diff --git a/CHANGES b/CHANGES
index 80f97a0258..83149f48dc 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,13 @@
+
+4.2.0-dev.194 | 2021-09-21 17:56:14 +0200
+
+  * Optimize software framework version parsing by adding a small
+    cache in front of the parse method, and moving the parsing itself
+    to the proxies where the caching can be more efficient. (Justin
+    Azoff, Corelight)
+
+  * Add further mappings for MS-OAUT IDispatch methods. (FOX-DS)
+
 4.2.0-dev.189 | 2021-09-21 07:45:11 -0700
 
   * Add btests for new functionality (Christian Kreibich, Corelight)
diff --git a/VERSION b/VERSION
index ff46676803..6b60aec92f 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-4.2.0-dev.189
+4.2.0-dev.194
diff --git a/scripts/base/frameworks/software/main.zeek b/scripts/base/frameworks/software/main.zeek
index fc5b9fb1e3..5704ee98b9 100644
--- a/scripts/base/frameworks/software/main.zeek
+++ b/scripts/base/frameworks/software/main.zeek
@@ -238,6 +238,18 @@ function parse(unparsed_version: string): Description
 	return [$version=v, $unparsed_version=unparsed_version, $name=alternate_names[software_name]];
 	}
 
+global parse_cache: table[string] of Description &read_expire=65secs;
+
+# Call parse, but cache results in the parse_cache table
+function parse_with_cache(unparsed_version: string): Description
+	{
+	if (unparsed_version in parse_cache)
+		return parse_cache[unparsed_version];
+
+	local res = parse(unparsed_version);
+	parse_cache[unparsed_version] = res;
+	return res;
+	}
 
 function parse_mozilla(unparsed_version: string): Description
 	{
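Review bot: `parse_cache` is keyed on `unparsed_version`, a string that normally originates in the monitored traffic, and `&read_expire=65secs` bounds how long an entry lives but not how many distinct keys accumulate inside that window, so a burst of unique version strings grows the table until expiry catches up with it. That is probably an acceptable trade-off for a per-proxy cache, but the 65-second choice is explained nowhere in the hunk and cannot be tuned without editing the base script. A one-line comment above the `global` stating why that interval was picked, and routing it through a redef-able constant such as `const parse_cache_expire = 65secs &redef;` referenced from the attribute, would let operators shorten it under memory pressure. The comment on `parse_with_cache` could additionally say that the cache is per-node and that a hit returns the `Description` stored by the first parse of that string.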
@@ -464,8 +476,25 @@ function software_fmt(i: Info): string
 	return fmt("%s %s", i$name, software_fmt_version(i$version));
 	}
 
+# Parse unparsed_version if needed before raising register event
+# This is used to maintain the behavior of the exported Software::register
+# event that expects a pre-parsed 'name' field.
+event Software::new(info: Info)
+	{
+	if ( ! info?$version )
+		{
+		local sw = parse_with_cache(info$unparsed_version);
+		info$unparsed_version = sw$unparsed_version;
+		info$name = sw$name;
+		info$version = sw$version;
+		}
+
+	event Software::register(info);
+	}
+
 event Software::register(info: Info)
 	{
+
 	local ts: SoftwareSet;
 
 	if ( info$host in tracked )
@@ -514,19 +543,10 @@ function found(id: conn_id, info: Info): bool
 		return F;
 		}
 
-	if ( ! info?$version )
-		{
-		local sw = parse(info$unparsed_version);
-		info$unparsed_version = sw$unparsed_version;
-		info$name = sw$name;
-		info$version = sw$version;
-		}
-
 	@if ( Cluster::is_enabled() )
-		Cluster::publish_hrw(Cluster::proxy_pool, info$host, Software::register,
-		                     info);
+		Cluster::publish_hrw(Cluster::proxy_pool, info$host, Software::new, info);
 	@else
-		event Software::register(info);
+		event Software::new(info);
 	@endif
 
 	return T;
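Review bot: `Software::new` reads `info$unparsed_version` whenever `$version` is absent and the hunk shows no check that the field is set; if `unparsed_version` is optional in `Info` (its declaration is outside the hunk), an `Info` carrying neither field now fails inside this handler, which in cluster mode runs on the proxy selected by `publish_hrw` rather than on the worker that saw the connection, so the error surfaces far from its cause. A guard such as `if ( ! info?$version && info?$unparsed_version )`, or an explicit reporter message before the parse, would keep that failure local and visible. The comment header should also state that in cluster mode this handler executes on the proxy, since that placement is the reason parsing moved here from `found`. The lone blank line added after the opening brace of `Software::register` looks like a leftover and could be dropped.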
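Review bot: The `@if ( Cluster::is_enabled() )` branch in `found` now hands the raw `unparsed_version` to the proxy pool keyed on `info$host`, which is presumably what makes `parse_cache` pay off (every sighting for a host lands on the same proxy), but nothing in the hunk says so, and a reader of `found` alone no longer sees where parsing happens. A comment above the `@if`, e.g. `# Parsing now happens in Software::new; in cluster mode that runs on the proxy HRW-selected by host, so its parse cache sees all of a host's version strings.`, would record the intent. The body of `found` begins before the hunk.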