Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-16 13:38:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Merge remote-tracking branch 'origin/topic/justin/software-framework-parse-cache'

Browse source 
* origin/topic/justin/software-framework-parse-cache:
  Restore behavior of Software::register event
  Optimzie software framework version parsing
This commit is contained in:
Robin Sommer 2021-09-21 17:40:05 +02:00
commit 74680bf4e6
3 changed files with 42 additions and 12 deletions
Download patch file Download diff file Expand all files Collapse all files

10
CHANGES
View file

@ -1,3 +1,13 @@
4.2.0-dev.194 | 2021-09-21 17:56:14 +0200
* Optimize software framework version parsing by adding a small
cache in front of the parse method, and moving the parsing itself
to the proxies where the caching can be more efficient. (Justin
Azoff, Corelight)
* Add further mappings for MS-OAUT IDispatch methods. (FOX-DS)
4.2.0-dev.189 | 2021-09-21 07:45:11 -0700 4.2.0-dev.189 | 2021-09-21 07:45:11 -0700
* Add btests for new functionality (Christian Kreibich, Corelight) * Add btests for new functionality (Christian Kreibich, Corelight)

2
VERSION
View file

@ -1 +1 @@
4.2.0-dev.189 4.2.0-dev.194

42
scripts/base/frameworks/software/main.zeek
View file

@ -238,6 +238,18 @@ function parse(unparsed_version: string): Description
return [$version=v, $unparsed_version=unparsed_version, $name=alternate_names[software_name]]; return [$version=v, $unparsed_version=unparsed_version, $name=alternate_names[software_name]];
} }
global parse_cache: table[string] of Description &read_expire=65secs;
# Call parse, but cache results in the parse_cache table
function parse_with_cache(unparsed_version: string): Description
{
if (unparsed_version in parse_cache)
return parse_cache[unparsed_version];
local res = parse(unparsed_version);
parse_cache[unparsed_version] = res;
return res;
}
function parse_mozilla(unparsed_version: string): Description function parse_mozilla(unparsed_version: string): Description
{ {
@ -464,8 +476,25 @@ function software_fmt(i: Info): string
return fmt("%s %s", i$name, software_fmt_version(i$version)); return fmt("%s %s", i$name, software_fmt_version(i$version));
} }
# Parse unparsed_version if needed before raising register event
# This is used to maintain the behavior of the exported Software::register
# event that expects a pre-parsed 'name' field.
event Software::new(info: Info)
{
if ( ! info?$version )
{
local sw = parse_with_cache(info$unparsed_version);
info$unparsed_version = sw$unparsed_version;
info$name = sw$name;
info$version = sw$version;
}
event Software::register(info);
}
event Software::register(info: Info) event Software::register(info: Info)
{ {
local ts: SoftwareSet; local ts: SoftwareSet;
if ( info$host in tracked ) if ( info$host in tracked )
@ -514,19 +543,10 @@ function found(id: conn_id, info: Info): bool
return F; return F;
} }
if ( ! info?$version )
{
local sw = parse(info$unparsed_version);
info$unparsed_version = sw$unparsed_version;
info$name = sw$name;
info$version = sw$version;
}
@if ( Cluster::is_enabled() ) @if ( Cluster::is_enabled() )
Cluster::publish_hrw(Cluster::proxy_pool, info$host, Software::register, Cluster::publish_hrw(Cluster::proxy_pool, info$host, Software::new, info);
info);
@else @else
event Software::register(info); event Software::new(info);
@endif @endif
return T; return T;