Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-07 17:18:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Merge branch 'topic/corelight/reporter-hook' of https://github.com/corelight/bro

Browse source 
* 'topic/corelight/reporter-hook' of https://github.com/corelight/bro:
  Add reporter hook.
This commit is contained in:
Jon Siwek 2017-11-21 12:19:28 -06:00
commit 787b1e6bf2
13 changed files with 287 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

42
src/plugin/Plugin.h
View file

@ -48,6 +48,7 @@ enum HookType {
HOOK_SETUP_ANALYZER_TREE, //< Activates Plugin::HookAddToAnalyzerTree
HOOK_LOG_INIT, //< Activates Plugin::HookLogInit
HOOK_LOG_WRITE, //< Activates Plugin::HookLogWrite
HOOK_REPORTER, //< Activates Plugin::HookReporter
// Meta hooks.
META_HOOK_PRE, //< Activates Plugin::MetaHookPre().
@ -172,7 +173,7 @@ public:
*/
enum Type {
BOOL, DOUBLE, EVENT, FRAME, FUNC, FUNC_RESULT, INT, STRING, VAL,
VAL_LIST, VOID, VOIDP, WRITER_INFO, CONN, THREAD_FIELDS
VAL_LIST, VOID, VOIDP, WRITER_INFO, CONN, THREAD_FIELDS, LOCATION
};
/**
@ -250,6 +251,11 @@ public:
*/
explicit HookArgument(const std::pair<int, const threading::Field* const*> fpair) { type = THREAD_FIELDS; tfields = fpair; }
/**
* Constructor with a location argument.
*/
explicit HookArgument(const Location* location) { type = LOCATION; arg.loc = location; }
/**
* Returns the value for a boolen argument. The argument's type must
* match accordingly.
@ -360,6 +366,7 @@ private:
const val_list* vals;
const void* voidp;
const logging::WriterBackend::WriterInfo* winfo;
const Location* loc;
} arg;
// Outside union because these have dtors.
@ -781,6 +788,39 @@ protected:
const threading::Field* const* fields,
threading::Value** vals);
/**
* Hook into reporting. This method will be called for each reporter call
* made; this includes weirds. The method cannot manipulate the data at
* the current time; however it is possible to prevent script-side events
* from being called by returning false.
*
* @param prefix The prefix passed by the reporter framework
*
* @param event The event to be called
*
* @param conn The associated connection
*
* @param addl Additional Bro values; typically will be passed to the event
* by the reporter framework.
*
* @param location True if event expects location information
*
* @param location1 First location
*
* @param location2 Second location
*
* @param time True if event expects time information
*
* @param message Message supplied by the reporter framework
*
* @return true if event should be called by the reporter framework, false
* if the event call should be skipped
*/
virtual bool HookReporter(const std::string& prefix, const EventHandlerPtr event,
const Connection* conn, const val_list* addl, bool location,
const Location* location1, const Location* location2,
bool time, const std::string& message);
// Meta hooks.
/**