Merge remote-tracking branch 'origin/topic/timw/2338-signature-eval-unused'

* origin/topic/timw/2338-signature-eval-unused: Add is_used attribute to an ID if used in a signature eval statement
2025-10-02 14:48:21 +00:00 · 2022-09-06 07:44:18 -07:00 · 2022-09-06 07:44:18 -07:00 · 7cc876d84a
commit 7cc876d84a
parent 875e81883c 0a0dd7143b
6 changed files with 42 additions and 1 deletions
--- a/4
+++ b/4
@ -1,3 +1,7 @@
+5.1.0-dev.489 | 2022-09-06 07:44:18 -0700
+
+  * Add is_used attribute to an ID if used in a signature eval statement (Tim Wojtulewicz, Corelight)
+
 5.1.0-dev.486 | 2022-09-02 13:57:31 -0700

  * Update Management framework to new Supervisor::NodeConfig script fields (Christian Kreibich, Corelight)
--- a/2
+++ b/2
@ -1 +1 @@
-5.1.0-dev.486
+5.1.0-dev.489
--- a/src/RuleCondition.cc
+++ b/src/RuleCondition.cc
@ -180,6 +180,10 @@ RuleConditionEval::RuleConditionEval(const char* func)
 			rules_error("eval function parameters must be a 'signature_state' "
 			            "and a 'string' type",
 			            func);
+
+		std::vector<AttrPtr> attrv{make_intrusive<Attr>(ATTR_IS_USED, nullptr)};
+		id->AddAttrs(
+			make_intrusive<Attributes>(std::move(attrv), id->GetType(), false, id->IsGlobal()));
 		}
 	}

--- a/testing/btest/Baseline/signatures.signature-cond-used/.stderr
+++ b/testing/btest/Baseline/signatures.signature-cond-used/.stderr
@ -0,0 +1 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
--- a/testing/btest/Baseline/signatures.signature-cond-used/.stdout
+++ b/testing/btest/Baseline/signatures.signature-cond-used/.stdout
@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+signature_cond, GET /download/CHANGES.bro-aux.txt HTTP/1.1\x0d\x0aUser-Agent: Wget/1.14 (darwin12.2.0)\x0d\x0aAccept: */*\x0d\x0aHost: bro.org\x0d\x0aConnection: Keep-Alive\x0d\x0a\x0d\x0a
+signature_match, GET, GET /download/CHANGES.bro-aux.txt HTTP/1.1\x0d\x0aUser-Agent: Wget/1.14 (darwin12.2.0)\x0d\x0aAccept: */*\x0d\x0aHost: bro.org\x0d\x0aConnection: Keep-Alive\x0d\x0a\x0d\x0a
--- a/testing/btest/signatures/signature-cond-used.zeek
+++ b/testing/btest/signatures/signature-cond-used.zeek
@ -0,0 +1,29 @@
+# @TEST-DOC: The function signature_cond used for eval in test.sig should not be reported as unused
+# @TEST-EXEC: zeek -b %INPUT -r $TRACES/http/get.trace
+# @TEST-EXEC: btest-diff .stderr
+# @TEST-EXEC: btest-diff .stdout
+module SignatureEvalTest;
+
+@load-sigs ./test.sig
+
+event signature_match(state: signature_state, msg: string, data: string)
+        {
+        print "signature_match", msg, data;
+        }
+
+function signature_cond(state: signature_state, data: string): bool
+        {
+        print "signature_cond", data;
+        return T;
+        }
+
+
+@TEST-START-FILE test.sig
+signature my-first-sig {
+        ip-proto == tcp
+        dst-port == 80
+        payload /GET/
+        event "GET"
+        eval SignatureEvalTest::signature_cond
+}
+@TEST-END-FILE
				`@ -0,0 +1 @@`
				`### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.`