek::analyzer::mime::MIME_Entity* entity)
{
if ( DEBUG_http )
DEBUG_MSG("%.6f: begin entity (%d)\n", network_time, is_orig);
@ -694,7 +695,7 @@ void HTTP_Message::BeginEntity(mime::MIME_Entity* entity)
);
}
void HTTP_Message::EndEntity(mime::MIME_Entity* entity)
void HTTP_Message::EndEntity(zeek::analyzer::mime::MIME_Entity* entity)
{
if ( DEBUG_http )
DEBUG_MSG("%.6f: end entity (%d)\n", network_time, is_orig);
@ -714,7 +715,7 @@ void HTTP_Message::EndEntity(mime::MIME_Entity* entity)
current_entity = (HTTP_Entity*) entity->Parent();
if ( entity->Parent() &&
entity->Parent()->MIMEContentType() == mime::CONTENT_TYPE_MULTIPART )
entity->Parent()->MIMEContentType() == zeek::analyzer::mime::CONTENT_TYPE_MULTIPART )
{
content_line->SupressWeirds(false);
content_line->SetCRLFAsEOL();
@ -737,12 +738,12 @@ void HTTP_Message::EndEntity(mime::MIME_Entity* entity)
}
}
void HTTP_Message::SubmitHeader(mime::MIME_Header* h)
void HTTP_Message::SubmitHeader(zeek::analyzer::mime::MIME_Header* h)
{
MyHTTP_Analyzer()->HTTP_Header(is_orig, h);
}
void HTTP_Message::SubmitAllHeaders(mime::MIME_HeaderList& hlist)
void HTTP_Message::SubmitAllHeaders(zeek::analyzer::mime::MIME_HeaderList& hlist)
{
if ( http_all_headers )
analyzer->EnqueueConnEvent(http_all_headers,
@ -760,7 +761,7 @@ void HTTP_Message::SubmitAllHeaders(mime::MIME_HeaderList& hlist)
);
}
void HTTP_Message::SubmitTrailingHeaders(mime::MIME_HeaderList& /* hlist */)
void HTTP_Message::SubmitTrailingHeaders(zeek::analyzer::mime::MIME_HeaderList& /* hlist */)
{
// Do nothing for now. Note that if this ever changes do something
// which relies on the header list argument, that's currently not
@ -795,15 +796,15 @@ void HTTP_Message::SubmitEvent(int event_type, const char* detail)
const char* category = "";
switch ( event_type ) {
case mime::MIME_EVENT_ILLEGAL_FORMAT:
case zeek::analyzer::mime::MIME_EVENT_ILLEGAL_FORMAT:
category = "illegal format";
break;
case mime::MIME_EVENT_ILLEGAL_ENCODING:
case zeek::analyzer::mime::MIME_EVENT_ILLEGAL_ENCODING:
category = "illegal encoding";
break;
case mime::MIME_EVENT_CONTENT_GAP:
case zeek::analyzer::mime::MIME_EVENT_CONTENT_GAP:
category = "content gap";
break;
@ -971,7 +972,7 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
{
if ( ! RequestExpected() )
HTTP_Event("crud_trailing_HTTP_request",
mime::to_string_val(line, end_of_line));
zeek::analyzer::mime::to_string_val(line, end_of_line));
else
{
// We do see HTTP requests with a
@ -1093,7 +1094,7 @@ void HTTP_Analyzer::Undelivered(uint64_t seq, int len, bool is_orig)
if ( ! content_line->IsSkippedContents(seq, len) )
{
if ( msg )
msg->SubmitEvent(mime::MIME_EVENT_CONTENT_GAP,
msg->SubmitEvent(zeek::analyzer::mime::MIME_EVENT_CONTENT_GAP,
fmt("seq=%" PRIu64", len=%d", seq, len));
}
@ -1314,10 +1315,10 @@ bool HTTP_Analyzer::ParseRequest(const char* line, const char* end_of_line)
version_end = version_start + 3;
if ( skip_whitespace(version_end, end_of_line) != end_of_line )
HTTP_Event("crud after HTTP version is ignored",
mime::to_string_val(line, end_of_line));
zeek::analyzer::mime::to_string_val(line, end_of_line));
}
else
HTTP_Event("bad_HTTP_version", mime::to_string_val(line, end_of_line));
HTTP_Event("bad_HTTP_version", zeek::analyzer::mime::to_string_val(line, end_of_line));
}
// NormalizeURI(line, end_of_uri);
@ -1343,7 +1344,7 @@ HTTP_Analyzer::HTTP_VersionNumber HTTP_Analyzer::HTTP_Version(int len, const cha
}
else
{
HTTP_Event("bad_HTTP_version", mime::to_string_val(len, data));
HTTP_Event("bad_HTTP_version", zeek::analyzer::mime::to_string_val(len, data));
return {};
}
}
@ -1519,20 +1520,20 @@ int HTTP_Analyzer::HTTP_ReplyLine(const char* line, const char* end_of_line)
// ##TODO: some server replies with an HTML document
// without a status line and a MIME header, when the
// request is malformed.
HTTP_Event("bad_HTTP_reply", mime::to_string_val(line, end_of_line));
HTTP_Event("bad_HTTP_reply", zeek::analyzer::mime::to_string_val(line, end_of_line));
return 0;
}
SetVersion(&reply_version, HTTP_Version(end_of_line - rest, rest));
for ( ; rest < end_of_line; ++rest )
if ( mime::is_lws(*rest) )
if ( zeek::analyzer::mime::is_lws(*rest) )
break;
if ( rest >= end_of_line )
{
HTTP_Event("HTTP_reply_code_missing",
mime::to_string_val(line, end_of_line));
zeek::analyzer::mime::to_string_val(line, end_of_line));
return 0;
}
@ -1541,20 +1542,20 @@ int HTTP_Analyzer::HTTP_ReplyLine(const char* line, const char* end_of_line)
if ( rest + 3 > end_of_line )
{
HTTP_Event("HTTP_reply_code_missing",
mime::to_string_val(line, end_of_line));
zeek::analyzer::mime::to_string_val(line, end_of_line));
return 0;
}
reply_code = HTTP_ReplyCode(rest);
for ( rest += 3; rest < end_of_line; ++rest )
if ( mime::is_lws(*rest) )
if ( zeek::analyzer::mime::is_lws(*rest) )
break;
if ( rest >= end_of_line )
{
HTTP_Event("HTTP_reply_reason_phrase_missing",
mime::to_string_val(line, end_of_line));
zeek::analyzer::mime::to_string_val(line, end_of_line));
// Tolerate missing reason phrase?
return 1;
}
@ -1601,29 +1602,29 @@ int HTTP_Analyzer::ExpectReplyMessageBody()
return HTTP_BODY_EXPECTED;
}
void HTTP_Analyzer::HTTP_Header(bool is_orig, mime::MIME_Header* h)
void HTTP_Analyzer::HTTP_Header(bool is_orig, zeek::analyzer::mime::MIME_Header* h)
{
// To be "liberal", we only look at "keep-alive" on the client
// side, and if seen assume the connection to be persistent.
// This seems fairly safe - at worst, the client does indeed
// send additional requests, and the server ignores them.
if ( is_orig && mime::istrequal(h->get_name(), "connection") )
if ( is_orig && zeek::analyzer::mime::istrequal(h->get_name(), "connection") )
{
if ( mime::istrequal(h->get_value_token(), "keep-alive") )
if ( zeek::analyzer::mime::istrequal(h->get_value_token(), "keep-alive") )
keep_alive = 1;
}
if ( ! is_orig &&
mime::istrequal(h->get_name(), "connection") )
zeek::analyzer::mime::istrequal(h->get_name(), "connection") )
{
if ( mime::istrequal(h->get_value_token(), "close") )
if ( zeek::analyzer::mime::istrequal(h->get_value_token(), "close") )
connection_close = 1;
else if ( mime::istrequal(h->get_value_token(), "upgrade") )
else if ( zeek::analyzer::mime::istrequal(h->get_value_token(), "upgrade") )
upgrade_connection = true;
}
if ( ! is_orig &&
mime::istrequal(h->get_name(), "upgrade") )
zeek::analyzer::mime::istrequal(h->get_name(), "upgrade") )
upgrade_protocol.assign(h->get_value_token().data, h->get_value_token().length);
if ( http_header )
@ -1645,15 +1646,15 @@ void HTTP_Analyzer::HTTP_Header(bool is_orig, mime::MIME_Header* h)
if ( DEBUG_http )
DEBUG_MSG("%.6f http_header\n", network_time);
auto upper_hn = mime::to_string_val(h->get_name());
auto upper_hn = zeek::analyzer::mime::to_string_val(h->get_name());
upper_hn->ToUpper();
EnqueueConnEvent(http_header,
ConnVal(),
zeek::val_mgr->Bool(is_orig),
mime::to_string_val(h->get_name()),
zeek::analyzer::mime::to_string_val(h->get_name()),
std::move(upper_hn),
mime::to_string_val(h->get_value())
zeek::analyzer::mime::to_string_val(h->get_value())
);
}
}
@ -1704,24 +1705,24 @@ void HTTP_Analyzer::SkipEntityData(bool is_orig)
msg->SkipEntityData();
}
bool analyzer::http::is_reserved_URI_char(unsigned char ch)
bool is_reserved_URI_char(unsigned char ch)
{ // see RFC 3986 (definition of URI)
return strchr(":/?#[]@!$&'()*+,;=", ch) != 0;
}
bool analyzer::http::is_unreserved_URI_char(unsigned char ch)
bool is_unreserved_URI_char(unsigned char ch)
{ // see RFC 3986 (definition of URI)
return isalnum(ch) != 0 || strchr("-_.!~*\'()", ch) != 0;
}
void analyzer::http::escape_URI_char(unsigned char ch, unsigned char*& p)
void escape_URI_char(unsigned char ch, unsigned char*& p)
{
*p++ = '%';
*p++ = encode_hex((ch >> 4) & 0xf);
*p++ = encode_hex(ch & 0xf);
}
zeek::String* analyzer::http::unescape_URI(const u_char* line, const u_char* line_end,
zeek::String* unescape_URI(const u_char* line, const u_char* line_end,
zeek::analyzer::Analyzer* analyzer)
{
zeek::byte_vec decoded_URI = new u_char[line_end - line + 1];
@ -1819,3 +1820,5 @@ zeek::String* analyzer::http::unescape_URI(const u_char* line, const u_char* lin
return new zeek::String(true, decoded_URI, URI_p - decoded_URI);
}
} // namespace zeek::analyzer::http


@ -11,7 +11,7 @@
#include "IPAddr.h"
#include "analyzer/protocol/http/events.bif.h"
namespace analyzer { namespace http {
namespace zeek::analyzer::http {
enum CHUNKED_TRANSFER_STATE {
NON_CHUNKED_TRANSFER,
@ -27,9 +27,9 @@ class HTTP_Entity;
class HTTP_Message;
class HTTP_Analyzer;
class HTTP_Entity final : public mime::MIME_Entity {
class HTTP_Entity final : public zeek::analyzer::mime::MIME_Entity {
public:
HTTP_Entity(HTTP_Message* msg, MIME_Entity* parent_entity,
HTTP_Entity(HTTP_Message* msg, zeek::analyzer::mime::MIME_Entity* parent_entity,
int expect_body);
~HTTP_Entity() override
{
@ -58,7 +58,7 @@ protected:
int64_t body_length;
int64_t header_length;
enum { IDENTITY, GZIP, COMPRESS, DEFLATE } encoding;
zip::ZIP_Analyzer* zip;
zeek::analyzer::zip::ZIP_Analyzer* zip;
bool deliver_body;
bool is_partial_content;
uint64_t offset;
@ -66,7 +66,7 @@ protected:
bool send_size; // whether to send size indication to FAF
std::string precomputed_file_id;
MIME_Entity* NewChildEntity() override { return new HTTP_Entity(http_message, this, 1); }
zeek::analyzer::mime::MIME_Entity* NewChildEntity() override { return new HTTP_Entity(http_message, this, 1); }
void DeliverBody(int len, const char* data, bool trailing_CRLF);
void DeliverBodyClear(int len, const char* data, bool trailing_CRLF);
@ -75,7 +75,7 @@ protected:
void SetPlainDelivery(int64_t length);
void SubmitHeader(mime::MIME_Header* h) override;
void SubmitHeader(zeek::analyzer::mime::MIME_Header* h) override;
void SubmitAllHeaders() override;
};
@ -96,7 +96,7 @@ enum {
// HTTP_Message::EndEntity -> Message::Done
// HTTP_MessageDone -> {Request,Reply}Made
class HTTP_Message final : public mime::MIME_Message {
class HTTP_Message final : public zeek::analyzer::mime::MIME_Message {
friend class HTTP_Entity;
public:
@ -108,16 +108,16 @@ public:
bool Undelivered(int64_t len);
void BeginEntity(mime::MIME_Entity* /* entity */) override;
void EndEntity(mime::MIME_Entity* entity) override;
void SubmitHeader(mime::MIME_Header* h) override;
void SubmitAllHeaders(mime::MIME_HeaderList& /* hlist */) override;
void BeginEntity(zeek::analyzer::mime::MIME_Entity* /* entity */) override;
void EndEntity(zeek::analyzer::mime::MIME_Entity* entity) override;
void SubmitHeader(zeek::analyzer::mime::MIME_Header* h) override;
void SubmitAllHeaders(zeek::analyzer::mime::MIME_HeaderList& /* hlist */) override;
void SubmitData(int len, const char* buf) override;
bool RequestBuffer(int* plen, char** pbuf) override;
void SubmitAllData();
void SubmitEvent(int event_type, const char* detail) override;
void SubmitTrailingHeaders(mime::MIME_HeaderList& /* hlist */);
void SubmitTrailingHeaders(zeek::analyzer::mime::MIME_HeaderList& /* hlist */);
void SetPlainDelivery(int64_t length);
void SkipEntityData();
@ -152,7 +152,7 @@ class HTTP_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer
public:
HTTP_Analyzer(zeek::Connection* conn);
void HTTP_Header(bool is_orig, mime::MIME_Header* h);
void HTTP_Header(bool is_orig, zeek::analyzer::mime::MIME_Header* h);
void HTTP_EntityData(bool is_orig, zeek::String* entity_data);
void HTTP_MessageDone(bool is_orig, HTTP_Message* message);
void HTTP_Event(const char* category, const char* detail);
@ -284,4 +284,26 @@ extern void escape_URI_char(unsigned char ch, unsigned char*& p);
extern zeek::String* unescape_URI(const u_char* line, const u_char* line_end,
zeek::analyzer::Analyzer* analyzer);
} } // namespace analyzer::*
} // namespace zeek::analyzer::http
namespace analyzer::http {
using CHUNKED_TRANSFER_STATE [[deprecated("Remove in v4.1. Use zeek::analyzer::http::CHUNKED_TRANSFER_STATE.")]] = zeek::analyzer::http::CHUNKED_TRANSFER_STATE;
constexpr auto NON_CHUNKED_TRANSFER [[deprecated("Remove in v4.1. Use zeek::analyzer::http::NON_CHUNKED_TRANSFER.")]] = zeek::analyzer::http::NON_CHUNKED_TRANSFER;
constexpr auto BEFORE_CHUNK [[deprecated("Remove in v4.1. Use zeek::analyzer::http::BEFORE_CHUNK.")]] = zeek::analyzer::http::BEFORE_CHUNK;
constexpr auto EXPECT_CHUNK_SIZE [[deprecated("Remove in v4.1. Use zeek::analyzer::http::EXPECT_CHUNK_SIZE.")]] = zeek::analyzer::http::EXPECT_CHUNK_SIZE;
constexpr auto EXPECT_CHUNK_DATA [[deprecated("Remove in v4.1. Use zeek::analyzer::http::EXPECT_CHUNK_DATA.")]] = zeek::analyzer::http::EXPECT_CHUNK_DATA;
constexpr auto EXPECT_CHUNK_DATA_CRLF [[deprecated("Remove in v4.1. Use zeek::analyzer::http::EXPECT_CHUNK_DATA_CRLF.")]] = zeek::analyzer::http::EXPECT_CHUNK_DATA_CRLF;
constexpr auto EXPECT_CHUNK_TRAILER [[deprecated("Remove in v4.1. Use zeek::analyzer::http::EXPECT_CHUNK_TRAILER.")]] = zeek::analyzer::http::EXPECT_CHUNK_TRAILER;
constexpr auto EXPECT_NOTHING [[deprecated("Remove in v4.1. Use zeek::analyzer::http::EXPECT_NOTHING.")]] = zeek::analyzer::http::EXPECT_NOTHING;
using HTTP_Entity [[deprecated("Remove in v4.1. Use zeek::analyzer::http::HTTP_Entity.")]] = zeek::analyzer::http::HTTP_Entity;
using HTTP_Message [[deprecated("Remove in v4.1. Use zeek::analyzer::http::HTTP_Message.")]] = zeek::analyzer::http::HTTP_Message;
using HTTP_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::http::HTTP_Analyzer.")]] = zeek::analyzer::http::HTTP_Analyzer;
constexpr auto is_reserved_URI_char [[deprecated("Remove in v4.1. Use zeek::analyzer::http::is_reserved_URI_char.")]] = zeek::analyzer::http::is_reserved_URI_char;
constexpr auto is_unreserved_URI_char [[deprecated("Remove in v4.1. Use zeek::analyzer::http::is_unreserved_URI_char.")]] = zeek::analyzer::http::is_unreserved_URI_char;
constexpr auto escape_URI_char [[deprecated("Remove in v4.1. Use zeek::analyzer::http::escape_URI_char.")]] = zeek::analyzer::http::escape_URI_char;
constexpr auto unescape_URI [[deprecated("Remove in v4.1. Use zeek::analyzer::http::unescape_URI.")]] = zeek::analyzer::http::unescape_URI;
} // namespace analyzer::http
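Review bot: The compatibility block at the end of this header aliases the `CHUNKED_TRANSFER_STATE` enumerators, the three classes and the four URI helpers, but nothing from the unnamed `enum {` that the hunk header at old line 96 shows at namespace scope. Its enumerators are outside the visible hunks, so this is inferred. If external code names them through `analyzer::http::`, it will stop compiling instead of getting the deprecation warning the other names get. I would add one `constexpr auto NAME [[deprecated("Remove in v4.1. Use zeek::analyzer::http::NAME.")]] = zeek::analyzer::http::NAME;` line per enumerator, following the existing pattern (NAME is a placeholder).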


@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new zeek::analyzer::Component("HTTP", ::analyzer::http::HTTP_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("HTTP", zeek::analyzer::http::HTTP_Analyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::HTTP";


@ -20,7 +20,7 @@ function skip_http_entity_data%(c: connection, is_orig: bool%): any
if ( ha )
{
if ( ha->IsAnalyzer("HTTP") )
static_cast<::analyzer::http::HTTP_Analyzer*>(ha)->SkipEntityData(is_orig);
static_cast<zeek::analyzer::http::HTTP_Analyzer*>(ha)->SkipEntityData(is_orig);
else
reporter->Error("non-HTTP analyzer associated with connection record");
}
@ -52,5 +52,5 @@ function unescape_URI%(URI: string%): string
const u_char* line = URI->Bytes();
const u_char* const line_end = line + URI->Len();
return zeek::make_intrusive<zeek::StringVal>(::analyzer::http::unescape_URI(line, line_end, 0));
return zeek::make_intrusive<zeek::StringVal>(zeek::analyzer::http::unescape_URI(line, line_end, 0));
%}
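Review bot: The call `unescape_URI(line, line_end, 0)` passes the literal `0` for the `zeek::analyzer::Analyzer*` parameter; since the line is being rewritten anyway, `nullptr` states the intent: `return zeek::make_intrusive<zeek::StringVal>(zeek::analyzer::http::unescape_URI(line, line_end, nullptr));`. The body of `unescape_URI` is only partly visible in this commit, so it is worth confirming that every use of `analyzer` there is guarded against null. This BiF hands it whatever string the calling script supplies, and such strings typically originate from network traffic.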


@ -11,7 +11,7 @@
#include "events.bif.h"
using namespace analyzer::ident;
namespace zeek::analyzer::ident {
Ident_Analyzer::Ident_Analyzer(zeek::Connection* conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("IDENT", conn)
@ -255,3 +255,5 @@ void Ident_Analyzer::BadReply(int length, const char* line)
did_bad_reply = true;
}
}
} // namespace zeek::analyzer::ident


@ -5,7 +5,7 @@
#include "analyzer/protocol/tcp/TCP.h"
#include "analyzer/protocol/tcp/ContentLine.h"
namespace analyzer { namespace ident {
namespace zeek::analyzer::ident {
class Ident_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
public:
@ -33,4 +33,10 @@ protected:
bool did_bad_reply;
};
} } // namespace analyzer::*
} // namespace zeek::analyzer::ident
namespace analyzer::ident {
using Ident_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::ident::Ident_Analyzer.")]] = zeek::analyzer::ident::Ident_Analyzer;
} // namespace analyzer::ident


@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new zeek::analyzer::Component("Ident", ::analyzer::ident::Ident_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("Ident", zeek::analyzer::ident::Ident_Analyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::Ident";


@ -4,7 +4,7 @@
#include "analyzer/protocol/tcp/TCP_Reassembler.h"
#include "analyzer/Manager.h"
using namespace analyzer::imap;
namespace zeek::analyzer::imap {
IMAP_Analyzer::IMAP_Analyzer(zeek::Connection* conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("IMAP", conn)
@ -83,3 +83,5 @@ void IMAP_Analyzer::StartTLS()
if ( ssl )
AddChildAnalyzer(ssl);
}
} // namespace zeek::analyzer::imap


@ -8,7 +8,7 @@
#include "imap_pac.h"
namespace analyzer { namespace imap {
namespace zeek::analyzer::imap {
class IMAP_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
public:
@ -34,4 +34,10 @@ protected:
bool tls_active;
};
} } // namespace analyzer::*
} // namespace zeek::analyzer::imap
namespace analyzer::imap {
using IMAP_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::imap::IMAP_Analyzer.")]] = zeek::analyzer::imap::IMAP_Analyzer;
} // namespace analyzer::imap


@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new zeek::analyzer::Component("IMAP", ::analyzer::imap::IMAP_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("IMAP", zeek::analyzer::imap::IMAP_Analyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::IMAP";


@ -7,12 +7,13 @@
%include bro.pac
%extern{
#include "zeek-config.h"
#include "Reporter.h"
#include "events.bif.h"
namespace analyzer { namespace imap { class IMAP_Analyzer; } }
namespace zeek::analyzer::imap { class IMAP_Analyzer; }
namespace binpac { namespace IMAP { class IMAP_Conn; } }
typedef analyzer::imap::IMAP_Analyzer* IMAPAnalyzer;
using IMAPAnalyzer = zeek::analyzer::imap::IMAP_Analyzer*;
#include "IMAP.h"
%}


@ -9,9 +9,10 @@
#include "events.bif.h"
using namespace analyzer::irc;
using namespace std;
namespace zeek::analyzer::irc {
IRC_Analyzer::IRC_Analyzer(zeek::Connection* conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("IRC", conn)
{
@ -1162,8 +1163,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
{
orig_zip_status = ZIP_LOADED;
resp_zip_status = ZIP_LOADED;
AddSupportAnalyzer(new zip::ZIP_Analyzer(Conn(), true));
AddSupportAnalyzer(new zip::ZIP_Analyzer(Conn(), false));
AddSupportAnalyzer(new zeek::analyzer::zip::ZIP_Analyzer(Conn(), true));
AddSupportAnalyzer(new zeek::analyzer::zip::ZIP_Analyzer(Conn(), false));
}
return;
@ -1222,3 +1223,5 @@ vector<string> IRC_Analyzer::SplitWords(const string& input, char split)
return words;
}
} // namespace zeek::analyzer::irc
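Review bot: `using namespace std;` is kept at file scope directly above the new `namespace zeek::analyzer::irc {` block, so unqualified names such as `vector` and `string` in `SplitWords` are now looked up in `zeek::analyzer::irc`, `zeek::analyzer` and `zeek` before `std`. A same-named declaration added to any of those namespaces later would silently take over. I would drop the directive and spell the signature as `std::vector<std::string> IRC_Analyzer::SplitWords(const std::string& input, char split)`. The function body lies outside the hunk, so other unqualified uses in the file would need the same treatment.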


@ -4,7 +4,7 @@
#include "analyzer/protocol/tcp/TCP.h"
#include "analyzer/protocol/tcp/ContentLine.h"
namespace analyzer { namespace irc {
namespace zeek::analyzer::irc {
/**
* \brief Main class for analyzing IRC traffic.
@ -69,4 +69,10 @@ private:
bool starttls; // if true, connection has been upgraded to tls
};
} } // namespace analyzer::*
} // namespace zeek::analyzer::irc
namespace analyzer::irc {
using IRC_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::irc::IRC_Analyzer.")]] = zeek::analyzer::irc::IRC_Analyzer;
} // namespace analyzer::irc


@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new zeek::analyzer::Component("IRC", ::analyzer::irc::IRC_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("IRC", zeek::analyzer::irc::IRC_Analyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::IRC";


@ -7,7 +7,7 @@
#include "types.bif.h"
#include "events.bif.h"
using namespace analyzer::krb;
namespace zeek::analyzer::krb {
bool KRB_Analyzer::krb_available = false;
#ifdef USE_KRB5
@ -157,3 +157,5 @@ zeek::StringValPtr KRB_Analyzer::GetAuthenticationInfo(const zeek::String* princ
return nullptr;
#endif
}
} // namespace zeek::analyzer::krb


@ -10,7 +10,7 @@
#include <mutex>
namespace analyzer { namespace krb {
namespace zeek::analyzer::krb {
class KRB_Analyzer final : public zeek::analyzer::Analyzer {
@ -43,4 +43,10 @@ private:
#endif
};
} } // namespace analyzer::*
} // namespace zeek::analyzer::krb
namespace analyzer::krb {
using KRB_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::krb::KRB_Analyzer.")]] = zeek::analyzer::krb::KRB_Analyzer;
} // namespace analyzer::krb


@ -5,7 +5,7 @@
#include "types.bif.h"
#include "events.bif.h"
using namespace analyzer::krb_tcp;
namespace zeek::analyzer::krb_tcp {
KRB_Analyzer::KRB_Analyzer(zeek::Connection* conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("KRB_TCP", conn)
@ -63,3 +63,5 @@ void KRB_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
had_gap = true;
interp->NewGap(orig, len);
}
} // namespace zeek::analyzer::krb_tcp


@ -6,7 +6,7 @@
#include "krb_TCP_pac.h"
namespace analyzer { namespace krb_tcp {
namespace zeek::analyzer::krb_tcp {
class KRB_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
@ -34,4 +34,10 @@ protected:
bool had_gap;
};
} } // namespace analyzer::*
} // namespace zeek::analyzer::krb_tcp
namespace analyzer::krb_tcp {
using KRB_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::krb_tcp::KRB_Analyzer.")]] = zeek::analyzer::krb_tcp::KRB_Analyzer;
} // namespace analyzer::krb_tcp


@ -12,8 +12,8 @@ class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new zeek::analyzer::Component("KRB", ::analyzer::krb::KRB_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("KRB_TCP", ::analyzer::krb_tcp::KRB_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("KRB", zeek::analyzer::krb::KRB_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("KRB_TCP", zeek::analyzer::krb_tcp::KRB_Analyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::KRB";
config.description = "Kerberos analyzer";


@ -2,12 +2,13 @@
%include bro.pac
%extern{
#include "zeek-config.h"
#include "types.bif.h"
#include "events.bif.h"
namespace analyzer { namespace krb { class KRB_Analyzer; } }
namespace zeek::analyzer::krb { class KRB_Analyzer; }
namespace binpac { namespace KRB { class KRB_Conn; } }
typedef analyzer::krb::KRB_Analyzer* KRBAnalyzer;
using KRBAnalyzer = zeek::analyzer::krb::KRB_Analyzer*;
#include "KRB.h"
%}


@ -2,12 +2,13 @@
%include bro.pac
%extern{
#include "zeek-config.h"
#include "types.bif.h"
#include "events.bif.h"
namespace analyzer { namespace krb_tcp { class KRB_Analyzer; } }
namespace zeek::analyzer::krb_tcp { class KRB_Analyzer; }
namespace binpac { namespace KRB_TCP { class KRB_Conn; } }
typedef analyzer::krb_tcp::KRB_Analyzer* KRBTCPAnalyzer;
using KRBTCPAnalyzer = zeek::analyzer::krb_tcp::KRB_Analyzer*;
#include "KRB_TCP.h"
%}


@ -15,7 +15,7 @@
#include "events.bif.h"
using namespace analyzer::login;
namespace zeek::analyzer::login {
static zeek::RE_Matcher* re_skip_authentication = nullptr;
static zeek::RE_Matcher* re_direct_login_prompts;
@ -633,3 +633,5 @@ zeek::RE_Matcher* init_RE(zeek::ListVal* l)
return re;
}
} // namespace zeek::analyzer::login


@ -4,15 +4,14 @@
#include "analyzer/protocol/tcp/TCP.h"
namespace analyzer { namespace login {
namespace zeek::analyzer::login {
typedef enum {
enum login_state {
LOGIN_STATE_AUTHENTICATE, // trying to authenticate
LOGIN_STATE_LOGGED_IN, // successful authentication
LOGIN_STATE_SKIP, // skip any further processing
LOGIN_STATE_CONFUSED, // we're confused
} login_state;
};
// If no action by this many lines, we're definitely confused.
#define MAX_AUTHENTICATE_LINES 50
@ -83,4 +82,16 @@ protected:
bool saw_ploy;
};
} } // namespace analyzer::*
} // namespace zeek::analyzer::login
namespace analyzer::login {
using login_state [[deprecated("Remove in v4.1. Use zeek::analyzer::login::login_state.")]] = zeek::analyzer::login::login_state;
constexpr auto LOGIN_STATE_AUTHENTICATE [[deprecated("Remove in v4.1. Use zeek::analyzer::login::LOGIN_STATE_AUTHENTICATE.")]] = zeek::analyzer::login::LOGIN_STATE_AUTHENTICATE;
constexpr auto LOGIN_STATE_LOGGED_IN [[deprecated("Remove in v4.1. Use zeek::analyzer::login::LOGIN_STATE_LOGGED_IN.")]] = zeek::analyzer::login::LOGIN_STATE_LOGGED_IN;
constexpr auto LOGIN_STATE_SKIP [[deprecated("Remove in v4.1. Use zeek::analyzer::login::LOGIN_STATE_SKIP.")]] = zeek::analyzer::login::LOGIN_STATE_SKIP;
constexpr auto LOGIN_STATE_CONFUSED [[deprecated("Remove in v4.1. Use zeek::analyzer::login::LOGIN_STATE_CONFUSED.")]] = zeek::analyzer::login::LOGIN_STATE_CONFUSED;
using Login_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::login::Login_Analyzer.")]] = zeek::analyzer::login::Login_Analyzer;
} // namespace analyzer::login
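Review bot: `enum login_state` is declared without a fixed underlying type, and the `set_login_state` BiF later in this commit converts a script-supplied `count` with `zeek::analyzer::login::login_state(new_state)` without a range check. With four enumerators the representable range is 0–3, so a larger value makes that conversion undefined behaviour in C++17 and presumably leaves the analyzer in a state none of the `LOGIN_STATE_*` values describe. I would reject it in the BiF with `if ( new_state > zeek::analyzer::login::LOGIN_STATE_CONFUSED ) return zeek::val_mgr->False();`, or give the enum a fixed type (`enum login_state : unsigned int {`) and validate inside `SetLoginState`. `SetLoginState` itself is outside the visible hunks.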


@ -28,7 +28,7 @@
#define TELNET_IAC 255
using namespace analyzer::login;
namespace zeek::analyzer::login {
TelnetOption::TelnetOption(NVT_Analyzer* arg_endp, unsigned int arg_code)
{
@ -117,6 +117,7 @@ void TelnetOption::BadOption()
endp->Event(bad_option);
}
namespace detail {
void TelnetTerminalOption::RecvSubOption(u_char* data, int len)
{
@ -379,6 +380,7 @@ void TelnetBinaryOption::InconsistentOption(unsigned int /* type */)
// in ex/redund-binary-opt.trace.
}
} // namespace detail
NVT_Analyzer::NVT_Analyzer(zeek::Connection* conn, bool orig)
: zeek::analyzer::tcp::ContentLine_Analyzer("NVT", conn, orig), options()
@ -405,23 +407,23 @@ TelnetOption* NVT_Analyzer::FindOption(unsigned int code)
{ // Maybe we haven't created this option yet.
switch ( code ) {
case TELNET_OPTION_BINARY:
opt = new TelnetBinaryOption(this);
opt = new detail::TelnetBinaryOption(this);
break;
case TELNET_OPTION_TERMINAL:
opt = new TelnetTerminalOption(this);
opt = new detail::TelnetTerminalOption(this);
break;
case TELNET_OPTION_ENCRYPT:
opt = new TelnetEncryptOption(this);
opt = new detail::TelnetEncryptOption(this);
break;
case TELNET_OPTION_AUTHENTICATE:
opt = new TelnetAuthenticateOption(this);
opt = new detail::TelnetAuthenticateOption(this);
break;
case TELNET_OPTION_ENVIRON:
opt = new TelnetEnvironmentOption(this);
opt = new detail::TelnetEnvironmentOption(this);
break;
}
}
@ -734,3 +736,5 @@ void NVT_Analyzer::BadOptionTermination(unsigned int /* code */)
{
Event(bad_option_termination);
}
} // namespace zeek::analyzer::login


@ -11,9 +11,9 @@
#define TELNET_OPTION_ENVIRON 39
#define NUM_TELNET_OPTIONS 5
namespace analyzer { namespace login {
ZEEK_FORWARD_DECLARE_NAMESPACED(NVT_Analyzer, zeek, analyzer::login);
class NVT_Analyzer;
namespace zeek::analyzer::login {
class TelnetOption {
public:
@ -58,6 +58,8 @@ protected:
int active;
};
namespace detail {
class TelnetTerminalOption final : public TelnetOption {
public:
explicit TelnetTerminalOption(NVT_Analyzer* arg_endp)
@ -122,6 +124,8 @@ protected:
void InconsistentOption(unsigned int type) override;
};
} // namespace detail
class NVT_Analyzer final : public zeek::analyzer::tcp::ContentLine_Analyzer {
public:
NVT_Analyzer(zeek::Connection* conn, bool orig);
@ -171,4 +175,16 @@ protected:
int num_options = 0;
};
} } // namespace analyzer::*
} // namespace zeek::analyzer::login
namespace analyzer::login {
using TelnetOption [[deprecated("Remove in v4.1. Use zeek::analyzer::login::TelnetOption.")]] = zeek::analyzer::login::TelnetOption;
using TelnetTerminalOption [[deprecated("Remove in v4.1. Use zeek::analyzer::login::detail::TelnetTerminalOption.")]] = zeek::analyzer::login::detail::TelnetTerminalOption;
using TelnetEncryptOption [[deprecated("Remove in v4.1. Use zeek::analyzer::login::detail::TelnetEncryptOption.")]] = zeek::analyzer::login::detail::TelnetEncryptOption;
using TelnetAuthenticateOption [[deprecated("Remove in v4.1. Use zeek::analyzer::login::detail::TelnetAuthenticateOption.")]] = zeek::analyzer::login::detail::TelnetAuthenticateOption;
using TelnetEnvironmentOption [[deprecated("Remove in v4.1. Use zeek::analyzer::login::detail::TelnetEnvironmentOption.")]] = zeek::analyzer::login::detail::TelnetEnvironmentOption;
using TelnetBinaryOption [[deprecated("Remove in v4.1. Use zeek::analyzer::login::detail::TelnetBinaryOption.")]] = zeek::analyzer::login::detail::TelnetBinaryOption;
using NVT_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::login::NVT_Analyzer.")]] = zeek::analyzer::login::NVT_Analyzer;
} // namespace analyzer::login


@ -14,9 +14,9 @@ class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new zeek::analyzer::Component("Telnet", ::analyzer::login::Telnet_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("Rsh", ::analyzer::login::Rsh_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("Rlogin", ::analyzer::login::Rlogin_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("Telnet", zeek::analyzer::login::Telnet_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("Rsh", zeek::analyzer::login::Rsh_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("Rlogin", zeek::analyzer::login::Rlogin_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("NVT", nullptr));
AddComponent(new zeek::analyzer::Component("Login", nullptr));
AddComponent(new zeek::analyzer::Component("Contents_Rsh", nullptr));


@ -9,7 +9,7 @@
#include "events.bif.h"
using namespace analyzer::login;
namespace zeek::analyzer::login {
// FIXME: this code should probably be merged with Rlogin.cc.
@ -223,3 +223,5 @@ void Rsh_Analyzer::ServerUserName(const char* s)
username = new zeek::StringVal(s);
}
} // namespace zeek::analyzer::login


@ -5,9 +5,11 @@
#include "Login.h"
#include "analyzer/protocol/tcp/ContentLine.h"
namespace analyzer { namespace login {
ZEEK_FORWARD_DECLARE_NAMESPACED(Rsh_Analyzer, zeek, analyzer::login);
typedef enum {
namespace zeek::analyzer::login {
enum rsh_state {
RSH_FIRST_NULL, // waiting to see first NUL
RSH_CLIENT_USER_NAME, // scanning client user name up to NUL
RSH_SERVER_USER_NAME, // scanning server user name up to NUL
@ -18,9 +20,7 @@ typedef enum {
RSH_PRESUMED_REJECTED, // apparently server said No Way
RSH_UNKNOWN, // we don't know what state we're in
} rsh_state;
class Rsh_Analyzer;
};
class Contents_Rsh_Analyzer final : public zeek::analyzer::tcp::ContentLine_Analyzer {
public:
@ -55,4 +55,20 @@ public:
Contents_Rsh_Analyzer* contents_resp;
};
} } // namespace analyzer::*
} // namespace zeek::analyzer::login
namespace analyzer::login {
using rsh_state [[deprecated("Remove in v4.1. Use zeek::analyzer::login::rsh_state.")]] = zeek::analyzer::login::rsh_state;
constexpr auto RSH_FIRST_NULL [[deprecated("Remove in v4.1. Use zeek::analyzer::login::RSH_FIRST_NULL.")]] = zeek::analyzer::login::RSH_FIRST_NULL;
constexpr auto RSH_CLIENT_USER_NAME [[deprecated("Remove in v4.1. Use zeek::analyzer::login::RSH_CLIENT_USER_NAME.")]] = zeek::analyzer::login::RSH_CLIENT_USER_NAME;
constexpr auto RSH_SERVER_USER_NAME [[deprecated("Remove in v4.1. Use zeek::analyzer::login::RSH_SERVER_USER_NAME.")]] = zeek::analyzer::login::RSH_SERVER_USER_NAME;
constexpr auto RSH_INITIAL_CMD [[deprecated("Remove in v4.1. Use zeek::analyzer::login::RSH_INITIAL_CMD.")]] = zeek::analyzer::login::RSH_INITIAL_CMD;
constexpr auto RSH_LINE_MODE [[deprecated("Remove in v4.1. Use zeek::analyzer::login::RSH_LINE_MODE.")]] = zeek::analyzer::login::RSH_LINE_MODE;
constexpr auto RSH_PRESUMED_REJECTED [[deprecated("Remove in v4.1. Use zeek::analyzer::login::RSH_PRESUMED_REJECTED.")]] = zeek::analyzer::login::RSH_PRESUMED_REJECTED;
constexpr auto RSH_UNKNOWN [[deprecated("Remove in v4.1. Use zeek::analyzer::login::RSH_UNKNOWN.")]] = zeek::analyzer::login::RSH_UNKNOWN;
using Contents_Rsh_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::login::Contents_Rsh_Analyzer.")]] = zeek::analyzer::login::Contents_Rsh_Analyzer;
using Rsh_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::login::Rsh_Analyzer.")]] = zeek::analyzer::login::Rsh_Analyzer;
} // namespace analyzer::login


@ -9,7 +9,7 @@
#include "events.bif.h"
using namespace analyzer::login;
namespace zeek::analyzer::login {
Contents_Rlogin_Analyzer::Contents_Rlogin_Analyzer(zeek::Connection* conn, bool orig, Rlogin_Analyzer* arg_analyzer)
: zeek::analyzer::tcp::ContentLine_Analyzer("CONTENTLINE", conn, orig)
@ -249,3 +249,5 @@ void Rlogin_Analyzer::TerminalType(const char* s)
zeek::make_intrusive<zeek::StringVal>(s)
);
}
} // namespace zeek::analyzer::login


@ -5,9 +5,11 @@
#include "Login.h"
#include "analyzer/protocol/tcp/ContentLine.h"
namespace analyzer { namespace login {
ZEEK_FORWARD_DECLARE_NAMESPACED(Rlogin_Analyzer, zeek, analyzer::login);
typedef enum {
namespace zeek::analyzer::login {
enum rlogin_state {
RLOGIN_FIRST_NULL, // waiting to see first NUL
RLOGIN_CLIENT_USER_NAME, // scanning client user name up to NUL
RLOGIN_SERVER_USER_NAME, // scanning server user name up to NUL
@ -26,9 +28,7 @@ typedef enum {
RLOGIN_PRESUMED_REJECTED, // apparently server said No Way
RLOGIN_UNKNOWN, // we don't know what state we're in
} rlogin_state;
class Rlogin_Analyzer;
};
class Contents_Rlogin_Analyzer final : public zeek::analyzer::tcp::ContentLine_Analyzer {
public:
@ -65,4 +65,25 @@ public:
{ return new Rlogin_Analyzer(conn); }
};
} } // namespace analyzer::*
} // namespace zeek::analyzer::login
namespace analyzer::login {
using rlogin_state [[deprecated("Remove in v4.1. Use zeek::analyzer::login::rlogin_state.")]] = zeek::analyzer::login::rlogin_state;
constexpr auto RLOGIN_FIRST_NULL [[deprecated("Remove in v4.1. Use zeek::analyzer::login::RLOGIN_FIRST_NULL.")]] = zeek::analyzer::login::RLOGIN_FIRST_NULL;
constexpr auto RLOGIN_CLIENT_USER_NAME [[deprecated("Remove in v4.1. Use zeek::analyzer::login::RLOGIN_CLIENT_USER_NAME.")]] = zeek::analyzer::login::RLOGIN_CLIENT_USER_NAME;
constexpr auto RLOGIN_SERVER_USER_NAME [[deprecated("Remove in v4.1. Use zeek::analyzer::login::RLOGIN_SERVER_USER_NAME.")]] = zeek::analyzer::login::RLOGIN_SERVER_USER_NAME;
constexpr auto RLOGIN_TERMINAL_TYPE [[deprecated("Remove in v4.1. Use zeek::analyzer::login::RLOGIN_TERMINAL_TYPE.")]] = zeek::analyzer::login::RLOGIN_TERMINAL_TYPE;
constexpr auto RLOGIN_SERVER_ACK [[deprecated("Remove in v4.1. Use zeek::analyzer::login::RLOGIN_SERVER_ACK.")]] = zeek::analyzer::login::RLOGIN_SERVER_ACK;
constexpr auto RLOGIN_IN_BAND_CONTROL_FF2 [[deprecated("Remove in v4.1. Use zeek::analyzer::login::RLOGIN_IN_BAND_CONTROL_FF2.")]] = zeek::analyzer::login::RLOGIN_IN_BAND_CONTROL_FF2;
constexpr auto RLOGIN_WINDOW_CHANGE_S1 [[deprecated("Remove in v4.1. Use zeek::analyzer::login::RLOGIN_WINDOW_CHANGE_S1.")]] = zeek::analyzer::login::RLOGIN_WINDOW_CHANGE_S1;
constexpr auto RLOGIN_WINDOW_CHANGE_S2 [[deprecated("Remove in v4.1. Use zeek::analyzer::login::RLOGIN_WINDOW_CHANGE_S2.")]] = zeek::analyzer::login::RLOGIN_WINDOW_CHANGE_S2;
constexpr auto RLOGIN_WINDOW_CHANGE_REMAINDER [[deprecated("Remove in v4.1. Use zeek::analyzer::login::RLOGIN_WINDOW_CHANGE_REMAINDER.")]] = zeek::analyzer::login::RLOGIN_WINDOW_CHANGE_REMAINDER;
constexpr auto RLOGIN_LINE_MODE [[deprecated("Remove in v4.1. Use zeek::analyzer::login::RLOGIN_LINE_MODE.")]] = zeek::analyzer::login::RLOGIN_LINE_MODE;
constexpr auto RLOGIN_PRESUMED_REJECTED [[deprecated("Remove in v4.1. Use zeek::analyzer::login::RLOGIN_PRESUMED_REJECTED.")]] = zeek::analyzer::login::RLOGIN_PRESUMED_REJECTED;
constexpr auto RLOGIN_UNKNOWN [[deprecated("Remove in v4.1. Use zeek::analyzer::login::RLOGIN_UNKNOWN.")]] = zeek::analyzer::login::RLOGIN_UNKNOWN;
using Contents_Rlogin_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::login::Contents_Rlogin_Analyzer.")]] = zeek::analyzer::login::Contents_Rlogin_Analyzer;
using Rlogin_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::login::Rlogin_Analyzer.")]] = zeek::analyzer::login::Rlogin_Analyzer;
} // namespace analyzer::login


@ -7,7 +7,7 @@
#include "events.bif.h"
using namespace analyzer::login;
namespace zeek::analyzer::login {
Telnet_Analyzer::Telnet_Analyzer(zeek::Connection* conn)
: Login_Analyzer("TELNET", conn)
@ -21,3 +21,5 @@ Telnet_Analyzer::Telnet_Analyzer(zeek::Connection* conn)
AddSupportAnalyzer(nvt_orig);
AddSupportAnalyzer(nvt_resp);
}
} // namespace zeek::analyzer::login


@ -4,7 +4,7 @@
#include "Login.h"
namespace analyzer { namespace login {
namespace zeek::analyzer::login {
class Telnet_Analyzer : public Login_Analyzer {
public:
@ -15,4 +15,10 @@ public:
{ return new Telnet_Analyzer(conn); }
};
} } // namespace analyzer::*
} // namespace zeek::analyzer::login
namespace analyzer::login {
using Telnet_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::login::Telnet_Analyzer.")]] = zeek::analyzer::login::Telnet_Analyzer;
} // namespace analyzer::login


@ -34,7 +34,7 @@ function get_login_state%(cid: conn_id%): count
if ( ! la )
return zeek::val_mgr->False();
return zeek::val_mgr->Count(int(static_cast<::analyzer::login::Login_Analyzer*>(la)->LoginState()));
return zeek::val_mgr->Count(int(static_cast<zeek::analyzer::login::Login_Analyzer*>(la)->LoginState()));
%}
## Sets the login state of a connection with a login analyzer.
@ -58,6 +58,7 @@ function set_login_state%(cid: conn_id, new_state: count%): bool
if ( ! la )
return zeek::val_mgr->False();
static_cast<::analyzer::login::Login_Analyzer*>(la)->SetLoginState(::analyzer::login::login_state(new_state));
static_cast<zeek::analyzer::login::Login_Analyzer*>(la)->SetLoginState(
zeek::analyzer::login::login_state(new_state));
return zeek::val_mgr->True();
%}
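Review bot: In `set_login_state`, the script-supplied `new_state` count is converted with `zeek::analyzer::login::login_state(new_state)` and passed to `SetLoginState()` with no range check, so any integer a script supplies becomes the analyzer's state. A guard before the call, e.g. `if ( new_state > MAX_LOGIN_STATE ) return zeek::val_mgr->False();`, would keep the enum within its defined values; `MAX_LOGIN_STATE` is a placeholder for the highest enumerator, which is not visible on this page. In `get_login_state`, which is declared to return `count`, the `! la` branch returns `zeek::val_mgr->False()`, a bool value, so the result does not match the declared type. Both function bodies start outside the hunks shown.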


@ -19,7 +19,7 @@
// headers of form: <name>=<value>; <param_1>=<param_val_1>;
// <param_2>=<param_val_2>; ... (so that
namespace analyzer { namespace mime {
namespace zeek::analyzer::mime {
static const zeek::data_chunk_t null_data_chunk = { 0, nullptr };
@ -439,11 +439,6 @@ zeek::String* MIME_decode_quoted_pairs(zeek::data_chunk_t buf)
return new zeek::String(true, (zeek::byte_vec) dest, j);
}
} } // namespace analyzer::*
using namespace analyzer::mime;
MIME_Multiline::MIME_Multiline()
{
line = nullptr;
@ -1567,3 +1562,24 @@ void MIME_Mail::SubmitEvent(int event_type, const char* detail)
zeek::make_intrusive<zeek::StringVal>(detail)
);
}
} // namespace zeek::analyzer::mime
namespace analyzer::mime {
zeek::StringVal* new_string_val(int length, const char* data)
{ return zeek::analyzer::mime::to_string_val(length, data).release(); }
zeek::StringVal* new_string_val(const char* data, const char* end_of_data)
{ return zeek::analyzer::mime::to_string_val(data, end_of_data).release(); }
zeek::StringVal* new_string_val(const zeek::data_chunk_t buf)
{ return zeek::analyzer::mime::to_string_val(buf).release(); }
zeek::StringValPtr to_string_val(int length, const char* data)
{ return zeek::analyzer::mime::to_string_val(length, data); }
zeek::StringValPtr to_string_val(const char* data, const char* end_of_data)
{ return zeek::analyzer::mime::to_string_val(data, end_of_data); }
zeek::StringValPtr to_string_val(const zeek::data_chunk_t buf)
{ return zeek::analyzer::mime::to_string_val(buf); }
} // namespace analyzer::mime


@ -19,7 +19,7 @@ using TableValPtr = zeek::IntrusivePtr<TableVal>;
using StringValPtr = zeek::IntrusivePtr<StringVal>;
}
namespace analyzer { namespace mime {
namespace zeek::analyzer::mime {
// MIME: Multipurpose Internet Mail Extensions
// Follows RFC 822 & 2822 (Internet Mail), 2045-2049 (MIME)
@ -46,8 +46,6 @@ enum MIME_EVENT_TYPE {
MIME_EVENT_OTHER,
};
// MIME data structures.
class MIME_Multiline;
@ -279,11 +277,11 @@ protected:
};
extern bool is_null_data_chunk(zeek::data_chunk_t b);
[[deprecated("Remove in v4.1. Use analyzer::mime::to_string_val().")]]
[[deprecated("Remove in v4.1. Use zeek::analyzer::mime::to_string_val().")]]
extern zeek::StringVal* new_string_val(int length, const char* data);
[[deprecated("Remove in v4.1. Use analyzer::mime::to_string_val().")]]
[[deprecated("Remove in v4.1. Use zeek::analyzer::mime::to_string_val().")]]
extern zeek::StringVal* new_string_val(const char* data, const char* end_of_data);
[[deprecated("Remove in v4.1. Use analyzer::mime::to_string_val().")]]
[[deprecated("Remove in v4.1. Use zeek::analyzer::mime::to_string_val().")]]
extern zeek::StringVal* new_string_val(const zeek::data_chunk_t buf);
extern zeek::StringValPtr to_string_val(int length, const char* data);
extern zeek::StringValPtr to_string_val(const char* data, const char* end_of_data);
@ -304,4 +302,54 @@ extern int MIME_get_value(int len, const char* data, zeek::String*& buf,
extern int MIME_get_field_name(int len, const char* data, zeek::data_chunk_t* name);
extern zeek::String* MIME_decode_quoted_pairs(zeek::data_chunk_t buf);
} } // namespace analyzer::*
} // namespace zeek::analyzer::mime
namespace analyzer::mime {
using MIME_CONTENT_TYPE [[deprecated("Remove in v4.1. Use zeek::analyzer::mime::MIME_CONTENT_TYPE.")]] = zeek::analyzer::mime::MIME_CONTENT_TYPE;
constexpr auto CONTENT_TYPE_MULTIPART [[deprecated("Remove in v4.1. Uze zeek::analyzer::mime::CONTENT_TYPE_MULTIPART.")]] = zeek::analyzer::mime::CONTENT_TYPE_MULTIPART;
constexpr auto CONTENT_TYPE_MESSAGE [[deprecated("Remove in v4.1. Uze zeek::analyzer::mime::CONTENT_TYPE_MESSAGE.")]] = zeek::analyzer::mime::CONTENT_TYPE_MESSAGE;
constexpr auto CONTENT_TYPE_TEXT [[deprecated("Remove in v4.1. Uze zeek::analyzer::mime::CONTENT_TYPE_TEXT.")]] = zeek::analyzer::mime::CONTENT_TYPE_TEXT;
constexpr auto CONTENT_TYPE_OTHER [[deprecated("Remove in v4.1. Uze zeek::analyzer::mime::CONTENT_TYPE_OTHER.")]] = zeek::analyzer::mime::CONTENT_TYPE_OTHER;
using MIME_EVENT_TYPE [[deprecated("Remove in v4.1. Use zeek::analyzer::mime::MIME_EVENT_TYPE.")]] = zeek::analyzer::mime::MIME_EVENT_TYPE;
constexpr auto MIME_EVENT_ILLEGAL_FORMAT [[deprecated("Remove in v4.1. Uze zeek::analyzer::mime::MIME_EVENT_ILLEGAL_FORMAT.")]] = zeek::analyzer::mime::MIME_EVENT_ILLEGAL_FORMAT;
constexpr auto MIME_EVENT_ILLEGAL_ENCODING [[deprecated("Remove in v4.1. Uze zeek::analyzer::mime::MIME_EVENT_ILLEGAL_ENCODING.")]] = zeek::analyzer::mime::MIME_EVENT_ILLEGAL_ENCODING;
constexpr auto MIME_EVENT_CONTENT_GAP [[deprecated("Remove in v4.1. Uze zeek::analyzer::mime::MIME_EVENT_CONTENT_GAP.")]] = zeek::analyzer::mime::MIME_EVENT_CONTENT_GAP;
constexpr auto MIME_EVENT_OTHER [[deprecated("Remove in v4.1. Uze zeek::analyzer::mime::MIME_EVENT_OTHER.")]] = zeek::analyzer::mime::MIME_EVENT_OTHER;
using MIME_Multiline [[deprecated("Remove in v4.1. Use zeek::analyzer::mime::MIME_Multiline.")]] = zeek::analyzer::mime::MIME_Multiline;
using MIME_Header [[deprecated("Remove in v4.1. Use zeek::analyzer::mime::MIME_Header.")]] = zeek::analyzer::mime::MIME_Header;
using MIME_HeaderList [[deprecated("Remove in v4.1. Use zeek::analyzer::mime::MIME_HeaderList.")]] = zeek::analyzer::mime::MIME_HeaderList;
using MIME_Entity [[deprecated("Remove in v4.1. Use zeek::analyzer::mime::MIME_Entity.")]] = zeek::analyzer::mime::MIME_Entity;
using MIME_Message [[deprecated("Remove in v4.1. Use zeek::analyzer::mime::MIME_Message.")]] = zeek::analyzer::mime::MIME_Message;
using MIME_Mail [[deprecated("Remove in v4.1. Use zeek::analyzer::mime::MIME_Mail.")]] = zeek::analyzer::mime::MIME_Mail;
constexpr auto is_null_data_chunk [[deprecated("Remove in v4.1. Use zeek::analyzer::mime::is_null_data_chunk.")]] = zeek::analyzer::mime::is_null_data_chunk;
constexpr auto is_lws [[deprecated("Remove in v4.1. Use zeek::analyzer::mime::is_lws.")]] = zeek::analyzer::mime::is_lws;
constexpr auto MIME_is_field_name_char [[deprecated("Remove in v4.1. Use zeek::analyzer::mime::MIME_is_field_name_char.")]] = zeek::analyzer::mime::MIME_is_field_name_char;
constexpr auto MIME_count_leading_lws [[deprecated("Remove in v4.1. Use zeek::analyzer::mime::MIME_count_leading_lws.")]] = zeek::analyzer::mime::MIME_count_leading_lws;
constexpr auto MIME_count_trailing_lws [[deprecated("Remove in v4.1. Use zeek::analyzer::mime::MIME_count_trailing_lws.")]] = zeek::analyzer::mime::MIME_count_trailing_lws;
constexpr auto MIME_skip_comments [[deprecated("Remove in v4.1. Use zeek::analyzer::mime::MIME_skip_comments.")]] = zeek::analyzer::mime::MIME_skip_comments;
constexpr auto MIME_skip_lws_comments [[deprecated("Remove in v4.1. Use zeek::analyzer::mime::MIME_skip_lws_comments.")]] = zeek::analyzer::mime::MIME_skip_lws_comments;
constexpr auto MIME_get_token [[deprecated("Remove in v4.1. Use zeek::analyzer::mime::MIME_get_token.")]] = zeek::analyzer::mime::MIME_get_token;
constexpr auto MIME_get_slash_token_pair [[deprecated("Remove in v4.1. Use zeek::analyzer::mime::MIME_get_slash_token_pair.")]] = zeek::analyzer::mime::MIME_get_slash_token_pair;
constexpr auto MIME_get_value [[deprecated("Remove in v4.1. Use zeek::analyzer::mime::MIME_get_value.")]] = zeek::analyzer::mime::MIME_get_value;
constexpr auto MIME_get_field_name [[deprecated("Remove in v4.1. Use zeek::analyzer::mime::MIME_get_field_name.")]] = zeek::analyzer::mime::MIME_get_field_name;
constexpr auto MIME_decode_quoted_pairs [[deprecated("Remove in v4.1. Use zeek::analyzer::mime::MIME_decode_quoted_pairs.")]] = zeek::analyzer::mime::MIME_decode_quoted_pairs;
[[deprecated("Remove in v4.1. Use zeek::analyzer::mime::to_string_val().")]]
extern zeek::StringVal* new_string_val(int length, const char* data);
[[deprecated("Remove in v4.1. Use zeek::analyzer::mime::to_string_val().")]]
extern zeek::StringVal* new_string_val(const char* data, const char* end_of_data);
[[deprecated("Remove in v4.1. Use zeek::analyzer::mime::to_string_val().")]]
extern zeek::StringVal* new_string_val(const zeek::data_chunk_t buf);
[[deprecated("Remove in v4.1. Use zeek::analyzer::mime::to_string_val().")]]
extern zeek::StringValPtr to_string_val(int length, const char* data);
[[deprecated("Remove in v4.1. Use zeek::analyzer::mime::to_string_val().")]]
extern zeek::StringValPtr to_string_val(const char* data, const char* end_of_data);
[[deprecated("Remove in v4.1. Use zeek::analyzer::mime::to_string_val().")]]
extern zeek::StringValPtr to_string_val(const zeek::data_chunk_t buf);
} // namespace analyzer::mime
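Review bot: The deprecation strings on the enumerator aliases in the new `analyzer::mime` block (`CONTENT_TYPE_*` and `MIME_EVENT_*`) read "Uze" instead of "Use", and the same misspelling recurs in the `analyzer::netbios_ssn` alias block later in this commit. This text is what users see in compiler warnings, so it should read e.g. `[[deprecated("Remove in v4.1. Use zeek::analyzer::mime::CONTENT_TYPE_TEXT.")]]`. The function aliases such as `constexpr auto MIME_get_value = zeek::analyzer::mime::MIME_get_value;` are function pointers, so a defaulted parameter on the original declaration would not be usable through the old name. The `MIME_get_value` signature is cut off in the hunk header, so this needs checking against the full declaration; a deprecated inline forwarding function would preserve defaults if there are any.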


@ -4,7 +4,7 @@
#include "events.bif.h"
using namespace analyzer::modbus;
namespace zeek::analyzer::modbus {
ModbusTCP_Analyzer::ModbusTCP_Analyzer(zeek::Connection* c)
: TCP_ApplicationAnalyzer("MODBUS", c)
@ -42,3 +42,5 @@ void ModbusTCP_Analyzer::EndpointEOF(bool is_orig)
TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
interp->FlowEOF(is_orig);
}
} // namespace zeek::analyzer::modbus


@ -3,7 +3,7 @@
#include "analyzer/protocol/tcp/TCP.h"
#include "modbus_pac.h"
namespace analyzer { namespace modbus {
namespace zeek::analyzer::modbus {
class ModbusTCP_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
public:
@ -23,4 +23,10 @@ protected:
binpac::ModbusTCP::ModbusTCP_Conn* interp;
};
} } // namespace analyzer::*
} // namespace zeek::analyzer::modbus
namespace analyzer::modbus {
using ModbusTCP_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::modbus::ModbusTCP_Analyzer.")]] = zeek::analyzer::modbus::ModbusTCP_Analyzer;
} // namespace analyzer::modbus


@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new zeek::analyzer::Component("MODBUS", ::analyzer::modbus::ModbusTCP_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("MODBUS", zeek::analyzer::modbus::ModbusTCP_Analyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::Modbus";


@ -7,7 +7,7 @@
#include "Scope.h"
#include "mqtt_pac.h"
using namespace analyzer::MQTT;
namespace zeek::analyzer::mqtt {
MQTT_Analyzer::MQTT_Analyzer(zeek::Connection* c)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("MQTT", c)
@ -55,3 +55,5 @@ void MQTT_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
interp->NewGap(orig, len);
}
} // namespace zeek::analyzer::mqtt


@ -7,7 +7,7 @@
namespace binpac { namespace MQTT { class MQTT_Conn; } }
namespace analyzer { namespace MQTT {
namespace zeek::analyzer::mqtt {
class MQTT_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
@ -28,4 +28,10 @@ protected:
};
} } // namespace analyzer::*
} // namespace zeek::analyzer::mqtt
namespace analyzer::MQTT {
using MQTT_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::mqtt::MQTT_Analyzer.")]] = zeek::analyzer::mqtt::MQTT_Analyzer;
} // namespace analyzer::mqtt
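Review bot: The closing comment on the compatibility block reads `} // namespace analyzer::mqtt`, but the block it closes is opened as `namespace analyzer::MQTT {`. The case matters here, because the commit keeps the old upper-case namespace for the deprecated alias while the new code lives in lower-case `zeek::analyzer::mqtt`. The comment should be `} // namespace analyzer::MQTT` so the two names are not confused.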


@ -12,7 +12,7 @@ public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new zeek::analyzer::Component("MQTT",
::analyzer::MQTT::MQTT_Analyzer::InstantiateAnalyzer));
zeek::analyzer::mqtt::MQTT_Analyzer::InstantiateAnalyzer));
zeek::plugin::Configuration config;
config.name = "Zeek::MQTT";


@ -5,7 +5,7 @@
#include "Reporter.h"
#include "events.bif.h"
using namespace analyzer::MySQL;
namespace zeek::analyzer::mysql {
MySQL_Analyzer::MySQL_Analyzer(zeek::Connection* c)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("MySQL", c)
@ -63,3 +63,5 @@ void MySQL_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
had_gap = true;
interp->NewGap(orig, len);
}
} // namespace zeek::analyzer::mysql


@ -7,7 +7,7 @@
#include "mysql_pac.h"
namespace analyzer { namespace MySQL {
namespace zeek::analyzer::mysql {
class MySQL_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
@ -32,4 +32,10 @@ protected:
bool had_gap;
};
} } // namespace analyzer::*
} // namespace zeek::analyzer::mysql
namespace analyzer::MySQL {
using MySQL_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::mysql::MySQL_Analyzer.")]] = zeek::analyzer::mysql::MySQL_Analyzer;
} // namespace analyzer::MySQL


@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new zeek::analyzer::Component("MySQL", ::analyzer::MySQL::MySQL_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("MySQL", zeek::analyzer::mysql::MySQL_Analyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::MySQL";
config.description = "MySQL analyzer";


@ -12,7 +12,6 @@
#include "consts.bif.h"
using namespace std;
using namespace analyzer::ncp;
#include "NCP.h"
#include "Sessions.h"
@ -23,6 +22,9 @@ using namespace analyzer::ncp;
uint16(xbyte(bytes, 0)) | ((uint16(xbyte(bytes, 1))) << 8) : \
uint16(xbyte(bytes, 1)) | ((uint16(xbyte(bytes, 0))) << 8))
namespace zeek::analyzer::ncp {
namespace detail {
NCP_Session::NCP_Session(zeek::analyzer::Analyzer* a)
: analyzer(a)
{
@ -163,7 +165,9 @@ void NCP_FrameBuffer::compute_msg_length()
msg_len = (msg_len << 8) | data[4+i];
}
Contents_NCP_Analyzer::Contents_NCP_Analyzer(zeek::Connection* conn, bool orig, NCP_Session* arg_session)
} // namespace detail
Contents_NCP_Analyzer::Contents_NCP_Analyzer(zeek::Connection* conn, bool orig, detail::NCP_Session* arg_session)
: zeek::analyzer::tcp::TCP_SupportAnalyzer("CONTENTS_NCP", conn, orig)
{
session = arg_session;
@ -247,7 +251,7 @@ void Contents_NCP_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
NCP_Analyzer::NCP_Analyzer(zeek::Connection* conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("NCP", conn)
{
session = new NCP_Session(this);
session = new detail::NCP_Session(this);
o_ncp = new Contents_NCP_Analyzer(conn, true, session);
AddSupportAnalyzer(o_ncp);
r_ncp = new Contents_NCP_Analyzer(conn, false, session);
@ -258,3 +262,5 @@ NCP_Analyzer::~NCP_Analyzer()
{
delete session;
}
} // namespace zeek::analyzer::ncp


@ -22,7 +22,8 @@
#include "ncp_pac.h"
namespace analyzer { namespace ncp {
namespace zeek::analyzer::ncp {
namespace detail {
// Create a general NCP_Session class so that it can be used in
// case the RPC conversation is tunneled through other connections,
@ -82,17 +83,19 @@ protected:
void compute_msg_length() override;
};
} // namespace detail
class Contents_NCP_Analyzer : public zeek::analyzer::tcp::TCP_SupportAnalyzer {
public:
Contents_NCP_Analyzer(zeek::Connection* conn, bool orig, NCP_Session* session);
Contents_NCP_Analyzer(zeek::Connection* conn, bool orig, detail::NCP_Session* session);
~Contents_NCP_Analyzer() override;
protected:
void DeliverStream(int len, const u_char* data, bool orig) override;
void Undelivered(uint64_t seq, int len, bool orig) override;
NCP_FrameBuffer buffer;
NCP_Session* session;
detail::NCP_FrameBuffer buffer;
detail::NCP_Session* session;
// Re-sync for partial connections (or after a content gap).
bool resync;
@ -109,9 +112,19 @@ public:
protected:
NCP_Session* session;
detail::NCP_Session* session;
Contents_NCP_Analyzer * o_ncp;
Contents_NCP_Analyzer * r_ncp;
};
} } // namespace analyzer::*
} // namespace zeek::analyzer::ncp
namespace analyzer::ncp {
using NCP_Session [[deprecated("Remove in v4.1. Use zeek::analyzer::ncp::detail::NCP_Session.")]] = zeek::analyzer::ncp::detail::NCP_Session;
using FrameBuffer [[deprecated("Remove in v4.1. Use zeek::analyzer::ncp::detail::FrameBuffer.")]] = zeek::analyzer::ncp::detail::FrameBuffer;
using NCP_FrameBuffer [[deprecated("Remove in v4.1. Use zeek::analyzer::ncp::detail::NCP_FrameBuffer.")]] = zeek::analyzer::ncp::detail::NCP_FrameBuffer;
using Contents_NCP_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::ncp::Contents_NCP_Analyzer.")]] = zeek::analyzer::ncp::Contents_NCP_Analyzer;
using NCP_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::ncp::NCP_Analyzer.")]] = zeek::analyzer::ncp::NCP_Analyzer;
} // namespace analyzer::ncp


@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new zeek::analyzer::Component("NCP", ::analyzer::ncp::NCP_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("NCP", zeek::analyzer::ncp::NCP_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("Contents_NCP", nullptr));
zeek::plugin::Configuration config;


@ -13,12 +13,13 @@
#include "events.bif.h"
using namespace analyzer::netbios_ssn;
double netbios_ssn_session_timeout = 15.0;
constexpr double netbios_ssn_session_timeout = 15.0;
#define MAKE_INT16(dest, src) dest = *src; dest <<=8; src++; dest |= *src; src++;
namespace zeek::analyzer::netbios_ssn {
namespace detail {
NetbiosSSN_RawMsgHdr::NetbiosSSN_RawMsgHdr(const u_char*& data, int& len)
{
type = *data; ++data, --len;
@ -48,7 +49,6 @@ NetbiosDGM_RawMsgHdr::NetbiosDGM_RawMsgHdr(const u_char*& data, int& len)
MAKE_INT16(offset, data);; len -= 2;
}
NetbiosSSN_Interpreter::NetbiosSSN_Interpreter(zeek::analyzer::Analyzer* arg_analyzer)
{
analyzer = arg_analyzer;
@ -161,7 +161,6 @@ void NetbiosSSN_Interpreter::ParseMessageTCP(const u_char* data, int len,
void NetbiosSSN_Interpreter::ParseMessageUDP(const u_char* data, int len,
bool is_query)
{
NetbiosDGM_RawMsgHdr hdr(data, len);
if ( unsigned(hdr.length-14) > unsigned(len) )
@ -331,16 +330,17 @@ void NetbiosSSN_Interpreter::Event(zeek::EventHandlerPtr event, const u_char* da
zeek::make_intrusive<zeek::StringVal>(new zeek::String(data, len, false)));
}
} // namespace detail
Contents_NetbiosSSN::Contents_NetbiosSSN(zeek::Connection* conn, bool orig,
NetbiosSSN_Interpreter* arg_interp)
detail::NetbiosSSN_Interpreter* arg_interp)
: zeek::analyzer::tcp::TCP_SupportAnalyzer("CONTENTS_NETBIOSSSN", conn, orig)
{
interp = arg_interp;
type = flags = msg_size = 0;
msg_buf = nullptr;
buf_n = buf_len = msg_size = 0;
state = NETBIOS_SSN_TYPE;
state = detail::NETBIOS_SSN_TYPE;
}
Contents_NetbiosSSN::~Contents_NetbiosSSN()
@ -367,10 +367,10 @@ void Contents_NetbiosSSN::ProcessChunk(int& len, const u_char*& data, bool orig)
{
zeek::analyzer::tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig);
if ( state == NETBIOS_SSN_TYPE )
if ( state == detail::NETBIOS_SSN_TYPE )
{
type = *data;
state = NETBIOS_SSN_FLAGS;
state = detail::NETBIOS_SSN_FLAGS;
++data;
--len;
@ -379,10 +379,10 @@ void Contents_NetbiosSSN::ProcessChunk(int& len, const u_char*& data, bool orig)
return;
}
if ( state == NETBIOS_SSN_FLAGS )
if ( state == detail::NETBIOS_SSN_FLAGS )
{
flags = *data;
state = NETBIOS_SSN_LEN_HI;
state = detail::NETBIOS_SSN_LEN_HI;
++data;
--len;
@ -391,10 +391,10 @@ void Contents_NetbiosSSN::ProcessChunk(int& len, const u_char*& data, bool orig)
return;
}
if ( state == NETBIOS_SSN_LEN_HI )
if ( state == detail::NETBIOS_SSN_LEN_HI )
{
msg_size = (*data) << 8;
state = NETBIOS_SSN_LEN_LO;
state = detail::NETBIOS_SSN_LEN_LO;
++data;
--len;
@ -403,10 +403,10 @@ void Contents_NetbiosSSN::ProcessChunk(int& len, const u_char*& data, bool orig)
return;
}
if ( state == NETBIOS_SSN_LEN_LO )
if ( state == detail::NETBIOS_SSN_LEN_LO )
{
msg_size += *data;
state = NETBIOS_SSN_BUF;
state = detail::NETBIOS_SSN_BUF;
buf_n = 0;
@ -433,7 +433,7 @@ void Contents_NetbiosSSN::ProcessChunk(int& len, const u_char*& data, bool orig)
return;
}
if ( state != NETBIOS_SSN_BUF )
if ( state != detail::NETBIOS_SSN_BUF )
Conn()->Internal("state inconsistency in Contents_NetbiosSSN::Deliver");
int n;
@ -450,14 +450,14 @@ void Contents_NetbiosSSN::ProcessChunk(int& len, const u_char*& data, bool orig)
interp->ParseMessage(type, flags, msg_buf, msg_size, IsOrig());
buf_n = 0;
state = NETBIOS_SSN_TYPE;
state = detail::NETBIOS_SSN_TYPE;
}
NetbiosSSN_Analyzer::NetbiosSSN_Analyzer(zeek::Connection* conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("NETBIOSSSN", conn)
{
//smb_session = new SMB_Session(this);
interp = new NetbiosSSN_Interpreter(this);
interp = new detail::NetbiosSSN_Interpreter(this);
orig_netbios = resp_netbios = nullptr;
did_session_done = 0;
@ -538,3 +538,5 @@ void NetbiosSSN_Analyzer::ExpireTimer(double t)
t + netbios_ssn_session_timeout,
true, zeek::detail::TIMER_NB_EXPIRE);
}
} // namespace zeek::analyzer::netbios_ssn
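Review bot: As far as the hunk shows, `ParseMessageUDP` constructs `NetbiosDGM_RawMsgHdr hdr(data, len)` as its first statement, and the constructor reads header fields from `data` and decrements `len` before anything compares `len` with the header size. If a datagram shorter than the header can reach this function, the reads run past the payload and `len` goes negative; `unsigned(len)` in the `hdr.length-14` comparison is then a very large value and the check no longer rejects the message. A guard ahead of the constructor, `if ( len < 14 ) return;`, would close this unless a caller outside the hunk already guarantees the length; 14 is taken from that comparison and should be confirmed against the header layout. Separately, `netbios_ssn_session_timeout` is now `constexpr`, so it has internal linkage, and it still sits outside the new namespace; moving it inside `zeek::analyzer::netbios_ssn` would match the rest of the change.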


@ -4,11 +4,11 @@
#include "analyzer/protocol/udp/UDP.h"
#include "analyzer/protocol/tcp/TCP.h"
//#include "analyzer/protocol/smb/SMB.h"
namespace analyzer { namespace netbios_ssn {
namespace zeek::analyzer::netbios_ssn {
namespace detail {
typedef enum {
enum NetbiosSSN_Opcode {
NETBIOS_SSN_MSG = 0x0,
NETBIOS_DGM_DIRECT_UNIQUE = 0x10,
NETBIOS_DGM_DIRECT_GROUP = 0x11,
@ -22,7 +22,7 @@ typedef enum {
NETBIOS_SSN_NEG_RESP = 0x83,
NETBIOS_SSN_RETARG_RESP = 0x84,
NETBIOS_SSN_KEEP_ALIVE = 0x85,
} NetbiosSSN_Opcode;
};
// 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
@ -60,6 +60,13 @@ struct NetbiosDGM_RawMsgHdr {
uint16_t offset;
};
enum NetbiosSSN_State {
NETBIOS_SSN_TYPE, // looking for type field
NETBIOS_SSN_FLAGS, // looking for flag field
NETBIOS_SSN_LEN_HI, // looking for high-order byte of length
NETBIOS_SSN_LEN_LO, // looking for low-order byte of length
NETBIOS_SSN_BUF, // building up the message in the buffer
};
class NetbiosSSN_Interpreter {
public:
@ -102,31 +109,24 @@ protected:
//SMB_Session* smb_session;
};
typedef enum {
NETBIOS_SSN_TYPE, // looking for type field
NETBIOS_SSN_FLAGS, // looking for flag field
NETBIOS_SSN_LEN_HI, // looking for high-order byte of length
NETBIOS_SSN_LEN_LO, // looking for low-order byte of length
NETBIOS_SSN_BUF, // building up the message in the buffer
} NetbiosSSN_State;
} // namespace detail
// ### This should be merged with TCP_Contents_RPC, TCP_Contents_DNS.
class Contents_NetbiosSSN final : public zeek::analyzer::tcp::TCP_SupportAnalyzer {
public:
Contents_NetbiosSSN(zeek::Connection* conn, bool orig,
NetbiosSSN_Interpreter* interp);
detail::NetbiosSSN_Interpreter* interp);
~Contents_NetbiosSSN() override;
void Flush(); // process any partially-received data
NetbiosSSN_State State() const { return state; }
detail::NetbiosSSN_State State() const { return state; }
protected:
void DeliverStream(int len, const u_char* data, bool orig) override;
void ProcessChunk(int& len, const u_char*& data, bool orig);
NetbiosSSN_Interpreter* interp;
detail::NetbiosSSN_Interpreter* interp;
unsigned int type;
unsigned int flags;
@ -136,7 +136,7 @@ protected:
int buf_len; // size of msg_buf
int msg_size; // expected size of message
NetbiosSSN_State state;
detail::NetbiosSSN_State state;
};
class NetbiosSSN_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
@ -158,7 +158,7 @@ protected:
void ExpireTimer(double t);
NetbiosSSN_Interpreter* interp;
detail::NetbiosSSN_Interpreter* interp;
//SMB_Session* smb_session;
Contents_NetbiosSSN* orig_netbios;
Contents_NetbiosSSN* resp_netbios;
@ -168,4 +168,37 @@ protected:
// FIXME: Doesn't really fit into new analyzer structure. What to do?
int IsReuse(double t, const u_char* pkt);
} } // namespace analyzer::*
} // namespace zeek::analyzer::netbios_ssn
namespace analyzer::netbios_ssn {
using NetbiosSSN_Opcode [[deprecated("Remove in v4.1. Use zeek::analyzer::netbios_ssn::detail::NetbiosSSN_Opcode.")]] = zeek::analyzer::netbios_ssn::detail::NetbiosSSN_Opcode;
constexpr auto NETBIOS_SSN_MSG [[deprecated("Remove in v4.1. Uze zeek::analyzer::netbios_ssn::detail::NETBIOS_SSN_MSG.")]] = zeek::analyzer::netbios_ssn::detail::NETBIOS_SSN_MSG;
constexpr auto NETBIOS_DGM_DIRECT_UNIQUE [[deprecated("Remove in v4.1. Uze zeek::analyzer::netbios_ssn::detail::NETBIOS_DGM_DIRECT_UNIQUE.")]] = zeek::analyzer::netbios_ssn::detail::NETBIOS_DGM_DIRECT_UNIQUE;
constexpr auto NETBIOS_DGM_DIRECT_GROUP [[deprecated("Remove in v4.1. Uze zeek::analyzer::netbios_ssn::detail::NETBIOS_DGM_DIRECT_GROUP.")]] = zeek::analyzer::netbios_ssn::detail::NETBIOS_DGM_DIRECT_GROUP;
constexpr auto NETBIOS_DGM_BROADCAST [[deprecated("Remove in v4.1. Uze zeek::analyzer::netbios_ssn::detail::NETBIOS_DGM_BROADCAST.")]] = zeek::analyzer::netbios_ssn::detail::NETBIOS_DGM_BROADCAST;
constexpr auto NETBIOS_DGM_ERROR [[deprecated("Remove in v4.1. Uze zeek::analyzer::netbios_ssn::detail::NETBIOS_DGM_ERROR.")]] = zeek::analyzer::netbios_ssn::detail::NETBIOS_DGM_ERROR;
constexpr auto NETBIOS_DGG_QUERY_REQ [[deprecated("Remove in v4.1. Uze zeek::analyzer::netbios_ssn::detail::NETBIOS_DGG_QUERY_REQ.")]] = zeek::analyzer::netbios_ssn::detail::NETBIOS_DGG_QUERY_REQ;
constexpr auto NETBIOS_DGM_POS_RESP [[deprecated("Remove in v4.1. Uze zeek::analyzer::netbios_ssn::detail::NETBIOS_DGM_POS_RESP.")]] = zeek::analyzer::netbios_ssn::detail::NETBIOS_DGM_POS_RESP;
constexpr auto NETBIOS_DGM_NEG_RESP [[deprecated("Remove in v4.1. Uze zeek::analyzer::netbios_ssn::detail::NETBIOS_DGM_NEG_RESP.")]] = zeek::analyzer::netbios_ssn::detail::NETBIOS_DGM_NEG_RESP;
constexpr auto NETBIOS_SSN_REQ [[deprecated("Remove in v4.1. Uze zeek::analyzer::netbios_ssn::detail::NETBIOS_SSN_REQ.")]] = zeek::analyzer::netbios_ssn::detail::NETBIOS_SSN_REQ;
constexpr auto NETBIOS_SSN_POS_RESP [[deprecated("Remove in v4.1. Uze zeek::analyzer::netbios_ssn::detail::NETBIOS_SSN_POS_RESP.")]] = zeek::analyzer::netbios_ssn::detail::NETBIOS_SSN_POS_RESP;
constexpr auto NETBIOS_SSN_NEG_RESP [[deprecated("Remove in v4.1. Uze zeek::analyzer::netbios_ssn::detail::NETBIOS_SSN_NEG_RESP.")]] = zeek::analyzer::netbios_ssn::detail::NETBIOS_SSN_NEG_RESP;
constexpr auto NETBIOS_SSN_RETARG_RESP [[deprecated("Remove in v4.1. Uze zeek::analyzer::netbios_ssn::detail::NETBIOS_SSN_RETARG_RESP.")]] = zeek::analyzer::netbios_ssn::detail::NETBIOS_SSN_RETARG_RESP;
constexpr auto NETBIOS_SSN_KEEP_ALIVE [[deprecated("Remove in v4.1. Uze zeek::analyzer::netbios_ssn::detail::NETBIOS_SSN_KEEP_ALIVE.")]] = zeek::analyzer::netbios_ssn::detail::NETBIOS_SSN_KEEP_ALIVE;
using NetbiosSSN_RawMsgHdr [[deprecated("Remove in v4.1. Use zeek::analyzer::netbios_ssn::detail::NetbiosSSN_RawMsgHdr.")]] = zeek::analyzer::netbios_ssn::detail::NetbiosSSN_RawMsgHdr;
using NetbiosDGM_RawMsgHdr [[deprecated("Remove in v4.1. Use zeek::analyzer::netbios_ssn::detail::NetbiosDGM_RawMsgHdr.")]] = zeek::analyzer::netbios_ssn::detail::NetbiosDGM_RawMsgHdr;
using NetbiosSSN_State [[deprecated("Remove in v4.1. Use zeek::analyzer::netbios_ssn::detail::NetbiosSSN_State.")]] = zeek::analyzer::netbios_ssn::detail::NetbiosSSN_State;
constexpr auto NETBIOS_SSN_TYPE [[deprecated("Remove in v4.1. Uze zeek::analyzer::netbios_ssn::detail::NETBIOS_SSN_TYPE.")]] = zeek::analyzer::netbios_ssn::detail::NETBIOS_SSN_TYPE;
constexpr auto NETBIOS_SSN_FLAGS [[deprecated("Remove in v4.1. Uze zeek::analyzer::netbios_ssn::detail::NETBIOS_SSN_FLAGS.")]] = zeek::analyzer::netbios_ssn::detail::NETBIOS_SSN_FLAGS;
constexpr auto NETBIOS_SSN_LEN_HI [[deprecated("Remove in v4.1. Uze zeek::analyzer::netbios_ssn::detail::NETBIOS_SSN_LEN_HI.")]] = zeek::analyzer::netbios_ssn::detail::NETBIOS_SSN_LEN_HI;
constexpr auto NETBIOS_SSN_LEN_LO [[deprecated("Remove in v4.1. Uze zeek::analyzer::netbios_ssn::detail::NETBIOS_SSN_LEN_LO.")]] = zeek::analyzer::netbios_ssn::detail::NETBIOS_SSN_LEN_LO;
constexpr auto NETBIOS_SSN_BUF [[deprecated("Remove in v4.1. Uze zeek::analyzer::netbios_ssn::detail::NETBIOS_SSN_BUF.")]] = zeek::analyzer::netbios_ssn::detail::NETBIOS_SSN_BUF;
using NetbiosSSN_Interpreter [[deprecated("Remove in v4.1. Use zeek::analyzer::netbios_ssn::detail::NetbiosSSN_Interpreter.")]] = zeek::analyzer::netbios_ssn::detail::NetbiosSSN_Interpreter;
using Contents_NetbiosSSN [[deprecated("Remove in v4.1. Use zeek::analyzer::netbios_ssn::Contents_NetbiosSSN.")]] = zeek::analyzer::netbios_ssn::Contents_NetbiosSSN;
using NetbiosSSN_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::netbios_ssn::NetbiosSSN_Analyzer.")]] = zeek::analyzer::netbios_ssn::NetbiosSSN_Analyzer;
} // namespace analyzer::netbios_ssn


@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new zeek::analyzer::Component("NetbiosSSN", ::analyzer::netbios_ssn::NetbiosSSN_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("NetbiosSSN", zeek::analyzer::netbios_ssn::NetbiosSSN_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("Contents_NetbiosSSN", nullptr));
zeek::plugin::Configuration config;


@ -5,7 +5,7 @@
#include "Reporter.h"
#include "events.bif.h"
using namespace analyzer::ntlm;
namespace zeek::analyzer::ntlm {
NTLM_Analyzer::NTLM_Analyzer(zeek::Connection* c)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("NTLM", c)
@ -54,3 +54,5 @@ void NTLM_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
interp->NewGap(orig, len);
}
} // namespace zeek::analyzer::ntlm


@ -7,7 +7,7 @@
#include "ntlm_pac.h"
namespace analyzer { namespace ntlm {
namespace zeek::analyzer::ntlm {
class NTLM_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
@ -31,4 +31,10 @@ protected:
binpac::NTLM::NTLM_Conn* interp;
};
} } // namespace analyzer::*
} // namespace zeek::analyzer::ntlm
namespace analyzer::ntlm {
using NTLM_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::ntlm::NTLM_Analyzer.")]] = zeek::analyzer::ntlm::NTLM_Analyzer;
} // namespace analyzer::ntlm


@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new zeek::analyzer::Component("NTLM", ::analyzer::ntlm::NTLM_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("NTLM", zeek::analyzer::ntlm::NTLM_Analyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::NTLM";


@ -4,7 +4,7 @@
#include "events.bif.h"
using namespace analyzer::NTP;
namespace zeek::analyzer::ntp {
NTP_Analyzer::NTP_Analyzer(zeek::Connection* c)
: zeek::analyzer::Analyzer("NTP", c)
@ -37,3 +37,5 @@ void NTP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
ProtocolViolation(fmt("Binpac exception: %s", e.c_msg()));
}
}
} // namespace zeek::analyzer::ntp


@ -7,7 +7,7 @@
#include "ntp_pac.h"
namespace analyzer { namespace NTP {
namespace zeek::analyzer::ntp {
class NTP_Analyzer final : public zeek::analyzer::Analyzer {
public:
@ -26,4 +26,10 @@ protected:
binpac::NTP::NTP_Conn* interp;
};
} } // namespace analyzer::*
} // namespace zeek::analyzer::ntp
namespace analyzer::NTP {
using NTP_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::ntp::NTP_Analyzer.")]] = zeek::analyzer::ntp::NTP_Analyzer;
} // namespace analyzer::NTP


@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new zeek::analyzer::Component("NTP", ::analyzer::NTP::NTP_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("NTP", zeek::analyzer::ntp::NTP_Analyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::NTP";


@ -14,7 +14,7 @@
#include "events.bif.h"
using namespace analyzer::pop3;
namespace zeek::analyzer::pop3 {
#undef POP3_CMD_DEF
#define POP3_CMD_DEF(cmd) #cmd,
@ -25,14 +25,13 @@ static const char* pop3_cmd_word[] = {
#define POP3_CMD_WORD(code) ((code >= 0) ? pop3_cmd_word[code] : "(UNKNOWN)")
POP3_Analyzer::POP3_Analyzer(zeek::Connection* conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("POP3", conn)
{
masterState = POP3_START;
subState = POP3_WOK;
state = START;
lastState = START;
masterState = detail::POP3_START;
subState = detail::POP3_WOK;
state = detail::START;
lastState = detail::START;
guessing = false;
waitingForAuthentication = false;
@ -145,7 +144,7 @@ void POP3_Analyzer::ProcessRequest(int length, const char* line)
}
switch ( state ) {
case AUTH_LOGIN:
case detail::AUTH_LOGIN:
// Format: Line 1 - User
// Line 2 - Password
if ( authLines == 1 )
@ -156,7 +155,7 @@ void POP3_Analyzer::ProcessRequest(int length, const char* line)
break;
case AUTH_PLAIN:
case detail::AUTH_PLAIN:
{
// Format: "authorization identity<NUL>authentication
// identity<NUL>password"
@ -195,7 +194,7 @@ void POP3_Analyzer::ProcessRequest(int length, const char* line)
break;
}
case AUTH_CRAM_MD5:
case detail::AUTH_CRAM_MD5:
{ // Format: "user<space>password-hash"
const char* s;
const char* str = (char*) decoded->CheckString();
@ -209,7 +208,7 @@ void POP3_Analyzer::ProcessRequest(int length, const char* line)
break;
}
case AUTH:
case detail::AUTH:
break;
default:
@ -268,8 +267,8 @@ void POP3_Analyzer::ProcessClientCmd()
if ( ! waitingForAuthentication )
{
Weird("pop3_client_command_unknown");
if ( subState == POP3_WOK )
subState = POP3_OK;
if ( subState == detail::POP3_WOK )
subState = detail::POP3_OK;
}
return;
}
@ -279,31 +278,31 @@ void POP3_Analyzer::ProcessClientCmd()
const char* message = tokens.size() > 1 ? tokens[1].c_str() : "";
switch ( cmd_code ) {
case POP3_CMD_ERR:
case POP3_CMD_OK:
case detail::POP3_CMD_ERR:
case detail::POP3_CMD_OK:
Weird("pop3_client_sending_server_commands");
break;
case POP3_CMD_USER:
if ( masterState == POP3_AUTHORIZATION )
case detail::POP3_CMD_USER:
if ( masterState == detail::POP3_AUTHORIZATION )
{
POP3Event(pop3_request, true, cmd, message);
state = USER;
subState = POP3_WOK;
state = detail::USER;
subState = detail::POP3_WOK;
user = message;
}
else
NotAllowed(cmd, "authorization");
break;
case POP3_CMD_PASS:
if ( masterState == POP3_AUTHORIZATION )
case detail::POP3_CMD_PASS:
if ( masterState == detail::POP3_AUTHORIZATION )
{
if ( state == USER )
if ( state == detail::USER )
{
POP3Event(pop3_request, true, cmd, message);
state = PASS;
subState = POP3_WOK;
state = detail::PASS;
subState = detail::POP3_WOK;
password = message;
}
else
@ -314,12 +313,12 @@ void POP3_Analyzer::ProcessClientCmd()
NotAllowed(cmd, "authorization");
break;
case POP3_CMD_APOP:
if ( masterState == POP3_AUTHORIZATION )
case detail::POP3_CMD_APOP:
if ( masterState == detail::POP3_AUTHORIZATION )
{
POP3Event(pop3_request, true, cmd, message);
state = APOP;
subState = POP3_WOK;
state = detail::APOP;
subState = detail::POP3_WOK;
char* arg1 = copy_string(message);
char* e;
@ -333,32 +332,32 @@ void POP3_Analyzer::ProcessClientCmd()
NotAllowed(cmd, "authorization");
break;
case POP3_CMD_AUTH:
if ( masterState == POP3_AUTHORIZATION )
case detail::POP3_CMD_AUTH:
if ( masterState == detail::POP3_AUTHORIZATION )
{
POP3Event(pop3_request, true, cmd, message);
if ( ! *message )
{
requestForMultiLine = true;
state = AUTH;
subState = POP3_WOK;
state = detail::AUTH;
subState = detail::POP3_WOK;
}
else
{
if ( strstr(message, "LOGIN") )
state = AUTH_LOGIN;
state = detail::AUTH_LOGIN;
else if ( strstr(message, "PLAIN") )
state = AUTH_PLAIN;
state = detail::AUTH_PLAIN;
else if ( strstr(message, "CRAM-MD5") )
state = AUTH_CRAM_MD5;
state = detail::AUTH_CRAM_MD5;
else
{
state = AUTH;
state = detail::AUTH;
POP3Event(pop3_unexpected, true, cmd,
fmt("unknown AUTH method %s", message));
}
subState = POP3_WOK;
subState = detail::POP3_WOK;
waitingForAuthentication = true;
authLines = 0;
}
@ -368,31 +367,31 @@ void POP3_Analyzer::ProcessClientCmd()
"pass must follow the command 'USER'");
break;
case POP3_CMD_STAT:
if ( masterState == POP3_TRANSACTION )
case detail::POP3_CMD_STAT:
if ( masterState == detail::POP3_TRANSACTION )
{
POP3Event(pop3_request, true, cmd, message);
subState = POP3_WOK;
state = STAT;
subState = detail::POP3_WOK;
state = detail::STAT;
}
else
NotAllowed(cmd, "transaction");
break;
case POP3_CMD_LIST:
if ( masterState == POP3_TRANSACTION )
case detail::POP3_CMD_LIST:
if ( masterState == detail::POP3_TRANSACTION )
{
POP3Event(pop3_request, true, cmd, message);
if ( ! *message )
{
requestForMultiLine = true;
state = LIST;
subState = POP3_WOK;
state = detail::LIST;
subState = detail::POP3_WOK;
}
else
{
state = LIST;
subState = POP3_WOK;
state = detail::LIST;
subState = detail::POP3_WOK;
}
}
else
@ -401,148 +400,148 @@ void POP3_Analyzer::ProcessClientCmd()
requestForMultiLine = true;
guessing = true;
lastState = LIST;
lastState = detail::LIST;
NotAllowed(cmd, "transaction");
}
break;
case POP3_CMD_RETR:
case detail::POP3_CMD_RETR:
requestForMultiLine = true;
if ( masterState == POP3_TRANSACTION )
if ( masterState == detail::POP3_TRANSACTION )
{
POP3Event(pop3_request, true, cmd, message);
subState = POP3_WOK;
state = RETR;
subState = detail::POP3_WOK;
state = detail::RETR;
}
else
{
guessing = true;
lastState = RETR;
lastState = detail::RETR;
NotAllowed(cmd, "transaction");
}
break;
case POP3_CMD_DELE:
if ( masterState == POP3_TRANSACTION )
case detail::POP3_CMD_DELE:
if ( masterState == detail::POP3_TRANSACTION )
{
POP3Event(pop3_request, true, cmd, message);
subState = POP3_WOK;
state = DELE;
subState = detail::POP3_WOK;
state = detail::DELE;
}
else
{
guessing = true;
lastState = DELE;
lastState = detail::DELE;
NotAllowed(cmd, "transaction");
}
break;
case POP3_CMD_RSET:
if ( masterState == POP3_TRANSACTION )
case detail::POP3_CMD_RSET:
if ( masterState == detail::POP3_TRANSACTION )
{
POP3Event(pop3_request, true, cmd, message);
subState = POP3_WOK;
state = RSET;
subState = detail::POP3_WOK;
state = detail::RSET;
}
else
{
guessing = true;
lastState = RSET;
lastState = detail::RSET;
NotAllowed(cmd, "transaction");
}
break;
case POP3_CMD_NOOP:
if ( masterState == POP3_TRANSACTION )
case detail::POP3_CMD_NOOP:
if ( masterState == detail::POP3_TRANSACTION )
{
POP3Event(pop3_request, true, cmd, message);
subState = POP3_WOK;
state = NOOP;
subState = detail::POP3_WOK;
state = detail::NOOP;
}
else
{
guessing = true;
lastState = NOOP;
lastState = detail::NOOP;
NotAllowed(cmd, "transaction");
}
break;
case POP3_CMD_LAST:
if ( masterState == POP3_TRANSACTION )
case detail::POP3_CMD_LAST:
if ( masterState == detail::POP3_TRANSACTION )
{
POP3Event(pop3_request, true, cmd, message);
subState = POP3_WOK;
state = LAST;
subState = detail::POP3_WOK;
state = detail::LAST;
}
else
{
guessing = true;
lastState = LAST;
lastState = detail::LAST;
NotAllowed(cmd, "transaction");
}
break;
case POP3_CMD_QUIT:
if ( masterState == POP3_AUTHORIZATION ||
masterState == POP3_TRANSACTION ||
masterState == POP3_START )
case detail::POP3_CMD_QUIT:
if ( masterState == detail::POP3_AUTHORIZATION ||
masterState == detail::POP3_TRANSACTION ||
masterState == detail::POP3_START )
{
POP3Event(pop3_request, true, cmd, message);
subState = POP3_WOK;
state = QUIT;
subState = detail::POP3_WOK;
state = detail::QUIT;
}
else
{
guessing = true;
lastState = LAST;
lastState = detail::LAST;
NotAllowed(cmd, "transaction");
}
break;
case POP3_CMD_TOP:
case detail::POP3_CMD_TOP:
requestForMultiLine = true;
if ( masterState == POP3_TRANSACTION )
if ( masterState == detail::POP3_TRANSACTION )
{
POP3Event(pop3_request, true, cmd, message);
subState = POP3_WOK;
state = TOP;
subState = detail::POP3_WOK;
state = detail::TOP;
}
else
{
guessing = true;
lastState = TOP;
lastState = detail::TOP;
NotAllowed(cmd, "transaction");
}
break;
case POP3_CMD_CAPA:
case detail::POP3_CMD_CAPA:
POP3Event(pop3_request, true, cmd, message);
subState = POP3_WOK;
state = CAPA;
subState = detail::POP3_WOK;
state = detail::CAPA;
requestForMultiLine = true;
break;
case POP3_CMD_STLS:
case detail::POP3_CMD_STLS:
POP3Event(pop3_request, true, cmd, message);
subState = POP3_WOK;
state = STLS;
subState = detail::POP3_WOK;
state = detail::STLS;
break;
case POP3_CMD_UIDL:
if ( masterState == POP3_TRANSACTION )
case detail::POP3_CMD_UIDL:
if ( masterState == detail::POP3_TRANSACTION )
{
POP3Event(pop3_request, true, cmd, message);
if ( ! *message )
{
requestForMultiLine = true;
state = UIDL;
subState = POP3_WOK;
state = detail::UIDL;
subState = detail::POP3_WOK;
}
else
{
state = UIDL;
subState = POP3_WOK;
state = detail::UIDL;
subState = detail::POP3_WOK;
}
}
else
@ -551,22 +550,22 @@ void POP3_Analyzer::ProcessClientCmd()
requestForMultiLine = true;
guessing = true;
lastState = UIDL;
lastState = detail::UIDL;
NotAllowed(cmd, "transaction");
}
break;
case POP3_CMD_XSENDER:
if ( masterState == POP3_TRANSACTION )
case detail::POP3_CMD_XSENDER:
if ( masterState == detail::POP3_TRANSACTION )
{
POP3Event(pop3_request, true, cmd, message);
subState = POP3_WOK;
state = LAST;
subState = detail::POP3_WOK;
state = detail::LAST;
}
else
{
guessing = true;
lastState = XSENDER;
lastState = detail::XSENDER;
NotAllowed(cmd, "transaction");
}
break;
@ -610,7 +609,7 @@ void POP3_Analyzer::ProcessReply(int length, const char* line)
}
else
{
if ( state == RETR || state == TOP )
if ( state == detail::RETR || state == detail::TOP )
{
int data_len = end_of_line - line;
ProcessData(data_len, line);
@ -642,8 +641,8 @@ void POP3_Analyzer::ProcessReply(int length, const char* line)
line, length);
Weird("pop3_server_command_unknown");
if ( subState == POP3_WOK )
subState = POP3_OK;
if ( subState == detail::POP3_WOK )
subState = detail::POP3_OK;
}
return;
}
@ -653,13 +652,13 @@ void POP3_Analyzer::ProcessReply(int length, const char* line)
const char* message = tokens.size() > 1 ? tokens[1].c_str() : "";
switch ( cmd_code ) {
case POP3_CMD_OK:
if ( subState == POP3_WOK )
subState = POP3_OK;
case detail::POP3_CMD_OK:
if ( subState == detail::POP3_WOK )
subState = detail::POP3_OK;
if ( guessing )
{
masterState = POP3_TRANSACTION;
masterState = detail::POP3_TRANSACTION;
guessing = false;
state = lastState;
POP3Event(pop3_unexpected, false, cmd,
@ -667,43 +666,43 @@ void POP3_Analyzer::ProcessReply(int length, const char* line)
}
switch ( state ) {
case START:
masterState = POP3_AUTHORIZATION;
case detail::START:
masterState = detail::POP3_AUTHORIZATION;
break;
case USER:
state = USER;
masterState = POP3_AUTHORIZATION;
case detail::USER:
state = detail::USER;
masterState = detail::POP3_AUTHORIZATION;
ProtocolConfirmation();
break;
case PASS:
case APOP:
case NOOP:
case LAST:
case STAT:
case RSET:
case DELE:
case XSENDER:
if ( masterState == POP3_AUTHORIZATION )
case detail::PASS:
case detail::APOP:
case detail::NOOP:
case detail::LAST:
case detail::STAT:
case detail::RSET:
case detail::DELE:
case detail::XSENDER:
if ( masterState == detail::POP3_AUTHORIZATION )
AuthSuccessfull();
masterState = POP3_TRANSACTION;
masterState = detail::POP3_TRANSACTION;
break;
case AUTH:
case AUTH_PLAIN:
case AUTH_CRAM_MD5:
case AUTH_LOGIN:
case detail::AUTH:
case detail::AUTH_PLAIN:
case detail::AUTH_CRAM_MD5:
case detail::AUTH_LOGIN:
if ( requestForMultiLine == true )
multiLine = true;
if ( waitingForAuthentication )
masterState = POP3_TRANSACTION;
masterState = detail::POP3_TRANSACTION;
waitingForAuthentication = false;
AuthSuccessfull();
break;
case TOP:
case RETR:
case detail::TOP:
case detail::RETR:
{
int data_len = end_of_line - line;
if ( ! mail )
@ -715,29 +714,29 @@ void POP3_Analyzer::ProcessReply(int length, const char* line)
break;
}
case CAPA:
case detail::CAPA:
ProtocolConfirmation();
// Fall-through.
case UIDL:
case LIST:
case detail::UIDL:
case detail::LIST:
if (requestForMultiLine == true)
multiLine = true;
break;
case STLS:
case detail::STLS:
ProtocolConfirmation();
tls = true;
StartTLS();
return;
case QUIT:
if ( masterState == POP3_AUTHORIZATION ||
masterState == POP3_START )
masterState = POP3_FINISHED;
case detail::QUIT:
if ( masterState == detail::POP3_AUTHORIZATION ||
masterState == detail::POP3_START )
masterState = detail::POP3_FINISHED;
else if ( masterState == POP3_TRANSACTION )
masterState = POP3_UPDATE;
else if ( masterState == detail::POP3_TRANSACTION )
masterState = detail::POP3_UPDATE;
break;
}
@ -749,9 +748,9 @@ void POP3_Analyzer::ProcessReply(int length, const char* line)
FinishClientCmd();
break;
case POP3_CMD_ERR:
if ( subState == POP3_WOK )
subState = POP3_OK;
case detail::POP3_CMD_ERR:
if ( subState == detail::POP3_WOK )
subState = detail::POP3_OK;
multiLine = false;
requestForMultiLine = false;
@ -759,18 +758,18 @@ void POP3_Analyzer::ProcessReply(int length, const char* line)
waitingForAuthentication = false;
switch ( state ) {
case START:
case detail::START:
break;
case USER:
case PASS:
case APOP:
case AUTH:
case AUTH_LOGIN:
case AUTH_PLAIN:
case AUTH_CRAM_MD5:
masterState = POP3_AUTHORIZATION;
state = START;
case detail::USER:
case detail::PASS:
case detail::APOP:
case detail::AUTH:
case detail::AUTH_LOGIN:
case detail::AUTH_PLAIN:
case detail::AUTH_CRAM_MD5:
masterState = detail::POP3_AUTHORIZATION;
state = detail::START;
waitingForAuthentication = false;
if ( user.size() )
@ -778,27 +777,27 @@ void POP3_Analyzer::ProcessReply(int length, const char* line)
user.c_str(), password.c_str());
break;
case NOOP:
case LAST:
case STAT:
case RSET:
case DELE:
case LIST:
case RETR:
case UIDL:
case TOP:
case XSENDER:
masterState = POP3_TRANSACTION;
case detail::NOOP:
case detail::LAST:
case detail::STAT:
case detail::RSET:
case detail::DELE:
case detail::LIST:
case detail::RETR:
case detail::UIDL:
case detail::TOP:
case detail::XSENDER:
masterState = detail::POP3_TRANSACTION;
break;
case CAPA:
case detail::CAPA:
break;
case QUIT:
if ( masterState == POP3_AUTHORIZATION ||
masterState == POP3_TRANSACTION ||
masterState == POP3_START )
masterState = POP3_FINISHED;
case detail::QUIT:
if ( masterState == detail::POP3_AUTHORIZATION ||
masterState == detail::POP3_TRANSACTION ||
masterState == detail::POP3_START )
masterState = detail::POP3_FINISHED;
break;
}
@ -839,7 +838,7 @@ void POP3_Analyzer::AuthSuccessfull()
void POP3_Analyzer::BeginData(bool orig)
{
delete mail;
mail = new mime::MIME_Mail(this, orig);
mail = new zeek::analyzer::mime::MIME_Mail(this, orig);
}
void POP3_Analyzer::EndData()
@ -864,7 +863,7 @@ int POP3_Analyzer::ParseCmd(std::string cmd)
if ( cmd.size() == 0 )
return -1;
for ( int code = POP3_CMD_OK; code < POP3_CMD_END; ++code )
for ( int code = detail::POP3_CMD_OK; code < detail::POP3_CMD_END; ++code )
{
char c = cmd.c_str()[0];
if ( c == '+' || c == '-' )
@ -929,3 +928,5 @@ void POP3_Analyzer::POP3Event(zeek::EventHandlerPtr event, bool is_orig,
EnqueueConnEvent(event, std::move(vl));
}
} // namespace zeek::analyzer::pop3
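Review bot: In `ProcessClientCmd`, the `detail::POP3_CMD_QUIT` fallback branch stores `lastState = detail::LAST` and the `detail::POP3_CMD_XSENDER` accepted branch stores `state = detail::LAST`, while every other command records its own state; both values are carried over unchanged from the unqualified names, so the namespace move preserves what looks like a copy-paste slip. Because `ProcessReply` restores `state = lastState` when `guessing` is set, a QUIT taken through that branch is then handled under the LAST case and moves `masterState` to `detail::POP3_TRANSACTION` instead of reaching the QUIT handling, which would leave the analyzer's session state out of step with the server. I would change these to `lastState = detail::QUIT;` and `state = detail::XSENDER;`, or add a comment saying the reuse of LAST is intended. Parts of both functions lie outside the hunks shown, so this should be confirmed against the full switch.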
