Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-11 19:18:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Merge branch 'topic/corelight/reporter-hook' of https://github.com/corelight/bro

Browse source 
* 'topic/corelight/reporter-hook' of https://github.com/corelight/bro:
  Add reporter hook.
This commit is contained in:
Jon Siwek 2017-11-21 12:19:28 -06:00
commit 787b1e6bf2
13 changed files with 287 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

46
src/plugin/Manager.cc
View file

@ -841,6 +841,52 @@ bool Manager::HookLogWrite(const std::string& writer,
return result;
}
bool Manager::HookReporter(const std::string& prefix, const EventHandlerPtr event,
const Connection* conn, const val_list* addl, bool location,
const Location* location1, const Location* location2,
bool time, const std::string& message)
{
HookArgumentList args;
if ( HavePluginForHook(META_HOOK_PRE) )
{
args.push_back(HookArgument(prefix));
args.push_back(HookArgument(conn));
args.push_back(HookArgument(addl));
args.push_back(HookArgument(location1));
args.push_back(HookArgument(location2));
args.push_back(HookArgument(location));
args.push_back(HookArgument(time));
args.push_back(HookArgument(message));
MetaHookPre(HOOK_REPORTER, args);
}
hook_list* l = hooks[HOOK_REPORTER];
bool result = true;
if ( l )
{
for ( hook_list::iterator i = l->begin(); i != l->end(); ++i )
{
Plugin* p = (*i).second;
if ( ! p->HookReporter(prefix, event, conn, addl, location, location1, location2, time, message) )
{
result = false;
break;
}
}
}
if ( HavePluginForHook(META_HOOK_POST) )
MetaHookPost(HOOK_REPORTER, args, HookArgument(result));
return result;
}
void Manager::MetaHookPre(HookType hook, const HookArgumentList& args) const
{
hook_list* l = hooks[HOOK_CALL_FUNCTION];

33
src/plugin/Manager.h
View file

@ -355,6 +355,39 @@ public:
int num_fields, const threading::Field* const* fields,
threading::Value** vals) const;
/**
* Hook into reporting. This method will be called for each reporter call
* made; this includes weirds. The method cannot manipulate the data at
* the current time; however it is possible to prevent script-side events
* from being called by returning false.
*
* @param prefix The prefix passed by the reporter framework
*
* @param event The event to be called
*
* @param conn The associated connection
*
* @param addl Additional Bro values; typically will be passed to the event
* by the reporter framework.
*
* @param location True if event expects location information
*
* @param location1 First location
*
* @param location2 Second location
*
* @param time True if event expects time information
*
* @param message Message supplied by the reporter framework
*
* @return true if event should be called by the reporter framework, false
* if the event call should be skipped
*/
bool HookReporter(const std::string& prefix, const EventHandlerPtr event,
const Connection* conn, const val_list* addl, bool location,
const Location* location1, const Location* location2,
bool time, const std::string& message);
/**
* Internal method that registers a freshly instantiated plugin with
* the manager.

18
src/plugin/Plugin.cc
View file

@ -208,6 +208,16 @@ void HookArgument::Describe(ODesc* d) const
d->Add("}");
}
break;
case LOCATION:
if ( arg.loc )
{
arg.loc->Describe(d);
}
else
{
d->Add("<no location>");
}
}
}
@ -393,6 +403,14 @@ bool Plugin::HookLogWrite(const std::string& writer, const std::string& filter,
return true;
}
bool Plugin::HookReporter(const std::string& prefix, const EventHandlerPtr event,
const Connection* conn, const val_list* addl, bool location,
const Location* location1, const Location* location2,
bool time, const std::string& message)
{
return true;
}
void Plugin::MetaHookPre(HookType hook, const HookArgumentList& args)
{
}

42
src/plugin/Plugin.h
View file

@ -48,6 +48,7 @@ enum HookType {
HOOK_SETUP_ANALYZER_TREE, //< Activates Plugin::HookAddToAnalyzerTree
HOOK_LOG_INIT, //< Activates Plugin::HookLogInit
HOOK_LOG_WRITE, //< Activates Plugin::HookLogWrite
HOOK_REPORTER, //< Activates Plugin::HookReporter
// Meta hooks.
META_HOOK_PRE, //< Activates Plugin::MetaHookPre().
@ -172,7 +173,7 @@ public:
*/
enum Type {
BOOL, DOUBLE, EVENT, FRAME, FUNC, FUNC_RESULT, INT, STRING, VAL,
VAL_LIST, VOID, VOIDP, WRITER_INFO, CONN, THREAD_FIELDS
VAL_LIST, VOID, VOIDP, WRITER_INFO, CONN, THREAD_FIELDS, LOCATION
};
/**
@ -250,6 +251,11 @@ public:
*/
explicit HookArgument(const std::pair<int, const threading::Field* const*> fpair) { type = THREAD_FIELDS; tfields = fpair; }
/**
* Constructor with a location argument.
*/
explicit HookArgument(const Location* location) { type = LOCATION; arg.loc = location; }
/**
* Returns the value for a boolen argument. The argument's type must
* match accordingly.
@ -360,6 +366,7 @@ private:
const val_list* vals;
const void* voidp;
const logging::WriterBackend::WriterInfo* winfo;
const Location* loc;
} arg;
// Outside union because these have dtors.
@ -781,6 +788,39 @@ protected:
const threading::Field* const* fields,
threading::Value** vals);
/**
* Hook into reporting. This method will be called for each reporter call
* made; this includes weirds. The method cannot manipulate the data at
* the current time; however it is possible to prevent script-side events
* from being called by returning false.
*
* @param prefix The prefix passed by the reporter framework
*
* @param event The event to be called
*
* @param conn The associated connection
*
* @param addl Additional Bro values; typically will be passed to the event
* by the reporter framework.
*
* @param location True if event expects location information
*
* @param location1 First location
*
* @param location2 Second location
*
* @param time True if event expects time information
*
* @param message Message supplied by the reporter framework
*
* @return true if event should be called by the reporter framework, false
* if the event call should be skipped
*/
virtual bool HookReporter(const std::string& prefix, const EventHandlerPtr event,
const Connection* conn, const val_list* addl, bool location,
const Location* location1, const Location* location2,
bool time, const std::string& message);
// Meta hooks.
/**