Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Merge remote-tracking branch 'origin/master' into topic/johanna/table-changes

Browse source
This commit is contained in:
Johanna Amann 2020-07-13 17:11:55 -07:00
commit 7c37226eaa
39 changed files with 714 additions and 251 deletions
Download patch file Download diff file Expand all files Collapse all files

79
CHANGES
View file

@ -1,4 +1,83 @@
3.2.0-dev.899 | 2020-07-14 00:02:05 +0000
* Improve Broker store API's handling of invalid arguments
* Some methods mistakenly returned a bool instead of QueryResult
when passed an invalid `opaque of Broker::Store` handle.
* Now generates a runtime exception for store_name() and is_closed()
calls that pass an invalid `opaque of Broker::Store` handle as any
returned value can't be reasonably used in any subsequent logic.
* Descriptions of any invalid arguments are now given in the error
message. (Jon Siwek, Corelight)
* Add zeek::detail::emit_builtin_exception() functions
These work like zeek::emit_builtin_error(), but also throw an InterpreterException (Jon Siwek, Corelight)
* GH-1024: fix crash on passing wrong types to Broker store API (Jon Siwek, Corelight)
3.2.0-dev.894 | 2020-07-13 12:12:17 -0700
* GH-1019: deprecate icmp_conn params for ICMP events
Previously, a single `icmp_conn` record was built per ICMP "connection"
and re-used for all events generated from it. This may have been a
historical attempt at performance optimization, but:
* By default, Zeek does not load any scripts that handle ICMP events.
* The one script Zeek ships with that does handle ICMP events,
"detect-traceroute", is already noted as being disabled due to
potential performance problems of doing that kind of analysis.
* Re-use of the original `icmp_conn` record tends to misreport
TTL and length values since they come from original packet instead
of the current one.
* Even if we chose to still re-use `icmp_conn` records and just fill
in a new TTL and length value each packet, a user script could have
stored a reference to the record and not be expecting those values
to be changed out from underneath them.
Now, a new `icmp_info` record is created/populated in all ICMP events
and should be used instead of `icmp_conn`. It also removes the
orig_h/resp_h fields as those are redundant with what's already
available in the connection record. (Jon Siwek, Corelight)
3.2.0-dev.892 | 2020-07-13 12:10:22 -0700
* Fix wrong frame offsets for locals of alternate event/hook prototypes
Local frame offsets were being assigned based on number of the alternate
prototype's parameters, which may end up having less total parameters
than the canonical prototype, causing the local value to incorrectly
overwrite an event/hook argument value. (Jon Siwek, Corelight)
* Add deprecation expression to deprecated prototype/parameter messages (Jon Siwek, Corelight)
* Improve "use of deprecated prototype" warning message
The location information now points out the place of the deprecated
prototype instead of the location where the ID was initially declared
(which may not itself be a deprecated prototype). (Jon Siwek, Corelight)
* Emit deprecation warning for use of &deprecated function parameters
Particularly, this is meant for using &deprecated on canonical
event/hook prototype parameters to encourage users to create handlers
to another, non-deprecated prototype. i.e. for canonical prototypes,
we may not always want to put &deprecated directly on the prototype
itself since that signals deprecation of the ID entirely. (Jon Siwek, Corelight)
3.2.0-dev.885 | 2020-07-10 11:20:41 -0700
* Add more error checks to shadow log parsing (Jon Siwek, Corelight)
i.e. Coverity warns about possible use of ftell() negative return value
3.2.0-dev.884 | 2020-07-09 14:09:58 -0700
* Add Supervisor::{stdout,stderr}_hook (Jon Siwek, Corelight)

13
NEWS
View file

@ -273,6 +273,19 @@ Deprecated Functionality
that the former returns a vector with indices starting at 1 while the
later returns a vector with indices starting at 0.
- The ``icmp_conn`` parameter of ICMP events is deprecated, there's an
alternate version with an ``icmp_info`` parameter to use instead.
The ``icmp_conn`` record passed to ICMP events has always been re-used
amongst all events within an ICMP "connection", so the
``itype``, ``icode``, ``len``, and ``hlim`` fields as inspected in
handlers never appears to change even if the underlying packet data
has different values for those fields. However, it's not known if
anyone relied on that behavior, so the new ``icmp_info`` record is
introduced with the more-expected behavior of being created and
populated for each new event. It also removes the orig_h/resp_h
fields since those are redundant with what's already available in
the connection parameter.
Zeek 3.1.0
==========

2
VERSION
View file

@ -1 +1 @@
3.2.0-dev.884
3.2.0-dev.899

2
auxil/broker

@ -1 +1 @@
Subproject commit f132cdaa28bcfe56187a67ff8c97bdf4040e303a
Subproject commit cb0a780dd5ed0dbdacad5fd1e5d5afd337aee0f7

2
doc

@ -1 +1 @@
Subproject commit d5b36f9ac02d4be67edb6aae35b39dae7bcaa00c
Subproject commit fb7d642ed8b16752daaaa01541a28a2add310f19

13
scripts/base/init-bare.zeek
View file

@ -188,6 +188,19 @@ type icmp_conn: record {
v6: bool; ##< True if it's an ICMPv6 packet.
};
## Specifics about an ICMP conversation/packet.
## ICMP events typically pass this in addition to :zeek:type:`conn_id`.
##
## .. zeek:see:: icmp_echo_reply icmp_echo_request icmp_redirect icmp_sent
## icmp_time_exceeded icmp_unreachable
type icmp_info: record {
v6: bool; ##< True if it's an ICMPv6 packet.
itype: count; ##< The ICMP type of the current packet.
icode: count; ##< The ICMP code of the current packet.
len: count; ##< The length of the ICMP payload.
ttl: count; ##< The encapsulating IP header's TTL (IPv4) or Hop Limit (IPv6).
};
## Packet context part of an ICMP message. The fields of this record reflect the
## packet that is described by the context.
##

2
scripts/policy/misc/detect-traceroute/main.zeek
View file

@ -95,7 +95,7 @@ event signature_match(state: signature_state, msg: string, data: string)
}
}
event icmp_time_exceeded(c: connection, icmp: icmp_conn, code: count, context: icmp_context)
event icmp_time_exceeded(c: connection, info: icmp_info, code: count, context: icmp_context)
{
SumStats::observe("traceroute.time_exceeded", [$str=cat(context$id$orig_h,"-",context$id$resp_h,"-",get_port_transport_proto(context$id$resp_p))], [$str=cat(c$id$orig_h)]);
}

12
src/Attr.cc
View file

@ -42,6 +42,18 @@ Attr::Attr(AttrTag t)
void Attr::SetAttrExpr(ExprPtr e)
{ expr = std::move(e); }
std::string Attr::DeprecationMessage() const
{
if ( tag != ATTR_DEPRECATED )
return "";
if ( ! expr )
return "";
auto ce = static_cast<zeek::detail::ConstExpr*>(expr.get());
return ce->Value()->AsStringVal()->CheckString();
}
void Attr::Describe(ODesc* d) const
{
AddTag(d);

7
src/Attr.h
View file

@ -3,6 +3,7 @@
#pragma once
#include <vector>
#include <string>
#include "Obj.h"
#include "BroList.h"
@ -75,6 +76,12 @@ public:
void Describe(ODesc* d) const override;
void DescribeReST(ODesc* d, bool shorten = false) const;
/**
* Returns the deprecation string associated with a &deprecated attribute
* or an empty string if this is not such an attribute.
*/
std::string DeprecationMessage() const;
bool operator==(const Attr& other) const
{
if ( tag != other.tag )

85
src/Func.cc
View file

@ -788,31 +788,51 @@ function_ingredients::function_ingredients(zeek::detail::ScopePtr scope, zeek::d
this->body = std::move(body);
}
} // namespace detail
void emit_builtin_error(const char* msg)
{
emit_builtin_error(msg, zeek::ValPtr{});
}
void emit_builtin_error(const char* msg, zeek::ValPtr arg)
{
emit_builtin_error(msg, arg.get());
}
void emit_builtin_error(const char* msg, Obj* arg)
static void emit_builtin_error_common(const char* msg, Obj* arg, bool unwind)
{
auto emit = [=](const zeek::detail::CallExpr* ce)
{
if ( ce )
ce->Error(msg, arg);
{
if ( unwind )
{
if ( arg )
{
ODesc d;
arg->Describe(&d);
reporter->ExprRuntimeError(ce, "%s (%s), during call:", msg,
d.Description());
}
else
reporter->Error(msg, arg);
reporter->ExprRuntimeError(ce, "%s", msg);
}
else
ce->Error(msg, arg);
}
else
{
if ( arg )
{
if ( unwind )
reporter->RuntimeError(arg->GetLocationInfo(), "%s", msg);
else
arg->Error(msg);
}
else
{
if ( unwind )
reporter->RuntimeError(nullptr, "%s", msg);
else
reporter->Error("%s", msg);
}
}
};
if ( zeek::detail::call_stack.empty() )
{
// Shouldn't happen unless someone (mistakenly) calls builtin_error()
// from somewhere that's not even evaluating script-code.
emit(nullptr);
return;
}
@ -866,6 +886,39 @@ void emit_builtin_error(const char* msg, Obj* arg)
emit(last_call.call);
}
void emit_builtin_exception(const char* msg)
{
emit_builtin_error_common(msg, nullptr, true);
}
void emit_builtin_exception(const char* msg, const zeek::ValPtr& arg)
{
emit_builtin_error_common(msg, arg.get(), true);
}
void emit_builtin_exception(const char* msg, Obj* arg)
{
emit_builtin_error_common(msg, arg, true);
}
} // namespace detail
void emit_builtin_error(const char* msg)
{
zeek::detail::emit_builtin_error_common(msg, nullptr, false);
}
void emit_builtin_error(const char* msg, const zeek::ValPtr& arg)
{
zeek::detail::emit_builtin_error_common(msg, arg.get(), false);
}
void emit_builtin_error(const char* msg, Obj* arg)
{
zeek::detail::emit_builtin_error_common(msg, arg, false);
}
} // namespace zeek
void builtin_error(const char* msg)
@ -873,7 +926,7 @@ void builtin_error(const char* msg)
zeek::emit_builtin_error(msg);
}
void builtin_error(const char* msg, zeek::ValPtr arg)
void builtin_error(const char* msg, const zeek::ValPtr& arg)
{
zeek::emit_builtin_error(msg, arg);
}

6
src/Func.h
View file

@ -275,13 +275,17 @@ extern std::vector<CallInfo> call_stack;
// This is set to true after the built-in functions have been initialized.
extern bool did_builtin_init;
extern void emit_builtin_exception(const char* msg);
extern void emit_builtin_exception(const char* msg, const zeek::ValPtr& arg);
extern void emit_builtin_exception(const char* msg, Obj* arg);
} // namespace detail
extern std::string render_call_stack();
// These methods are used by BIFs, so they're in the public namespace.
extern void emit_builtin_error(const char* msg);
extern void emit_builtin_error(const char* msg, zeek::ValPtr);
extern void emit_builtin_error(const char* msg, const zeek::ValPtr&);
extern void emit_builtin_error(const char* msg, Obj* arg);
} // namespace zeek

9
src/ID.cc
View file

@ -294,14 +294,7 @@ std::string ID::GetDeprecationWarning() const
const auto& depr_attr = GetAttr(ATTR_DEPRECATED);
if ( depr_attr )
{
auto expr = static_cast<zeek::detail::ConstExpr*>(depr_attr->GetExpr().get());
if ( expr )
{
StringVal* text = expr->Value()->AsStringVal();
result = text->CheckString();
}
}
result = depr_attr->DeprecationMessage();
if ( result.empty() )
return fmt("deprecated (%s)", Name());

11
src/Type.cc
View file

@ -563,7 +563,7 @@ FuncType::FuncType(RecordTypePtr arg_args,
offsets[i] = i;
}
prototypes.emplace_back(Prototype{false, args, std::move(offsets)});
prototypes.emplace_back(Prototype{false, "", args, std::move(offsets)});
}
TypePtr FuncType::ShallowClone()
@ -1120,14 +1120,7 @@ string RecordType::GetFieldDeprecationWarning(int field, bool has_check) const
{
string result;
if ( const auto& deprecation = decl->GetAttr(zeek::detail::ATTR_DEPRECATED) )
{
auto expr = static_cast<zeek::detail::ConstExpr*>(deprecation->GetExpr().get());
if ( expr )
{
StringVal* text = expr->Value()->AsStringVal();
result = text->CheckString();
}
}
result = deprecation->DeprecationMessage();
if ( result.empty() )
return fmt("deprecated (%s%s$%s)", GetName().c_str(), has_check ? "?" : "",

3
src/Type.h
View file

@ -427,7 +427,10 @@ public:
*/
struct Prototype {
bool deprecated;
std::string deprecation_msg;
RecordTypePtr args;
// Maps from parameter index in canonical prototype to
// parameter index in this alternate prorotype.
std::map<int, int> offsets;
};

92
src/Var.cc
View file

@ -96,17 +96,27 @@ static bool add_prototype(const zeek::detail::IDPtr& id, zeek::Type* t,
return false;
}
offsets[i] = o;
offsets[o] = i;
}
auto deprecated = false;
std::string depr_msg;
if ( attrs )
for ( const auto& a : *attrs )
if ( a->Tag() == zeek::detail::ATTR_DEPRECATED )
{
deprecated = true;
depr_msg = a->DeprecationMessage();
break;
}
zeek::FuncType::Prototype p;
p.deprecated = deprecated;
p.deprecation_msg = std::move(depr_msg);
p.args = alt_args;
p.offsets = std::move(offsets);
zeek::FuncType::Prototype p{deprecated, alt_args, std::move(offsets)};
canon_ft->AddPrototype(std::move(p));
return true;
}
@ -450,7 +460,25 @@ static std::optional<zeek::FuncType::Prototype> func_type_check(const zeek::Func
return {};
}
return decl->FindPrototype(*impl->Params());
auto rval = decl->FindPrototype(*impl->Params());
if ( rval )
for ( auto i = 0; i < rval->args->NumFields(); ++i )
if ( auto ad = rval->args->FieldDecl(i)->GetAttr(zeek::detail::ATTR_DEPRECATED) )
{
auto msg = ad->DeprecationMessage();
if ( msg.empty() )
impl->Warn(fmt("use of deprecated parameter '%s'",
rval->args->FieldName(i)),
decl, true);
else
impl->Warn(fmt("use of deprecated parameter '%s': %s",
rval->args->FieldName(i), msg.data()),
decl, true);
}
return rval;
}
static bool canonical_arg_types_match(const zeek::FuncType* decl, const zeek::FuncType* impl)
@ -523,7 +551,15 @@ void begin_func(zeek::detail::IDPtr id, const char* module_name,
}
if ( prototype->deprecated )
t->Warn("use of deprecated prototype", id.get());
{
if ( prototype->deprecation_msg.empty() )
t->Warn(fmt("use of deprecated '%s' prototype", id->Name()),
prototype->args.get(), true);
else
t->Warn(fmt("use of deprecated '%s' prototype: %s",
id->Name(), prototype->deprecation_msg.data()),
prototype->args.get(), true);
}
}
else
{
@ -568,24 +604,54 @@ void begin_func(zeek::detail::IDPtr id, const char* module_name,
else
id->SetType(t);
const auto& args = t->Params();
const auto& canon_args = id->GetType()->AsFuncType()->Params();
zeek::detail::push_scope(std::move(id), std::move(attrs));
const auto& args = t->Params();
int num_args = args->NumFields();
for ( int i = 0; i < num_args; ++i )
for ( int i = 0; i < canon_args->NumFields(); ++i )
{
zeek::TypeDecl* arg_i = args->FieldDecl(i);
zeek::TypeDecl* arg_i;
bool hide = false;
if ( prototype )
{
auto it = prototype->offsets.find(i);
if ( it == prototype->offsets.end() )
{
// Alternate prototype hides this param
hide = true;
arg_i = canon_args->FieldDecl(i);
}
else
{
// Alternate prototype maps this param to another index
arg_i = args->FieldDecl(it->second);
}
}
else
{
if ( i < args->NumFields() )
arg_i = args->FieldDecl(i);
else
break;
}
auto arg_id = zeek::detail::lookup_ID(arg_i->id, module_name);
if ( arg_id && ! arg_id->IsGlobal() )
arg_id->Error("argument name used twice");
arg_id = zeek::detail::install_ID(arg_i->id, module_name, false, false);
arg_id->SetType(arg_i->type);
const char* local_name = arg_i->id;
if ( prototype )
arg_id->SetOffset(prototype->offsets[i]);
if ( hide )
// Note the illegal '-' in hidden name implies we haven't
// clobbered any local variable names.
local_name = fmt("%s-hidden", local_name);
arg_id = zeek::detail::install_ID(local_name, module_name, false, false);
arg_id->SetType(arg_i->type);
}
if ( zeek::detail::Attr* depr_attr = find_attr(zeek::detail::current_scope()->Attrs().get(),

25
src/analyzer/protocol/icmp/ICMP.cc
View file

@ -204,7 +204,8 @@ void ICMP_Analyzer::ICMP_Sent(const struct icmp* icmpp, int len, int caplen,
if ( icmp_sent )
EnqueueConnEvent(icmp_sent,
ConnVal(),
BuildICMPVal(icmpp, len, icmpv6, ip_hdr)
BuildICMPVal(icmpp, len, icmpv6, ip_hdr),
BuildInfo(icmpp, len, icmpv6, ip_hdr)
);
if ( icmp_sent_payload )
@ -214,6 +215,7 @@ void ICMP_Analyzer::ICMP_Sent(const struct icmp* icmpp, int len, int caplen,
EnqueueConnEvent(icmp_sent_payload,
ConnVal(),
BuildICMPVal(icmpp, len, icmpv6, ip_hdr),
BuildInfo(icmpp, len, icmpv6, ip_hdr),
zeek::make_intrusive<zeek::StringVal>(payload)
);
}
@ -239,6 +241,19 @@ zeek::RecordValPtr ICMP_Analyzer::BuildICMPVal(const struct icmp* icmpp, int len
return icmp_conn_val;
}
zeek::RecordValPtr ICMP_Analyzer::BuildInfo(const struct icmp* icmpp, int len,
bool icmpv6, const IP_Hdr* ip_hdr)
{
static auto icmp_info = zeek::id::find_type<zeek::RecordType>("icmp_info");
auto rval = zeek::make_intrusive<zeek::RecordVal>(icmp_info);
rval->Assign(0, zeek::val_mgr->Bool(icmpv6));
rval->Assign(1, zeek::val_mgr->Count(icmpp->icmp_type));
rval->Assign(2, zeek::val_mgr->Count(icmpp->icmp_code));
rval->Assign(3, zeek::val_mgr->Count(len));
rval->Assign(4, zeek::val_mgr->Count(ip_hdr->TTL()));
return rval;
}
TransportProto ICMP_Analyzer::GetContextProtocol(const IP_Hdr* ip_hdr, uint32_t* src_port, uint32_t* dst_port)
{
const u_char* transport_hdr;
@ -520,6 +535,7 @@ void ICMP_Analyzer::Echo(double t, const struct icmp* icmpp, int len,
EnqueueConnEvent(f,
ConnVal(),
BuildICMPVal(icmpp, len, ip_hdr->NextProto() != IPPROTO_ICMP, ip_hdr),
BuildInfo(icmpp, len, ip_hdr->NextProto() != IPPROTO_ICMP, ip_hdr),
zeek::val_mgr->Count(iid),
zeek::val_mgr->Count(iseq),
zeek::make_intrusive<zeek::StringVal>(payload)
@ -548,6 +564,7 @@ void ICMP_Analyzer::RouterAdvert(double t, const struct icmp* icmpp, int len,
EnqueueConnEvent(f,
ConnVal(),
BuildICMPVal(icmpp, len, 1, ip_hdr),
BuildInfo(icmpp, len, 1, ip_hdr),
zeek::val_mgr->Count(icmpp->icmp_num_addrs), // Cur Hop Limit
zeek::val_mgr->Bool(icmpp->icmp_wpa & 0x80), // Managed
zeek::val_mgr->Bool(icmpp->icmp_wpa & 0x40), // Other
@ -581,6 +598,7 @@ void ICMP_Analyzer::NeighborAdvert(double t, const struct icmp* icmpp, int len,
EnqueueConnEvent(f,
ConnVal(),
BuildICMPVal(icmpp, len, 1, ip_hdr),
BuildInfo(icmpp, len, 1, ip_hdr),
zeek::val_mgr->Bool(icmpp->icmp_num_addrs & 0x80), // Router
zeek::val_mgr->Bool(icmpp->icmp_num_addrs & 0x40), // Solicited
zeek::val_mgr->Bool(icmpp->icmp_num_addrs & 0x20), // Override
@ -608,6 +626,7 @@ void ICMP_Analyzer::NeighborSolicit(double t, const struct icmp* icmpp, int len,
EnqueueConnEvent(f,
ConnVal(),
BuildICMPVal(icmpp, len, 1, ip_hdr),
BuildInfo(icmpp, len, 1, ip_hdr),
zeek::make_intrusive<zeek::AddrVal>(tgtaddr),
BuildNDOptionsVal(caplen - opt_offset, data + opt_offset)
);
@ -635,6 +654,7 @@ void ICMP_Analyzer::Redirect(double t, const struct icmp* icmpp, int len,
EnqueueConnEvent(f,
ConnVal(),
BuildICMPVal(icmpp, len, 1, ip_hdr),
BuildInfo(icmpp, len, 1, ip_hdr),
zeek::make_intrusive<zeek::AddrVal>(tgtaddr),
zeek::make_intrusive<zeek::AddrVal>(dstaddr),
BuildNDOptionsVal(caplen - opt_offset, data + opt_offset)
@ -653,6 +673,7 @@ void ICMP_Analyzer::RouterSolicit(double t, const struct icmp* icmpp, int len,
EnqueueConnEvent(f,
ConnVal(),
BuildICMPVal(icmpp, len, 1, ip_hdr),
BuildInfo(icmpp, len, 1, ip_hdr),
BuildNDOptionsVal(caplen, data)
);
}
@ -678,6 +699,7 @@ void ICMP_Analyzer::Context4(double t, const struct icmp* icmpp,
EnqueueConnEvent(f,
ConnVal(),
BuildICMPVal(icmpp, len, 0, ip_hdr),
BuildInfo(icmpp, len, 0, ip_hdr),
zeek::val_mgr->Count(icmpp->icmp_code),
ExtractICMP4Context(caplen, data)
);
@ -716,6 +738,7 @@ void ICMP_Analyzer::Context6(double t, const struct icmp* icmpp,
EnqueueConnEvent(f,
ConnVal(),
BuildICMPVal(icmpp, len, 1, ip_hdr),
BuildInfo(icmpp, len, 1, ip_hdr),
zeek::val_mgr->Count(icmpp->icmp_code),
ExtractICMP6Context(caplen, data)
);

3
src/analyzer/protocol/icmp/ICMP.h
View file

@ -57,6 +57,9 @@ protected:
zeek::RecordValPtr BuildICMPVal(const struct icmp* icmpp, int len,
int icmpv6, const IP_Hdr* ip_hdr);
zeek::RecordValPtr BuildInfo(const struct icmp* icmpp, int len,
bool icmpv6, const IP_Hdr* ip_hdr);
void NextICMP4(double t, const struct icmp* icmpp, int len, int caplen,
const u_char*& data, const IP_Hdr* ip_hdr );

99
src/analyzer/protocol/icmp/events.bif
View file

@ -12,8 +12,13 @@
## icmp: Additional ICMP-specific information augmenting the standard
## connection record *c*.
##
## info: Additional ICMP-specific information augmenting the standard
## connection record *c*.
##
## .. zeek:see:: icmp_error_message icmp_sent_payload
event icmp_sent%(c: connection, icmp: icmp_conn%);
event icmp_sent%(c: connection, icmp: icmp_conn &deprecated="Remove in v4.1", info: icmp_info%);
event icmp_sent%(c: connection, info: icmp_info%);
event icmp_sent%(c: connection, icmp: icmp_conn%) &deprecated="Remove in v4.1. The icmp_info record is replacing icmp_conn";
## The same as :zeek:see:`icmp_sent` except containing the ICMP payload.
##
@ -22,10 +27,15 @@ event icmp_sent%(c: connection, icmp: icmp_conn%);
## icmp: Additional ICMP-specific information augmenting the standard
## connection record *c*.
##
## info: Additional ICMP-specific information augmenting the standard
## connection record *c*.
##
## payload: The payload of the ICMP message.
##
## .. zeek:see:: icmp_error_message icmp_sent_payload
event icmp_sent_payload%(c: connection, icmp: icmp_conn, payload: string%);
event icmp_sent_payload%(c: connection, icmp: icmp_conn &deprecated="Remove in v4.1", info: icmp_info, payload: string%);
event icmp_sent_payload%(c: connection, info: icmp_info, payload: string%);
event icmp_sent_payload%(c: connection, icmp: icmp_conn, payload: string%) &deprecated="Remove in v4.1. The icmp_info record is replacing icmp_conn";
## Generated for ICMP *echo request* messages.
##
@ -38,6 +48,9 @@ event icmp_sent_payload%(c: connection, icmp: icmp_conn, payload: string%);
## icmp: Additional ICMP-specific information augmenting the standard
## connection record *c*.
##
## info: Additional ICMP-specific information augmenting the standard
## connection record *c*.
##
## id: The *echo request* identifier.
##
## seq: The *echo request* sequence number.
@ -46,7 +59,9 @@ event icmp_sent_payload%(c: connection, icmp: icmp_conn, payload: string%);
## after the first 8 bytes of the ICMP header.
##
## .. zeek:see:: icmp_echo_reply
event icmp_echo_request%(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string%);
event icmp_echo_request%(c: connection, icmp: icmp_conn &deprecated="Remove in v4.1", info: icmp_info, id: count, seq: count, payload: string%);
event icmp_echo_request%(c: connection, info: icmp_info, id: count, seq: count, payload: string%);
event icmp_echo_request%(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string%) &deprecated="Remove in v4.1. The icmp_info record is replacing icmp_conn.";
## Generated for ICMP *echo reply* messages.
##
@ -59,6 +74,9 @@ event icmp_echo_request%(c: connection, icmp: icmp_conn, id: count, seq: count,
## icmp: Additional ICMP-specific information augmenting the standard connection
## record *c*.
##
## info: Additional ICMP-specific information augmenting the standard
## connection record *c*.
##
## id: The *echo reply* identifier.
##
## seq: The *echo reply* sequence number.
@ -67,7 +85,9 @@ event icmp_echo_request%(c: connection, icmp: icmp_conn, id: count, seq: count,
## after the first 8 bytes of the ICMP header.
##
## .. zeek:see:: icmp_echo_request
event icmp_echo_reply%(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string%);
event icmp_echo_reply%(c: connection, icmp: icmp_conn &deprecated="Remove in v4.1", info: icmp_info, id: count, seq: count, payload: string%);
event icmp_echo_reply%(c: connection, info: icmp_info, id: count, seq: count, payload: string%);
event icmp_echo_reply%(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string%) &deprecated="Remove in v4.1. The icmp_info record is replacing icmp_conn.";
## Generated for all ICMPv6 error messages that are not handled
## separately with dedicated events. Zeek's ICMP analyzer handles a number
@ -83,6 +103,9 @@ event icmp_echo_reply%(c: connection, icmp: icmp_conn, id: count, seq: count, pa
## icmp: Additional ICMP-specific information augmenting the standard
## connection record *c*.
##
## info: Additional ICMP-specific information augmenting the standard
## connection record *c*.
##
## code: The ICMP code of the error message.
##
## context: A record with specifics of the original packet that the message
@ -90,7 +113,9 @@ event icmp_echo_reply%(c: connection, icmp: icmp_conn, id: count, seq: count, pa
##
## .. zeek:see:: icmp_unreachable icmp_packet_too_big
## icmp_time_exceeded icmp_parameter_problem
event icmp_error_message%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%);
event icmp_error_message%(c: connection, icmp: icmp_conn &deprecated="Remove in v4.1", info: icmp_info, code: count, context: icmp_context%);
event icmp_error_message%(c: connection, info: icmp_info, code: count, context: icmp_context%);
event icmp_error_message%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%) &deprecated="Remove in v4.1. The icmp_info record is replacing icmp_conn";
## Generated for ICMP *destination unreachable* messages.
##
@ -103,6 +128,9 @@ event icmp_error_message%(c: connection, icmp: icmp_conn, code: count, context:
## icmp: Additional ICMP-specific information augmenting the standard connection
## record *c*.
##
## info: Additional ICMP-specific information augmenting the standard connection
## record *c*.
##
## code: The ICMP code of the *unreachable* message.
##
## context: A record with specifics of the original packet that the message
@ -114,7 +142,9 @@ event icmp_error_message%(c: connection, icmp: icmp_conn, code: count, context:
##
## .. zeek:see:: icmp_error_message icmp_packet_too_big
## icmp_time_exceeded icmp_parameter_problem
event icmp_unreachable%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%);
event icmp_unreachable%(c: connection, icmp: icmp_conn &deprecated="Remove in v4.1", info: icmp_info, code: count, context: icmp_context%);
event icmp_unreachable%(c: connection, info: icmp_info, code: count, context: icmp_context%);
event icmp_unreachable%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%) &deprecated="Remove in v4.1. The icmp_info record is replacing icmp_conn";
## Generated for ICMPv6 *packet too big* messages.
##
@ -127,6 +157,9 @@ event icmp_unreachable%(c: connection, icmp: icmp_conn, code: count, context: ic
## icmp: Additional ICMP-specific information augmenting the standard connection
## record *c*.
##
## info: Additional ICMP-specific information augmenting the standard connection
## record *c*.
##
## code: The ICMP code of the *too big* message.
##
## context: A record with specifics of the original packet that the message
@ -138,7 +171,9 @@ event icmp_unreachable%(c: connection, icmp: icmp_conn, code: count, context: ic
##
## .. zeek:see:: icmp_error_message icmp_unreachable
## icmp_time_exceeded icmp_parameter_problem
event icmp_packet_too_big%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%);
event icmp_packet_too_big%(c: connection, icmp: icmp_conn &deprecated="Remove in v4.1", info: icmp_info, code: count, context: icmp_context%);
event icmp_packet_too_big%(c: connection, info: icmp_info, code: count, context: icmp_context%);
event icmp_packet_too_big%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%) &deprecated="Remove in v4.1. The icmp_info record is replacing icmp_conn";
## Generated for ICMP *time exceeded* messages.
##
@ -151,6 +186,9 @@ event icmp_packet_too_big%(c: connection, icmp: icmp_conn, code: count, context:
## icmp: Additional ICMP-specific information augmenting the standard connection
## record *c*.
##
## info: Additional ICMP-specific information augmenting the standard connection
## record *c*.
##
## code: The ICMP code of the *exceeded* message.
##
## context: A record with specifics of the original packet that the message
@ -162,7 +200,9 @@ event icmp_packet_too_big%(c: connection, icmp: icmp_conn, code: count, context:
##
## .. zeek:see:: icmp_error_message icmp_unreachable icmp_packet_too_big
## icmp_parameter_problem
event icmp_time_exceeded%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%);
event icmp_time_exceeded%(c: connection, icmp: icmp_conn &deprecated="Remove in v4.1", info: icmp_info, code: count, context: icmp_context%);
event icmp_time_exceeded%(c: connection, info: icmp_info, code: count, context: icmp_context%);
event icmp_time_exceeded%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%) &deprecated="Remove in v4.1. The icmp_info record is replacing icmp_conn";
## Generated for ICMPv6 *parameter problem* messages.
##
@ -175,6 +215,9 @@ event icmp_time_exceeded%(c: connection, icmp: icmp_conn, code: count, context:
## icmp: Additional ICMP-specific information augmenting the standard connection
## record *c*.
##
## info: Additional ICMP-specific information augmenting the standard connection
## record *c*.
##
## code: The ICMP code of the *parameter problem* message.
##
## context: A record with specifics of the original packet that the message
@ -186,7 +229,9 @@ event icmp_time_exceeded%(c: connection, icmp: icmp_conn, code: count, context:
##
## .. zeek:see:: icmp_error_message icmp_unreachable icmp_packet_too_big
## icmp_time_exceeded
event icmp_parameter_problem%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%);
event icmp_parameter_problem%(c: connection, icmp: icmp_conn &deprecated="Remove in v4.1", info: icmp_info, code: count, context: icmp_context%);
event icmp_parameter_problem%(c: connection, info: icmp_info, code: count, context: icmp_context%);
event icmp_parameter_problem%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%) &deprecated="Remove in v4.1. The icmp_info record is replacing icmp_conn";
## Generated for ICMP *router solicitation* messages.
##
@ -199,11 +244,16 @@ event icmp_parameter_problem%(c: connection, icmp: icmp_conn, code: count, conte
## icmp: Additional ICMP-specific information augmenting the standard connection
## record *c*.
##
## info: Additional ICMP-specific information augmenting the standard connection
## record *c*.
##
## options: Any Neighbor Discovery options included with message (:rfc:`4861`).
##
## .. zeek:see:: icmp_router_advertisement
## icmp_neighbor_solicitation icmp_neighbor_advertisement icmp_redirect
event icmp_router_solicitation%(c: connection, icmp: icmp_conn, options: icmp6_nd_options%);
event icmp_router_solicitation%(c: connection, icmp: icmp_conn &deprecated="Remove in v4.1", info: icmp_info, options: icmp6_nd_options%);
event icmp_router_solicitation%(c: connection, info: icmp_info, options: icmp6_nd_options%);
event icmp_router_solicitation%(c: connection, icmp: icmp_conn, options: icmp6_nd_options%) &deprecated="Remove in v4.1. The icmp_info record is replacing icmp_conn";
## Generated for ICMP *router advertisement* messages.
##
@ -216,6 +266,9 @@ event icmp_router_solicitation%(c: connection, icmp: icmp_conn, options: icmp6_n
## icmp: Additional ICMP-specific information augmenting the standard connection
## record *c*.
##
## info: Additional ICMP-specific information augmenting the standard connection
## record *c*.
##
## cur_hop_limit: The default value that should be placed in Hop Count field
## for outgoing IP packets.
##
@ -241,7 +294,9 @@ event icmp_router_solicitation%(c: connection, icmp: icmp_conn, options: icmp6_n
##
## .. zeek:see:: icmp_router_solicitation
## icmp_neighbor_solicitation icmp_neighbor_advertisement icmp_redirect
event icmp_router_advertisement%(c: connection, icmp: icmp_conn, cur_hop_limit: count, managed: bool, other: bool, home_agent: bool, pref: count, proxy: bool, rsv: count, router_lifetime: interval, reachable_time: interval, retrans_timer: interval, options: icmp6_nd_options%);
event icmp_router_advertisement%(c: connection, icmp: icmp_conn &deprecated="Remove in v4.1", info: icmp_info, cur_hop_limit: count, managed: bool, other: bool, home_agent: bool, pref: count, proxy: bool, rsv: count, router_lifetime: interval, reachable_time: interval, retrans_timer: interval, options: icmp6_nd_options%);
event icmp_router_advertisement%(c: connection, info: icmp_info, cur_hop_limit: count, managed: bool, other: bool, home_agent: bool, pref: count, proxy: bool, rsv: count, router_lifetime: interval, reachable_time: interval, retrans_timer: interval, options: icmp6_nd_options%);
event icmp_router_advertisement%(c: connection, icmp: icmp_conn, cur_hop_limit: count, managed: bool, other: bool, home_agent: bool, pref: count, proxy: bool, rsv: count, router_lifetime: interval, reachable_time: interval, retrans_timer: interval, options: icmp6_nd_options%) &deprecated="Remove in v4.1. The icmp_info record is replacing icmp_conn";
## Generated for ICMP *neighbor solicitation* messages.
##
@ -254,13 +309,18 @@ event icmp_router_advertisement%(c: connection, icmp: icmp_conn, cur_hop_limit:
## icmp: Additional ICMP-specific information augmenting the standard connection
## record *c*.
##
## info: Additional ICMP-specific information augmenting the standard connection
## record *c*.
##
## tgt: The IP address of the target of the solicitation.
##
## options: Any Neighbor Discovery options included with message (:rfc:`4861`).
##
## .. zeek:see:: icmp_router_solicitation icmp_router_advertisement
## icmp_neighbor_advertisement icmp_redirect
event icmp_neighbor_solicitation%(c: connection, icmp: icmp_conn, tgt: addr, options: icmp6_nd_options%);
event icmp_neighbor_solicitation%(c: connection, icmp: icmp_conn &deprecated="Remove in v4.1", info: icmp_info, tgt: addr, options: icmp6_nd_options%);
event icmp_neighbor_solicitation%(c: connection, info: icmp_info, tgt: addr, options: icmp6_nd_options%);
event icmp_neighbor_solicitation%(c: connection, icmp: icmp_conn, tgt: addr, options: icmp6_nd_options%) &deprecated="Remove in v4.1. The icmp_info record is replacing icmp_conn";
## Generated for ICMP *neighbor advertisement* messages.
##
@ -273,6 +333,9 @@ event icmp_neighbor_solicitation%(c: connection, icmp: icmp_conn, tgt: addr, opt
## icmp: Additional ICMP-specific information augmenting the standard connection
## record *c*.
##
## info: Additional ICMP-specific information augmenting the standard connection
## record *c*.
##
## router: Flag indicating the sender is a router.
##
## solicited: Flag indicating advertisement is in response to a solicitation.
@ -286,7 +349,9 @@ event icmp_neighbor_solicitation%(c: connection, icmp: icmp_conn, tgt: addr, opt
##
## .. zeek:see:: icmp_router_solicitation icmp_router_advertisement
## icmp_neighbor_solicitation icmp_redirect
event icmp_neighbor_advertisement%(c: connection, icmp: icmp_conn, router: bool, solicited: bool, override: bool, tgt: addr, options: icmp6_nd_options%);
event icmp_neighbor_advertisement%(c: connection, icmp: icmp_conn &deprecated="Remove in v4.1", info: icmp_info, router: bool, solicited: bool, override: bool, tgt: addr, options: icmp6_nd_options%);
event icmp_neighbor_advertisement%(c: connection, info: icmp_info, router: bool, solicited: bool, override: bool, tgt: addr, options: icmp6_nd_options%);
event icmp_neighbor_advertisement%(c: connection, icmp: icmp_conn, router: bool, solicited: bool, override: bool, tgt: addr, options: icmp6_nd_options%) &deprecated="Remove in v4.1. The icmp_info record is replacing icmp_conn";
## Generated for ICMP *redirect* messages.
##
@ -299,6 +364,9 @@ event icmp_neighbor_advertisement%(c: connection, icmp: icmp_conn, router: bool,
## icmp: Additional ICMP-specific information augmenting the standard connection
## record *c*.
##
## info: Additional ICMP-specific information augmenting the standard connection
## record *c*.
##
## tgt: The address that is supposed to be a better first hop to use for
## ICMP Destination Address.
##
@ -308,5 +376,6 @@ event icmp_neighbor_advertisement%(c: connection, icmp: icmp_conn, router: bool,
##
## .. zeek:see:: icmp_router_solicitation icmp_router_advertisement
## icmp_neighbor_solicitation icmp_neighbor_advertisement
event icmp_redirect%(c: connection, icmp: icmp_conn, tgt: addr, dest: addr, options: icmp6_nd_options%);
event icmp_redirect%(c: connection, icmp: icmp_conn &deprecated="Remove in v4.1", info: icmp_info, tgt: addr, dest: addr, options: icmp6_nd_options%);
event icmp_redirect%(c: connection, info: icmp_info, tgt: addr, dest: addr, options: icmp6_nd_options%);
event icmp_redirect%(c: connection, icmp: icmp_conn, tgt: addr, dest: addr, options: icmp6_nd_options%) &deprecated="Remove in v4.1. The icmp_info record is replacing icmp_conn";

207
src/broker/store.bif
View file

@ -7,6 +7,8 @@
#include "broker/Data.h"
#include "Trigger.h"
static bro_broker::StoreHandleVal* to_store_handle(zeek::Val* h)
{ return dynamic_cast<bro_broker::StoreHandleVal*>(h); }
%%}
module Broker;
@ -74,58 +76,54 @@ function Broker::__create_clone%(id: string, resync_interval: interval,
function Broker::__is_closed%(h: opaque of Broker::Store%): bool
%{
bro_broker::Manager::ScriptScopeGuard ssg;
auto handle = to_store_handle(h);
if ( ! h )
{
zeek::emit_builtin_error("invalid Broker store handle");
return zeek::val_mgr->False();
}
if ( ! handle )
zeek::detail::emit_builtin_exception("invalid Broker store handle", h);
auto handle = static_cast<bro_broker::StoreHandleVal*>(h);
return zeek::val_mgr->Bool(broker_mgr->LookupStore(handle->store.name()));
%}
function Broker::__close%(h: opaque of Broker::Store%): bool
%{
bro_broker::Manager::ScriptScopeGuard ssg;
auto handle = to_store_handle(h);
if ( ! h )
if ( ! handle )
{
zeek::emit_builtin_error("invalid Broker store handle");
return zeek::val_mgr->False();
zeek::emit_builtin_error("invalid Broker store handle", h);
return val_mgr->False();
}
auto handle = static_cast<bro_broker::StoreHandleVal*>(h);
return zeek::val_mgr->Bool(broker_mgr->CloseStore(handle->store.name()));
%}
function Broker::__store_name%(h: opaque of Broker::Store%): string
%{
if ( ! h )
{
zeek::emit_builtin_error("invalid Broker store handle");
return zeek::val_mgr->EmptyString();
}
auto handle = to_store_handle(h);
auto handle = static_cast<bro_broker::StoreHandleVal*>(h);
return zeek::make_intrusive<zeek::StringVal>(handle->store.name());
if ( ! handle )
zeek::detail::emit_builtin_exception("invalid Broker store handle", h);
return make_intrusive<zeek::StringVal>(handle->store.name());
%}
function Broker::__exists%(h: opaque of Broker::Store,
k: any%): Broker::QueryResult
%{
if ( ! h )
auto handle = to_store_handle(h);
if ( ! handle )
{
zeek::emit_builtin_error("invalid Broker store handle");
return zeek::val_mgr->False();
zeek::emit_builtin_error("invalid Broker store handle", h);
return bro_broker::query_result();
}
auto handle = static_cast<bro_broker::StoreHandleVal*>(h);
auto key = bro_broker::val_to_data(k);
if ( ! key )
{
zeek::emit_builtin_error("invalid Broker data conversion for key argument");
zeek::emit_builtin_error("invalid Broker data conversion for key argument", k);
return bro_broker::query_result();
}
@ -159,18 +157,19 @@ function Broker::__exists%(h: opaque of Broker::Store,
function Broker::__get%(h: opaque of Broker::Store,
k: any%): Broker::QueryResult
%{
if ( ! h )
auto handle = to_store_handle(h);
if ( ! handle )
{
zeek::emit_builtin_error("invalid Broker store handle");
return zeek::val_mgr->False();
zeek::emit_builtin_error("invalid Broker store handle", h);
return bro_broker::query_result();
}
auto handle = static_cast<bro_broker::StoreHandleVal*>(h);
auto key = bro_broker::val_to_data(k);
if ( ! key )
{
zeek::emit_builtin_error("invalid Broker data conversion for key argument");
zeek::emit_builtin_error("invalid Broker data conversion for key argument", k);
return bro_broker::query_result();
}
@ -204,25 +203,26 @@ function Broker::__get%(h: opaque of Broker::Store,
function Broker::__put_unique%(h: opaque of Broker::Store,
k: any, v: any, e: interval%): Broker::QueryResult
%{
if ( ! h )
auto handle = to_store_handle(h);
if ( ! handle )
{
zeek::emit_builtin_error("invalid Broker store handle");
return zeek::val_mgr->False();
zeek::emit_builtin_error("invalid Broker store handle", h);
return bro_broker::query_result();
}
auto handle = static_cast<bro_broker::StoreHandleVal*>(h);
auto key = bro_broker::val_to_data(k);
auto val = bro_broker::val_to_data(v);
if ( ! key )
{
zeek::emit_builtin_error("invalid Broker data conversion for key argument");
zeek::emit_builtin_error("invalid Broker data conversion for key argument", k);
return bro_broker::query_result();
}
if ( ! val )
{
zeek::emit_builtin_error("invalid Broker data conversion for value argument");
zeek::emit_builtin_error("invalid Broker data conversion for value argument", v);
return bro_broker::query_result();
}
@ -258,18 +258,19 @@ function Broker::__put_unique%(h: opaque of Broker::Store,
function Broker::__get_index_from_value%(h: opaque of Broker::Store,
k: any, i: any%): Broker::QueryResult
%{
if ( ! h )
auto handle = to_store_handle(h);
if ( ! handle )
{
zeek::emit_builtin_error("invalid Broker store handle");
return zeek::val_mgr->False();
zeek::emit_builtin_error("invalid Broker store handle", h);
return bro_broker::query_result();
}
auto handle = static_cast<bro_broker::StoreHandleVal*>(h);
auto key = bro_broker::val_to_data(k);
if ( ! key )
{
zeek::emit_builtin_error("invalid Broker data conversion for key argument");
zeek::emit_builtin_error("invalid Broker data conversion for key argument", k);
return bro_broker::query_result();
}
@ -277,7 +278,7 @@ function Broker::__get_index_from_value%(h: opaque of Broker::Store,
if ( ! index )
{
zeek::emit_builtin_error("invalid Broker data conversion for index argument");
zeek::emit_builtin_error("invalid Broker data conversion for index argument", i);
return bro_broker::query_result();
}
@ -311,13 +312,13 @@ function Broker::__get_index_from_value%(h: opaque of Broker::Store,
function Broker::__keys%(h: opaque of Broker::Store%): Broker::QueryResult
%{
if ( ! h )
{
zeek::emit_builtin_error("invalid Broker store handle");
return zeek::val_mgr->False();
}
auto handle = to_store_handle(h);
auto handle = static_cast<bro_broker::StoreHandleVal*>(h);
if ( ! handle )
{
zeek::emit_builtin_error("invalid Broker store handle", h);
return bro_broker::query_result();
}
auto trigger = frame->GetTrigger();
@ -349,25 +350,26 @@ function Broker::__keys%(h: opaque of Broker::Store%): Broker::QueryResult
function Broker::__put%(h: opaque of Broker::Store,
k: any, v: any, e: interval%): bool
%{
if ( ! h )
auto handle = to_store_handle(h);
if ( ! handle )
{
zeek::emit_builtin_error("invalid Broker store handle");
zeek::emit_builtin_error("invalid Broker store handle", h);
return zeek::val_mgr->False();
}
auto handle = static_cast<bro_broker::StoreHandleVal*>(h);
auto key = bro_broker::val_to_data(k);
auto val = bro_broker::val_to_data(v);
if ( ! key )
{
zeek::emit_builtin_error("invalid Broker data conversion for key argument");
zeek::emit_builtin_error("invalid Broker data conversion for key argument", k);
return zeek::val_mgr->False();
}
if ( ! val )
{
zeek::emit_builtin_error("invalid Broker data conversion for value argument");
zeek::emit_builtin_error("invalid Broker data conversion for value argument", v);
return zeek::val_mgr->False();
}
@ -377,18 +379,19 @@ function Broker::__put%(h: opaque of Broker::Store,
function Broker::__erase%(h: opaque of Broker::Store, k: any%): bool
%{
if ( ! h )
auto handle = to_store_handle(h);
if ( ! handle )
{
zeek::emit_builtin_error("invalid Broker store handle");
zeek::emit_builtin_error("invalid Broker store handle", h);
return zeek::val_mgr->False();
}
auto handle = static_cast<bro_broker::StoreHandleVal*>(h);
auto key = bro_broker::val_to_data(k);
if ( ! key )
{
zeek::emit_builtin_error("invalid Broker data conversion for key argument");
zeek::emit_builtin_error("invalid Broker data conversion for key argument", k);
return zeek::val_mgr->False();
}
@ -399,25 +402,26 @@ function Broker::__erase%(h: opaque of Broker::Store, k: any%): bool
function Broker::__increment%(h: opaque of Broker::Store, k: any, a: any,
e: interval%): bool
%{
if ( ! h )
auto handle = to_store_handle(h);
if ( ! handle )
{
zeek::emit_builtin_error("invalid Broker store handle");
zeek::emit_builtin_error("invalid Broker store handle", h);
return zeek::val_mgr->False();
}
auto handle = static_cast<bro_broker::StoreHandleVal*>(h);
auto key = bro_broker::val_to_data(k);
auto amount = bro_broker::val_to_data(a);
if ( ! key )
{
zeek::emit_builtin_error("invalid Broker data conversion for key argument");
zeek::emit_builtin_error("invalid Broker data conversion for key argument", k);
return zeek::val_mgr->False();
}
if ( ! amount )
{
zeek::emit_builtin_error("invalid Broker data conversion for amount argument");
zeek::emit_builtin_error("invalid Broker data conversion for amount argument", a);
return zeek::val_mgr->False();
}
@ -429,25 +433,26 @@ function Broker::__increment%(h: opaque of Broker::Store, k: any, a: any,
function Broker::__decrement%(h: opaque of Broker::Store, k: any, a: any,
e: interval%): bool
%{
if ( ! h )
auto handle = to_store_handle(h);
if ( ! handle )
{
zeek::emit_builtin_error("invalid Broker store handle");
zeek::emit_builtin_error("invalid Broker store handle", h);
return zeek::val_mgr->False();
}
auto handle = static_cast<bro_broker::StoreHandleVal*>(h);
auto key = bro_broker::val_to_data(k);
auto amount = bro_broker::val_to_data(a);
if ( ! key )
{
zeek::emit_builtin_error("invalid Broker data conversion for key argument");
zeek::emit_builtin_error("invalid Broker data conversion for key argument", k);
return zeek::val_mgr->False();
}
if ( ! amount )
{
zeek::emit_builtin_error("invalid Broker data conversion for amount argument");
zeek::emit_builtin_error("invalid Broker data conversion for amount argument", a);
return zeek::val_mgr->False();
}
@ -458,25 +463,26 @@ function Broker::__decrement%(h: opaque of Broker::Store, k: any, a: any,
function Broker::__append%(h: opaque of Broker::Store, k: any, s: any,
e: interval%): bool
%{
if ( ! h )
auto handle = to_store_handle(h);
if ( ! handle )
{
zeek::emit_builtin_error("invalid Broker store handle");
zeek::emit_builtin_error("invalid Broker store handle", h);
return zeek::val_mgr->False();
}
auto handle = static_cast<bro_broker::StoreHandleVal*>(h);
auto key = bro_broker::val_to_data(k);
auto str = bro_broker::val_to_data(s);
if ( ! key )
{
zeek::emit_builtin_error("invalid Broker data conversion for key argument");
zeek::emit_builtin_error("invalid Broker data conversion for key argument", k);
return zeek::val_mgr->False();
}
if ( ! str )
{
zeek::emit_builtin_error("invalid Broker data conversion for str argument");
zeek::emit_builtin_error("invalid Broker data conversion for str argument", s);
return zeek::val_mgr->False();
}
@ -487,25 +493,26 @@ function Broker::__append%(h: opaque of Broker::Store, k: any, s: any,
function Broker::__insert_into_set%(h: opaque of Broker::Store, k: any, i: any,
e: interval%): bool
%{
if ( ! h )
auto handle = to_store_handle(h);
if ( ! handle )
{
zeek::emit_builtin_error("invalid Broker store handle");
zeek::emit_builtin_error("invalid Broker store handle", h);
return zeek::val_mgr->False();
}
auto handle = static_cast<bro_broker::StoreHandleVal*>(h);
auto key = bro_broker::val_to_data(k);
auto idx = bro_broker::val_to_data(i);
if ( ! key )
{
zeek::emit_builtin_error("invalid Broker data conversion for key argument");
zeek::emit_builtin_error("invalid Broker data conversion for key argument", k);
return zeek::val_mgr->False();
}
if ( ! idx )
{
zeek::emit_builtin_error("invalid Broker data conversion for index argument");
zeek::emit_builtin_error("invalid Broker data conversion for index argument", i);
return zeek::val_mgr->False();
}
@ -517,32 +524,33 @@ function Broker::__insert_into_set%(h: opaque of Broker::Store, k: any, i: any,
function Broker::__insert_into_table%(h: opaque of Broker::Store, k: any,
i: any, v: any, e: interval%): bool
%{
if ( ! h )
auto handle = to_store_handle(h);
if ( ! handle )
{
zeek::emit_builtin_error("invalid Broker store handle");
zeek::emit_builtin_error("invalid Broker store handle", h);
return zeek::val_mgr->False();
}
auto handle = static_cast<bro_broker::StoreHandleVal*>(h);
auto key = bro_broker::val_to_data(k);
auto idx = bro_broker::val_to_data(i);
auto val = bro_broker::val_to_data(v);
if ( ! key )
{
zeek::emit_builtin_error("invalid Broker data conversion for key argument");
zeek::emit_builtin_error("invalid Broker data conversion for key argument", k);
return zeek::val_mgr->False();
}
if ( ! idx )
{
zeek::emit_builtin_error("invalid Broker data conversion for index argument");
zeek::emit_builtin_error("invalid Broker data conversion for index argument", i);
return zeek::val_mgr->False();
}
if ( ! val )
{
zeek::emit_builtin_error("invalid Broker data conversion for value argument");
zeek::emit_builtin_error("invalid Broker data conversion for value argument", v);
return zeek::val_mgr->False();
}
@ -554,25 +562,26 @@ function Broker::__insert_into_table%(h: opaque of Broker::Store, k: any,
function Broker::__remove_from%(h: opaque of Broker::Store, k: any, i: any,
e: interval%): bool
%{
if ( ! h )
auto handle = to_store_handle(h);
if ( ! handle )
{
zeek::emit_builtin_error("invalid Broker store handle");
zeek::emit_builtin_error("invalid Broker store handle", h);
return zeek::val_mgr->False();
}
auto handle = static_cast<bro_broker::StoreHandleVal*>(h);
auto key = bro_broker::val_to_data(k);
auto idx = bro_broker::val_to_data(i);
if ( ! key )
{
zeek::emit_builtin_error("invalid Broker data conversion for key argument");
zeek::emit_builtin_error("invalid Broker data conversion for key argument", k);
return zeek::val_mgr->False();
}
if ( ! idx )
{
zeek::emit_builtin_error("invalid Broker data conversion for index argument");
zeek::emit_builtin_error("invalid Broker data conversion for index argument", i);
return zeek::val_mgr->False();
}
@ -584,25 +593,26 @@ function Broker::__remove_from%(h: opaque of Broker::Store, k: any, i: any,
function Broker::__push%(h: opaque of Broker::Store, k: any, v: any,
e: interval%): bool
%{
if ( ! h )
auto handle = to_store_handle(h);
if ( ! handle )
{
zeek::emit_builtin_error("invalid Broker store handle");
zeek::emit_builtin_error("invalid Broker store handle", h);
return zeek::val_mgr->False();
}
auto handle = static_cast<bro_broker::StoreHandleVal*>(h);
auto key = bro_broker::val_to_data(k);
auto val = bro_broker::val_to_data(v);
if ( ! key )
{
zeek::emit_builtin_error("invalid Broker data conversion for key argument");
zeek::emit_builtin_error("invalid Broker data conversion for key argument", k);
return zeek::val_mgr->False();
}
if ( ! val )
{
zeek::emit_builtin_error("invalid Broker data conversion for value argument");
zeek::emit_builtin_error("invalid Broker data conversion for value argument", v);
return zeek::val_mgr->False();
}
@ -612,18 +622,19 @@ function Broker::__push%(h: opaque of Broker::Store, k: any, v: any,
function Broker::__pop%(h: opaque of Broker::Store, k: any, e: interval%): bool
%{
if ( ! h )
auto handle = to_store_handle(h);
if ( ! handle )
{
zeek::emit_builtin_error("invalid Broker store handle");
zeek::emit_builtin_error("invalid Broker store handle", h);
return zeek::val_mgr->False();
}
auto handle = static_cast<bro_broker::StoreHandleVal*>(h);
auto key = bro_broker::val_to_data(k);
if ( ! key )
{
zeek::emit_builtin_error("invalid Broker data conversion for key argument");
zeek::emit_builtin_error("invalid Broker data conversion for key argument", k);
return zeek::val_mgr->False();
}
@ -633,14 +644,14 @@ function Broker::__pop%(h: opaque of Broker::Store, k: any, e: interval%): bool
function Broker::__clear%(h: opaque of Broker::Store%): bool
%{
if ( ! h )
auto handle = to_store_handle(h);
if ( ! handle )
{
zeek::emit_builtin_error("invalid Broker store handle");
zeek::emit_builtin_error("invalid Broker store handle", h);
return zeek::val_mgr->False();
}
auto handle = static_cast<bro_broker::StoreHandleVal*>(h);
handle->store.clear();
return zeek::val_mgr->True();
%}

30
src/logging/writers/ascii/Ascii.cc
View file

@ -111,9 +111,35 @@ static std::optional<LeftoverLog> parse_shadow_log(const std::string& fname)
return rval;
}
fseek(sf_stream, 0, SEEK_END);
int res = fseek(sf_stream, 0, SEEK_END);
if ( res == -1 )
{
rval.error = fmt("Failed to fseek(SEEK_END) on %s: %s",
rval.shadow_filename.data(), strerror(errno));
fclose(sf_stream);
return rval;
}
auto sf_len = ftell(sf_stream);
fseek(sf_stream, 0, SEEK_SET);
if ( sf_len == -1 )
{
rval.error = fmt("Failed to ftell() on %s: %s",
rval.shadow_filename.data(), strerror(errno));
fclose(sf_stream);
return rval;
}
res = fseek(sf_stream, 0, SEEK_SET);
if ( res == -1 )
{
rval.error = fmt("Failed to fseek(SEEK_SET) on %s: %s",
rval.shadow_filename.data(), strerror(errno));
fclose(sf_stream);
return rval;
}
auto sf_content = std::make_unique<char[]>(sf_len);
auto bytes_read = fread(sf_content.get(), 1, sf_len, sf_stream);

3
testing/btest/Baseline/broker.store.invalid-handle/out Normal file
View file

@ -0,0 +1,3 @@
expression error in /home/jon/pro/zeek/zeek/testing/btest/.tmp/broker.store.invalid-handle/invalid-handle.zeek, line 18: invalid Broker store handle (0), during call: (Broker::is_closed(a))
error in /home/jon/pro/zeek/zeek/testing/btest/.tmp/broker.store.invalid-handle/invalid-handle.zeek, line 6: invalid Broker store handle (Broker::keys(a) and 0)
keys, [status=Broker::FAILURE, result=[data=<uninitialized>]]

6
testing/btest/Baseline/core.icmp.icmp-context/output
View file

@ -1,12 +1,12 @@
icmp_unreachable (code=0)
conn_id: [orig_h=10.0.0.1, orig_p=3/icmp, resp_h=10.0.0.2, resp_p=0/icmp]
icmp_conn: [orig_h=10.0.0.1, resp_h=10.0.0.2, itype=3, icode=0, len=0, hlim=64, v6=F]
icmp_info: [v6=F, itype=3, icode=0, len=0, ttl=64]
icmp_context: [id=[orig_h=::, orig_p=0/unknown, resp_h=::, resp_p=0/unknown], len=0, proto=0, frag_offset=0, bad_hdr_len=T, bad_checksum=F, MF=F, DF=F]
icmp_unreachable (code=0)
conn_id: [orig_h=10.0.0.1, orig_p=3/icmp, resp_h=10.0.0.2, resp_p=0/icmp]
icmp_conn: [orig_h=10.0.0.1, resp_h=10.0.0.2, itype=3, icode=0, len=20, hlim=64, v6=F]
icmp_info: [v6=F, itype=3, icode=0, len=20, ttl=64]
icmp_context: [id=[orig_h=10.0.0.2, orig_p=0/unknown, resp_h=10.0.0.1, resp_p=0/unknown], len=20, proto=0, frag_offset=0, bad_hdr_len=T, bad_checksum=F, MF=F, DF=F]
icmp_unreachable (code=3)
conn_id: [orig_h=192.168.1.102, orig_p=3/icmp, resp_h=192.168.1.1, resp_p=3/icmp]
icmp_conn: [orig_h=192.168.1.102, resp_h=192.168.1.1, itype=3, icode=3, len=148, hlim=128, v6=F]
icmp_info: [v6=F, itype=3, icode=3, len=148, ttl=128]
icmp_context: [id=[orig_h=192.168.1.1, orig_p=53/udp, resp_h=192.168.1.102, resp_p=59207/udp], len=163, proto=2, frag_offset=0, bad_hdr_len=F, bad_checksum=F, MF=F, DF=F]

12
testing/btest/Baseline/core.icmp.icmp-events/output
View file

@ -1,20 +1,20 @@
icmp_unreachable (code=3)
conn_id: [orig_h=192.168.1.102, orig_p=3/icmp, resp_h=192.168.1.1, resp_p=3/icmp]
icmp_conn: [orig_h=192.168.1.102, resp_h=192.168.1.1, itype=3, icode=3, len=148, hlim=128, v6=F]
icmp_info: [v6=F, itype=3, icode=3, len=148, ttl=128]
icmp_context: [id=[orig_h=192.168.1.1, orig_p=53/udp, resp_h=192.168.1.102, resp_p=59207/udp], len=163, proto=2, frag_offset=0, bad_hdr_len=F, bad_checksum=F, MF=F, DF=F]
icmp_time_exceeded (code=0)
conn_id: [orig_h=10.0.0.1, orig_p=11/icmp, resp_h=10.0.0.2, resp_p=0/icmp]
icmp_conn: [orig_h=10.0.0.1, resp_h=10.0.0.2, itype=11, icode=0, len=32, hlim=64, v6=F]
icmp_info: [v6=F, itype=11, icode=0, len=32, ttl=64]
icmp_context: [id=[orig_h=10.0.0.2, orig_p=30000/udp, resp_h=10.0.0.1, resp_p=13000/udp], len=32, proto=2, frag_offset=0, bad_hdr_len=F, bad_checksum=F, MF=F, DF=F]
icmp_echo_request (id=34844, seq=0, payload=O\x85\xe0C\x00\x0e\xeb\xff\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&'()*+,-./01234567)
conn_id: [orig_h=10.0.0.1, orig_p=8/icmp, resp_h=74.125.225.99, resp_p=0/icmp]
icmp_conn: [orig_h=10.0.0.1, resp_h=74.125.225.99, itype=8, icode=0, len=56, hlim=64, v6=F]
icmp_info: [v6=F, itype=8, icode=0, len=56, ttl=64]
icmp_echo_reply (id=34844, seq=0, payload=O\x85\xe0C\x00\x0e\xeb\xff\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&'()*+,-./01234567)
conn_id: [orig_h=10.0.0.1, orig_p=8/icmp, resp_h=74.125.225.99, resp_p=0/icmp]
icmp_conn: [orig_h=10.0.0.1, resp_h=74.125.225.99, itype=8, icode=0, len=56, hlim=64, v6=F]
icmp_info: [v6=F, itype=0, icode=0, len=56, ttl=56]
icmp_echo_request (id=34844, seq=1, payload=O\x85\xe0D\x00\x0e\xf0}\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&'()*+,-./01234567)
conn_id: [orig_h=10.0.0.1, orig_p=8/icmp, resp_h=74.125.225.99, resp_p=0/icmp]
icmp_conn: [orig_h=10.0.0.1, resp_h=74.125.225.99, itype=8, icode=0, len=56, hlim=64, v6=F]
icmp_info: [v6=F, itype=8, icode=0, len=56, ttl=64]
icmp_echo_reply (id=34844, seq=1, payload=O\x85\xe0D\x00\x0e\xf0}\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&'()*+,-./01234567)
conn_id: [orig_h=10.0.0.1, orig_p=8/icmp, resp_h=74.125.225.99, resp_p=0/icmp]
icmp_conn: [orig_h=10.0.0.1, resp_h=74.125.225.99, itype=8, icode=0, len=56, hlim=64, v6=F]
icmp_info: [v6=F, itype=0, icode=0, len=56, ttl=56]

8
testing/btest/Baseline/core.icmp.icmp6-context/output
View file

@ -1,16 +1,16 @@
icmp_unreachable (code=0)
conn_id: [orig_h=fe80::dead, orig_p=1/icmp, resp_h=fe80::beef, resp_p=0/icmp]
icmp_conn: [orig_h=fe80::dead, resp_h=fe80::beef, itype=1, icode=0, len=0, hlim=64, v6=T]
icmp_info: [v6=T, itype=1, icode=0, len=0, ttl=64]
icmp_context: [id=[orig_h=::, orig_p=0/unknown, resp_h=::, resp_p=0/unknown], len=0, proto=0, frag_offset=0, bad_hdr_len=T, bad_checksum=F, MF=F, DF=F]
icmp_unreachable (code=0)
conn_id: [orig_h=fe80::dead, orig_p=1/icmp, resp_h=fe80::beef, resp_p=0/icmp]
icmp_conn: [orig_h=fe80::dead, resp_h=fe80::beef, itype=1, icode=0, len=40, hlim=64, v6=T]
icmp_info: [v6=T, itype=1, icode=0, len=40, ttl=64]
icmp_context: [id=[orig_h=fe80::beef, orig_p=0/unknown, resp_h=fe80::dead, resp_p=0/unknown], len=48, proto=0, frag_offset=0, bad_hdr_len=T, bad_checksum=F, MF=F, DF=F]
icmp_unreachable (code=0)
conn_id: [orig_h=fe80::dead, orig_p=1/icmp, resp_h=fe80::beef, resp_p=0/icmp]
icmp_conn: [orig_h=fe80::dead, resp_h=fe80::beef, itype=1, icode=0, len=60, hlim=64, v6=T]
icmp_info: [v6=T, itype=1, icode=0, len=60, ttl=64]
icmp_context: [id=[orig_h=fe80::beef, orig_p=30000/udp, resp_h=fe80::dead, resp_p=13000/udp], len=60, proto=2, frag_offset=0, bad_hdr_len=F, bad_checksum=F, MF=F, DF=F]
icmp_unreachable (code=0)
conn_id: [orig_h=fe80::dead, orig_p=1/icmp, resp_h=fe80::beef, resp_p=0/icmp]
icmp_conn: [orig_h=fe80::dead, resp_h=fe80::beef, itype=1, icode=0, len=48, hlim=64, v6=T]
icmp_info: [v6=T, itype=1, icode=0, len=48, ttl=64]
icmp_context: [id=[orig_h=fe80::beef, orig_p=0/unknown, resp_h=fe80::dead, resp_p=0/unknown], len=48, proto=0, frag_offset=0, bad_hdr_len=T, bad_checksum=F, MF=F, DF=F]

34
testing/btest/Baseline/core.icmp.icmp6-events/output
View file

@ -1,46 +1,46 @@
icmp_unreachable (code=0)
conn_id: [orig_h=fe80::dead, orig_p=1/icmp, resp_h=fe80::beef, resp_p=0/icmp]
icmp_conn: [orig_h=fe80::dead, resp_h=fe80::beef, itype=1, icode=0, len=60, hlim=64, v6=T]
icmp_info: [v6=T, itype=1, icode=0, len=60, ttl=64]
icmp_context: [id=[orig_h=fe80::beef, orig_p=30000/udp, resp_h=fe80::dead, resp_p=13000/udp], len=60, proto=2, frag_offset=0, bad_hdr_len=F, bad_checksum=F, MF=F, DF=F]
icmp_packet_too_big (code=0)
conn_id: [orig_h=fe80::dead, orig_p=2/icmp, resp_h=fe80::beef, resp_p=0/icmp]
icmp_conn: [orig_h=fe80::dead, resp_h=fe80::beef, itype=2, icode=0, len=52, hlim=64, v6=T]
icmp_info: [v6=T, itype=2, icode=0, len=52, ttl=64]
icmp_context: [id=[orig_h=fe80::beef, orig_p=30000/udp, resp_h=fe80::dead, resp_p=13000/udp], len=52, proto=2, frag_offset=0, bad_hdr_len=F, bad_checksum=F, MF=F, DF=F]
icmp_time_exceeded (code=0)
conn_id: [orig_h=fe80::dead, orig_p=3/icmp, resp_h=fe80::beef, resp_p=0/icmp]
icmp_conn: [orig_h=fe80::dead, resp_h=fe80::beef, itype=3, icode=0, len=52, hlim=64, v6=T]
icmp_info: [v6=T, itype=3, icode=0, len=52, ttl=64]
icmp_context: [id=[orig_h=fe80::beef, orig_p=30000/udp, resp_h=fe80::dead, resp_p=13000/udp], len=52, proto=2, frag_offset=0, bad_hdr_len=F, bad_checksum=F, MF=F, DF=F]
icmp_parameter_problem (code=0)
conn_id: [orig_h=fe80::dead, orig_p=4/icmp, resp_h=fe80::beef, resp_p=0/icmp]
icmp_conn: [orig_h=fe80::dead, resp_h=fe80::beef, itype=4, icode=0, len=52, hlim=64, v6=T]
icmp_info: [v6=T, itype=4, icode=0, len=52, ttl=64]
icmp_context: [id=[orig_h=fe80::beef, orig_p=30000/udp, resp_h=fe80::dead, resp_p=13000/udp], len=52, proto=2, frag_offset=0, bad_hdr_len=F, bad_checksum=F, MF=F, DF=F]
icmp_echo_request (id=1, seq=3, payload=abcdefghijklmnopqrstuvwabcdefghi)
conn_id: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, orig_p=128/icmp, resp_h=2001:4860:8006::63, resp_p=129/icmp]
icmp_conn: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, resp_h=2001:4860:8006::63, itype=128, icode=0, len=32, hlim=128, v6=T]
icmp_info: [v6=T, itype=128, icode=0, len=32, ttl=128]
icmp_echo_reply (id=1, seq=3, payload=abcdefghijklmnopqrstuvwabcdefghi)
conn_id: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, orig_p=128/icmp, resp_h=2001:4860:8006::63, resp_p=129/icmp]
icmp_conn: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, resp_h=2001:4860:8006::63, itype=128, icode=0, len=32, hlim=128, v6=T]
icmp_info: [v6=T, itype=129, icode=0, len=32, ttl=47]
icmp_echo_request (id=1, seq=4, payload=abcdefghijklmnopqrstuvwabcdefghi)
conn_id: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, orig_p=128/icmp, resp_h=2001:4860:8006::63, resp_p=129/icmp]
icmp_conn: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, resp_h=2001:4860:8006::63, itype=128, icode=0, len=32, hlim=128, v6=T]
icmp_info: [v6=T, itype=128, icode=0, len=32, ttl=128]
icmp_echo_reply (id=1, seq=4, payload=abcdefghijklmnopqrstuvwabcdefghi)
conn_id: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, orig_p=128/icmp, resp_h=2001:4860:8006::63, resp_p=129/icmp]
icmp_conn: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, resp_h=2001:4860:8006::63, itype=128, icode=0, len=32, hlim=128, v6=T]
icmp_info: [v6=T, itype=129, icode=0, len=32, ttl=47]
icmp_echo_request (id=1, seq=5, payload=abcdefghijklmnopqrstuvwabcdefghi)
conn_id: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, orig_p=128/icmp, resp_h=2001:4860:8006::63, resp_p=129/icmp]
icmp_conn: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, resp_h=2001:4860:8006::63, itype=128, icode=0, len=32, hlim=128, v6=T]
icmp_info: [v6=T, itype=128, icode=0, len=32, ttl=128]
icmp_echo_reply (id=1, seq=5, payload=abcdefghijklmnopqrstuvwabcdefghi)
conn_id: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, orig_p=128/icmp, resp_h=2001:4860:8006::63, resp_p=129/icmp]
icmp_conn: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, resp_h=2001:4860:8006::63, itype=128, icode=0, len=32, hlim=128, v6=T]
icmp_info: [v6=T, itype=129, icode=0, len=32, ttl=47]
icmp_echo_request (id=1, seq=6, payload=abcdefghijklmnopqrstuvwabcdefghi)
conn_id: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, orig_p=128/icmp, resp_h=2001:4860:8006::63, resp_p=129/icmp]
icmp_conn: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, resp_h=2001:4860:8006::63, itype=128, icode=0, len=32, hlim=128, v6=T]
icmp_info: [v6=T, itype=128, icode=0, len=32, ttl=128]
icmp_echo_reply (id=1, seq=6, payload=abcdefghijklmnopqrstuvwabcdefghi)
conn_id: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, orig_p=128/icmp, resp_h=2001:4860:8006::63, resp_p=129/icmp]
icmp_conn: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, resp_h=2001:4860:8006::63, itype=128, icode=0, len=32, hlim=128, v6=T]
icmp_info: [v6=T, itype=129, icode=0, len=32, ttl=47]
icmp_redirect (tgt=fe80::cafe, dest=fe80::babe)
conn_id: [orig_h=fe80::dead, orig_p=137/icmp, resp_h=fe80::beef, resp_p=0/icmp]
icmp_conn: [orig_h=fe80::dead, resp_h=fe80::beef, itype=137, icode=0, len=32, hlim=255, v6=T]
icmp_info: [v6=T, itype=137, icode=0, len=32, ttl=255]
options: []
icmp_router_advertisement
cur_hop_limit=13
@ -54,20 +54,20 @@ icmp_router_advertisement
reachable_time=3.0 secs 700.0 msecs
retrans_timer=1.0 sec 300.0 msecs
conn_id: [orig_h=fe80::dead, orig_p=134/icmp, resp_h=fe80::beef, resp_p=133/icmp]
icmp_conn: [orig_h=fe80::dead, resp_h=fe80::beef, itype=134, icode=0, len=8, hlim=255, v6=T]
icmp_info: [v6=T, itype=134, icode=0, len=8, ttl=255]
options: []
icmp_neighbor_advertisement (tgt=fe80::babe)
router=T
solicited=F
override=T
conn_id: [orig_h=fe80::dead, orig_p=136/icmp, resp_h=fe80::beef, resp_p=135/icmp]
icmp_conn: [orig_h=fe80::dead, resp_h=fe80::beef, itype=136, icode=0, len=16, hlim=255, v6=T]
icmp_info: [v6=T, itype=136, icode=0, len=16, ttl=255]
options: []
icmp_router_solicitation
conn_id: [orig_h=fe80::dead, orig_p=133/icmp, resp_h=fe80::beef, resp_p=134/icmp]
icmp_conn: [orig_h=fe80::dead, resp_h=fe80::beef, itype=133, icode=0, len=0, hlim=255, v6=T]
icmp_info: [v6=T, itype=133, icode=0, len=0, ttl=255]
options: []
icmp_neighbor_solicitation (tgt=fe80::babe)
conn_id: [orig_h=fe80::dead, orig_p=135/icmp, resp_h=fe80::beef, resp_p=136/icmp]
icmp_conn: [orig_h=fe80::dead, resp_h=fe80::beef, itype=135, icode=0, len=16, hlim=255, v6=T]
icmp_info: [v6=T, itype=135, icode=0, len=16, ttl=255]
options: []

4
testing/btest/Baseline/core.icmp.icmp_sent/out
View file

@ -1,2 +1,2 @@
icmp_sent, [orig_h=fe80::2c23:b96c:78d:e116, orig_p=143/icmp, resp_h=ff02::16, resp_p=0/icmp], [orig_h=fe80::2c23:b96c:78d:e116, resp_h=ff02::16, itype=143, icode=0, len=20, hlim=1, v6=T]
icmp_sent_payload, [orig_h=fe80::2c23:b96c:78d:e116, orig_p=143/icmp, resp_h=ff02::16, resp_p=0/icmp], [orig_h=fe80::2c23:b96c:78d:e116, resp_h=ff02::16, itype=143, icode=0, len=20, hlim=1, v6=T], 20
icmp_sent, [orig_h=fe80::2c23:b96c:78d:e116, orig_p=143/icmp, resp_h=ff02::16, resp_p=0/icmp], [v6=T, itype=143, icode=0, len=20, ttl=1]
icmp_sent_payload, [orig_h=fe80::2c23:b96c:78d:e116, orig_p=143/icmp, resp_h=ff02::16, resp_p=0/icmp], [v6=T, itype=143, icode=0, len=20, ttl=1], 20

2
testing/btest/Baseline/language.alternate-event-hook-prototypes/out
View file

@ -1,4 +1,4 @@
warning in /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.alternate-event-hook-prototypes/alternate-event-hook-prototypes.zeek, line 68 and /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.alternate-event-hook-prototypes/alternate-event-hook-prototypes.zeek, line 10: use of deprecated prototype (hook(c:count;) : bool and my_hook)
warning in /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.alternate-event-hook-prototypes/alternate-event-hook-prototypes.zeek, line 68 and /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.alternate-event-hook-prototypes/alternate-event-hook-prototypes.zeek, line 13: use of deprecated 'my_hook' prototype (hook(c:count;) : bool)
my_hook, infinite, 13
my_hook, 13, infinite
my_hook, infinite

3
testing/btest/Baseline/language.alternate-prototypes-deprecated-args/hidden-error Normal file
View file

@ -0,0 +1,3 @@
warning in /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.alternate-prototypes-deprecated-args/alternate-prototypes-deprecated-args.zeek, line 11 and /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.alternate-prototypes-deprecated-args/alternate-prototypes-deprecated-args.zeek, line 7: use of deprecated parameter 'b': Don't use 'b' (event(a:string; b:string; c:string;))
warning in /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.alternate-prototypes-deprecated-args/alternate-prototypes-deprecated-args.zeek, line 30 and /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.alternate-prototypes-deprecated-args/alternate-prototypes-deprecated-args.zeek, line 9: use of deprecated 'myev' prototype: Don't use this prototype (event(a:string; b:string;))
error in ./hide.zeek, line 5: unknown identifier b, at or near "b"

8
testing/btest/Baseline/language.alternate-prototypes-deprecated-args/out Normal file
View file

@ -0,0 +1,8 @@
warning in /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.alternate-prototypes-deprecated-args/alternate-prototypes-deprecated-args.zeek, line 11 and /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.alternate-prototypes-deprecated-args/alternate-prototypes-deprecated-args.zeek, line 7: use of deprecated parameter 'b': Don't use 'b' (event(a:string; b:string; c:string;))
warning in /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.alternate-prototypes-deprecated-args/alternate-prototypes-deprecated-args.zeek, line 30 and /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.alternate-prototypes-deprecated-args/alternate-prototypes-deprecated-args.zeek, line 9: use of deprecated 'myev' prototype: Don't use this prototype (event(a:string; b:string;))
myev (canon), one, two, three
myev (new), one, three, [1, 2, 3]
myev (new), one, three, 0
myev (new), one, three, 1
myev (new), one, three, 2
myev (old), one, two

2
testing/btest/bifs/get_current_packet_header.zeek
View file

@ -1,7 +1,7 @@
# @TEST-EXEC: zeek -C -r $TRACES/icmp/icmp6-neighbor-solicit.pcap %INPUT > output
# @TEST-EXEC: btest-diff output
event icmp_neighbor_solicitation(c: connection, icmp: icmp_conn, tgt: addr, options: icmp6_nd_options)
event icmp_neighbor_solicitation(c: connection, info: icmp_info, tgt: addr, options: icmp6_nd_options)
{
local hdr: raw_pkt_hdr = get_current_packet_header();
print fmt("%s", hdr);

34
testing/btest/broker/store/invalid-handle.zeek Normal file
View file

@ -0,0 +1,34 @@
# @TEST-EXEC: zeek -b %INPUT >out 2>&1
# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out
function print_keys(a: any)
{
when ( local s = Broker::keys(a) )
{
print "keys", s;
}
timeout 2sec
{
print fmt("<timeout for print keys>");
}
}
function checkit(a: any)
{
if ( Broker::is_closed(a) )
print "this shouldn't get printed";
else
print "this shouldn't get printed either";
}
global a: int = 0;
event zeek_init() &priority=10
{
checkit(a);
}
event zeek_init()
{
print_keys(a);
}

4
testing/btest/core/icmp/icmp-context.test
View file

@ -5,10 +5,10 @@
# @TEST-EXEC: zeek -b -r $TRACES/icmp/icmp-destunreach-udp.pcap %INPUT >>output 2>&1
# @TEST-EXEC: btest-diff output
event icmp_unreachable(c: connection, icmp: icmp_conn, code: count, context: icmp_context)
event icmp_unreachable(c: connection, info: icmp_info, code: count, context: icmp_context)
{
print "icmp_unreachable (code=" + fmt("%d", code) + ")";
print " conn_id: " + fmt("%s", c$id);
print " icmp_conn: " + fmt("%s", icmp);
print " icmp_info: " + fmt("%s", info);
print " icmp_context: " + fmt("%s", context);
}

20
testing/btest/core/icmp/icmp-events.test
View file

@ -6,39 +6,39 @@
# @TEST-EXEC: btest-diff output
event icmp_sent(c: connection, icmp: icmp_conn)
event icmp_sent(c: connection, info: icmp_info)
{
print "icmp_sent";
print " conn_id: " + fmt("%s", c$id);
print " icmp_conn: " + fmt("%s", icmp);
print " icmp_info: " + fmt("%s", info);
}
event icmp_echo_request(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string)
event icmp_echo_request(c: connection, info: icmp_info, id: count, seq: count, payload: string)
{
print "icmp_echo_request (id=" + fmt("%d", id) + ", seq=" + fmt("%d", seq) + ", payload=" + payload + ")";
print " conn_id: " + fmt("%s", c$id);
print " icmp_conn: " + fmt("%s", icmp);
print " icmp_info: " + fmt("%s", info);
}
event icmp_echo_reply(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string)
event icmp_echo_reply(c: connection, info: icmp_info, id: count, seq: count, payload: string)
{
print "icmp_echo_reply (id=" + fmt("%d", id) + ", seq=" + fmt("%d", seq) + ", payload=" + payload + ")";
print " conn_id: " + fmt("%s", c$id);
print " icmp_conn: " + fmt("%s", icmp);
print " icmp_info: " + fmt("%s", info);
}
event icmp_unreachable(c: connection, icmp: icmp_conn, code: count, context: icmp_context)
event icmp_unreachable(c: connection, info: icmp_info, code: count, context: icmp_context)
{
print "icmp_unreachable (code=" + fmt("%d", code) + ")";
print " conn_id: " + fmt("%s", c$id);
print " icmp_conn: " + fmt("%s", icmp);
print " icmp_info: " + fmt("%s", info);
print " icmp_context: " + fmt("%s", context);
}
event icmp_time_exceeded(c: connection, icmp: icmp_conn, code: count, context: icmp_context)
event icmp_time_exceeded(c: connection, info: icmp_info, code: count, context: icmp_context)
{
print "icmp_time_exceeded (code=" + fmt("%d", code) + ")";
print " conn_id: " + fmt("%s", c$id);
print " icmp_conn: " + fmt("%s", icmp);
print " icmp_info: " + fmt("%s", info);
print " icmp_context: " + fmt("%s", context);
}

4
testing/btest/core/icmp/icmp6-context.test
View file

@ -6,10 +6,10 @@
# @TEST-EXEC: zeek -b -r $TRACES/icmp/icmp6-destunreach-ip6ext.pcap %INPUT >>output 2>&1
# @TEST-EXEC: btest-diff output
event icmp_unreachable(c: connection, icmp: icmp_conn, code: count, context: icmp_context)
event icmp_unreachable(c: connection, info: icmp_info, code: count, context: icmp_context)
{
print "icmp_unreachable (code=" + fmt("%d", code) + ")";
print " conn_id: " + fmt("%s", c$id);
print " icmp_conn: " + fmt("%s", icmp);
print " icmp_info: " + fmt("%s", info);
print " icmp_context: " + fmt("%s", context);
}

52
testing/btest/core/icmp/icmp6-events.test
View file

@ -13,103 +13,103 @@
# @TEST-EXEC: btest-diff output
event icmp_sent(c: connection, icmp: icmp_conn)
event icmp_sent(c: connection, info: icmp_info)
{
print "icmp_sent";
print " conn_id: " + fmt("%s", c$id);
print " icmp_conn: " + fmt("%s", icmp);
print " icmp_info: " + fmt("%s", info);
}
event icmp_echo_request(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string)
event icmp_echo_request(c: connection, info: icmp_info, id: count, seq: count, payload: string)
{
print "icmp_echo_request (id=" + fmt("%d", id) + ", seq=" + fmt("%d", seq) + ", payload=" + payload + ")";
print " conn_id: " + fmt("%s", c$id);
print " icmp_conn: " + fmt("%s", icmp);
print " icmp_info: " + fmt("%s", info);
}
event icmp_echo_reply(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string)
event icmp_echo_reply(c: connection, info: icmp_info, id: count, seq: count, payload: string)
{
print "icmp_echo_reply (id=" + fmt("%d", id) + ", seq=" + fmt("%d", seq) + ", payload=" + payload + ")";
print " conn_id: " + fmt("%s", c$id);
print " icmp_conn: " + fmt("%s", icmp);
print " icmp_info: " + fmt("%s", info);
}
event icmp_unreachable(c: connection, icmp: icmp_conn, code: count, context: icmp_context)
event icmp_unreachable(c: connection, info: icmp_info, code: count, context: icmp_context)
{
print "icmp_unreachable (code=" + fmt("%d", code) + ")";
print " conn_id: " + fmt("%s", c$id);
print " icmp_conn: " + fmt("%s", icmp);
print " icmp_info: " + fmt("%s", info);
print " icmp_context: " + fmt("%s", context);
}
event icmp_packet_too_big(c: connection, icmp: icmp_conn, code: count, context: icmp_context)
event icmp_packet_too_big(c: connection, info: icmp_info, code: count, context: icmp_context)
{
print "icmp_packet_too_big (code=" + fmt("%d", code) + ")";
print " conn_id: " + fmt("%s", c$id);
print " icmp_conn: " + fmt("%s", icmp);
print " icmp_info: " + fmt("%s", info);
print " icmp_context: " + fmt("%s", context);
}
event icmp_time_exceeded(c: connection, icmp: icmp_conn, code: count, context: icmp_context)
event icmp_time_exceeded(c: connection, info: icmp_info, code: count, context: icmp_context)
{
print "icmp_time_exceeded (code=" + fmt("%d", code) + ")";
print " conn_id: " + fmt("%s", c$id);
print " icmp_conn: " + fmt("%s", icmp);
print " icmp_info: " + fmt("%s", info);
print " icmp_context: " + fmt("%s", context);
}
event icmp_parameter_problem(c: connection, icmp: icmp_conn, code: count, context: icmp_context)
event icmp_parameter_problem(c: connection, info: icmp_info, code: count, context: icmp_context)
{
print "icmp_parameter_problem (code=" + fmt("%d", code) + ")";
print " conn_id: " + fmt("%s", c$id);
print " icmp_conn: " + fmt("%s", icmp);
print " icmp_info: " + fmt("%s", info);
print " icmp_context: " + fmt("%s", context);
}
event icmp_redirect(c: connection, icmp: icmp_conn, tgt: addr, dest: addr, options: icmp6_nd_options)
event icmp_redirect(c: connection, info: icmp_info, tgt: addr, dest: addr, options: icmp6_nd_options)
{
print "icmp_redirect (tgt=" + fmt("%s", tgt) + ", dest=" + fmt("%s", dest) + ")";
print " conn_id: " + fmt("%s", c$id);
print " icmp_conn: " + fmt("%s", icmp);
print " icmp_info: " + fmt("%s", info);
print " options: " + fmt("%s", options);
}
event icmp_error_message(c: connection, icmp: icmp_conn, code: count, context: icmp_context)
event icmp_error_message(c: connection, info: icmp_info, code: count, context: icmp_context)
{
print "icmp_error_message (code=" + fmt("%d", code) + ")";
print " conn_id: " + fmt("%s", c$id);
print " icmp_conn: " + fmt("%s", icmp);
print " icmp_info: " + fmt("%s", info);
print " icmp_context: " + fmt("%s", context);
}
event icmp_neighbor_solicitation(c: connection, icmp: icmp_conn, tgt: addr, options: icmp6_nd_options)
event icmp_neighbor_solicitation(c: connection, info: icmp_info, tgt: addr, options: icmp6_nd_options)
{
print "icmp_neighbor_solicitation (tgt=" + fmt("%s", tgt) + ")";
print " conn_id: " + fmt("%s", c$id);
print " icmp_conn: " + fmt("%s", icmp);
print " icmp_info: " + fmt("%s", info);
print " options: " + fmt("%s", options);
}
event icmp_neighbor_advertisement(c: connection, icmp: icmp_conn, router: bool, solicited: bool, override: bool, tgt: addr, options: icmp6_nd_options)
event icmp_neighbor_advertisement(c: connection, info: icmp_info, router: bool, solicited: bool, override: bool, tgt: addr, options: icmp6_nd_options)
{
print "icmp_neighbor_advertisement (tgt=" + fmt("%s", tgt) + ")";
print " router=" + fmt("%s", router);
print " solicited=" + fmt("%s", solicited);
print " override=" + fmt("%s", override);
print " conn_id: " + fmt("%s", c$id);
print " icmp_conn: " + fmt("%s", icmp);
print " icmp_info: " + fmt("%s", info);
print " options: " + fmt("%s", options);
}
event icmp_router_solicitation(c: connection, icmp: icmp_conn, options: icmp6_nd_options)
event icmp_router_solicitation(c: connection, info: icmp_info, options: icmp6_nd_options)
{
print "icmp_router_solicitation";
print " conn_id: " + fmt("%s", c$id);
print " icmp_conn: " + fmt("%s", icmp);
print " icmp_info: " + fmt("%s", info);
print " options: " + fmt("%s", options);
}
event icmp_router_advertisement(c: connection, icmp: icmp_conn, cur_hop_limit: count, managed: bool, other: bool, home_agent: bool, pref: count, proxy: bool, rsv: count, router_lifetime: interval, reachable_time: interval, retrans_timer: interval, options: icmp6_nd_options)
event icmp_router_advertisement(c: connection, info: icmp_info, cur_hop_limit: count, managed: bool, other: bool, home_agent: bool, pref: count, proxy: bool, rsv: count, router_lifetime: interval, reachable_time: interval, retrans_timer: interval, options: icmp6_nd_options)
{
print "icmp_router_advertisement";
print " cur_hop_limit=" + fmt("%s", cur_hop_limit);
@ -123,6 +123,6 @@ event icmp_router_advertisement(c: connection, icmp: icmp_conn, cur_hop_limit: c
print " reachable_time=" + fmt("%s", reachable_time);
print " retrans_timer=" + fmt("%s", retrans_timer);
print " conn_id: " + fmt("%s", c$id);
print " icmp_conn: " + fmt("%s", icmp);
print " icmp_info: " + fmt("%s", info);
print " options: " + fmt("%s", options);
}

6
testing/btest/core/icmp/icmp6-nd-options.test
View file

@ -5,7 +5,7 @@
# @TEST-EXEC: btest-diff output
event icmp_router_advertisement(c: connection, icmp: icmp_conn, cur_hop_limit: count, managed: bool, other: bool, home_agent: bool, pref: count, proxy: bool, rsv: count, router_lifetime: interval, reachable_time: interval, retrans_timer: interval, options: icmp6_nd_options)
event icmp_router_advertisement(c: connection, info: icmp_info, cur_hop_limit: count, managed: bool, other: bool, home_agent: bool, pref: count, proxy: bool, rsv: count, router_lifetime: interval, reachable_time: interval, retrans_timer: interval, options: icmp6_nd_options)
{
print "icmp_router_advertisement options";
for ( o in options )
@ -17,7 +17,7 @@ event icmp_router_advertisement(c: connection, icmp: icmp_conn, cur_hop_limit: c
}
}
event icmp_neighbor_advertisement(c: connection, icmp: icmp_conn, router: bool, solicited: bool, override: bool, tgt: addr, options: icmp6_nd_options)
event icmp_neighbor_advertisement(c: connection, info: icmp_info, router: bool, solicited: bool, override: bool, tgt: addr, options: icmp6_nd_options)
{
print "icmp_neighbor_advertisement options";
for ( o in options )
@ -27,7 +27,7 @@ event icmp_neighbor_advertisement(c: connection, icmp: icmp_conn, router: bool,
}
}
event icmp_redirect(c: connection, icmp: icmp_conn, tgt: addr, dest: addr, options: icmp6_nd_options)
event icmp_redirect(c: connection, info: icmp_info, tgt: addr, dest: addr, options: icmp6_nd_options)
{
print "icmp_redirect options";
for ( o in options )

8
testing/btest/core/icmp/icmp_sent.zeek
View file

@ -1,12 +1,12 @@
# @TEST-EXEC: zeek -b -r $TRACES/icmp/icmp_sent.pcap %INPUT >out
# @TEST-EXEC: btest-diff out
event icmp_sent(c: connection, icmp: icmp_conn)
event icmp_sent(c: connection, info: icmp_info)
{
print "icmp_sent", c$id, icmp;
print "icmp_sent", c$id, info;
}
event icmp_sent_payload(c: connection, icmp: icmp_conn, payload: string)
event icmp_sent_payload(c: connection, info: icmp_info, payload: string)
{
print "icmp_sent_payload", c$id, icmp, |payload|;
print "icmp_sent_payload", c$id, info, |payload|;
}

4
testing/btest/core/tunnels/gre-erspan3-dot1q.zeek
View file

@ -1,12 +1,12 @@
# @TEST-EXEC: zeek -b -r $TRACES/tunnels/gre-erspan3-dot1q.pcap %INPUT > out
# @TEST-EXEC: btest-diff out
event icmp_echo_request(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string)
event icmp_echo_request(c: connection, info: icmp_info, id: count, seq: count, payload: string)
{
print "echo request", id, seq;
}
event icmp_echo_reply(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string)
event icmp_echo_reply(c: connection, info: icmp_info, id: count, seq: count, payload: string)
{
print "echo reply", id, seq;
}

47
testing/btest/language/alternate-prototypes-deprecated-args.zeek Normal file
View file

@ -0,0 +1,47 @@
# @TEST-EXEC: zeek -b %INPUT >out 2>&1
#
# @TEST-EXEC-FAIL: zeek -b %INPUT hide.zeek >hidden-error 2>&1
# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out
# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff hidden-error
global myev: event(a: string, b: string &deprecated="Don't use 'b'", c: string);
global myev: event(a: string, c: string);
global myev: event(a: string, b: string) &deprecated="Don't use this prototype";
event myev(a: string, b: string, c: string) &priority=11
{
print "myev (canon)", a, b, c;
}
event myev(a: string, c: string) &priority = 7
{
local ddd = vector(1,2,3);
print "myev (new)", a, c, ddd;
}
global eee = vector(1,2,3);
event myev(a: string, c: string) &priority = 6
{
for ( o in eee )
print "myev (new)", a, c, o;
}
event myev(a: string, b: string) &priority = 5
{
print "myev (old)", a, b;
}
event zeek_init()
{
event myev("one", "two", "three");
}
@TEST-START-FILE hide.zeek
event myev(a: string, c: string) &priority = 7
{
local ddd = vector(1,2,3);
print "myev (new)", a, c, ddd;
print b;
}
@TEST-END-FILE