Merge remote-tracking branch 'origin/topic/justin/software-framework-parse-cache'

* origin/topic/justin/software-framework-parse-cache: Restore behavior of Software::register event Optimzie software framework version parsing
2025-10-16 05:28:20 +00:00 · 2021-09-21 17:40:05 +02:00 · 2021-09-21 17:40:05 +02:00 · 74680bf4e6
commit 74680bf4e6
parent 2fc12d5bed ef5fb790ef
3 changed files with 42 additions and 12 deletions
--- a/10
+++ b/10
@ -1,3 +1,13 @@
+
+4.2.0-dev.194 | 2021-09-21 17:56:14 +0200
+
+  * Optimize software framework version parsing by adding a small
+    cache in front of the parse method, and moving the parsing itself
+    to the proxies where the caching can be more efficient. (Justin
+    Azoff, Corelight)
+
+  * Add further mappings for MS-OAUT IDispatch methods. (FOX-DS)
+
 4.2.0-dev.189 | 2021-09-21 07:45:11 -0700

  * Add btests for new functionality (Christian Kreibich, Corelight)
--- a/2
+++ b/2
@ -1 +1 @@
-4.2.0-dev.189
+4.2.0-dev.194
--- a/scripts/base/frameworks/software/main.zeek
+++ b/scripts/base/frameworks/software/main.zeek
@ -238,6 +238,18 @@ function parse(unparsed_version: string): Description
 	return [$version=v, $unparsed_version=unparsed_version, $name=alternate_names[software_name]];
 	}

+global parse_cache: table[string] of Description &read_expire=65secs;
+
+# Call parse, but cache results in the parse_cache table
+function parse_with_cache(unparsed_version: string): Description
+	{
+	if (unparsed_version in parse_cache)
+		return parse_cache[unparsed_version];
+	
+	local res = parse(unparsed_version);
+	parse_cache[unparsed_version] = res;
+	return res;
+	}

 function parse_mozilla(unparsed_version: string): Description
 	{
@ -464,8 +476,25 @@ function software_fmt(i: Info): string
 	return fmt("%s %s", i$name, software_fmt_version(i$version));
 	}

+# Parse unparsed_version if needed before raising register event
+# This is used to maintain the behavior of the exported Software::register
+# event that expects a pre-parsed 'name' field.
+event Software::new(info: Info)
+	{
+	if ( ! info?$version )
+		{
+		local sw = parse_with_cache(info$unparsed_version);
+		info$unparsed_version = sw$unparsed_version;
+		info$name = sw$name;
+		info$version = sw$version;
+		}
+
+	event Software::register(info);
+	}
+
 event Software::register(info: Info)
 	{
+
 	local ts: SoftwareSet;

 	if ( info$host in tracked )
@ -514,19 +543,10 @@ function found(id: conn_id, info: Info): bool
 		return F;
 		}

-	if ( ! info?$version )
-		{
-		local sw = parse(info$unparsed_version);
-		info$unparsed_version = sw$unparsed_version;
-		info$name = sw$name;
-		info$version = sw$version;
-		}
-
 	@if ( Cluster::is_enabled() )
-		Cluster::publish_hrw(Cluster::proxy_pool, info$host, Software::register,
-		                     info);
+		Cluster::publish_hrw(Cluster::proxy_pool, info$host, Software::new, info);
 	@else
-		event Software::register(info);
+		event Software::new(info);
 	@endif

 	return T;