Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Update deprecated BifEvent::generate_* usages

Browse source
This commit is contained in:
Jon Siwek 2020-04-17 18:42:58 -07:00
parent 9b2fb29aca
commit 81517bd703
79 changed files with 1122 additions and 1066 deletions
Download patch file Download diff file Expand all files Collapse all files

2
NEWS
View file

@ -111,6 +111,8 @@ Deprecated Functionality
- ``Analyzer::BuildConnVal()`` is deprecated, use ``Analyzer::ConnVal()``.
- ``BifEvent::generate_`` functions are deprecated, use ``BifEvent::enqueue_``.
Zeek 3.1.0
==========

2
aux/bifcl

@ -1 +1 @@
Subproject commit daf968b2fc34c4316811adb1094f7ca1d68b92bf
Subproject commit 98494503da8177734445c7d0f2d9e1c42a4d610a

38
src/analyzer/protocol/bittorrent/bittorrent-analyzer.pac
View file

@ -61,13 +61,13 @@ flow BitTorrent_Flow(is_orig: bool) {
handshake_ok = true;
if ( ::bittorrent_peer_handshake )
{
BifEvent::generate_bittorrent_peer_handshake(
BifEvent::enqueue_bittorrent_peer_handshake(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(),
bytestring_to_val(reserved),
bytestring_to_val(info_hash),
bytestring_to_val(peer_id));
to_stringval(reserved),
to_stringval(info_hash),
to_stringval(peer_id));
}
connection()->bro_analyzer()->ProtocolConfirmation();
@ -79,7 +79,7 @@ flow BitTorrent_Flow(is_orig: bool) {
%{
if ( ::bittorrent_peer_keep_alive )
{
BifEvent::generate_bittorrent_peer_keep_alive(
BifEvent::enqueue_bittorrent_peer_keep_alive(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig());
@ -92,7 +92,7 @@ flow BitTorrent_Flow(is_orig: bool) {
%{
if ( ::bittorrent_peer_choke )
{
BifEvent::generate_bittorrent_peer_choke(
BifEvent::enqueue_bittorrent_peer_choke(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig());
@ -105,7 +105,7 @@ flow BitTorrent_Flow(is_orig: bool) {
%{
if ( ::bittorrent_peer_unchoke )
{
BifEvent::generate_bittorrent_peer_unchoke(
BifEvent::enqueue_bittorrent_peer_unchoke(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig());
@ -118,7 +118,7 @@ flow BitTorrent_Flow(is_orig: bool) {
%{
if ( ::bittorrent_peer_interested )
{
BifEvent::generate_bittorrent_peer_interested(
BifEvent::enqueue_bittorrent_peer_interested(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig());
@ -131,7 +131,7 @@ flow BitTorrent_Flow(is_orig: bool) {
%{
if ( ::bittorrent_peer_not_interested )
{
BifEvent::generate_bittorrent_peer_not_interested(
BifEvent::enqueue_bittorrent_peer_not_interested(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig());
@ -144,7 +144,7 @@ flow BitTorrent_Flow(is_orig: bool) {
%{
if ( ::bittorrent_peer_have )
{
BifEvent::generate_bittorrent_peer_have(
BifEvent::enqueue_bittorrent_peer_have(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(),
@ -158,11 +158,11 @@ flow BitTorrent_Flow(is_orig: bool) {
%{
if ( ::bittorrent_peer_bitfield )
{
BifEvent::generate_bittorrent_peer_bitfield(
BifEvent::enqueue_bittorrent_peer_bitfield(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(),
bytestring_to_val(bitfield));
to_stringval(bitfield));
}
return true;
@ -173,7 +173,7 @@ flow BitTorrent_Flow(is_orig: bool) {
%{
if ( ::bittorrent_peer_request )
{
BifEvent::generate_bittorrent_peer_request(
BifEvent::enqueue_bittorrent_peer_request(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(),
@ -188,7 +188,7 @@ flow BitTorrent_Flow(is_orig: bool) {
%{
if ( ::bittorrent_peer_piece )
{
BifEvent::generate_bittorrent_peer_piece(
BifEvent::enqueue_bittorrent_peer_piece(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(),
@ -203,7 +203,7 @@ flow BitTorrent_Flow(is_orig: bool) {
%{
if ( ::bittorrent_peer_cancel )
{
BifEvent::generate_bittorrent_peer_cancel(
BifEvent::enqueue_bittorrent_peer_cancel(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(),
@ -217,11 +217,11 @@ flow BitTorrent_Flow(is_orig: bool) {
%{
if ( ::bittorrent_peer_port )
{
BifEvent::generate_bittorrent_peer_port(
BifEvent::enqueue_bittorrent_peer_port(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(),
val_mgr->Port(listen_port, TRANSPORT_TCP)->Ref()->AsPortVal());
val_mgr->Port(listen_port, TRANSPORT_TCP));
}
return true;
@ -231,12 +231,12 @@ flow BitTorrent_Flow(is_orig: bool) {
%{
if ( ::bittorrent_peer_unknown )
{
BifEvent::generate_bittorrent_peer_unknown(
BifEvent::enqueue_bittorrent_peer_unknown(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(),
id,
bytestring_to_val(data));
to_stringval(data));
}
return true;

89
src/analyzer/protocol/dce-rpc/dce_rpc-analyzer.pac
View file

@ -37,12 +37,12 @@ refine connection DCE_RPC_Conn += {
%{
if ( dce_rpc_message )
{
BifEvent::generate_dce_rpc_message(bro_analyzer(),
bro_analyzer()->Conn(),
${header.is_orig},
fid,
${header.PTYPE},
BifType::Enum::DCE_RPC::PType->GetVal(${header.PTYPE}).release());
BifEvent::enqueue_dce_rpc_message(bro_analyzer(),
bro_analyzer()->Conn(),
${header.is_orig},
fid,
${header.PTYPE},
BifType::Enum::DCE_RPC::PType->GetVal(${header.PTYPE}));
}
return true;
%}
@ -51,13 +51,13 @@ refine connection DCE_RPC_Conn += {
%{
if ( dce_rpc_bind )
{
BifEvent::generate_dce_rpc_bind(bro_analyzer(),
bro_analyzer()->Conn(),
fid,
${req.id},
bytestring_to_val(${req.abstract_syntax.uuid}),
${req.abstract_syntax.ver_major},
${req.abstract_syntax.ver_minor});
BifEvent::enqueue_dce_rpc_bind(bro_analyzer(),
bro_analyzer()->Conn(),
fid,
${req.id},
to_stringval(${req.abstract_syntax.uuid}),
${req.abstract_syntax.ver_major},
${req.abstract_syntax.ver_minor});
}
return true;
@ -67,13 +67,13 @@ refine connection DCE_RPC_Conn += {
%{
if ( dce_rpc_alter_context )
{
BifEvent::generate_dce_rpc_alter_context(bro_analyzer(),
bro_analyzer()->Conn(),
fid,
${req.id},
bytestring_to_val(${req.abstract_syntax.uuid}),
${req.abstract_syntax.ver_major},
${req.abstract_syntax.ver_minor});
BifEvent::enqueue_dce_rpc_alter_context(bro_analyzer(),
bro_analyzer()->Conn(),
fid,
${req.id},
to_stringval(${req.abstract_syntax.uuid}),
${req.abstract_syntax.ver_major},
${req.abstract_syntax.ver_minor});
}
return true;
@ -83,22 +83,19 @@ refine connection DCE_RPC_Conn += {
%{
if ( dce_rpc_bind_ack )
{
StringVal *sec_addr;
IntrusivePtr<StringVal> sec_addr;
// Remove the null from the end of the string if it's there.
if ( ${bind.sec_addr}.length() > 0 &&
*(${bind.sec_addr}.begin() + ${bind.sec_addr}.length()) == 0 )
{
sec_addr = new StringVal(${bind.sec_addr}.length()-1, (const char*) ${bind.sec_addr}.begin());
}
sec_addr = make_intrusive<StringVal>(${bind.sec_addr}.length()-1, (const char*) ${bind.sec_addr}.begin());
else
{
sec_addr = new StringVal(${bind.sec_addr}.length(), (const char*) ${bind.sec_addr}.begin());
}
sec_addr = make_intrusive<StringVal>(${bind.sec_addr}.length(), (const char*) ${bind.sec_addr}.begin());
BifEvent::generate_dce_rpc_bind_ack(bro_analyzer(),
bro_analyzer()->Conn(),
fid,
sec_addr);
BifEvent::enqueue_dce_rpc_bind_ack(bro_analyzer(),
bro_analyzer()->Conn(),
fid,
std::move(sec_addr));
}
return true;
%}
@ -107,9 +104,9 @@ refine connection DCE_RPC_Conn += {
%{
if ( dce_rpc_alter_context_resp )
{
BifEvent::generate_dce_rpc_alter_context_resp(bro_analyzer(),
bro_analyzer()->Conn(),
fid);
BifEvent::enqueue_dce_rpc_alter_context_resp(bro_analyzer(),
bro_analyzer()->Conn(),
fid);
}
return true;
%}
@ -118,12 +115,12 @@ refine connection DCE_RPC_Conn += {
%{
if ( dce_rpc_request )
{
BifEvent::generate_dce_rpc_request(bro_analyzer(),
bro_analyzer()->Conn(),
fid,
${req.context_id},
${req.opnum},
${req.stub}.length());
BifEvent::enqueue_dce_rpc_request(bro_analyzer(),
bro_analyzer()->Conn(),
fid,
${req.context_id},
${req.opnum},
${req.stub}.length());
}
set_cont_id_opnum_map(${req.context_id},
@ -135,12 +132,12 @@ refine connection DCE_RPC_Conn += {
%{
if ( dce_rpc_response )
{
BifEvent::generate_dce_rpc_response(bro_analyzer(),
bro_analyzer()->Conn(),
fid,
${resp.context_id},
get_cont_id_opnum_map(${resp.context_id}),
${resp.stub}.length());
BifEvent::enqueue_dce_rpc_response(bro_analyzer(),
bro_analyzer()->Conn(),
fid,
${resp.context_id},
get_cont_id_opnum_map(${resp.context_id}),
${resp.stub}.length());
}
return true;

26
src/analyzer/protocol/dhcp/dhcp-analyzer.pac
View file

@ -1,8 +1,8 @@
refine flow DHCP_Flow += {
%member{
RecordVal* options;
VectorVal* all_options;
IntrusivePtr<RecordVal> options;
IntrusivePtr<VectorVal> all_options;
%}
%init{
@ -11,10 +11,7 @@ refine flow DHCP_Flow += {
%}
%cleanup{
Unref(options);
options = nullptr;
Unref(all_options);
all_options = nullptr;
%}
@ -22,9 +19,9 @@ refine flow DHCP_Flow += {
%{
if ( ! options )
{
options = new RecordVal(BifType::Record::DHCP::Options);
all_options = new VectorVal(index_vec);
options->Assign(0, all_options->Ref());
options = make_intrusive<RecordVal>(BifType::Record::DHCP::Options);
all_options = make_intrusive<VectorVal>(index_vec);
options->Assign(0, all_options);
}
return true;
@ -56,7 +53,7 @@ refine flow DHCP_Flow += {
std::string mac_str = fmt_mac(${msg.chaddr}.data(), ${msg.chaddr}.length());
double secs = static_cast<double>(${msg.secs});
auto dhcp_msg_val = new RecordVal(BifType::Record::DHCP::Msg);
auto dhcp_msg_val = make_intrusive<RecordVal>(BifType::Record::DHCP::Msg);
dhcp_msg_val->Assign(0, val_mgr->Count(${msg.op}));
dhcp_msg_val->Assign(1, val_mgr->Count(${msg.type}));
dhcp_msg_val->Assign(2, val_mgr->Count(${msg.xid}));
@ -94,14 +91,13 @@ refine flow DHCP_Flow += {
init_options();
BifEvent::generate_dhcp_message(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
${msg.is_orig},
dhcp_msg_val,
options);
BifEvent::enqueue_dhcp_message(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
${msg.is_orig},
std::move(dhcp_msg_val),
std::move(options));
options = nullptr;
Unref(all_options);
all_options = nullptr;
}

110
src/analyzer/protocol/dnp3/dnp3-analyzer.pac
View file

@ -29,7 +29,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_header_block )
{
BifEvent::generate_dnp3_header_block(
BifEvent::enqueue_dnp3_header_block(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), len, ctrl, dest_addr, src_addr);
@ -42,11 +42,11 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_application_request_header )
{
BifEvent::generate_dnp3_application_request_header(
BifEvent::enqueue_dnp3_application_request_header(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(),
application_control,
application_control,
fc
);
}
@ -57,7 +57,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_application_response_header )
{
BifEvent::generate_dnp3_application_response_header(
BifEvent::enqueue_dnp3_application_response_header(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(),
@ -73,7 +73,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_object_header )
{
BifEvent::generate_dnp3_object_header(
BifEvent::enqueue_dnp3_object_header(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), obj_type, qua_field, number, rf_low, rf_high);
@ -86,7 +86,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_object_prefix )
{
BifEvent::generate_dnp3_object_prefix(
BifEvent::enqueue_dnp3_object_prefix(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), prefix_value);
@ -99,7 +99,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_response_data_object )
{
BifEvent::generate_dnp3_response_data_object(
BifEvent::enqueue_dnp3_response_data_object(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), data_value);
@ -113,10 +113,10 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_attribute_common )
{
BifEvent::generate_dnp3_attribute_common(
BifEvent::enqueue_dnp3_attribute_common(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), data_type_code, leng, bytestring_to_val(attribute_obj) );
is_orig(), data_type_code, leng, to_stringval(attribute_obj) );
}
return true;
@ -127,7 +127,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_crob )
{
BifEvent::generate_dnp3_crob(
BifEvent::enqueue_dnp3_crob(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), control_code, count8, on_time, off_time, status_code);
@ -141,7 +141,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_pcb )
{
BifEvent::generate_dnp3_pcb(
BifEvent::enqueue_dnp3_pcb(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), control_code, count8, on_time, off_time, status_code);
@ -155,7 +155,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_counter_32wFlag )
{
BifEvent::generate_dnp3_counter_32wFlag(
BifEvent::enqueue_dnp3_counter_32wFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, count_value);
@ -169,7 +169,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_counter_16wFlag )
{
BifEvent::generate_dnp3_counter_16wFlag(
BifEvent::enqueue_dnp3_counter_16wFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, count_value);
@ -183,7 +183,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_counter_32woFlag )
{
BifEvent::generate_dnp3_counter_32woFlag(
BifEvent::enqueue_dnp3_counter_32woFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), count_value);
@ -197,7 +197,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_counter_16woFlag )
{
BifEvent::generate_dnp3_counter_16woFlag(
BifEvent::enqueue_dnp3_counter_16woFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), count_value);
@ -211,7 +211,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_counter_32wFlag )
{
BifEvent::generate_dnp3_frozen_counter_32wFlag(
BifEvent::enqueue_dnp3_frozen_counter_32wFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, count_value);
@ -225,7 +225,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_counter_16wFlag )
{
BifEvent::generate_dnp3_frozen_counter_16wFlag(
BifEvent::enqueue_dnp3_frozen_counter_16wFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, count_value);
@ -239,7 +239,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_counter_32wFlagTime )
{
BifEvent::generate_dnp3_frozen_counter_32wFlagTime(
BifEvent::enqueue_dnp3_frozen_counter_32wFlagTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, count_value, bytestring_to_time(time48));
@ -253,7 +253,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_counter_16wFlagTime )
{
BifEvent::generate_dnp3_frozen_counter_16wFlagTime(
BifEvent::enqueue_dnp3_frozen_counter_16wFlagTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, count_value, bytestring_to_time(time48));
@ -267,7 +267,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_counter_32woFlag )
{
BifEvent::generate_dnp3_frozen_counter_32woFlag(
BifEvent::enqueue_dnp3_frozen_counter_32woFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), count_value);
@ -281,7 +281,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_counter_16woFlag )
{
BifEvent::generate_dnp3_frozen_counter_16woFlag(
BifEvent::enqueue_dnp3_frozen_counter_16woFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), count_value);
@ -295,7 +295,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_analog_input_32wFlag )
{
BifEvent::generate_dnp3_analog_input_32wFlag(
BifEvent::enqueue_dnp3_analog_input_32wFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, value);
@ -309,7 +309,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_analog_input_16wFlag )
{
BifEvent::generate_dnp3_analog_input_16wFlag(
BifEvent::enqueue_dnp3_analog_input_16wFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, value);
@ -323,7 +323,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_analog_input_32woFlag )
{
BifEvent::generate_dnp3_analog_input_32woFlag(
BifEvent::enqueue_dnp3_analog_input_32woFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), value);
@ -337,7 +337,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_analog_input_16woFlag )
{
BifEvent::generate_dnp3_analog_input_16woFlag(
BifEvent::enqueue_dnp3_analog_input_16woFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), value);
@ -351,7 +351,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_analog_input_SPwFlag )
{
BifEvent::generate_dnp3_analog_input_SPwFlag(
BifEvent::enqueue_dnp3_analog_input_SPwFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, value);
@ -365,7 +365,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_analog_input_DPwFlag )
{
BifEvent::generate_dnp3_analog_input_DPwFlag(
BifEvent::enqueue_dnp3_analog_input_DPwFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, value_low, value_high);
@ -379,7 +379,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_analog_input_32wFlag )
{
BifEvent::generate_dnp3_frozen_analog_input_32wFlag(
BifEvent::enqueue_dnp3_frozen_analog_input_32wFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value);
@ -393,7 +393,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_analog_input_16wFlag )
{
BifEvent::generate_dnp3_frozen_analog_input_16wFlag(
BifEvent::enqueue_dnp3_frozen_analog_input_16wFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value);
@ -407,7 +407,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_analog_input_32wTime )
{
BifEvent::generate_dnp3_frozen_analog_input_32wTime(
BifEvent::enqueue_dnp3_frozen_analog_input_32wTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value, bytestring_to_time(time48));
@ -421,7 +421,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_analog_input_16wTime )
{
BifEvent::generate_dnp3_frozen_analog_input_16wTime(
BifEvent::enqueue_dnp3_frozen_analog_input_16wTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value, bytestring_to_time(time48));
@ -435,7 +435,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_analog_input_32woFlag )
{
BifEvent::generate_dnp3_frozen_analog_input_32woFlag(
BifEvent::enqueue_dnp3_frozen_analog_input_32woFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), frozen_value);
@ -449,7 +449,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_analog_input_16woFlag )
{
BifEvent::generate_dnp3_frozen_analog_input_16woFlag(
BifEvent::enqueue_dnp3_frozen_analog_input_16woFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), frozen_value);
@ -463,7 +463,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_analog_input_SPwFlag )
{
BifEvent::generate_dnp3_frozen_analog_input_SPwFlag(
BifEvent::enqueue_dnp3_frozen_analog_input_SPwFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value);
@ -477,7 +477,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_analog_input_DPwFlag )
{
BifEvent::generate_dnp3_frozen_analog_input_DPwFlag(
BifEvent::enqueue_dnp3_frozen_analog_input_DPwFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value_low, frozen_value_high);
@ -491,7 +491,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_analog_input_event_32woTime )
{
BifEvent::generate_dnp3_analog_input_event_32woTime(
BifEvent::enqueue_dnp3_analog_input_event_32woTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, value);
@ -505,7 +505,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_analog_input_event_16woTime )
{
BifEvent::generate_dnp3_analog_input_event_16woTime(
BifEvent::enqueue_dnp3_analog_input_event_16woTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, value);
@ -519,7 +519,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_analog_input_event_32wTime )
{
BifEvent::generate_dnp3_analog_input_event_32wTime(
BifEvent::enqueue_dnp3_analog_input_event_32wTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, value, bytestring_to_time(time48));
@ -533,7 +533,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_analog_input_event_16wTime )
{
BifEvent::generate_dnp3_analog_input_event_16wTime(
BifEvent::enqueue_dnp3_analog_input_event_16wTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, value, bytestring_to_time(time48));
@ -547,7 +547,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_analog_input_event_SPwoTime )
{
BifEvent::generate_dnp3_analog_input_event_SPwoTime(
BifEvent::enqueue_dnp3_analog_input_event_SPwoTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, value);
@ -561,7 +561,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_analog_input_event_DPwoTime )
{
BifEvent::generate_dnp3_analog_input_event_DPwoTime(
BifEvent::enqueue_dnp3_analog_input_event_DPwoTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, value_low, value_high);
@ -575,7 +575,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_analog_input_event_SPwTime )
{
BifEvent::generate_dnp3_analog_input_event_SPwTime(
BifEvent::enqueue_dnp3_analog_input_event_SPwTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, value, bytestring_to_time(time48));
@ -589,7 +589,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_analog_input_event_DPwTime )
{
BifEvent::generate_dnp3_analog_input_event_DPwTime(
BifEvent::enqueue_dnp3_analog_input_event_DPwTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, value_low, value_high, bytestring_to_time(time48));
@ -603,7 +603,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_analog_input_event_32woTime )
{
BifEvent::generate_dnp3_frozen_analog_input_event_32woTime(
BifEvent::enqueue_dnp3_frozen_analog_input_event_32woTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value);
@ -617,7 +617,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_analog_input_event_16woTime )
{
BifEvent::generate_dnp3_frozen_analog_input_event_16woTime(
BifEvent::enqueue_dnp3_frozen_analog_input_event_16woTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value);
@ -631,7 +631,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_analog_input_event_32wTime )
{
BifEvent::generate_dnp3_frozen_analog_input_event_32wTime(
BifEvent::enqueue_dnp3_frozen_analog_input_event_32wTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value, bytestring_to_time(time48));
@ -645,7 +645,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_analog_input_event_16wTime )
{
BifEvent::generate_dnp3_frozen_analog_input_event_16wTime(
BifEvent::enqueue_dnp3_frozen_analog_input_event_16wTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value, bytestring_to_time(time48));
@ -659,7 +659,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_analog_input_event_SPwoTime )
{
BifEvent::generate_dnp3_frozen_analog_input_event_SPwoTime(
BifEvent::enqueue_dnp3_frozen_analog_input_event_SPwoTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value);
@ -673,7 +673,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_analog_input_event_DPwoTime )
{
BifEvent::generate_dnp3_frozen_analog_input_event_DPwoTime(
BifEvent::enqueue_dnp3_frozen_analog_input_event_DPwoTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value_low, frozen_value_high);
@ -687,7 +687,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_analog_input_event_SPwTime )
{
BifEvent::generate_dnp3_frozen_analog_input_event_SPwTime(
BifEvent::enqueue_dnp3_frozen_analog_input_event_SPwTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value, bytestring_to_time(time48));
@ -701,7 +701,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_analog_input_event_DPwTime )
{
BifEvent::generate_dnp3_frozen_analog_input_event_DPwTime(
BifEvent::enqueue_dnp3_frozen_analog_input_event_DPwTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value_low, frozen_value_high, bytestring_to_time(time48));
@ -715,10 +715,10 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_file_transport )
{
BifEvent::generate_dnp3_file_transport(
BifEvent::enqueue_dnp3_file_transport(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), file_handle, block_num, bytestring_to_val(file_data));
is_orig(), file_handle, block_num, to_stringval(file_data));
}
return true;
@ -729,10 +729,10 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_debug_byte )
{
BifEvent::generate_dnp3_debug_byte (
BifEvent::enqueue_dnp3_debug_byte (
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), bytestring_to_val(debug));
is_orig(), to_stringval(debug));
}
return true;

6
src/analyzer/protocol/gssapi/gssapi-analyzer.pac
View file

@ -61,9 +61,9 @@ refine connection GSSAPI_Conn += {
%{
if ( gssapi_neg_result )
{
BifEvent::generate_gssapi_neg_result(bro_analyzer(),
bro_analyzer()->Conn(),
binary_to_int64(${val.neg_state.encoding.content}));
BifEvent::enqueue_gssapi_neg_result(bro_analyzer(),
bro_analyzer()->Conn(),
binary_to_int64(${val.neg_state.encoding.content}));
}
return true;

46
src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac
View file

@ -4,9 +4,9 @@
%}
%code{
RecordVal* BuildGTPv1Hdr(const GTPv1_Header* pdu)
IntrusivePtr<RecordVal> BuildGTPv1Hdr(const GTPv1_Header* pdu)
{
RecordVal* rv = new RecordVal(BifType::Record::gtpv1_hdr);
auto rv = make_intrusive<RecordVal>(BifType::Record::gtpv1_hdr);
rv->Assign(0, val_mgr->Count(pdu->version()));
rv->Assign(1, val_mgr->Bool(pdu->pt_flag()));
@ -237,7 +237,7 @@ void CreatePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
{
if ( ! ::gtpv1_create_pdp_ctx_request ) return;
RecordVal* rv = new RecordVal(
auto rv = make_intrusive<RecordVal>(
BifType::Record::gtp_create_pdp_ctx_request_elements);
const vector<InformationElement *> * v = pdu->create_pdp_ctx_request();
@ -328,8 +328,8 @@ void CreatePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
}
}
BifEvent::generate_gtpv1_create_pdp_ctx_request(a, a->Conn(),
BuildGTPv1Hdr(pdu), rv);
BifEvent::enqueue_gtpv1_create_pdp_ctx_request(a, a->Conn(),
BuildGTPv1Hdr(pdu), std::move(rv));
}
void CreatePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
@ -337,7 +337,7 @@ void CreatePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
if ( ! ::gtpv1_create_pdp_ctx_response )
return;
RecordVal* rv = new RecordVal(
auto rv = make_intrusive<RecordVal>(
BifType::Record::gtp_create_pdp_ctx_response_elements);
const vector<InformationElement *> * v = pdu->create_pdp_ctx_response();
@ -397,8 +397,8 @@ void CreatePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
}
}
BifEvent::generate_gtpv1_create_pdp_ctx_response(a, a->Conn(),
BuildGTPv1Hdr(pdu), rv);
BifEvent::enqueue_gtpv1_create_pdp_ctx_response(a, a->Conn(),
BuildGTPv1Hdr(pdu), std::move(rv));
}
void UpdatePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
@ -406,7 +406,7 @@ void UpdatePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
if ( ! ::gtpv1_update_pdp_ctx_request )
return;
RecordVal* rv = new RecordVal(
auto rv = make_intrusive<RecordVal>(
BifType::Record::gtp_update_pdp_ctx_request_elements);
const vector<InformationElement *> * v = pdu->update_pdp_ctx_request();
@ -475,8 +475,8 @@ void UpdatePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
}
}
BifEvent::generate_gtpv1_update_pdp_ctx_request(a, a->Conn(),
BuildGTPv1Hdr(pdu), rv);
BifEvent::enqueue_gtpv1_update_pdp_ctx_request(a, a->Conn(),
BuildGTPv1Hdr(pdu), std::move(rv));
}
void UpdatePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
@ -484,7 +484,7 @@ void UpdatePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
if ( ! ::gtpv1_update_pdp_ctx_response )
return;
RecordVal* rv = new RecordVal(
auto rv = make_intrusive<RecordVal>(
BifType::Record::gtp_update_pdp_ctx_response_elements);
const vector<InformationElement *> * v = pdu->update_pdp_ctx_response();
@ -535,8 +535,8 @@ void UpdatePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
}
}
BifEvent::generate_gtpv1_update_pdp_ctx_response(a, a->Conn(),
BuildGTPv1Hdr(pdu), rv);
BifEvent::enqueue_gtpv1_update_pdp_ctx_response(a, a->Conn(),
BuildGTPv1Hdr(pdu), std::move(rv));
}
void DeletePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
@ -544,7 +544,7 @@ void DeletePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
if ( ! ::gtpv1_delete_pdp_ctx_request )
return;
RecordVal* rv = new RecordVal(
auto rv = make_intrusive<RecordVal>(
BifType::Record::gtp_delete_pdp_ctx_request_elements);
const vector<InformationElement *> * v = pdu->delete_pdp_ctx_request();
@ -569,8 +569,8 @@ void DeletePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
}
}
BifEvent::generate_gtpv1_delete_pdp_ctx_request(a, a->Conn(),
BuildGTPv1Hdr(pdu), rv);
BifEvent::enqueue_gtpv1_delete_pdp_ctx_request(a, a->Conn(),
BuildGTPv1Hdr(pdu), std::move(rv));
}
void DeletePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
@ -578,7 +578,7 @@ void DeletePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
if ( ! ::gtpv1_delete_pdp_ctx_response )
return;
RecordVal* rv = new RecordVal(
auto rv = make_intrusive<RecordVal>(
BifType::Record::gtp_delete_pdp_ctx_response_elements);
const vector<InformationElement *> * v = pdu->delete_pdp_ctx_response();
@ -600,8 +600,8 @@ void DeletePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
}
}
BifEvent::generate_gtpv1_delete_pdp_ctx_response(a, a->Conn(),
BuildGTPv1Hdr(pdu), rv);
BifEvent::enqueue_gtpv1_delete_pdp_ctx_response(a, a->Conn(),
BuildGTPv1Hdr(pdu), std::move(rv));
}
%}
@ -679,7 +679,7 @@ flow GTPv1_Flow(is_orig: bool)
}
if ( ::gtpv1_message )
BifEvent::generate_gtpv1_message(a, c, BuildGTPv1Hdr(pdu));
BifEvent::enqueue_gtpv1_message(a, c, BuildGTPv1Hdr(pdu));
switch ( ${pdu.msg_type} ) {
case 16:
@ -759,8 +759,8 @@ flow GTPv1_Flow(is_orig: bool)
}
if ( ::gtpv1_g_pdu_packet )
BifEvent::generate_gtpv1_g_pdu_packet(a, c, BuildGTPv1Hdr(pdu),
inner->BuildPktHdrVal());
BifEvent::enqueue_gtpv1_g_pdu_packet(a, c, BuildGTPv1Hdr(pdu),
{AdoptRef{}, inner->BuildPktHdrVal()});
EncapsulatingConn ec(c, BifEnum::Tunnel::GTPv1);

7
src/analyzer/protocol/imap/imap-analyzer.pac
View file

@ -45,7 +45,7 @@ refine connection IMAP_Conn += {
bro_analyzer()->StartTLS();
if ( imap_starttls )
BifEvent::generate_imap_starttls(bro_analyzer(), bro_analyzer()->Conn());
BifEvent::enqueue_imap_starttls(bro_analyzer(), bro_analyzer()->Conn());
}
else
reporter->Weird(bro_analyzer()->Conn(), "IMAP: server refused StartTLS");
@ -59,14 +59,15 @@ refine connection IMAP_Conn += {
if ( ! imap_capabilities )
return true;
VectorVal* capv = new VectorVal(internal_type("string_vec")->AsVectorType());
auto capv = make_intrusive<VectorVal>(internal_type("string_vec")->AsVectorType());
for ( unsigned int i = 0; i< capabilities->size(); i++ )
{
const bytestring& capability = (*capabilities)[i]->cap();
capv->Assign(i, make_intrusive<StringVal>(capability.length(), (const char*)capability.data()));
}
BifEvent::generate_imap_capabilities(bro_analyzer(), bro_analyzer()->Conn(), capv);
BifEvent::enqueue_imap_capabilities(bro_analyzer(), bro_analyzer()->Conn(), std::move(capv));
return true;
%}

42
src/analyzer/protocol/krb/krb-analyzer.pac
View file

@ -180,7 +180,7 @@ refine connection KRB_Conn += {
return false;
RecordVal* rv = proc_krb_kdc_req_arguments(${msg}, bro_analyzer());
BifEvent::generate_krb_as_request(bro_analyzer(), bro_analyzer()->Conn(), rv);
BifEvent::enqueue_krb_as_request(bro_analyzer(), bro_analyzer()->Conn(), {AdoptRef{}, rv});
return true;
}
@ -190,7 +190,7 @@ refine connection KRB_Conn += {
return false;
RecordVal* rv = proc_krb_kdc_req_arguments(${msg}, bro_analyzer());
BifEvent::generate_krb_tgs_request(bro_analyzer(), bro_analyzer()->Conn(), rv);
BifEvent::enqueue_krb_tgs_request(bro_analyzer(), bro_analyzer()->Conn(), {AdoptRef{}, rv});
return true;
}
@ -201,9 +201,9 @@ refine connection KRB_Conn += {
%{
bro_analyzer()->ProtocolConfirmation();
auto msg_type = binary_to_int64(${msg.msg_type.data.content});
auto make_arg = [this, msg]() -> RecordVal*
auto make_arg = [this, msg]() -> IntrusivePtr<RecordVal>
{
RecordVal* rv = new RecordVal(BifType::Record::KRB::KDC_Response);
auto rv = make_intrusive<RecordVal>(BifType::Record::KRB::KDC_Response);
rv->Assign(0, asn1_integer_to_val(${msg.pvno.data}, TYPE_COUNT));
rv->Assign(1, asn1_integer_to_val(${msg.msg_type.data}, TYPE_COUNT));
@ -223,7 +223,7 @@ refine connection KRB_Conn += {
if ( ! krb_as_response )
return false;
BifEvent::generate_krb_as_response(bro_analyzer(), bro_analyzer()->Conn(), make_arg());
BifEvent::enqueue_krb_as_response(bro_analyzer(), bro_analyzer()->Conn(), make_arg());
return true;
}
@ -232,7 +232,7 @@ refine connection KRB_Conn += {
if ( ! krb_tgs_response )
return false;
BifEvent::generate_krb_tgs_response(bro_analyzer(), bro_analyzer()->Conn(), make_arg());
BifEvent::enqueue_krb_tgs_response(bro_analyzer(), bro_analyzer()->Conn(), make_arg());
return true;
}
@ -244,11 +244,11 @@ refine connection KRB_Conn += {
bro_analyzer()->ProtocolConfirmation();
if ( krb_error )
{
RecordVal* rv = new RecordVal(BifType::Record::KRB::Error_Msg);
proc_error_arguments(rv, ${msg.args1}, 0);
auto rv = make_intrusive<RecordVal>(BifType::Record::KRB::Error_Msg);
proc_error_arguments(rv.get(), ${msg.args1}, 0);
rv->Assign(4, asn1_integer_to_val(${msg.error_code}, TYPE_COUNT));
proc_error_arguments(rv, ${msg.args2}, binary_to_int64(${msg.error_code.encoding.content}));
BifEvent::generate_krb_error(bro_analyzer(), bro_analyzer()->Conn(), rv);
proc_error_arguments(rv.get(), ${msg.args2}, binary_to_int64(${msg.error_code.encoding.content}));
BifEvent::enqueue_krb_error(bro_analyzer(), bro_analyzer()->Conn(), std::move(rv));
}
return true;
%}
@ -258,16 +258,18 @@ refine connection KRB_Conn += {
bro_analyzer()->ProtocolConfirmation();
if ( krb_ap_request )
{
RecordVal* rv = new RecordVal(BifType::Record::KRB::AP_Options);
auto rv = make_intrusive<RecordVal>(BifType::Record::KRB::AP_Options);
rv->Assign(0, val_mgr->Bool(${msg.ap_options.use_session_key}));
rv->Assign(1, val_mgr->Bool(${msg.ap_options.mutual_required}));
RecordVal* rvticket = proc_ticket(${msg.ticket});
auto rvticket = proc_ticket(${msg.ticket});
auto authenticationinfo = bro_analyzer()->GetAuthenticationInfo(rvticket->Lookup(2)->AsString(), rvticket->Lookup(4)->AsString(), rvticket->Lookup(3)->AsCount());
if ( authenticationinfo )
rvticket->Assign(5, authenticationinfo);
BifEvent::generate_krb_ap_request(bro_analyzer(), bro_analyzer()->Conn(),
rvticket, rv);
BifEvent::enqueue_krb_ap_request(bro_analyzer(), bro_analyzer()->Conn(),
std::move(rvticket), std::move(rv));
}
return true;
%}
@ -277,7 +279,7 @@ refine connection KRB_Conn += {
bro_analyzer()->ProtocolConfirmation();
if ( krb_ap_response )
{
BifEvent::generate_krb_ap_response(bro_analyzer(), bro_analyzer()->Conn());
BifEvent::enqueue_krb_ap_response(bro_analyzer(), bro_analyzer()->Conn());
}
return true;
%}
@ -287,7 +289,7 @@ refine connection KRB_Conn += {
bro_analyzer()->ProtocolConfirmation();
if ( krb_safe )
{
RecordVal* rv = new RecordVal(BifType::Record::KRB::SAFE_Msg);
auto rv = make_intrusive<RecordVal>(BifType::Record::KRB::SAFE_Msg);
rv->Assign(0, asn1_integer_to_val(${msg.pvno.data}, TYPE_COUNT));
rv->Assign(1, asn1_integer_to_val(${msg.msg_type.data}, TYPE_COUNT));
@ -335,7 +337,7 @@ refine connection KRB_Conn += {
break;
}
}
BifEvent::generate_krb_safe(bro_analyzer(), bro_analyzer()->Conn(), ${msg.is_orig}, rv);
BifEvent::enqueue_krb_safe(bro_analyzer(), bro_analyzer()->Conn(), ${msg.is_orig}, std::move(rv));
}
return true;
%}
@ -345,7 +347,7 @@ refine connection KRB_Conn += {
bro_analyzer()->ProtocolConfirmation();
if ( krb_priv )
{
BifEvent::generate_krb_priv(bro_analyzer(), bro_analyzer()->Conn(), ${msg.is_orig});
BifEvent::enqueue_krb_priv(bro_analyzer(), bro_analyzer()->Conn(), ${msg.is_orig});
}
return true;
%}
@ -355,8 +357,8 @@ refine connection KRB_Conn += {
bro_analyzer()->ProtocolConfirmation();
if ( krb_cred )
{
BifEvent::generate_krb_cred(bro_analyzer(), bro_analyzer()->Conn(), ${msg.is_orig},
proc_tickets(${msg.tickets}));
BifEvent::enqueue_krb_cred(bro_analyzer(), bro_analyzer()->Conn(), ${msg.is_orig},
proc_tickets(${msg.tickets}));
}
return true;

21
src/analyzer/protocol/krb/krb-types.pac
View file

@ -8,8 +8,8 @@ VectorVal* proc_cipher_list(const Array* list);
VectorVal* proc_host_address_list(const BroAnalyzer a, const KRB_Host_Addresses* list);
RecordVal* proc_host_address(const BroAnalyzer a, const KRB_Host_Address* addr);
VectorVal* proc_tickets(const KRB_Ticket_Sequence* list);
RecordVal* proc_ticket(const KRB_Ticket* ticket);
IntrusivePtr<VectorVal> proc_tickets(const KRB_Ticket_Sequence* list);
IntrusivePtr<RecordVal> proc_ticket(const KRB_Ticket* ticket);
%}
%code{
@ -92,9 +92,10 @@ RecordVal* proc_host_address(const BroAnalyzer a, const KRB_Host_Address* addr)
return rv;
}
VectorVal* proc_tickets(const KRB_Ticket_Sequence* list)
{
VectorVal* tickets = new VectorVal(internal_type("KRB::Ticket_Vector")->AsVectorType());
IntrusivePtr<VectorVal> proc_tickets(const KRB_Ticket_Sequence* list)
{
auto tickets = make_intrusive<VectorVal>(internal_type("KRB::Ticket_Vector")->AsVectorType());
for ( uint i = 0; i < list->tickets()->size(); ++i )
{
KRB_Ticket* element = (*list->tickets())[i];
@ -102,11 +103,11 @@ VectorVal* proc_tickets(const KRB_Ticket_Sequence* list)
}
return tickets;
}
}
RecordVal* proc_ticket(const KRB_Ticket* ticket)
{
RecordVal* rv = new RecordVal(BifType::Record::KRB::Ticket);
IntrusivePtr<RecordVal> proc_ticket(const KRB_Ticket* ticket)
{
auto rv = make_intrusive<RecordVal>(BifType::Record::KRB::Ticket);
rv->Assign(0, asn1_integer_to_val(ticket->tkt_vno()->data(), TYPE_COUNT));
rv->Assign(1, bytestring_to_val(ticket->realm()->data()->content()));
@ -115,7 +116,7 @@ RecordVal* proc_ticket(const KRB_Ticket* ticket)
rv->Assign(4, bytestring_to_val(ticket->enc_part()->data()->ciphertext()->encoding()->content()));
return rv;
}
}
%}
type KRB_Principal_Name = record {

281
src/analyzer/protocol/modbus/modbus-analyzer.pac
View file

@ -8,15 +8,16 @@
#
%header{
VectorVal* bytestring_to_coils(const bytestring& coils, uint quantity);
RecordVal* HeaderToBro(ModbusTCP_TransportHeader *header);
VectorVal* create_vector_of_count();
IntrusivePtr<VectorVal> bytestring_to_coils(const bytestring& coils, uint quantity);
IntrusivePtr<RecordVal> HeaderToVal(ModbusTCP_TransportHeader* header);
IntrusivePtr<VectorVal> create_vector_of_count();
%}
%code{
VectorVal* bytestring_to_coils(const bytestring& coils, uint quantity)
IntrusivePtr<VectorVal> bytestring_to_coils(const bytestring& coils, uint quantity)
{
VectorVal* modbus_coils = new VectorVal(BifType::Vector::ModbusCoils);
auto modbus_coils = make_intrusive<VectorVal>(BifType::Vector::ModbusCoils);
for ( uint i = 0; i < quantity; i++ )
{
char currentCoil = (coils[i/8] >> (i % 8)) % 2;
@ -26,9 +27,9 @@
return modbus_coils;
}
RecordVal* HeaderToBro(ModbusTCP_TransportHeader *header)
IntrusivePtr<RecordVal> HeaderToVal(ModbusTCP_TransportHeader* header)
{
RecordVal* modbus_header = new RecordVal(BifType::Record::ModbusHeaders);
auto modbus_header = make_intrusive<RecordVal>(BifType::Record::ModbusHeaders);
modbus_header->Assign(0, val_mgr->Count(header->tid()));
modbus_header->Assign(1, val_mgr->Count(header->pid()));
modbus_header->Assign(2, val_mgr->Count(header->uid()));
@ -36,11 +37,10 @@
return modbus_header;
}
VectorVal* create_vector_of_count()
IntrusivePtr<VectorVal> create_vector_of_count()
{
VectorType* vt = new VectorType(base_type(TYPE_COUNT));
VectorVal* vv = new VectorVal(vt);
Unref(vt);
auto vt = make_intrusive<VectorType>(base_type(TYPE_COUNT));
auto vv = make_intrusive<VectorVal>(vt.get());
return vv;
}
@ -88,10 +88,10 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_message )
{
BifEvent::generate_modbus_message(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
is_orig());
BifEvent::enqueue_modbus_message(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
is_orig());
}
return true;
@ -117,10 +117,10 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_exception )
{
BifEvent::generate_modbus_exception(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
${message.code});
BifEvent::enqueue_modbus_exception(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
${message.code});
}
return true;
@ -131,11 +131,11 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_read_coils_request )
{
BifEvent::generate_modbus_read_coils_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
${message.start_address},
${message.quantity});
BifEvent::enqueue_modbus_read_coils_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
${message.start_address},
${message.quantity});
}
return true;
@ -146,10 +146,10 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_read_coils_response )
{
BifEvent::generate_modbus_read_coils_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
bytestring_to_coils(${message.bits}, ${message.bits}.length()*8));
BifEvent::enqueue_modbus_read_coils_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
bytestring_to_coils(${message.bits}, ${message.bits}.length()*8));
}
return true;
%}
@ -159,10 +159,10 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_read_discrete_inputs_request )
{
BifEvent::generate_modbus_read_discrete_inputs_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
${message.start_address}, ${message.quantity});
BifEvent::enqueue_modbus_read_discrete_inputs_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
${message.start_address}, ${message.quantity});
}
return true;
@ -173,10 +173,10 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_read_discrete_inputs_response )
{
BifEvent::generate_modbus_read_discrete_inputs_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
bytestring_to_coils(${message.bits}, ${message.bits}.length()*8));
BifEvent::enqueue_modbus_read_discrete_inputs_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
bytestring_to_coils(${message.bits}, ${message.bits}.length()*8));
}
return true;
@ -188,10 +188,10 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_read_holding_registers_request )
{
BifEvent::generate_modbus_read_holding_registers_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
${message.start_address}, ${message.quantity});
BifEvent::enqueue_modbus_read_holding_registers_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
${message.start_address}, ${message.quantity});
}
return true;
@ -209,18 +209,18 @@ refine flow ModbusTCP_Flow += {
if ( ::modbus_read_holding_registers_response )
{
auto t = make_intrusive<VectorVal>(BifType::Vector::ModbusRegisters);
VectorVal* t = new VectorVal(BifType::Vector::ModbusRegisters);
for ( unsigned int i=0; i < ${message.registers}->size(); ++i )
{
auto r = val_mgr->Count(${message.registers[i]});
t->Assign(i, r);
}
BifEvent::generate_modbus_read_holding_registers_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
t);
BifEvent::enqueue_modbus_read_holding_registers_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
std::move(t));
}
return true;
@ -232,10 +232,10 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_read_input_registers_request )
{
BifEvent::generate_modbus_read_input_registers_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
${message.start_address}, ${message.quantity});
BifEvent::enqueue_modbus_read_input_registers_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
${message.start_address}, ${message.quantity});
}
return true;
@ -253,17 +253,18 @@ refine flow ModbusTCP_Flow += {
if ( ::modbus_read_input_registers_response )
{
VectorVal* t = new VectorVal(BifType::Vector::ModbusRegisters);
auto t = make_intrusive<VectorVal>(BifType::Vector::ModbusRegisters);
for ( unsigned int i=0; i < (${message.registers})->size(); ++i )
{
auto r = val_mgr->Count(${message.registers[i]});
t->Assign(i, r);
}
BifEvent::generate_modbus_read_input_registers_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
t);
BifEvent::enqueue_modbus_read_input_registers_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
std::move(t));
}
return true;
@ -287,11 +288,11 @@ refine flow ModbusTCP_Flow += {
return false;
}
BifEvent::generate_modbus_write_single_coil_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
${message.address},
val);
BifEvent::enqueue_modbus_write_single_coil_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
${message.address},
val);
}
return true;
@ -314,11 +315,11 @@ refine flow ModbusTCP_Flow += {
return false;
}
BifEvent::generate_modbus_write_single_coil_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
${message.address},
val);
BifEvent::enqueue_modbus_write_single_coil_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
${message.address},
val);
}
return true;
@ -330,10 +331,10 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_write_single_register_request )
{
BifEvent::generate_modbus_write_single_register_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
${message.address}, ${message.value});
BifEvent::enqueue_modbus_write_single_register_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
${message.address}, ${message.value});
}
return true;
@ -344,10 +345,10 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_write_single_register_response )
{
BifEvent::generate_modbus_write_single_register_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
${message.address}, ${message.value});
BifEvent::enqueue_modbus_write_single_register_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
${message.address}, ${message.value});
}
return true;
@ -359,11 +360,11 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_write_multiple_coils_request )
{
BifEvent::generate_modbus_write_multiple_coils_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
${message.start_address},
bytestring_to_coils(${message.coils}, ${message.quantity}));
BifEvent::enqueue_modbus_write_multiple_coils_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
${message.start_address},
bytestring_to_coils(${message.coils}, ${message.quantity}));
}
return true;
@ -374,10 +375,10 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_write_multiple_coils_response )
{
BifEvent::generate_modbus_write_multiple_coils_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
${message.start_address}, ${message.quantity});
BifEvent::enqueue_modbus_write_multiple_coils_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
${message.start_address}, ${message.quantity});
}
return true;
@ -396,17 +397,18 @@ refine flow ModbusTCP_Flow += {
if ( ::modbus_write_multiple_registers_request )
{
VectorVal * t = new VectorVal(BifType::Vector::ModbusRegisters);
auto t = make_intrusive<VectorVal>(BifType::Vector::ModbusRegisters);
for ( unsigned int i = 0; i < (${message.registers}->size()); ++i )
{
auto r = val_mgr->Count(${message.registers[i]});
t->Assign(i, r);
}
BifEvent::generate_modbus_write_multiple_registers_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
${message.start_address}, t);
BifEvent::enqueue_modbus_write_multiple_registers_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
${message.start_address}, std::move(t));
}
return true;
@ -417,10 +419,10 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_write_multiple_registers_response )
{
BifEvent::generate_modbus_write_multiple_registers_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
${message.start_address}, ${message.quantity});
BifEvent::enqueue_modbus_write_multiple_registers_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
${message.start_address}, ${message.quantity});
}
return true;
@ -432,7 +434,7 @@ refine flow ModbusTCP_Flow += {
if ( ::modbus_read_file_record_request )
{
//TODO: this need to be a vector of some Reference Request record type
//VectorVal *t = create_vector_of_count();
//auto t = create_vector_of_count();
//for ( unsigned int i = 0; i < (${message.references}->size()); ++i )
// {
// auto r = val_mgr->Count((${message.references[i].ref_type}));
@ -445,9 +447,9 @@ refine flow ModbusTCP_Flow += {
// t->Assign(i, l);
// }
BifEvent::generate_modbus_read_file_record_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header));
BifEvent::enqueue_modbus_read_file_record_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header));
}
return true;
@ -458,7 +460,7 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_read_file_record_response )
{
//VectorVal *t = create_vector_of_count();
//auto t = create_vector_of_count();
//for ( unsigned int i = 0; i < ${message.references}->size(); ++i )
// {
// //TODO: work the reference type in here somewhere
@ -466,9 +468,9 @@ refine flow ModbusTCP_Flow += {
// t->Assign(i, r);
// }
BifEvent::generate_modbus_read_file_record_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header));
BifEvent::enqueue_modbus_read_file_record_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header));
}
return true;
@ -479,7 +481,7 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_write_file_record_request )
{
//VectorVal* t = create_vector_of_count();
//auto t = create_vector_of_count();
//for ( unsigned int i = 0; i < (${message.references}->size()); ++i )
// {
// auto r = val_mgr->Count((${message.references[i].ref_type}));
@ -498,9 +500,9 @@ refine flow ModbusTCP_Flow += {
// }
// }
BifEvent::generate_modbus_write_file_record_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header));
BifEvent::enqueue_modbus_write_file_record_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header));
}
return true;
@ -512,7 +514,7 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_write_file_record_response )
{
//VectorVal* t = create_vector_of_count();
//auto t = create_vector_of_count();
//for ( unsigned int i = 0; i < (${messages.references}->size()); ++i )
// {
// auto r = val_mgr->Count((${message.references[i].ref_type}));
@ -530,9 +532,9 @@ refine flow ModbusTCP_Flow += {
// t->Assign(i, k);
// }
BifEvent::generate_modbus_write_file_record_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header));
BifEvent::enqueue_modbus_write_file_record_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header));
}
return true;
@ -543,11 +545,11 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_mask_write_register_request )
{
BifEvent::generate_modbus_mask_write_register_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
${message.address},
${message.and_mask}, ${message.or_mask});
BifEvent::enqueue_modbus_mask_write_register_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
${message.address},
${message.and_mask}, ${message.or_mask});
}
return true;
@ -558,11 +560,11 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_mask_write_register_response )
{
BifEvent::generate_modbus_mask_write_register_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
${message.address},
${message.and_mask}, ${message.or_mask});
BifEvent::enqueue_modbus_mask_write_register_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
${message.address},
${message.and_mask}, ${message.or_mask});
}
return true;
@ -580,20 +582,21 @@ refine flow ModbusTCP_Flow += {
if ( ::modbus_read_write_multiple_registers_request )
{
VectorVal* t = new VectorVal(BifType::Vector::ModbusRegisters);
auto t = make_intrusive<VectorVal>(BifType::Vector::ModbusRegisters);
for ( unsigned int i = 0; i < ${message.write_register_values}->size(); ++i )
{
auto r = val_mgr->Count(${message.write_register_values[i]});
t->Assign(i, r);
}
BifEvent::generate_modbus_read_write_multiple_registers_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
${message.read_start_address},
${message.read_quantity},
${message.write_start_address},
t);
BifEvent::enqueue_modbus_read_write_multiple_registers_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
${message.read_start_address},
${message.read_quantity},
${message.write_start_address},
std::move(t));
}
return true;
@ -611,17 +614,18 @@ refine flow ModbusTCP_Flow += {
if ( ::modbus_read_write_multiple_registers_response )
{
VectorVal* t = new VectorVal(BifType::Vector::ModbusRegisters);
auto t = make_intrusive<VectorVal>(BifType::Vector::ModbusRegisters);
for ( unsigned int i = 0; i < ${message.registers}->size(); ++i )
{
auto r = val_mgr->Count(${message.registers[i]});
t->Assign(i, r);
}
BifEvent::generate_modbus_read_write_multiple_registers_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
t);
BifEvent::enqueue_modbus_read_write_multiple_registers_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
std::move(t));
}
return true;
@ -632,10 +636,10 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_read_fifo_queue_request )
{
BifEvent::generate_modbus_read_fifo_queue_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
${message.start_address});
BifEvent::enqueue_modbus_read_fifo_queue_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
${message.start_address});
}
return true;
@ -654,17 +658,18 @@ refine flow ModbusTCP_Flow += {
if ( ::modbus_read_fifo_queue_response )
{
VectorVal* t = create_vector_of_count();
auto t = create_vector_of_count();
for ( unsigned int i = 0; i < (${message.register_data})->size(); ++i )
{
auto r = val_mgr->Count(${message.register_data[i]});
t->Assign(i, r);
}
BifEvent::generate_modbus_read_fifo_queue_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
t);
BifEvent::enqueue_modbus_read_fifo_queue_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
std::move(t));
}
return true;

8
src/analyzer/protocol/mqtt/commands/connack.pac
View file

@ -15,12 +15,12 @@ refine flow MQTT_Flow += {
%{
if ( mqtt_connack )
{
auto m = new RecordVal(BifType::Record::MQTT::ConnectAckMsg);
auto m = make_intrusive<RecordVal>(BifType::Record::MQTT::ConnectAckMsg);
m->Assign(0, val_mgr->Count(${msg.return_code}));
m->Assign(1, val_mgr->Bool(${msg.session_present}));
BifEvent::generate_mqtt_connack(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
m);
BifEvent::enqueue_mqtt_connack(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
std::move(m));
}
return true;

8
src/analyzer/protocol/mqtt/commands/connect.pac
View file

@ -44,7 +44,7 @@ refine flow MQTT_Flow += {
%{
if ( mqtt_connect )
{
auto m = new RecordVal(BifType::Record::MQTT::ConnectMsg);
auto m = make_intrusive<RecordVal>(BifType::Record::MQTT::ConnectMsg);
m->Assign(0, make_intrusive<StringVal>(${msg.protocol_name.str}.length(),
reinterpret_cast<const char*>(${msg.protocol_name.str}.begin())));
m->Assign(1, val_mgr->Count(${msg.protocol_version}));
@ -75,9 +75,9 @@ refine flow MQTT_Flow += {
reinterpret_cast<const char*>(${msg.pass.str}.begin())));
}
BifEvent::generate_mqtt_connect(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
m);
BifEvent::enqueue_mqtt_connect(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
std::move(m));
}
// If a connect message was seen, let's say that confirms it.

4
src/analyzer/protocol/mqtt/commands/disconnect.pac
View file

@ -11,8 +11,8 @@ refine flow MQTT_Flow += {
%{
if ( mqtt_disconnect )
{
BifEvent::generate_mqtt_disconnect(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn());
BifEvent::enqueue_mqtt_disconnect(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn());
}
return true;

4
src/analyzer/protocol/mqtt/commands/pingreq.pac
View file

@ -11,8 +11,8 @@ refine flow MQTT_Flow += {
%{
if ( mqtt_pingreq )
{
BifEvent::generate_mqtt_pingreq(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn());
BifEvent::enqueue_mqtt_pingreq(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn());
}
return true;

4
src/analyzer/protocol/mqtt/commands/pingresp.pac
View file

@ -11,8 +11,8 @@ refine flow MQTT_Flow += {
%{
if ( mqtt_pingresp )
{
BifEvent::generate_mqtt_pingresp(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn());
BifEvent::enqueue_mqtt_pingresp(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn());
}
return true;

8
src/analyzer/protocol/mqtt/commands/puback.pac
View file

@ -13,10 +13,10 @@ refine flow MQTT_Flow += {
%{
if ( mqtt_puback )
{
BifEvent::generate_mqtt_puback(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig,
${msg.msg_id});
BifEvent::enqueue_mqtt_puback(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig,
${msg.msg_id});
}
return true;
%}

8
src/analyzer/protocol/mqtt/commands/pubcomp.pac
View file

@ -13,10 +13,10 @@ refine flow MQTT_Flow += {
%{
if ( mqtt_pubcomp )
{
BifEvent::generate_mqtt_pubcomp(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig,
${msg.msg_id});
BifEvent::enqueue_mqtt_pubcomp(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig,
${msg.msg_id});
}
return true;
%}

12
src/analyzer/protocol/mqtt/commands/publish.pac
View file

@ -23,7 +23,7 @@ refine flow MQTT_Flow += {
%{
if ( mqtt_publish )
{
auto m = new RecordVal(BifType::Record::MQTT::PublishMsg);
auto m = make_intrusive<RecordVal>(BifType::Record::MQTT::PublishMsg);
m->Assign(0, val_mgr->Bool(${msg.dup}));
m->Assign(1, val_mgr->Count(${msg.qos}));
m->Assign(2, val_mgr->Bool(${msg.retain}));
@ -41,11 +41,11 @@ refine flow MQTT_Flow += {
m->Assign(5, val_mgr->Count(${msg.payload}.length()));
BifEvent::generate_mqtt_publish(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
${pdu.is_orig},
${msg.qos} == 0 ? 0 : ${msg.msg_id},
m);
BifEvent::enqueue_mqtt_publish(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
${pdu.is_orig},
${msg.qos} == 0 ? 0 : ${msg.msg_id},
std::move(m));
}
// If a publish message was seen, let's say that confirms it.

8
src/analyzer/protocol/mqtt/commands/pubrec.pac
View file

@ -13,10 +13,10 @@ refine flow MQTT_Flow += {
%{
if ( mqtt_pubrec )
{
BifEvent::generate_mqtt_pubrec(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig,
${msg.msg_id});
BifEvent::enqueue_mqtt_pubrec(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig,
${msg.msg_id});
}
return true;
%}

8
src/analyzer/protocol/mqtt/commands/pubrel.pac
View file

@ -13,10 +13,10 @@ refine flow MQTT_Flow += {
%{
if ( mqtt_pubrel )
{
BifEvent::generate_mqtt_pubrel(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig,
${msg.msg_id});
BifEvent::enqueue_mqtt_pubrel(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig,
${msg.msg_id});
}
return true;
%}

8
src/analyzer/protocol/mqtt/commands/suback.pac
View file

@ -14,10 +14,10 @@ refine flow MQTT_Flow += {
%{
if ( mqtt_suback )
{
BifEvent::generate_mqtt_suback(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
${msg.msg_id},
${msg.granted_QoS});
BifEvent::enqueue_mqtt_suback(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
${msg.msg_id},
${msg.granted_QoS});
}
return true;

16
src/analyzer/protocol/mqtt/commands/subscribe.pac
View file

@ -19,10 +19,10 @@ refine flow MQTT_Flow += {
%{
if ( mqtt_subscribe )
{
auto topics = new VectorVal(string_vec);
auto qos_levels = new VectorVal(index_vec);
auto topics = make_intrusive<VectorVal>(string_vec);
auto qos_levels = make_intrusive<VectorVal>(index_vec);
for (auto topic: *${msg.topics})
for ( auto topic: *${msg.topics} )
{
auto subscribe_topic = new StringVal(${topic.name.str}.length(),
reinterpret_cast<const char*>(${topic.name.str}.begin()));
@ -31,11 +31,11 @@ refine flow MQTT_Flow += {
qos_levels->Assign(qos_levels->Size(), qos);
}
BifEvent::generate_mqtt_subscribe(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
${msg.msg_id},
topics,
qos_levels);
BifEvent::enqueue_mqtt_subscribe(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
${msg.msg_id},
std::move(topics),
std::move(qos_levels));
}
return true;

6
src/analyzer/protocol/mqtt/commands/unsuback.pac
View file

@ -13,9 +13,9 @@ refine flow MQTT_Flow += {
%{
if ( mqtt_unsuback )
{
BifEvent::generate_mqtt_unsuback(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
${msg.msg_id});
BifEvent::enqueue_mqtt_unsuback(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
${msg.msg_id});
}
return true;

12
src/analyzer/protocol/mqtt/commands/unsubscribe.pac
View file

@ -14,19 +14,19 @@ refine flow MQTT_Flow += {
%{
if ( mqtt_unsubscribe )
{
auto topics = new VectorVal(string_vec);
auto topics = make_intrusive<VectorVal>(string_vec);
for (auto topic: *${msg.topics})
for ( auto topic: *${msg.topics} )
{
auto unsubscribe_topic = new StringVal(${topic.str}.length(),
reinterpret_cast<const char*>(${topic.str}.begin()));
topics->Assign(topics->Size(), unsubscribe_topic);
}
BifEvent::generate_mqtt_unsubscribe(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
${msg.msg_id},
topics);
BifEvent::enqueue_mqtt_unsubscribe(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
${msg.msg_id},
std::move(topics));
}
return true;

60
src/analyzer/protocol/mysql/mysql-analyzer.pac
View file

@ -6,13 +6,13 @@ refine flow MySQL_Flow += {
if ( mysql_server_version )
{
if ( ${msg.version} == 10 )
BifEvent::generate_mysql_server_version(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
new StringVal(c_str(${msg.handshake10.server_version})));
BifEvent::enqueue_mysql_server_version(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
make_intrusive<StringVal>(c_str(${msg.handshake10.server_version})));
if ( ${msg.version} == 9 )
BifEvent::generate_mysql_server_version(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
new StringVal(c_str(${msg.handshake9.server_version})));
BifEvent::enqueue_mysql_server_version(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
make_intrusive<StringVal>(c_str(${msg.handshake9.server_version})));
}
return true;
%}
@ -25,13 +25,13 @@ refine flow MySQL_Flow += {
if ( mysql_handshake )
{
if ( ${msg.version} == 10 )
BifEvent::generate_mysql_handshake(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
new StringVal(c_str(${msg.v10_response.username})));
BifEvent::enqueue_mysql_handshake(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
make_intrusive<StringVal>(c_str(${msg.v10_response.username})));
if ( ${msg.version} == 9 )
BifEvent::generate_mysql_handshake(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
new StringVal(c_str(${msg.v9_response.username})));
BifEvent::enqueue_mysql_handshake(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
make_intrusive<StringVal>(c_str(${msg.v9_response.username})));
}
return true;
%}
@ -39,29 +39,29 @@ refine flow MySQL_Flow += {
function proc_mysql_command_request_packet(msg: Command_Request_Packet): bool
%{
if ( mysql_command_request )
BifEvent::generate_mysql_command_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
${msg.command},
bytestring_to_val(${msg.arg}));
BifEvent::enqueue_mysql_command_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
${msg.command},
to_stringval(${msg.arg}));
return true;
%}
function proc_err_packet(msg: ERR_Packet): bool
%{
if ( mysql_error )
BifEvent::generate_mysql_error(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
${msg.code},
bytestring_to_val(${msg.msg}));
BifEvent::enqueue_mysql_error(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
${msg.code},
to_stringval(${msg.msg}));
return true;
%}
function proc_ok_packet(msg: OK_Packet): bool
%{
if ( mysql_ok )
BifEvent::generate_mysql_ok(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
${msg.rows});
BifEvent::enqueue_mysql_ok(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
${msg.rows});
return true;
%}
@ -71,9 +71,9 @@ refine flow MySQL_Flow += {
{
// This is a bit fake...
if ( mysql_ok )
BifEvent::generate_mysql_ok(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
0);
BifEvent::enqueue_mysql_ok(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
0);
}
if ( ${msg.is_eof} )
@ -83,7 +83,7 @@ refine flow MySQL_Flow += {
return true;
auto vt = internal_type("string_vec")->AsVectorType();
auto vv = new VectorVal(vt);
auto vv = make_intrusive<VectorVal>(vt);
auto& bstring = ${msg.row.first_field.val};
auto ptr = reinterpret_cast<const char*>(bstring.data());
@ -98,9 +98,9 @@ refine flow MySQL_Flow += {
vv->Assign(vv->Size(), make_intrusive<StringVal>(bstring.length(), ptr));
}
BifEvent::generate_mysql_result_row(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
vv);
BifEvent::enqueue_mysql_result_row(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
std::move(vv));
return true;
%}

24
src/analyzer/protocol/ntlm/ntlm-analyzer.pac
View file

@ -110,7 +110,7 @@ refine connection NTLM_Conn += {
if ( ! ntlm_negotiate )
return true;
RecordVal* result = new RecordVal(BifType::Record::NTLM::Negotiate);
auto result = make_intrusive<RecordVal>(BifType::Record::NTLM::Negotiate);
result->Assign(0, build_negotiate_flag_record(${val.flags}));
if ( ${val}->has_domain_name() )
@ -122,9 +122,9 @@ refine connection NTLM_Conn += {
if ( ${val}->has_version() )
result->Assign(3, build_version_record(${val.version}));
BifEvent::generate_ntlm_negotiate(bro_analyzer(),
bro_analyzer()->Conn(),
result);
BifEvent::enqueue_ntlm_negotiate(bro_analyzer(),
bro_analyzer()->Conn(),
std::move(result));
return true;
%}
@ -134,7 +134,7 @@ refine connection NTLM_Conn += {
if ( ! ntlm_challenge )
return true;
RecordVal* result = new RecordVal(BifType::Record::NTLM::Challenge);
auto result = make_intrusive<RecordVal>(BifType::Record::NTLM::Challenge);
result->Assign(0, build_negotiate_flag_record(${val.flags}));
if ( ${val}->has_target_name() )
@ -146,9 +146,9 @@ refine connection NTLM_Conn += {
if ( ${val}->has_target_info() )
result->Assign(3, build_av_record(${val.target_info}, ${val.target_info_fields.length}));
BifEvent::generate_ntlm_challenge(bro_analyzer(),
bro_analyzer()->Conn(),
result);
BifEvent::enqueue_ntlm_challenge(bro_analyzer(),
bro_analyzer()->Conn(),
std::move(result));
return true;
%}
@ -158,7 +158,7 @@ refine connection NTLM_Conn += {
if ( ! ntlm_authenticate )
return true;
RecordVal* result = new RecordVal(BifType::Record::NTLM::Authenticate);
auto result = make_intrusive<RecordVal>(BifType::Record::NTLM::Authenticate);
result->Assign(0, build_negotiate_flag_record(${val.flags}));
if ( ${val}->has_domain_name() > 0 )
@ -176,9 +176,9 @@ refine connection NTLM_Conn += {
if ( ${val}->has_version() )
result->Assign(5, build_version_record(${val.version}));
BifEvent::generate_ntlm_authenticate(bro_analyzer(),
bro_analyzer()->Conn(),
result);
BifEvent::enqueue_ntlm_authenticate(bro_analyzer(),
bro_analyzer()->Conn(),
std::move(result));
return true;
%}
}

8
src/analyzer/protocol/ntp/ntp-analyzer.pac
View file

@ -135,7 +135,7 @@ refine flow NTP_Flow += {
if ( ! ntp_message )
return false;
RecordVal* rv = new RecordVal(BifType::Record::NTP::Message);
auto rv = make_intrusive<RecordVal>(BifType::Record::NTP::Message);
rv->Assign(0, val_mgr->Count(${msg.version}));
rv->Assign(1, val_mgr->Count(${msg.mode}));
@ -147,9 +147,9 @@ refine flow NTP_Flow += {
else if ( ${msg.mode} == 7 )
rv->Assign(4, BuildNTPMode7Msg(${msg.mode7}));
BifEvent::generate_ntp_message(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), rv);
BifEvent::enqueue_ntp_message(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), std::move(rv));
return true;
%}
};

8
src/analyzer/protocol/radius/radius-analyzer.pac
View file

@ -7,7 +7,7 @@ refine flow RADIUS_Flow += {
if ( ! radius_message )
return false;
RecordVal* result = new RecordVal(BifType::Record::RADIUS::Message);
auto result = make_intrusive<RecordVal>(BifType::Record::RADIUS::Message);
result->Assign(0, val_mgr->Count(${msg.code}));
result->Assign(1, val_mgr->Count(${msg.trans_id}));
result->Assign(2, bytestring_to_val(${msg.authenticator}));
@ -41,7 +41,7 @@ refine flow RADIUS_Flow += {
result->Assign(3, attributes);
}
BifEvent::generate_radius_message(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), result);
BifEvent::enqueue_radius_message(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), std::move(result));
return true;
%}
@ -50,8 +50,8 @@ refine flow RADIUS_Flow += {
if ( ! radius_attribute )
return false;
BifEvent::generate_radius_attribute(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(),
${attr.code}, bytestring_to_val(${attr.value}));
BifEvent::enqueue_radius_attribute(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(),
${attr.code}, to_stringval(${attr.value}));
return true;
%}
};

2
src/analyzer/protocol/rdp/RDP.cc
View file

@ -75,7 +75,7 @@ void RDP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
else
{
if ( rdp_native_encrypted_data )
BifEvent::generate_rdp_native_encrypted_data(
BifEvent::enqueue_rdp_native_encrypted_data(
interp->bro_analyzer(), interp->bro_analyzer()->Conn(),
orig, len);
}

70
src/analyzer/protocol/rdp/rdp-analyzer.pac
View file

@ -9,9 +9,9 @@ refine flow RDP_Flow += {
%{
if ( rdp_connect_request )
{
BifEvent::generate_rdp_connect_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
bytestring_to_val(${cr.cookie_value}));
BifEvent::enqueue_rdp_connect_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
to_stringval(${cr.cookie_value}));
}
return true;
@ -21,9 +21,9 @@ refine flow RDP_Flow += {
%{
if ( rdp_negotiation_response )
{
BifEvent::generate_rdp_negotiation_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
${nr.selected_protocol});
BifEvent::enqueue_rdp_negotiation_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
${nr.selected_protocol});
}
return true;
@ -33,9 +33,9 @@ refine flow RDP_Flow += {
%{
if ( rdp_negotiation_failure )
{
BifEvent::generate_rdp_negotiation_failure(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
${nf.failure_code});
BifEvent::enqueue_rdp_negotiation_failure(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
${nf.failure_code});
}
return true;
@ -47,9 +47,9 @@ refine flow RDP_Flow += {
connection()->bro_analyzer()->ProtocolConfirmation();
if ( rdp_gcc_server_create_response )
BifEvent::generate_rdp_gcc_server_create_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
${gcc_response.result});
BifEvent::enqueue_rdp_gcc_server_create_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
${gcc_response.result});
return true;
%}
@ -61,7 +61,7 @@ refine flow RDP_Flow += {
if ( rdp_client_core_data )
{
RecordVal* ec_flags = new RecordVal(BifType::Record::RDP::EarlyCapabilityFlags);
auto ec_flags = make_intrusive<RecordVal>(BifType::Record::RDP::EarlyCapabilityFlags);
ec_flags->Assign(0, val_mgr->Bool(${ccore.SUPPORT_ERRINFO_PDU}));
ec_flags->Assign(1, val_mgr->Bool(${ccore.WANT_32BPP_SESSION}));
ec_flags->Assign(2, val_mgr->Bool(${ccore.SUPPORT_STATUSINFO_PDU}));
@ -72,7 +72,7 @@ refine flow RDP_Flow += {
ec_flags->Assign(7, val_mgr->Bool(${ccore.SUPPORT_DYNAMIC_TIME_ZONE}));
ec_flags->Assign(8, val_mgr->Bool(${ccore.SUPPORT_HEARTBEAT_PDU}));
RecordVal* ccd = new RecordVal(BifType::Record::RDP::ClientCoreData);
auto ccd = make_intrusive<RecordVal>(BifType::Record::RDP::ClientCoreData);
ccd->Assign(0, val_mgr->Count(${ccore.version_major}));
ccd->Assign(1, val_mgr->Count(${ccore.version_minor}));
ccd->Assign(2, val_mgr->Count(${ccore.desktop_width}));
@ -91,12 +91,12 @@ refine flow RDP_Flow += {
ccd->Assign(15, val_mgr->Count(${ccore.serial_number}));
ccd->Assign(16, val_mgr->Count(${ccore.high_color_depth}));
ccd->Assign(17, val_mgr->Count(${ccore.supported_color_depths}));
ccd->Assign(18, ec_flags);
ccd->Assign(18, std::move(ec_flags));
ccd->Assign(19, utf16_bytestring_to_utf8_val(connection()->bro_analyzer()->Conn(), ${ccore.dig_product_id}));
BifEvent::generate_rdp_client_core_data(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
ccd);
BifEvent::enqueue_rdp_client_core_data(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
std::move(ccd));
}
return true;
@ -107,13 +107,13 @@ refine flow RDP_Flow += {
if ( ! rdp_client_security_data )
return false;
RecordVal* csd = new RecordVal(BifType::Record::RDP::ClientSecurityData);
auto csd = make_intrusive<RecordVal>(BifType::Record::RDP::ClientSecurityData);
csd->Assign(0, val_mgr->Count(${csec.encryption_methods}));
csd->Assign(1, val_mgr->Count(${csec.ext_encryption_methods}));
BifEvent::generate_rdp_client_security_data(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
csd);
BifEvent::enqueue_rdp_client_security_data(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
std::move(csd));
return true;
%}
@ -124,13 +124,13 @@ refine flow RDP_Flow += {
if ( ${cnetwork.channel_def_array}->size() )
{
VectorVal* channels = new VectorVal(BifType::Vector::RDP::ClientChannelList);
auto channels = make_intrusive<VectorVal>(BifType::Vector::RDP::ClientChannelList);
for ( uint i = 0; i < ${cnetwork.channel_def_array}->size(); ++i )
{
RecordVal* channel_def = new RecordVal(BifType::Record::RDP::ClientChannelDef);
auto channel_def = make_intrusive<RecordVal>(BifType::Record::RDP::ClientChannelDef);
channel_def->Assign(0, bytestring_to_val(${cnetwork.channel_def_array[i].name}));
channel_def->Assign(0, to_stringval(${cnetwork.channel_def_array[i].name}));
channel_def->Assign(1, val_mgr->Count(${cnetwork.channel_def_array[i].options}));
channel_def->Assign(2, val_mgr->Bool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_INITIALIZED}));
@ -145,12 +145,12 @@ refine flow RDP_Flow += {
channel_def->Assign(11, val_mgr->Bool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_SHOW_PROTOCOL}));
channel_def->Assign(12, val_mgr->Bool(${cnetwork.channel_def_array[i].REMOTE_CONTROL_PERSISTENT}));
channels->Assign(channels->Size(), channel_def);
channels->Assign(channels->Size(), std::move(channel_def));
}
BifEvent::generate_rdp_client_network_data(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
channels);
BifEvent::enqueue_rdp_client_network_data(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
std::move(channels));
}
return true;
@ -161,7 +161,7 @@ refine flow RDP_Flow += {
if ( ! rdp_client_cluster_data )
return false;
RecordVal* ccld = new RecordVal(BifType::Record::RDP::ClientClusterData);
auto ccld = make_intrusive<RecordVal>(BifType::Record::RDP::ClientClusterData);
ccld->Assign(0, val_mgr->Count(${ccluster.flags}));
ccld->Assign(1, val_mgr->Count(${ccluster.redir_session_id}));
ccld->Assign(2, val_mgr->Bool(${ccluster.REDIRECTION_SUPPORTED}));
@ -169,9 +169,9 @@ refine flow RDP_Flow += {
ccld->Assign(4, val_mgr->Bool(${ccluster.REDIRECTED_SESSIONID_FIELD_VALID}));
ccld->Assign(5, val_mgr->Bool(${ccluster.REDIRECTED_SMARTCARD}));
BifEvent::generate_rdp_client_cluster_data(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
ccld);
BifEvent::enqueue_rdp_client_cluster_data(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
std::move(ccld));
return true;
%}
@ -180,7 +180,7 @@ refine flow RDP_Flow += {
connection()->bro_analyzer()->ProtocolConfirmation();
if ( rdp_server_security )
BifEvent::generate_rdp_server_security(connection()->bro_analyzer(),
BifEvent::enqueue_rdp_server_security(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
${ssd.encryption_method},
${ssd.encryption_level});
@ -192,7 +192,7 @@ refine flow RDP_Flow += {
%{
if ( rdp_server_certificate )
{
BifEvent::generate_rdp_server_certificate(connection()->bro_analyzer(),
BifEvent::enqueue_rdp_server_certificate(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
${cert.cert_type},
${cert.permanently_issued});

6
src/analyzer/protocol/rdp/rdp-protocol.pac
View file

@ -383,9 +383,9 @@ refine connection RDP_Conn += {
if ( rdp_begin_encryption )
{
BifEvent::generate_rdp_begin_encryption(bro_analyzer(),
bro_analyzer()->Conn(),
${method});
BifEvent::enqueue_rdp_begin_encryption(bro_analyzer(),
bro_analyzer()->Conn(),
${method});
}
return is_encrypted_;

16
src/analyzer/protocol/rdp/rdpeudp-analyzer.pac
View file

@ -45,7 +45,7 @@ refine connection RDPEUDP_Conn += {
orig_lossy_ = true;
if ( rdpeudp_syn )
BifEvent::generate_rdpeudp_syn(bro_analyzer(), bro_analyzer()->Conn());
BifEvent::enqueue_rdpeudp_syn(bro_analyzer(), bro_analyzer()->Conn());
state_ = NEED_SYNACK;
return true;
@ -60,7 +60,7 @@ refine connection RDPEUDP_Conn += {
return false;
if ( rdpeudp_synack )
BifEvent::generate_rdpeudp_synack(bro_analyzer(), bro_analyzer()->Conn());
BifEvent::enqueue_rdpeudp_synack(bro_analyzer(), bro_analyzer()->Conn());
bro_analyzer()->ProtocolConfirmation();
state_ = NEED_ACK;
@ -79,15 +79,15 @@ refine connection RDPEUDP_Conn += {
state_ = ESTABLISHED;
if ( rdpeudp_established )
BifEvent::generate_rdpeudp_established(bro_analyzer(), bro_analyzer()->Conn(), 1);
BifEvent::enqueue_rdpeudp_established(bro_analyzer(), bro_analyzer()->Conn(), 1);
}
if ( state_ == ESTABLISHED && rdpeudp_data )
BifEvent::generate_rdpeudp_data(bro_analyzer(),
BifEvent::enqueue_rdpeudp_data(bro_analyzer(),
bro_analyzer()->Conn(),
is_orig,
1,
bytestring_to_val(data)
to_stringval(data)
);
return true;
@ -102,17 +102,17 @@ refine connection RDPEUDP_Conn += {
if ( state_ == NEED_ACK )
{
if ( rdpeudp_established )
BifEvent::generate_rdpeudp_established(bro_analyzer(), bro_analyzer()->Conn(), 2);
BifEvent::enqueue_rdpeudp_established(bro_analyzer(), bro_analyzer()->Conn(), 2);
state_ = ESTABLISHED;
}
if ( state_ == ESTABLISHED && rdpeudp_data )
BifEvent::generate_rdpeudp_data(bro_analyzer(),
BifEvent::enqueue_rdpeudp_data(bro_analyzer(),
bro_analyzer()->Conn(),
is_orig,
2,
bytestring_to_val(data)
to_stringval(data)
);
return true;

27
src/analyzer/protocol/rfb/rfb-analyzer.pac
View file

@ -1,39 +1,46 @@
refine flow RFB_Flow += {
function proc_rfb_version(client: bool, major: bytestring, minor: bytestring) : bool
%{
if (client)
if ( client )
{
if ( rfb_client_version )
BifEvent::generate_rfb_client_version(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), bytestring_to_val(major), bytestring_to_val(minor));
BifEvent::enqueue_rfb_client_version(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
to_stringval(major),
to_stringval(minor));
connection()->bro_analyzer()->ProtocolConfirmation();
}
else
else
{
if ( rfb_server_version )
BifEvent::generate_rfb_server_version(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), bytestring_to_val(major), bytestring_to_val(minor));
BifEvent::enqueue_rfb_server_version(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
to_stringval(major),
to_stringval(minor));
}
return true;
%}
function proc_rfb_share_flag(shared: bool) : bool
%{
if ( rfb_share_flag )
BifEvent::generate_rfb_share_flag(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), shared);
BifEvent::enqueue_rfb_share_flag(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), shared);
return true;
%}
function proc_security_types(msg: RFBSecurityType) : bool
%{
if ( rfb_authentication_type )
BifEvent::generate_rfb_authentication_type(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), ${msg.sectype});
BifEvent::enqueue_rfb_authentication_type(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), ${msg.sectype});
return true;
%}
function proc_security_types37(msg: RFBAuthTypeSelected) : bool
%{
if ( rfb_authentication_type )
BifEvent::generate_rfb_authentication_type(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), ${msg.type});
BifEvent::enqueue_rfb_authentication_type(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), ${msg.type});
return true;
%}
@ -43,9 +50,9 @@ refine flow RFB_Flow += {
{
auto vec_ptr = ${msg.name};
auto name_ptr = &((*vec_ptr)[0]);
BifEvent::generate_rfb_server_parameters(
BifEvent::enqueue_rfb_server_parameters(
connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(),
new StringVal(${msg.name}->size(), (const char*)name_ptr),
make_intrusive<StringVal>(${msg.name}->size(), (const char*)name_ptr),
${msg.width},
${msg.height});
}
@ -55,7 +62,7 @@ refine flow RFB_Flow += {
function proc_handle_security_result(result : uint32) : bool
%{
if ( rfb_auth_result )
BifEvent::generate_rfb_auth_result(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), result);
BifEvent::enqueue_rfb_auth_result(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), result);
return true;
%}
};

24
src/analyzer/protocol/sip/sip-analyzer.pac
View file

@ -20,9 +20,9 @@ refine flow SIP_Flow += {
%{
if ( sip_request )
{
BifEvent::generate_sip_request(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(),
bytestring_to_val(method), bytestring_to_val(uri),
bytestring_to_val(${vers.vers_str}));
BifEvent::enqueue_sip_request(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(),
to_stringval(method), to_stringval(uri),
to_stringval(${vers.vers_str}));
}
proc_sip_message_begin();
@ -35,8 +35,8 @@ refine flow SIP_Flow += {
connection()->bro_analyzer()->ProtocolConfirmation();
if ( sip_reply )
{
BifEvent::generate_sip_reply(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(),
bytestring_to_val(${vers.vers_str}), code, bytestring_to_val(reason));
BifEvent::enqueue_sip_reply(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(),
to_stringval(${vers.vers_str}), code, to_stringval(reason));
}
proc_sip_message_begin();
@ -51,8 +51,10 @@ refine flow SIP_Flow += {
if ( sip_header )
{
BifEvent::generate_sip_header(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(),
is_orig(), bytestring_to_val(name)->ToUpper(), bytestring_to_val(value));
auto nameval = to_stringval(name);
nameval->ToUpper();
BifEvent::enqueue_sip_header(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(),
is_orig(), std::move(nameval), to_stringval(value));
}
if ( build_headers )
@ -80,8 +82,8 @@ refine flow SIP_Flow += {
%{
if ( sip_all_headers )
{
BifEvent::generate_sip_all_headers(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(),
is_orig(), build_sip_headers_val());
BifEvent::enqueue_sip_all_headers(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(),
is_orig(), {AdoptRef{}, build_sip_headers_val()});
}
headers.clear();
@ -123,7 +125,7 @@ refine flow SIP_Flow += {
%{
if ( sip_begin_entity )
{
BifEvent::generate_sip_begin_entity(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), is_orig());
BifEvent::enqueue_sip_begin_entity(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), is_orig());
}
%}
@ -131,7 +133,7 @@ refine flow SIP_Flow += {
%{
if ( sip_end_entity )
{
BifEvent::generate_sip_end_entity(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), is_orig());
BifEvent::enqueue_sip_end_entity(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), is_orig());
}
return true;

12
src/analyzer/protocol/smb/smb1-com-check-directory.pac
View file

@ -3,17 +3,19 @@ refine connection SMB_Conn += {
function proc_smb1_check_directory_request(header: SMB_Header, val: SMB1_check_directory_request): bool
%{
if ( smb1_check_directory_request )
BifEvent::generate_smb1_check_directory_request(bro_analyzer(), bro_analyzer()->Conn(),
BuildHeaderVal(header),
smb_string2stringval(${val.directory_name}));
BifEvent::enqueue_smb1_check_directory_request(bro_analyzer(),
bro_analyzer()->Conn(),
SMBHeaderVal(header),
{AdoptRef{}, smb_string2stringval(${val.directory_name})});
return true;
%}
function proc_smb1_check_directory_response(header: SMB_Header, val: SMB1_check_directory_response): bool
%{
if ( smb1_check_directory_response )
BifEvent::generate_smb1_check_directory_response(bro_analyzer(), bro_analyzer()->Conn(),
BuildHeaderVal(header));
BifEvent::enqueue_smb1_check_directory_response(bro_analyzer(),
bro_analyzer()->Conn(),
SMBHeaderVal(header));
return true;
%}

4
src/analyzer/protocol/smb/smb1-com-close.pac
View file

@ -3,9 +3,9 @@ refine connection SMB_Conn += {
function proc_smb1_close_request(h: SMB_Header, val: SMB1_close_request): bool
%{
if ( smb1_close_request )
BifEvent::generate_smb1_close_request(bro_analyzer(),
BifEvent::enqueue_smb1_close_request(bro_analyzer(),
bro_analyzer()->Conn(),
BuildHeaderVal(h),
SMBHeaderVal(h),
${val.file_id});
file_mgr->EndOfFile(bro_analyzer()->GetAnalyzerTag(),

11
src/analyzer/protocol/smb/smb1-com-create-directory.pac
View file

@ -3,16 +3,17 @@ refine connection SMB_Conn += {
function proc_smb1_create_directory_request(header: SMB_Header, val: SMB1_create_directory_request): bool
%{
if ( smb1_create_directory_request )
BifEvent::generate_smb1_create_directory_request(bro_analyzer(), bro_analyzer()->Conn(),
BuildHeaderVal(header),
smb_string2stringval(${val.directory_name}));
BifEvent::enqueue_smb1_create_directory_request(bro_analyzer(), bro_analyzer()->Conn(),
SMBHeaderVal(header),
{AdoptRef{}, smb_string2stringval(${val.directory_name})});
return true;
%}
function proc_smb1_create_directory_response(header: SMB_Header, val: SMB1_create_directory_response): bool
%{
if ( smb1_create_directory_response )
BifEvent::generate_smb1_create_directory_response(bro_analyzer(), bro_analyzer()->Conn(),
BuildHeaderVal(header));
BifEvent::enqueue_smb1_create_directory_response(bro_analyzer(),
bro_analyzer()->Conn(),
SMBHeaderVal(header));
return true;
%}

8
src/analyzer/protocol/smb/smb1-com-echo.pac
View file

@ -3,16 +3,16 @@ refine connection SMB_Conn += {
function proc_smb1_echo_request(header: SMB_Header, val: SMB1_echo_request): bool
%{
if ( smb1_echo_request )
BifEvent::generate_smb1_echo_request(bro_analyzer(), bro_analyzer()->Conn(),
${val.echo_count}, bytestring_to_val(${val.data}));
BifEvent::enqueue_smb1_echo_request(bro_analyzer(), bro_analyzer()->Conn(),
${val.echo_count}, to_stringval(${val.data}));
return true;
%}
function proc_smb1_echo_response(header: SMB_Header, val: SMB1_echo_response): bool
%{
if ( smb1_echo_response )
BifEvent::generate_smb1_echo_response(bro_analyzer(), bro_analyzer()->Conn(),
${val.seq_num}, bytestring_to_val(${val.data}));
BifEvent::enqueue_smb1_echo_response(bro_analyzer(), bro_analyzer()->Conn(),
${val.seq_num}, to_stringval(${val.data}));
return true;
%}

2
src/analyzer/protocol/smb/smb1-com-logoff-andx.pac
View file

@ -3,7 +3,7 @@ refine connection SMB_Conn += {
function proc_smb1_logoff_andx(header: SMB_Header, val: SMB1_logoff_andx): bool
%{
if ( smb1_logoff_andx )
BifEvent::generate_smb1_logoff_andx(bro_analyzer(), bro_analyzer()->Conn(), ${val.is_orig});
BifEvent::enqueue_smb1_logoff_andx(bro_analyzer(), bro_analyzer()->Conn(), ${val.is_orig});
return true;
%}

17
src/analyzer/protocol/smb/smb1-com-negotiate.pac
View file

@ -15,15 +15,17 @@ refine connection SMB_Conn += {
%{
if ( smb1_negotiate_request )
{
VectorVal* dialects = new VectorVal(string_vec);
auto dialects = make_intrusive<VectorVal>(string_vec);
for ( unsigned int i = 0; i < ${val.dialects}->size(); ++i )
{
StringVal* dia = smb_string2stringval((*${val.dialects})[i]->name());
dialects->Assign(i, dia);
}
BifEvent::generate_smb1_negotiate_request(bro_analyzer(), bro_analyzer()->Conn(),
BuildHeaderVal(header),
dialects);
BifEvent::enqueue_smb1_negotiate_request(bro_analyzer(), bro_analyzer()->Conn(),
SMBHeaderVal(header),
std::move(dialects));
}
return true;
@ -33,7 +35,7 @@ refine connection SMB_Conn += {
%{
if ( smb1_negotiate_response )
{
RecordVal* response = new RecordVal(BifType::Record::SMB1::NegotiateResponse);
auto response = make_intrusive<RecordVal>(BifType::Record::SMB1::NegotiateResponse);
RecordVal* core;
RecordVal* lanman;
@ -134,7 +136,10 @@ refine connection SMB_Conn += {
response->Assign(2, ntlm);
break;
}
BifEvent::generate_smb1_negotiate_response(bro_analyzer(), bro_analyzer()->Conn(), BuildHeaderVal(header), response);
BifEvent::enqueue_smb1_negotiate_response(bro_analyzer(),
bro_analyzer()->Conn(),
SMBHeaderVal(header),
std::move(response));
}
return true;

4
src/analyzer/protocol/smb/smb1-com-nt-cancel.pac
View file

@ -3,7 +3,9 @@ refine connection SMB_Conn += {
function proc_smb1_nt_cancel_request(header: SMB_Header, val: SMB1_nt_cancel_request): bool
%{
if ( smb1_nt_cancel_request )
BifEvent::generate_smb1_nt_cancel_request(bro_analyzer(), bro_analyzer()->Conn(), BuildHeaderVal(header));
BifEvent::enqueue_smb1_nt_cancel_request(bro_analyzer(),
bro_analyzer()->Conn(),
SMBHeaderVal(header));
return true;
%}

25
src/analyzer/protocol/smb/smb1-com-nt-create-andx.pac
View file

@ -1,27 +1,24 @@
refine connection SMB_Conn += {
function proc_smb1_nt_create_andx_request(header: SMB_Header, val: SMB1_nt_create_andx_request): bool
%{
StringVal *filename = smb_string2stringval(${val.filename});
auto filename = IntrusivePtr<StringVal>{AdoptRef{}, smb_string2stringval(${val.filename})};
if ( ! ${header.is_pipe} &&
BifConst::SMB::pipe_filenames->AsTable()->Lookup(filename->CheckString()) )
{
set_tree_is_pipe(${header.tid});
if ( smb_pipe_connect_heuristic )
BifEvent::generate_smb_pipe_connect_heuristic(bro_analyzer(),
bro_analyzer()->Conn());
BifEvent::enqueue_smb_pipe_connect_heuristic(bro_analyzer(),
bro_analyzer()->Conn());
}
if ( smb1_nt_create_andx_request )
{
BifEvent::generate_smb1_nt_create_andx_request(bro_analyzer(),
BifEvent::enqueue_smb1_nt_create_andx_request(bro_analyzer(),
bro_analyzer()->Conn(),
BuildHeaderVal(header),
filename);
}
else
{
delete filename;
SMBHeaderVal(header),
std::move(filename));
}
return true;
@ -31,15 +28,15 @@ refine connection SMB_Conn += {
%{
if ( smb1_nt_create_andx_response )
{
BifEvent::generate_smb1_nt_create_andx_response(bro_analyzer(),
BifEvent::enqueue_smb1_nt_create_andx_response(bro_analyzer(),
bro_analyzer()->Conn(),
BuildHeaderVal(header),
SMBHeaderVal(header),
${val.file_id},
${val.end_of_file},
SMB_BuildMACTimes(${val.last_write_time},
{AdoptRef{}, SMB_BuildMACTimes(${val.last_write_time},
${val.last_access_time},
${val.create_time},
${val.last_change_time}));
${val.last_change_time})});
}
return true;

6
src/analyzer/protocol/smb/smb1-com-query-information.pac
View file

@ -3,10 +3,10 @@ refine connection SMB_Conn += {
function proc_smb1_query_information_request(header: SMB_Header, val: SMB1_query_information_request): bool
%{
if ( smb1_query_information_request )
BifEvent::generate_smb1_query_information_request(bro_analyzer(),
BifEvent::enqueue_smb1_query_information_request(bro_analyzer(),
bro_analyzer()->Conn(),
BuildHeaderVal(header),
smb_string2stringval(${val.filename}));
SMBHeaderVal(header),
{AdoptRef{}, smb_string2stringval(${val.filename})});
return true;
%}

8
src/analyzer/protocol/smb/smb1-com-read-andx.pac
View file

@ -9,9 +9,9 @@ refine connection SMB_Conn += {
function proc_smb1_read_andx_request(h: SMB_Header, val: SMB1_read_andx_request): bool
%{
if ( smb1_read_andx_request )
BifEvent::generate_smb1_read_andx_request(bro_analyzer(),
BifEvent::enqueue_smb1_read_andx_request(bro_analyzer(),
bro_analyzer()->Conn(),
BuildHeaderVal(h),
SMBHeaderVal(h),
${val.file_id},
${val.read_offset},
${val.max_count});
@ -23,9 +23,9 @@ refine connection SMB_Conn += {
function proc_smb1_read_andx_response(h: SMB_Header, val: SMB1_read_andx_response): bool
%{
if ( smb1_read_andx_response )
BifEvent::generate_smb1_read_andx_response(bro_analyzer(),
BifEvent::enqueue_smb1_read_andx_response(bro_analyzer(),
bro_analyzer()->Conn(),
BuildHeaderVal(h),
SMBHeaderVal(h),
${val.data_len});
if ( ! ${h.is_pipe} && ${val.data_len} > 0 )

19
src/analyzer/protocol/smb/smb1-com-session-setup-andx.pac
View file

@ -12,7 +12,7 @@ refine connection SMB_Conn += {
%{
if ( smb1_session_setup_andx_request )
{
RecordVal* request = new RecordVal(BifType::Record::SMB1::SessionSetupAndXRequest);
auto request = make_intrusive<RecordVal>(BifType::Record::SMB1::SessionSetupAndXRequest);
RecordVal* capabilities;
request->Assign(0, val_mgr->Count(${val.word_count}));
@ -75,7 +75,10 @@ refine connection SMB_Conn += {
break;
}
BifEvent::generate_smb1_session_setup_andx_request(bro_analyzer(), bro_analyzer()->Conn(), BuildHeaderVal(header), request);
BifEvent::enqueue_smb1_session_setup_andx_request(bro_analyzer(),
bro_analyzer()->Conn(),
SMBHeaderVal(header),
std::move(request));
}
return true;
%}
@ -84,9 +87,9 @@ refine connection SMB_Conn += {
%{
if ( smb1_session_setup_andx_response )
{
RecordVal* response = new RecordVal(BifType::Record::SMB1::SessionSetupAndXResponse);
auto response = make_intrusive<RecordVal>(BifType::Record::SMB1::SessionSetupAndXResponse);
response->Assign(0, val_mgr->Count(${val.word_count}));
switch ( ${val.word_count} )
{
case 3: // pre NT LM 0.12
@ -106,10 +109,10 @@ refine connection SMB_Conn += {
break;
}
BifEvent::generate_smb1_session_setup_andx_response(bro_analyzer(),
bro_analyzer()->Conn(),
BuildHeaderVal(header),
response);
BifEvent::enqueue_smb1_session_setup_andx_response(bro_analyzer(),
bro_analyzer()->Conn(),
SMBHeaderVal(header),
std::move(response));
}
return true;

18
src/analyzer/protocol/smb/smb1-com-transaction-secondary.pac
View file

@ -5,7 +5,7 @@ refine connection SMB_Conn += {
if ( ! smb1_transaction_secondary_request )
return false;
RecordVal* args = new RecordVal(BifType::Record::SMB1::Trans_Sec_Args);
auto args = make_intrusive<RecordVal>(BifType::Record::SMB1::Trans_Sec_Args);
args->Assign(0, val_mgr->Count(${val.total_param_count}));
args->Assign(1, val_mgr->Count(${val.total_data_count}));
args->Assign(2, val_mgr->Count(${val.param_count}));
@ -15,8 +15,8 @@ refine connection SMB_Conn += {
args->Assign(6, val_mgr->Count(${val.data_offset}));
args->Assign(7, val_mgr->Count(${val.data_displacement}));
StringVal* parameters = new StringVal(${val.parameters}.length(),
(const char*)${val.parameters}.data());
auto parameters = make_intrusive<StringVal>(${val.parameters}.length(),
(const char*)${val.parameters}.data());
IntrusivePtr<StringVal> payload_str;
SMB1_transaction_data* payload = nullptr;
@ -45,12 +45,12 @@ refine connection SMB_Conn += {
payload_str = val_mgr->EmptyString();
}
BifEvent::generate_smb1_transaction_secondary_request(bro_analyzer(),
bro_analyzer()->Conn(),
BuildHeaderVal(header),
args,
parameters,
payload_str.release());
BifEvent::enqueue_smb1_transaction_secondary_request(bro_analyzer(),
bro_analyzer()->Conn(),
SMBHeaderVal(header),
std::move(args),
std::move(parameters),
std::move(payload_str));
return true;
%}

32
src/analyzer/protocol/smb/smb1-com-transaction.pac
View file

@ -53,8 +53,8 @@ refine connection SMB_Conn += {
if ( ! smb1_transaction_request )
return false;
StringVal* parameters = new StringVal(${val.parameters}.length(),
(const char*)${val.parameters}.data());
auto parameters = make_intrusive<StringVal>(${val.parameters}.length(),
(const char*)${val.parameters}.data());
IntrusivePtr<StringVal> payload_str;
if ( ${val.data_count} > 0 )
@ -62,13 +62,13 @@ refine connection SMB_Conn += {
else
payload_str = val_mgr->EmptyString();
BifEvent::generate_smb1_transaction_request(bro_analyzer(),
bro_analyzer()->Conn(),
BuildHeaderVal(header),
smb_string2stringval(${val.name}),
${val.sub_cmd},
parameters,
payload_str.release());
BifEvent::enqueue_smb1_transaction_request(bro_analyzer(),
bro_analyzer()->Conn(),
SMBHeaderVal(header),
{AdoptRef{}, smb_string2stringval(${val.name})},
${val.sub_cmd},
std::move(parameters),
std::move(payload_str));
return true;
%}
@ -78,8 +78,8 @@ refine connection SMB_Conn += {
if ( ! smb1_transaction_response )
return false;
StringVal* parameters = new StringVal(${val.parameters}.length(),
(const char*)${val.parameters}.data());
auto parameters = make_intrusive<StringVal>(${val.parameters}.length(),
(const char*)${val.parameters}.data());
IntrusivePtr<StringVal> payload_str;
if ( ${val.data_count} > 0 )
@ -87,11 +87,11 @@ refine connection SMB_Conn += {
else
payload_str = val_mgr->EmptyString();
BifEvent::generate_smb1_transaction_response(bro_analyzer(),
bro_analyzer()->Conn(),
BuildHeaderVal(header),
parameters,
payload_str.release());
BifEvent::enqueue_smb1_transaction_response(bro_analyzer(),
bro_analyzer()->Conn(),
SMBHeaderVal(header),
std::move(parameters),
std::move(payload_str));
return true;
%}
};

18
src/analyzer/protocol/smb/smb1-com-transaction2-secondary.pac
View file

@ -5,7 +5,7 @@ refine connection SMB_Conn += {
if ( ! smb1_transaction2_secondary_request )
return false;
RecordVal* args = new RecordVal(BifType::Record::SMB1::Trans2_Sec_Args);
auto args = make_intrusive<RecordVal>(BifType::Record::SMB1::Trans2_Sec_Args);
args->Assign(0, val_mgr->Count(${val.total_param_count}));
args->Assign(1, val_mgr->Count(${val.total_data_count}));
args->Assign(2, val_mgr->Count(${val.param_count}));
@ -16,15 +16,15 @@ refine connection SMB_Conn += {
args->Assign(7, val_mgr->Count(${val.data_displacement}));
args->Assign(8, val_mgr->Count(${val.FID}));
StringVal* parameters = new StringVal(${val.parameters}.length(), (const char*)${val.parameters}.data());
StringVal* payload = new StringVal(${val.data}.length(), (const char*)${val.data}.data());
auto parameters = make_intrusive<StringVal>(${val.parameters}.length(), (const char*)${val.parameters}.data());
auto payload = make_intrusive<StringVal>(${val.data}.length(), (const char*)${val.data}.data());
BifEvent::generate_smb1_transaction2_secondary_request(bro_analyzer(),
bro_analyzer()->Conn(),
BuildHeaderVal(header),
args,
parameters,
payload);
BifEvent::enqueue_smb1_transaction2_secondary_request(bro_analyzer(),
bro_analyzer()->Conn(),
SMBHeaderVal(header),
std::move(args),
std::move(parameters),
std::move(payload));
return true;
%}

32
src/analyzer/protocol/smb/smb1-com-transaction2.pac
View file

@ -24,7 +24,7 @@ refine connection SMB_Conn += {
%{
if ( smb1_transaction2_request )
{
RecordVal* args = new RecordVal(BifType::Record::SMB1::Trans2_Args);
auto args = make_intrusive<RecordVal>(BifType::Record::SMB1::Trans2_Args);
args->Assign(0, val_mgr->Count(${val.total_param_count}));
args->Assign(1, val_mgr->Count(${val.total_data_count}));
args->Assign(2, val_mgr->Count(${val.max_param_count}));
@ -38,7 +38,11 @@ refine connection SMB_Conn += {
args->Assign(10, val_mgr->Count(${val.data_offset}));
args->Assign(11, val_mgr->Count(${val.setup_count}));
BifEvent::generate_smb1_transaction2_request(bro_analyzer(), bro_analyzer()->Conn(), BuildHeaderVal(header), args, ${val.sub_cmd});
BifEvent::enqueue_smb1_transaction2_request(bro_analyzer(),
bro_analyzer()->Conn(),
SMBHeaderVal(header),
std::move(args),
${val.sub_cmd});
}
return true;
@ -47,7 +51,7 @@ refine connection SMB_Conn += {
function proc_smb1_transaction2_response(header: SMB_Header, val: SMB1_transaction2_response): bool
%{
//if ( smb1_transaction2_response )
// BifEvent::generate_smb1_transaction2_response(bro_analyzer(), bro_analyzer()->Conn(), BuildHeaderVal(header), ${val.sub_cmd});
// BifEvent::enqueue_smb1_transaction2_response(bro_analyzer(), bro_analyzer()->Conn(), SMBHeaderVal(header), ${val.sub_cmd});
return true;
%}
@ -127,15 +131,17 @@ refine connection SMB_Conn += {
%{
if ( smb1_trans2_find_first2_request )
{
RecordVal* result = new RecordVal(BifType::Record::SMB1::Find_First2_Request_Args);
auto result = make_intrusive<RecordVal>(BifType::Record::SMB1::Find_First2_Request_Args);
result->Assign(0, val_mgr->Count(${val.search_attrs}));
result->Assign(1, val_mgr->Count(${val.search_count}));
result->Assign(2, val_mgr->Count(${val.flags}));
result->Assign(3, val_mgr->Count(${val.info_level}));
result->Assign(4, val_mgr->Count(${val.search_storage_type}));
result->Assign(5, smb_string2stringval(${val.file_name}));
BifEvent::generate_smb1_trans2_find_first2_request(bro_analyzer(), bro_analyzer()->Conn(), \
BuildHeaderVal(header), result);
BifEvent::enqueue_smb1_trans2_find_first2_request(bro_analyzer(),
bro_analyzer()->Conn(),
SMBHeaderVal(header),
std::move(result));
}
return true;
@ -211,9 +217,10 @@ refine connection SMB_Conn += {
%{
if ( smb1_trans2_query_path_info_request )
{
BifEvent::generate_smb1_trans2_query_path_info_request(bro_analyzer(), bro_analyzer()->Conn(), \
BuildHeaderVal(header), \
smb_string2stringval(${val.file_name}));
BifEvent::enqueue_smb1_trans2_query_path_info_request(bro_analyzer(),
bro_analyzer()->Conn(),
SMBHeaderVal(header),
{AdoptRef{}, smb_string2stringval(${val.file_name})});
}
return true;
@ -315,9 +322,10 @@ refine connection SMB_Conn += {
%{
if ( smb1_trans2_get_dfs_referral_request )
{
BifEvent::generate_smb1_trans2_get_dfs_referral_request(bro_analyzer(), bro_analyzer()->Conn(), \
BuildHeaderVal(header), \
smb_string2stringval(${val.file_name}));
BifEvent::enqueue_smb1_trans2_get_dfs_referral_request(bro_analyzer(),
bro_analyzer()->Conn(),
SMBHeaderVal(header),
{AdoptRef{}, smb_string2stringval(${val.file_name})});
}
return true;
%}

27
src/analyzer/protocol/smb/smb1-com-tree-connect-andx.pac
View file

@ -3,29 +3,30 @@ refine connection SMB_Conn += {
function proc_smb1_tree_connect_andx_request(header: SMB_Header, val: SMB1_tree_connect_andx_request): bool
%{
if ( smb1_tree_connect_andx_request )
BifEvent::generate_smb1_tree_connect_andx_request(bro_analyzer(),
bro_analyzer()->Conn(),
BuildHeaderVal(header),
smb_string2stringval(${val.path}),
smb_string2stringval(${val.service}));
BifEvent::enqueue_smb1_tree_connect_andx_request(bro_analyzer(),
bro_analyzer()->Conn(),
SMBHeaderVal(header),
{AdoptRef{}, smb_string2stringval(${val.path})},
{AdoptRef{}, smb_string2stringval(${val.service})});
return true;
%}
function proc_smb1_tree_connect_andx_response(header: SMB_Header, val: SMB1_tree_connect_andx_response): bool
%{
auto service_string = smb_string2stringval(${val.service});
auto service_string = IntrusivePtr<StringVal>{AdoptRef{}, smb_string2stringval(${val.service})};
auto s = reinterpret_cast<const char*>(service_string->Bytes());
if ( strncmp(s, "IPC", 3) == 0 )
set_tree_is_pipe(${header.tid});
if ( smb1_tree_connect_andx_response )
BifEvent::generate_smb1_tree_connect_andx_response(bro_analyzer(),
bro_analyzer()->Conn(),
BuildHeaderVal(header),
service_string,
${val.byte_count} > ${val.service.a}->size() ? smb_string2stringval(${val.native_file_system[0]}) : val_mgr->EmptyString()->Ref()->AsStringVal());
else
Unref(service_string);
BifEvent::enqueue_smb1_tree_connect_andx_response(bro_analyzer(),
bro_analyzer()->Conn(),
SMBHeaderVal(header),
std::move(service_string),
${val.byte_count} > ${val.service.a}->size() ?
IntrusivePtr<StringVal>{AdoptRef{}, smb_string2stringval(${val.native_file_system[0]})} :
val_mgr->EmptyString());
return true;
%}

8
src/analyzer/protocol/smb/smb1-com-tree-disconnect.pac
View file

@ -3,10 +3,10 @@ refine connection SMB_Conn += {
function proc_smb1_tree_disconnect(header: SMB_Header, val: SMB1_tree_disconnect): bool
%{
if ( smb1_tree_disconnect )
BifEvent::generate_smb1_tree_disconnect(bro_analyzer(),
bro_analyzer()->Conn(),
BuildHeaderVal(header),
${val.is_orig});
BifEvent::enqueue_smb1_tree_disconnect(bro_analyzer(),
bro_analyzer()->Conn(),
SMBHeaderVal(header),
${val.is_orig});
return true;
%}

16
src/analyzer/protocol/smb/smb1-com-write-andx.pac
View file

@ -3,12 +3,12 @@ refine connection SMB_Conn += {
function proc_smb1_write_andx_request(h: SMB_Header, val: SMB1_write_andx_request): bool
%{
if ( smb1_write_andx_request )
BifEvent::generate_smb1_write_andx_request(bro_analyzer(),
bro_analyzer()->Conn(),
BuildHeaderVal(h),
${val.file_id},
${val.write_offset},
${val.data_len});
BifEvent::enqueue_smb1_write_andx_request(bro_analyzer(),
bro_analyzer()->Conn(),
SMBHeaderVal(h),
${val.file_id},
${val.write_offset},
${val.data_len});
if ( ! ${h.is_pipe} && ${val.data}.length() > 0 )
{
@ -24,9 +24,9 @@ refine connection SMB_Conn += {
function proc_smb1_write_andx_response(h: SMB_Header, val: SMB1_write_andx_response): bool
%{
if ( smb1_write_andx_response )
BifEvent::generate_smb1_write_andx_response(bro_analyzer(),
BifEvent::enqueue_smb1_write_andx_response(bro_analyzer(),
bro_analyzer()->Conn(),
BuildHeaderVal(h),
SMBHeaderVal(h),
${val.written_bytes});
return true;

36
src/analyzer/protocol/smb/smb1-protocol.pac
View file

@ -2,10 +2,14 @@
#include "file_analysis/Manager.h"
%}
refine connection SMB_Conn += {
function BuildHeaderVal(hdr: SMB_Header): BroVal
%{
RecordVal* r = new RecordVal(BifType::Record::SMB1::Header);
%header{
IntrusivePtr<RecordVal> SMBHeaderVal(SMB_Header* hdr);
%}
%code{
IntrusivePtr<RecordVal> SMBHeaderVal(SMB_Header* hdr)
{
auto r = make_intrusive<RecordVal>(BifType::Record::SMB1::Header);
//unsigned int status = 0;
//
@ -31,14 +35,16 @@ refine connection SMB_Conn += {
r->Assign(7, val_mgr->Count(${hdr.mid}));
return r;
%}
}
%}
refine connection SMB_Conn += {
function proc_smb_message(h: SMB_Header, is_orig: bool): bool
%{
if ( smb1_message )
{
BifEvent::generate_smb1_message(bro_analyzer(), bro_analyzer()->Conn(),
BuildHeaderVal(h),
BifEvent::enqueue_smb1_message(bro_analyzer(), bro_analyzer()->Conn(),
SMBHeaderVal(h),
is_orig);
}
return true;
@ -48,9 +54,9 @@ refine connection SMB_Conn += {
%{
if ( smb1_empty_response )
{
BifEvent::generate_smb1_empty_response(bro_analyzer(),
bro_analyzer()->Conn(),
BuildHeaderVal(header));
BifEvent::enqueue_smb1_empty_response(bro_analyzer(),
bro_analyzer()->Conn(),
SMBHeaderVal(header));
}
return true;
%}
@ -61,15 +67,17 @@ refine connection SMB_Conn += {
{
if ( smb1_empty_response )
{
BifEvent::generate_smb1_empty_response(bro_analyzer(), bro_analyzer()->Conn(), BuildHeaderVal(h));
BifEvent::enqueue_smb1_empty_response(bro_analyzer(),
bro_analyzer()->Conn(),
SMBHeaderVal(h));
}
}
else
{
if ( smb1_error )
BifEvent::generate_smb1_error(bro_analyzer(),
bro_analyzer()->Conn(),
BuildHeaderVal(h), is_orig);
BifEvent::enqueue_smb1_error(bro_analyzer(),
bro_analyzer()->Conn(),
SMBHeaderVal(h), is_orig);
}
return true;
%}

18
src/analyzer/protocol/smb/smb2-com-close.pac
View file

@ -4,10 +4,10 @@ refine connection SMB_Conn += {
%{
if ( smb2_close_request )
{
BifEvent::generate_smb2_close_request(bro_analyzer(),
bro_analyzer()->Conn(),
BuildSMB2HeaderVal(h),
BuildSMB2GUID(${val.file_id}));
BifEvent::enqueue_smb2_close_request(bro_analyzer(),
bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2HeaderVal(h)},
{AdoptRef{}, BuildSMB2GUID(${val.file_id})});
}
file_mgr->EndOfFile(bro_analyzer()->GetAnalyzerTag(),
@ -20,7 +20,7 @@ refine connection SMB_Conn += {
%{
if ( smb2_close_response )
{
RecordVal* resp = new RecordVal(BifType::Record::SMB2::CloseResponse);
auto resp = make_intrusive<RecordVal>(BifType::Record::SMB2::CloseResponse);
resp->Assign(0, val_mgr->Count(${val.alloc_size}));
resp->Assign(1, val_mgr->Count(${val.eof}));
@ -30,10 +30,10 @@ refine connection SMB_Conn += {
${val.change_time}));
resp->Assign(3, smb2_file_attrs_to_bro(${val.file_attrs}));
BifEvent::generate_smb2_close_response(bro_analyzer(),
bro_analyzer()->Conn(),
BuildSMB2HeaderVal(h),
resp);
BifEvent::enqueue_smb2_close_response(bro_analyzer(),
bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2HeaderVal(h)},
std::move(resp));
}
return true;

24
src/analyzer/protocol/smb/smb2-com-create.pac
View file

@ -9,20 +9,20 @@ refine connection SMB_Conn += {
set_tree_is_pipe(${h.tree_id});
if ( smb_pipe_connect_heuristic )
BifEvent::generate_smb_pipe_connect_heuristic(bro_analyzer(),
bro_analyzer()->Conn());
BifEvent::enqueue_smb_pipe_connect_heuristic(bro_analyzer(),
bro_analyzer()->Conn());
}
if ( smb2_create_request )
{
RecordVal* requestinfo = new RecordVal(BifType::Record::SMB2::CreateRequest);
auto requestinfo = make_intrusive<RecordVal>(BifType::Record::SMB2::CreateRequest);
requestinfo->Assign(0, filename);
requestinfo->Assign(1, val_mgr->Count(${val.disposition}));
requestinfo->Assign(2, val_mgr->Count(${val.create_options}));
BifEvent::generate_smb2_create_request(bro_analyzer(),
bro_analyzer()->Conn(),
BuildSMB2HeaderVal(h),
requestinfo);
BifEvent::enqueue_smb2_create_request(bro_analyzer(),
bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2HeaderVal(h)},
std::move(requestinfo));
}
else
{
@ -36,7 +36,7 @@ refine connection SMB_Conn += {
%{
if ( smb2_create_response )
{
RecordVal* responseinfo = new RecordVal(BifType::Record::SMB2::CreateResponse);
auto responseinfo = make_intrusive<RecordVal>(BifType::Record::SMB2::CreateResponse);
responseinfo->Assign(0, BuildSMB2GUID(${val.file_id}));
responseinfo->Assign(1, val_mgr->Count(${val.eof}));
responseinfo->Assign(2, SMB_BuildMACTimes(${val.last_write_time},
@ -45,10 +45,10 @@ refine connection SMB_Conn += {
${val.change_time}));
responseinfo->Assign(3, smb2_file_attrs_to_bro(${val.file_attrs}));
responseinfo->Assign(4, val_mgr->Count(${val.create_action}));
BifEvent::generate_smb2_create_response(bro_analyzer(),
bro_analyzer()->Conn(),
BuildSMB2HeaderVal(h),
responseinfo);
BifEvent::enqueue_smb2_create_response(bro_analyzer(),
bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2HeaderVal(h)},
std::move(responseinfo));
}
return true;

20
src/analyzer/protocol/smb/smb2-com-negotiate.pac
View file

@ -22,14 +22,14 @@ refine connection SMB_Conn += {
%{
if ( smb2_negotiate_request )
{
VectorVal* dialects = new VectorVal(index_vec);
auto dialects = make_intrusive<VectorVal>(index_vec);
for ( unsigned int i = 0; i < ${val.dialects}->size(); ++i )
{
dialects->Assign(i, val_mgr->Count((*${val.dialects})[i]));
}
BifEvent::generate_smb2_negotiate_request(bro_analyzer(), bro_analyzer()->Conn(),
BuildSMB2HeaderVal(h),
dialects);
BifEvent::enqueue_smb2_negotiate_request(bro_analyzer(), bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2HeaderVal(h)},
std::move(dialects));
}
return true;
@ -39,7 +39,7 @@ refine connection SMB_Conn += {
%{
if ( smb2_negotiate_response )
{
RecordVal* nr = new RecordVal(BifType::Record::SMB2::NegotiateResponse);
auto nr = make_intrusive<RecordVal>(BifType::Record::SMB2::NegotiateResponse);
nr->Assign(0, val_mgr->Count(${val.dialect_revision}));
nr->Assign(1, val_mgr->Count(${val.security_mode}));
@ -60,9 +60,9 @@ refine connection SMB_Conn += {
nr->Assign(6, cv);
BifEvent::generate_smb2_negotiate_response(bro_analyzer(), bro_analyzer()->Conn(),
BuildSMB2HeaderVal(h),
nr);
BifEvent::enqueue_smb2_negotiate_response(bro_analyzer(), bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2HeaderVal(h)},
std::move(nr));
}
return true;

12
src/analyzer/protocol/smb/smb2-com-read.pac
View file

@ -26,12 +26,12 @@ refine connection SMB_Conn += {
%{
if ( smb2_read_request )
{
BifEvent::generate_smb2_read_request(bro_analyzer(),
bro_analyzer()->Conn(),
BuildSMB2HeaderVal(h),
BuildSMB2GUID(${val.file_id}),
${val.offset},
${val.read_len});
BifEvent::enqueue_smb2_read_request(bro_analyzer(),
bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2HeaderVal(h)},
{AdoptRef{}, BuildSMB2GUID(${val.file_id})},
${val.offset},
${val.read_len});
}
smb2_read_offsets[${h.message_id}] = ${val.offset};

24
src/analyzer/protocol/smb/smb2-com-session-setup.pac
View file

@ -4,13 +4,13 @@ refine connection SMB_Conn += {
%{
if ( smb2_session_setup_request )
{
RecordVal* req = new RecordVal(BifType::Record::SMB2::SessionSetupRequest);
auto req = make_intrusive<RecordVal>(BifType::Record::SMB2::SessionSetupRequest);
req->Assign(0, val_mgr->Count(${val.security_mode}));
BifEvent::generate_smb2_session_setup_request(bro_analyzer(),
bro_analyzer()->Conn(),
BuildSMB2HeaderVal(h),
req);
BifEvent::enqueue_smb2_session_setup_request(bro_analyzer(),
bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2HeaderVal(h)},
std::move(req));
}
return true;
@ -20,18 +20,18 @@ refine connection SMB_Conn += {
%{
if ( smb2_session_setup_response )
{
RecordVal* flags = new RecordVal(BifType::Record::SMB2::SessionSetupFlags);
auto flags = make_intrusive<RecordVal>(BifType::Record::SMB2::SessionSetupFlags);
flags->Assign(0, val_mgr->Bool(${val.flag_guest}));
flags->Assign(1, val_mgr->Bool(${val.flag_anonymous}));
flags->Assign(2, val_mgr->Bool(${val.flag_encrypt}));
RecordVal* resp = new RecordVal(BifType::Record::SMB2::SessionSetupResponse);
resp->Assign(0, flags);
auto resp = make_intrusive<RecordVal>(BifType::Record::SMB2::SessionSetupResponse);
resp->Assign(0, std::move(flags));
BifEvent::generate_smb2_session_setup_response(bro_analyzer(),
bro_analyzer()->Conn(),
BuildSMB2HeaderVal(h),
resp);
BifEvent::enqueue_smb2_session_setup_response(bro_analyzer(),
bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2HeaderVal(h)},
std::move(resp));
}
return true;

162
src/analyzer/protocol/smb/smb2-com-set-info.pac
View file

@ -28,15 +28,15 @@ refine connection SMB_Conn += {
function proc_smb2_set_info_request_file(val: SMB2_file_basic_info): bool
%{
if ( smb2_file_sattr )
BifEvent::generate_smb2_file_sattr(bro_analyzer(),
bro_analyzer()->Conn(),
BuildSMB2HeaderVal(${val.sir.header}),
BuildSMB2GUID(${val.sir.file_id}),
SMB_BuildMACTimes(${val.last_write_time},
${val.last_access_time},
${val.creation_time},
${val.change_time}),
smb2_file_attrs_to_bro(${val.file_attrs}));
BifEvent::enqueue_smb2_file_sattr(bro_analyzer(),
bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2HeaderVal(${val.sir.header})},
{AdoptRef{}, BuildSMB2GUID(${val.sir.file_id})},
{AdoptRef{}, SMB_BuildMACTimes(${val.last_write_time},
${val.last_access_time},
${val.creation_time},
${val.change_time})},
{AdoptRef{}, smb2_file_attrs_to_bro(${val.file_attrs})});
return true;
%}
@ -44,11 +44,11 @@ refine connection SMB_Conn += {
function proc_smb2_set_info_request_file_rename(val: SMB2_file_rename_info): bool
%{
if ( smb2_file_rename )
BifEvent::generate_smb2_file_rename(bro_analyzer(),
bro_analyzer()->Conn(),
BuildSMB2HeaderVal(${val.sir.header}),
BuildSMB2GUID(${val.sir.file_id}),
smb2_string2stringval(${val.filename}));
BifEvent::enqueue_smb2_file_rename(bro_analyzer(),
bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2HeaderVal(${val.sir.header})},
{AdoptRef{}, BuildSMB2GUID(${val.sir.file_id})},
{AdoptRef{}, smb2_string2stringval(${val.filename})});
return true;
%}
@ -56,11 +56,11 @@ refine connection SMB_Conn += {
function proc_smb2_set_info_request_file_delete(val: SMB2_file_disposition_info): bool
%{
if ( smb2_file_delete )
BifEvent::generate_smb2_file_delete(bro_analyzer(),
bro_analyzer()->Conn(),
BuildSMB2HeaderVal(${val.sir.header}),
BuildSMB2GUID(${val.sir.file_id}),
(${val.delete_pending} > 0));
BifEvent::enqueue_smb2_file_delete(bro_analyzer(),
bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2HeaderVal(${val.sir.header})},
{AdoptRef{}, BuildSMB2GUID(${val.sir.file_id})},
(${val.delete_pending} > 0));
return true;
%}
@ -68,11 +68,11 @@ refine connection SMB_Conn += {
function proc_smb2_set_info_request_file_allocation(val: SMB2_file_allocation_info): bool
%{
if ( smb2_file_allocation )
BifEvent::generate_smb2_file_allocation(bro_analyzer(),
bro_analyzer()->Conn(),
BuildSMB2HeaderVal(${val.sir.header}),
BuildSMB2GUID(${val.sir.file_id}),
(${val.allocation_size}));
BifEvent::enqueue_smb2_file_allocation(bro_analyzer(),
bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2HeaderVal(${val.sir.header})},
{AdoptRef{}, BuildSMB2GUID(${val.sir.file_id})},
(${val.allocation_size}));
return true;
%}
@ -80,35 +80,35 @@ refine connection SMB_Conn += {
function proc_smb2_set_info_request_file_endoffile(val: SMB2_file_endoffile_info): bool
%{
if ( smb2_file_endoffile )
BifEvent::generate_smb2_file_endoffile(bro_analyzer(),
bro_analyzer()->Conn(),
BuildSMB2HeaderVal(${val.sir.header}),
BuildSMB2GUID(${val.sir.file_id}),
${val.endoffile});
BifEvent::enqueue_smb2_file_endoffile(bro_analyzer(),
bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2HeaderVal(${val.sir.header})},
{AdoptRef{}, BuildSMB2GUID(${val.sir.file_id})},
${val.endoffile});
return true;
%}
function proc_smb2_set_info_request_file_fullea(val: SMB2_file_fullea_info): bool
%{
if ( smb2_file_fullea )
if ( smb2_file_fullea )
{
VectorVal* eas = new VectorVal(BifType::Vector::SMB2::FileEAs);
auto eas = make_intrusive<VectorVal>(BifType::Vector::SMB2::FileEAs);
for ( auto i = 0u; i < ${val.ea_vector}->size(); ++i )
{
RecordVal* r = new RecordVal(BifType::Record::SMB2::FileEA);
auto r = make_intrusive<RecordVal>(BifType::Record::SMB2::FileEA);
r->Assign(0, smb2_string2stringval(${val.ea_vector[i].ea_name}));
r->Assign(1, smb2_string2stringval(${val.ea_vector[i].ea_value}));
eas->Assign(i, r);
eas->Assign(i, std::move(r));
}
BifEvent::generate_smb2_file_fullea(bro_analyzer(),
bro_analyzer()->Conn(),
BuildSMB2HeaderVal(${val.sir.header}),
BuildSMB2GUID(${val.sir.file_id}),
eas);
BifEvent::enqueue_smb2_file_fullea(bro_analyzer(),
bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2HeaderVal(${val.sir.header})},
{AdoptRef{}, BuildSMB2GUID(${val.sir.file_id})},
std::move(eas));
}
return true;
@ -117,12 +117,12 @@ refine connection SMB_Conn += {
function proc_smb2_set_info_request_file_link(val: SMB2_file_link_info): bool
%{
if ( smb2_file_link )
BifEvent::generate_smb2_file_link(bro_analyzer(),
bro_analyzer()->Conn(),
BuildSMB2HeaderVal(${val.sir.header}),
BuildSMB2GUID(${val.sir.file_id}),
${val.root_directory},
smb2_string2stringval(${val.file_name}));
BifEvent::enqueue_smb2_file_link(bro_analyzer(),
bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2HeaderVal(${val.sir.header})},
{AdoptRef{}, BuildSMB2GUID(${val.sir.file_id})},
${val.root_directory},
{AdoptRef{}, smb2_string2stringval(${val.file_name})});
return true;
%}
@ -130,11 +130,11 @@ refine connection SMB_Conn += {
function proc_smb2_set_info_request_file_mode(val: SMB2_file_mode_info): bool
%{
if ( smb2_file_mode )
BifEvent::generate_smb2_file_mode(bro_analyzer(),
bro_analyzer()->Conn(),
BuildSMB2HeaderVal(${val.sir.header}),
BuildSMB2GUID(${val.sir.file_id}),
${val.mode});
BifEvent::enqueue_smb2_file_mode(bro_analyzer(),
bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2HeaderVal(${val.sir.header})},
{AdoptRef{}, BuildSMB2GUID(${val.sir.file_id})},
${val.mode});
return true;
%}
@ -142,11 +142,11 @@ refine connection SMB_Conn += {
function proc_smb2_set_info_request_file_pipe(val: SMB2_file_pipe_info): bool
%{
if ( smb2_file_pipe )
BifEvent::generate_smb2_file_pipe(bro_analyzer(),
bro_analyzer()->Conn(),
BuildSMB2HeaderVal(${val.sir.header}),
BuildSMB2GUID(${val.sir.file_id}),
${val.read_mode},
BifEvent::enqueue_smb2_file_pipe(bro_analyzer(),
bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2HeaderVal(${val.sir.header})},
{AdoptRef{}, BuildSMB2GUID(${val.sir.file_id})},
${val.read_mode},
${val.completion_mode});
return true;
@ -155,11 +155,11 @@ refine connection SMB_Conn += {
function proc_smb2_set_info_request_file_position(val: SMB2_file_position_info): bool
%{
if ( smb2_file_position )
BifEvent::generate_smb2_file_position(bro_analyzer(),
bro_analyzer()->Conn(),
BuildSMB2HeaderVal(${val.sir.header}),
BuildSMB2GUID(${val.sir.file_id}),
${val.current_byte_offset});
BifEvent::enqueue_smb2_file_position(bro_analyzer(),
bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2HeaderVal(${val.sir.header})},
{AdoptRef{}, BuildSMB2GUID(${val.sir.file_id})},
${val.current_byte_offset});
return true;
%}
@ -167,11 +167,11 @@ refine connection SMB_Conn += {
function proc_smb2_set_info_request_file_shortname(val: SMB2_file_shortname_info): bool
%{
if ( smb2_file_shortname )
BifEvent::generate_smb2_file_shortname(bro_analyzer(),
bro_analyzer()->Conn(),
BuildSMB2HeaderVal(${val.sir.header}),
BuildSMB2GUID(${val.sir.file_id}),
smb2_string2stringval(${val.filename}));
BifEvent::enqueue_smb2_file_shortname(bro_analyzer(),
bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2HeaderVal(${val.sir.header})},
{AdoptRef{}, BuildSMB2GUID(${val.sir.file_id})},
{AdoptRef{}, smb2_string2stringval(${val.filename})});
return true;
%}
@ -179,11 +179,11 @@ refine connection SMB_Conn += {
function proc_smb2_set_info_request_file_validdatalength(val: SMB2_file_validdatalength_info): bool
%{
if ( smb2_file_validdatalength )
BifEvent::generate_smb2_file_validdatalength(bro_analyzer(),
bro_analyzer()->Conn(),
BuildSMB2HeaderVal(${val.sir.header}),
BuildSMB2GUID(${val.sir.file_id}),
${val.validdatalength});
BifEvent::enqueue_smb2_file_validdatalength(bro_analyzer(),
bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2HeaderVal(${val.sir.header})},
{AdoptRef{}, BuildSMB2GUID(${val.sir.file_id})},
${val.validdatalength});
return true;
%}
@ -192,7 +192,7 @@ refine connection SMB_Conn += {
%{
if ( smb2_file_fscontrol )
{
RecordVal* r = new RecordVal(BifType::Record::SMB2::Fscontrol);
auto r = make_intrusive<RecordVal>(BifType::Record::SMB2::Fscontrol);
r->Assign(0, val_mgr->Int(${val.free_space_start_filtering}));
r->Assign(1, val_mgr->Int(${val.free_space_start_threshold}));
r->Assign(2, val_mgr->Int(${val.free_space_stop_filtering}));
@ -200,11 +200,11 @@ refine connection SMB_Conn += {
r->Assign(4, val_mgr->Count(${val.default_quota_limit}));
r->Assign(5, val_mgr->Count(${val.file_system_control_flags}));
BifEvent::generate_smb2_file_fscontrol(bro_analyzer(),
bro_analyzer()->Conn(),
BuildSMB2HeaderVal(${val.sir.header}),
BuildSMB2GUID(${val.sir.file_id}),
r);
BifEvent::enqueue_smb2_file_fscontrol(bro_analyzer(),
bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2HeaderVal(${val.sir.header})},
{AdoptRef{}, BuildSMB2GUID(${val.sir.file_id})},
std::move(r));
}
return true;
@ -213,12 +213,12 @@ refine connection SMB_Conn += {
function proc_smb2_set_info_request_file_fsobjectid(val: SMB2_file_fsobjectid_info): bool
%{
if ( smb2_file_fsobjectid )
BifEvent::generate_smb2_file_fsobjectid(bro_analyzer(),
bro_analyzer()->Conn(),
BuildSMB2HeaderVal(${val.sir.header}),
BuildSMB2GUID(${val.sir.file_id}),
BuildSMB2GUID(${val.object_id}),
smb2_string2stringval(${val.extended_info}));
BifEvent::enqueue_smb2_file_fsobjectid(bro_analyzer(),
bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2HeaderVal(${val.sir.header})},
{AdoptRef{}, BuildSMB2GUID(${val.sir.file_id})},
{AdoptRef{}, BuildSMB2GUID(${val.object_id})},
{AdoptRef{}, smb2_string2stringval(${val.extended_info})});
return true;
%}

6
src/analyzer/protocol/smb/smb2-com-transform-header.pac
View file

@ -16,9 +16,9 @@ refine connection SMB_Conn += {
function proc_smb2_transform_header(hdr: SMB2_transform_header) : bool
%{
if ( smb2_transform_header )
BifEvent::generate_smb2_transform_header(bro_analyzer(),
bro_analyzer()->Conn(),
BuildSMB2TransformHeaderVal(hdr));
BifEvent::enqueue_smb2_transform_header(bro_analyzer(),
bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2TransformHeaderVal(hdr)});
return true;
%}

18
src/analyzer/protocol/smb/smb2-com-tree-connect.pac
View file

@ -3,10 +3,10 @@ refine connection SMB_Conn += {
function proc_smb2_tree_connect_request(header: SMB2_Header, val: SMB2_tree_connect_request): bool
%{
if ( smb2_tree_connect_request )
BifEvent::generate_smb2_tree_connect_request(bro_analyzer(),
bro_analyzer()->Conn(),
BuildSMB2HeaderVal(header),
smb2_string2stringval(${val.path}));
BifEvent::enqueue_smb2_tree_connect_request(bro_analyzer(),
bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2HeaderVal(header)},
{AdoptRef{}, smb2_string2stringval(${val.path})});
return true;
%}
@ -18,13 +18,13 @@ refine connection SMB_Conn += {
if ( smb2_tree_connect_response )
{
RecordVal* resp = new RecordVal(BifType::Record::SMB2::TreeConnectResponse);
auto resp = make_intrusive<RecordVal>(BifType::Record::SMB2::TreeConnectResponse);
resp->Assign(0, val_mgr->Count(${val.share_type}));
BifEvent::generate_smb2_tree_connect_response(bro_analyzer(),
bro_analyzer()->Conn(),
BuildSMB2HeaderVal(header),
resp);
BifEvent::enqueue_smb2_tree_connect_response(bro_analyzer(),
bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2HeaderVal(header)},
std::move(resp));
}
return true;

12
src/analyzer/protocol/smb/smb2-com-tree-disconnect.pac
View file

@ -7,9 +7,9 @@ refine connection SMB_Conn += {
if ( smb2_tree_disconnect_request )
{
BifEvent::generate_smb2_tree_disconnect_request(bro_analyzer(),
bro_analyzer()->Conn(),
BuildSMB2HeaderVal(header));
BifEvent::enqueue_smb2_tree_disconnect_request(bro_analyzer(),
bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2HeaderVal(header)});
}
return true;
@ -19,9 +19,9 @@ refine connection SMB_Conn += {
%{
if ( smb2_tree_disconnect_response )
{
BifEvent::generate_smb2_tree_disconnect_response(bro_analyzer(),
bro_analyzer()->Conn(),
BuildSMB2HeaderVal(header));
BifEvent::enqueue_smb2_tree_disconnect_response(bro_analyzer(),
bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2HeaderVal(header)});
}
return true;

18
src/analyzer/protocol/smb/smb2-com-write.pac
View file

@ -4,12 +4,12 @@ refine connection SMB_Conn += {
%{
if ( smb2_write_request )
{
BifEvent::generate_smb2_write_request(bro_analyzer(),
bro_analyzer()->Conn(),
BuildSMB2HeaderVal(h),
BuildSMB2GUID(${val.file_id}),
${val.offset},
${val.data_len});
BifEvent::enqueue_smb2_write_request(bro_analyzer(),
bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2HeaderVal(h)},
{AdoptRef{}, BuildSMB2GUID(${val.file_id})},
${val.offset},
${val.data_len});
}
if ( ! ${h.is_pipe} && ${val.data}.length() > 0 )
@ -27,10 +27,10 @@ refine connection SMB_Conn += {
if ( smb2_write_response )
{
BifEvent::generate_smb2_write_response(bro_analyzer(),
BifEvent::enqueue_smb2_write_response(bro_analyzer(),
bro_analyzer()->Conn(),
BuildSMB2HeaderVal(h),
${val.write_count});
{AdoptRef{}, BuildSMB2HeaderVal(h)},
${val.write_count});
}
return true;

6
src/analyzer/protocol/smb/smb2-protocol.pac
View file

@ -215,9 +215,9 @@ refine connection SMB_Conn += {
if ( smb2_message )
{
BifEvent::generate_smb2_message(bro_analyzer(), bro_analyzer()->Conn(),
BuildSMB2HeaderVal(h),
is_orig);
BifEvent::enqueue_smb2_message(bro_analyzer(), bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2HeaderVal(h)},
is_orig);
}
return true;
%}

150
src/analyzer/protocol/snmp/snmp-analyzer.pac
View file

@ -12,12 +12,12 @@ AddrVal* network_address_to_val(const ASN1Encoding* na);
AddrVal* network_address_to_val(const NetworkAddress* na);
Val* asn1_obj_to_val(const ASN1Encoding* obj);
RecordVal* build_hdr(const Header* header);
IntrusivePtr<RecordVal> build_hdr(const Header* header);
RecordVal* build_hdrV3(const Header* header);
VectorVal* build_bindings(const VarBindList* vbl);
RecordVal* build_pdu(const CommonPDU* pdu);
RecordVal* build_trap_pdu(const TrapPDU* pdu);
RecordVal* build_bulk_pdu(const GetBulkRequestPDU* pdu);
IntrusivePtr<RecordVal> build_pdu(const CommonPDU* pdu);
IntrusivePtr<RecordVal> build_trap_pdu(const TrapPDU* pdu);
IntrusivePtr<RecordVal> build_bulk_pdu(const GetBulkRequestPDU* pdu);
%}
%code{
@ -90,9 +90,9 @@ Val* time_ticks_to_val(const TimeTicks* tt)
return asn1_integer_to_val(tt->asn1_integer(), TYPE_COUNT);
}
RecordVal* build_hdr(const Header* header)
IntrusivePtr<RecordVal> build_hdr(const Header* header)
{
RecordVal* rv = new RecordVal(BifType::Record::SNMP::Header);
auto rv = make_intrusive<RecordVal>(BifType::Record::SNMP::Header);
rv->Assign(0, val_mgr->Count(header->version()));
switch ( header->version() ) {
@ -169,9 +169,9 @@ VectorVal* build_bindings(const VarBindList* vbl)
return vv;
}
RecordVal* build_pdu(const CommonPDU* pdu)
IntrusivePtr<RecordVal> build_pdu(const CommonPDU* pdu)
{
RecordVal* rv = new RecordVal(BifType::Record::SNMP::PDU);
auto rv = make_intrusive<RecordVal>(BifType::Record::SNMP::PDU);
rv->Assign(0, asn1_integer_to_val(pdu->request_id(), TYPE_INT));
rv->Assign(1, asn1_integer_to_val(pdu->error_status(), TYPE_INT));
rv->Assign(2, asn1_integer_to_val(pdu->error_index(), TYPE_INT));
@ -179,9 +179,9 @@ RecordVal* build_pdu(const CommonPDU* pdu)
return rv;
}
RecordVal* build_trap_pdu(const TrapPDU* pdu)
IntrusivePtr<RecordVal> build_trap_pdu(const TrapPDU* pdu)
{
RecordVal* rv = new RecordVal(BifType::Record::SNMP::TrapPDU);
auto rv = make_intrusive<RecordVal>(BifType::Record::SNMP::TrapPDU);
rv->Assign(0, asn1_oid_to_val(pdu->enterprise()));
rv->Assign(1, network_address_to_val(pdu->agent_addr()));
rv->Assign(2, asn1_integer_to_val(pdu->generic_trap(), TYPE_INT));
@ -191,9 +191,9 @@ RecordVal* build_trap_pdu(const TrapPDU* pdu)
return rv;
}
RecordVal* build_bulk_pdu(const GetBulkRequestPDU* pdu)
IntrusivePtr<RecordVal> build_bulk_pdu(const GetBulkRequestPDU* pdu)
{
RecordVal* rv = new RecordVal(BifType::Record::SNMP::BulkPDU);
auto rv = make_intrusive<RecordVal>(BifType::Record::SNMP::BulkPDU);
rv->Assign(0, asn1_integer_to_val(pdu->request_id(), TYPE_INT));
rv->Assign(1, asn1_integer_to_val(pdu->non_repeaters(), TYPE_COUNT));
rv->Assign(2, asn1_integer_to_val(pdu->max_repititions(), TYPE_COUNT));
@ -209,11 +209,11 @@ refine connection SNMP_Conn += {
if ( ! snmp_get_request )
return false;
BifEvent::generate_snmp_get_request(bro_analyzer(),
bro_analyzer()->Conn(),
${pdu.header.is_orig},
build_hdr(${pdu.header}),
build_pdu(${pdu.pdu}));
BifEvent::enqueue_snmp_get_request(bro_analyzer(),
bro_analyzer()->Conn(),
${pdu.header.is_orig},
build_hdr(${pdu.header}),
build_pdu(${pdu.pdu}));
return true;
%}
@ -222,11 +222,11 @@ refine connection SNMP_Conn += {
if ( ! snmp_get_next_request )
return false;
BifEvent::generate_snmp_get_next_request(bro_analyzer(),
bro_analyzer()->Conn(),
${pdu.header.is_orig},
build_hdr(${pdu.header}),
build_pdu(${pdu.pdu}));
BifEvent::enqueue_snmp_get_next_request(bro_analyzer(),
bro_analyzer()->Conn(),
${pdu.header.is_orig},
build_hdr(${pdu.header}),
build_pdu(${pdu.pdu}));
return true;
%}
@ -235,11 +235,11 @@ refine connection SNMP_Conn += {
if ( ! snmp_response )
return false;
BifEvent::generate_snmp_response(bro_analyzer(),
bro_analyzer()->Conn(),
${pdu.header.is_orig},
build_hdr(${pdu.header}),
build_pdu(${pdu.pdu}));
BifEvent::enqueue_snmp_response(bro_analyzer(),
bro_analyzer()->Conn(),
${pdu.header.is_orig},
build_hdr(${pdu.header}),
build_pdu(${pdu.pdu}));
return true;
%}
@ -248,11 +248,11 @@ refine connection SNMP_Conn += {
if ( ! snmp_set_request )
return false;
BifEvent::generate_snmp_set_request(bro_analyzer(),
bro_analyzer()->Conn(),
${pdu.header.is_orig},
build_hdr(${pdu.header}),
build_pdu(${pdu.pdu}));
BifEvent::enqueue_snmp_set_request(bro_analyzer(),
bro_analyzer()->Conn(),
${pdu.header.is_orig},
build_hdr(${pdu.header}),
build_pdu(${pdu.pdu}));
return true;
%}
@ -261,11 +261,11 @@ refine connection SNMP_Conn += {
if ( ! snmp_trap )
return false;
BifEvent::generate_snmp_trap(bro_analyzer(),
bro_analyzer()->Conn(),
${pdu.header.is_orig},
build_hdr(${pdu.header}),
build_trap_pdu(${pdu}));
BifEvent::enqueue_snmp_trap(bro_analyzer(),
bro_analyzer()->Conn(),
${pdu.header.is_orig},
build_hdr(${pdu.header}),
build_trap_pdu(${pdu}));
return true;
%}
@ -274,11 +274,11 @@ refine connection SNMP_Conn += {
if ( ! snmp_get_bulk_request )
return false;
BifEvent::generate_snmp_get_bulk_request(bro_analyzer(),
bro_analyzer()->Conn(),
${pdu.header.is_orig},
build_hdr(${pdu.header}),
build_bulk_pdu(${pdu}));
BifEvent::enqueue_snmp_get_bulk_request(bro_analyzer(),
bro_analyzer()->Conn(),
${pdu.header.is_orig},
build_hdr(${pdu.header}),
build_bulk_pdu(${pdu}));
return true;
%}
@ -287,11 +287,11 @@ refine connection SNMP_Conn += {
if ( ! snmp_inform_request )
return false;
BifEvent::generate_snmp_inform_request(bro_analyzer(),
bro_analyzer()->Conn(),
${pdu.header.is_orig},
build_hdr(${pdu.header}),
build_pdu(${pdu.pdu}));
BifEvent::enqueue_snmp_inform_request(bro_analyzer(),
bro_analyzer()->Conn(),
${pdu.header.is_orig},
build_hdr(${pdu.header}),
build_pdu(${pdu.pdu}));
return true;
%}
@ -300,11 +300,11 @@ refine connection SNMP_Conn += {
if ( ! snmp_trapV2 )
return false;
BifEvent::generate_snmp_trapV2(bro_analyzer(),
bro_analyzer()->Conn(),
${pdu.header.is_orig},
build_hdr(${pdu.header}),
build_pdu(${pdu.pdu}));
BifEvent::enqueue_snmp_trapV2(bro_analyzer(),
bro_analyzer()->Conn(),
${pdu.header.is_orig},
build_hdr(${pdu.header}),
build_pdu(${pdu.pdu}));
return true;
%}
@ -313,11 +313,11 @@ refine connection SNMP_Conn += {
if ( ! snmp_report )
return false;
BifEvent::generate_snmp_report(bro_analyzer(),
bro_analyzer()->Conn(),
${pdu.header.is_orig},
build_hdr(${pdu.header}),
build_pdu(${pdu.pdu}));
BifEvent::enqueue_snmp_report(bro_analyzer(),
bro_analyzer()->Conn(),
${pdu.header.is_orig},
build_hdr(${pdu.header}),
build_pdu(${pdu.pdu}));
return true;
%}
@ -326,10 +326,10 @@ refine connection SNMP_Conn += {
if ( ! snmp_unknown_header_version )
return false;
BifEvent::generate_snmp_unknown_header_version(bro_analyzer(),
bro_analyzer()->Conn(),
${rec.header.is_orig},
${rec.header.version});
BifEvent::enqueue_snmp_unknown_header_version(bro_analyzer(),
bro_analyzer()->Conn(),
${rec.header.is_orig},
${rec.header.version});
return true;
%}
@ -338,11 +338,11 @@ refine connection SNMP_Conn += {
if ( ! snmp_unknown_pdu )
return false;
BifEvent::generate_snmp_unknown_pdu(bro_analyzer(),
bro_analyzer()->Conn(),
${rec.header.is_orig},
build_hdr(${rec.header}),
${rec.tag});
BifEvent::enqueue_snmp_unknown_pdu(bro_analyzer(),
bro_analyzer()->Conn(),
${rec.header.is_orig},
build_hdr(${rec.header}),
${rec.tag});
return true;
%}
@ -351,11 +351,11 @@ refine connection SNMP_Conn += {
if ( ! snmp_unknown_scoped_pdu )
return false;
BifEvent::generate_snmp_unknown_scoped_pdu(bro_analyzer(),
bro_analyzer()->Conn(),
${rec.header.is_orig},
build_hdr(${rec.header}),
${rec.tag});
BifEvent::enqueue_snmp_unknown_scoped_pdu(bro_analyzer(),
bro_analyzer()->Conn(),
${rec.header.is_orig},
build_hdr(${rec.header}),
${rec.tag});
return true;
%}
@ -364,10 +364,10 @@ refine connection SNMP_Conn += {
if ( ! snmp_encrypted_pdu )
return false;
BifEvent::generate_snmp_encrypted_pdu(bro_analyzer(),
bro_analyzer()->Conn(),
${rec.header.is_orig},
build_hdr(${rec.header}));
BifEvent::enqueue_snmp_encrypted_pdu(bro_analyzer(),
bro_analyzer()->Conn(),
${rec.header.is_orig},
build_hdr(${rec.header}));
return true;
%}

94
src/analyzer/protocol/socks/socks-analyzer.pac
View file

@ -1,10 +1,10 @@
%header{
StringVal* array_to_string(vector<uint8> *a);
IntrusivePtr<StringVal> array_to_string(vector<uint8> *a);
%}
%code{
StringVal* array_to_string(vector<uint8> *a)
IntrusivePtr<StringVal> array_to_string(vector<uint8> *a)
{
int len = a->size();
auto tmp = std::make_unique<char[]>(len);
@ -14,7 +14,7 @@ StringVal* array_to_string(vector<uint8> *a)
while ( len > 0 && tmp[len-1] == '\0' )
--len;
return new StringVal(len, tmp.get());
return make_intrusive<StringVal>(len, tmp.get());
}
%}
@ -24,19 +24,19 @@ refine connection SOCKS_Conn += {
%{
if ( socks_request )
{
RecordVal* sa = new RecordVal(socks_address);
auto sa = make_intrusive<RecordVal>(socks_address);
sa->Assign(0, make_intrusive<AddrVal>(htonl(${request.addr})));
if ( ${request.v4a} )
sa->Assign(1, array_to_string(${request.name}));
BifEvent::generate_socks_request(bro_analyzer(),
bro_analyzer()->Conn(),
4,
${request.command},
sa,
val_mgr->Port(${request.port}, TRANSPORT_TCP)->Ref()->AsPortVal(),
array_to_string(${request.user}));
BifEvent::enqueue_socks_request(bro_analyzer(),
bro_analyzer()->Conn(),
4,
${request.command},
std::move(sa),
val_mgr->Port(${request.port}, TRANSPORT_TCP),
array_to_string(${request.user}));
}
static_cast<analyzer::socks::SOCKS_Analyzer*>(bro_analyzer())->EndpointDone(true);
@ -48,15 +48,15 @@ refine connection SOCKS_Conn += {
%{
if ( socks_reply )
{
RecordVal* sa = new RecordVal(socks_address);
auto sa = make_intrusive<RecordVal>(socks_address);
sa->Assign(0, make_intrusive<AddrVal>(htonl(${reply.addr})));
BifEvent::generate_socks_reply(bro_analyzer(),
bro_analyzer()->Conn(),
4,
${reply.status},
sa,
val_mgr->Port(${reply.port}, TRANSPORT_TCP)->Ref()->AsPortVal());
BifEvent::enqueue_socks_reply(bro_analyzer(),
bro_analyzer()->Conn(),
4,
${reply.status},
std::move(sa),
val_mgr->Port(${reply.port}, TRANSPORT_TCP));
}
bro_analyzer()->ProtocolConfirmation();
@ -80,7 +80,7 @@ refine connection SOCKS_Conn += {
return false;
}
RecordVal* sa = new RecordVal(socks_address);
auto sa = make_intrusive<RecordVal>(socks_address);
// This is dumb and there must be a better way (checking for presence of a field)...
switch ( ${request.remote_name.addr_type} )
@ -100,20 +100,17 @@ refine connection SOCKS_Conn += {
default:
bro_analyzer()->ProtocolViolation(fmt("invalid SOCKSv5 addr type: %d", ${request.remote_name.addr_type}));
Unref(sa);
return false;
}
if ( socks_request )
BifEvent::generate_socks_request(bro_analyzer(),
bro_analyzer()->Conn(),
5,
${request.command},
sa,
val_mgr->Port(${request.port}, TRANSPORT_TCP)->Ref()->AsPortVal(),
val_mgr->EmptyString()->Ref()->AsStringVal());
else
Unref(sa);
BifEvent::enqueue_socks_request(bro_analyzer(),
bro_analyzer()->Conn(),
5,
${request.command},
std::move(sa),
val_mgr->Port(${request.port}, TRANSPORT_TCP),
val_mgr->EmptyString());
static_cast<analyzer::socks::SOCKS_Analyzer*>(bro_analyzer())->EndpointDone(true);
@ -122,8 +119,8 @@ refine connection SOCKS_Conn += {
function socks5_reply(reply: SOCKS5_Reply): bool
%{
RecordVal* sa = new RecordVal(socks_address);
auto sa = make_intrusive<RecordVal>(socks_address);
// This is dumb and there must be a better way (checking for presence of a field)...
switch ( ${reply.bound.addr_type} )
{
@ -142,19 +139,16 @@ refine connection SOCKS_Conn += {
default:
bro_analyzer()->ProtocolViolation(fmt("invalid SOCKSv5 addr type: %d", ${reply.bound.addr_type}));
Unref(sa);
return false;
}
if ( socks_reply )
BifEvent::generate_socks_reply(bro_analyzer(),
bro_analyzer()->Conn(),
5,
${reply.reply},
sa,
val_mgr->Port(${reply.port}, TRANSPORT_TCP)->Ref()->AsPortVal());
else
Unref(sa);
BifEvent::enqueue_socks_reply(bro_analyzer(),
bro_analyzer()->Conn(),
5,
${reply.reply},
std::move(sa),
val_mgr->Port(${reply.port}, TRANSPORT_TCP));
bro_analyzer()->ProtocolConfirmation();
static_cast<analyzer::socks::SOCKS_Analyzer*>(bro_analyzer())->EndpointDone(false);
@ -166,12 +160,12 @@ refine connection SOCKS_Conn += {
if ( ! socks_login_userpass_request )
return true;
StringVal* user = new StringVal(${request.username}.length(), (const char*) ${request.username}.begin());
StringVal* pass = new StringVal(${request.password}.length(), (const char*) ${request.password}.begin());
BifEvent::generate_socks_login_userpass_request(bro_analyzer(),
bro_analyzer()->Conn(),
user, pass);
auto user = make_intrusive<StringVal>(${request.username}.length(), (const char*) ${request.username}.begin());
auto pass = make_intrusive<StringVal>(${request.password}.length(), (const char*) ${request.password}.begin());
BifEvent::enqueue_socks_login_userpass_request(bro_analyzer(),
bro_analyzer()->Conn(),
std::move(user), std::move(pass));
return true;
%}
@ -186,13 +180,13 @@ refine connection SOCKS_Conn += {
reporter->Weird(bro_analyzer()->Conn(), "socks5_unsupported_authentication", fmt("method %d, version %d", auth_method, version));
return true;
%}
function socks5_auth_reply_userpass(reply: SOCKS5_Auth_Reply_UserPass_v1): bool
%{
if ( socks_login_userpass_reply )
BifEvent::generate_socks_login_userpass_reply(bro_analyzer(),
bro_analyzer()->Conn(),
${reply.code});
BifEvent::enqueue_socks_login_userpass_reply(bro_analyzer(),
bro_analyzer()->Conn(),
${reply.code});
return true;
%}

16
src/analyzer/protocol/ssh/SSH.cc
View file

@ -91,9 +91,9 @@ void SSH_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
void SSH_Analyzer::ProcessEncryptedSegment(int len, bool orig)
{
if ( ssh_encrypted_packet )
BifEvent::generate_ssh_encrypted_packet(interp->bro_analyzer(),
interp->bro_analyzer()->Conn(),
orig, len);
BifEvent::enqueue_ssh_encrypted_packet(interp->bro_analyzer(),
interp->bro_analyzer()->Conn(),
orig, len);
if ( ! auth_decision_made )
ProcessEncrypted(len, orig);
@ -132,9 +132,9 @@ void SSH_Analyzer::ProcessEncrypted(int len, bool orig)
{
auth_decision_made = true;
if ( ssh_auth_attempted )
BifEvent::generate_ssh_auth_attempted(interp->bro_analyzer(), interp->bro_analyzer()->Conn(), true);
BifEvent::enqueue_ssh_auth_attempted(interp->bro_analyzer(), interp->bro_analyzer()->Conn(), true);
if ( ssh_auth_successful )
BifEvent::generate_ssh_auth_successful(interp->bro_analyzer(), interp->bro_analyzer()->Conn(), true);
BifEvent::enqueue_ssh_auth_successful(interp->bro_analyzer(), interp->bro_analyzer()->Conn(), true);
return;
}
@ -159,7 +159,7 @@ void SSH_Analyzer::ProcessEncrypted(int len, bool orig)
if ( len == userauth_failure_size )
{
if ( ssh_auth_attempted )
BifEvent::generate_ssh_auth_attempted(interp->bro_analyzer(), interp->bro_analyzer()->Conn(), false);
BifEvent::enqueue_ssh_auth_attempted(interp->bro_analyzer(), interp->bro_analyzer()->Conn(), false);
return;
}
@ -168,9 +168,9 @@ void SSH_Analyzer::ProcessEncrypted(int len, bool orig)
{
auth_decision_made = true;
if ( ssh_auth_attempted )
BifEvent::generate_ssh_auth_attempted(interp->bro_analyzer(), interp->bro_analyzer()->Conn(), true);
BifEvent::enqueue_ssh_auth_attempted(interp->bro_analyzer(), interp->bro_analyzer()->Conn(), true);
if ( ssh_auth_successful )
BifEvent::generate_ssh_auth_successful(interp->bro_analyzer(), interp->bro_analyzer()->Conn(), false);
BifEvent::enqueue_ssh_auth_successful(interp->bro_analyzer(), interp->bro_analyzer()->Conn(), false);
return;
}
}

44
src/analyzer/protocol/ssh/ssh-analyzer.pac
View file

@ -52,15 +52,15 @@ refine flow SSH_Flow += {
%{
if ( ssh_client_version && ${msg.is_orig } )
{
BifEvent::generate_ssh_client_version(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
bytestring_to_val(${msg.version}));
BifEvent::enqueue_ssh_client_version(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
to_stringval(${msg.version}));
}
else if ( ssh_server_version )
{
BifEvent::generate_ssh_server_version(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
bytestring_to_val(${msg.version}));
BifEvent::enqueue_ssh_server_version(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
to_stringval(${msg.version}));
}
return true;
%}
@ -70,7 +70,7 @@ refine flow SSH_Flow += {
if ( ! ssh_capabilities )
return false;
RecordVal* result = new RecordVal(BifType::Record::SSH::Capabilities);
auto result = make_intrusive<RecordVal>(BifType::Record::SSH::Capabilities);
result->Assign(0, name_list_to_vector(${msg.kex_algorithms.val}));
result->Assign(1, name_list_to_vector(${msg.server_host_key_algorithms.val}));
@ -103,8 +103,8 @@ refine flow SSH_Flow += {
result->Assign(6, val_mgr->Bool(!${msg.is_orig}));
BifEvent::generate_ssh_capabilities(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), bytestring_to_val(${msg.cookie}),
BifEvent::enqueue_ssh_capabilities(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), to_stringval(${msg.cookie}),
result);
return true;
@ -115,9 +115,9 @@ refine flow SSH_Flow += {
%{
if ( ssh2_dh_server_params )
{
BifEvent::generate_ssh2_dh_server_params(connection()->bro_analyzer(),
BifEvent::enqueue_ssh2_dh_server_params(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
bytestring_to_val(${msg.p.val}), bytestring_to_val(${msg.g.val}));
to_stringval(${msg.p.val}), to_stringval(${msg.g.val}));
}
return true;
%}
@ -126,9 +126,9 @@ refine flow SSH_Flow += {
%{
if ( ssh2_ecc_key )
{
BifEvent::generate_ssh2_ecc_key(connection()->bro_analyzer(),
BifEvent::enqueue_ssh2_ecc_key(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig, bytestring_to_val(q));
is_orig, to_stringval(q));
}
return true;
%}
@ -137,10 +137,10 @@ refine flow SSH_Flow += {
%{
if ( ssh2_gss_error )
{
BifEvent::generate_ssh2_gss_error(connection()->bro_analyzer(),
BifEvent::enqueue_ssh2_gss_error(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
${msg.major_status}, ${msg.minor_status},
bytestring_to_val(${msg.message.val}));
to_stringval(${msg.message.val}));
}
return true;
%}
@ -149,9 +149,9 @@ refine flow SSH_Flow += {
%{
if ( ssh2_server_host_key )
{
BifEvent::generate_ssh2_server_host_key(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
bytestring_to_val(${key}));
BifEvent::enqueue_ssh2_server_host_key(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
to_stringval(${key}));
}
return true;
%}
@ -160,10 +160,10 @@ refine flow SSH_Flow += {
%{
if ( ssh1_server_host_key )
{
BifEvent::generate_ssh1_server_host_key(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
bytestring_to_val(${p}),
bytestring_to_val(${e}));
BifEvent::enqueue_ssh1_server_host_key(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
to_stringval(${p}),
to_stringval(${e}));
}
return true;
%}

34
src/analyzer/protocol/ssl/proc-client-hello.pac
View file

@ -16,20 +16,23 @@
if ( ssl_client_hello )
{
vector<int>* cipher_suites = new vector<int>();
if ( cipher_suites16 )
std::copy(cipher_suites16->begin(), cipher_suites16->end(), std::back_inserter(*cipher_suites));
else
std::transform(cipher_suites24->begin(), cipher_suites24->end(), std::back_inserter(*cipher_suites), to_int());
vector<int> cipher_suites;
VectorVal* cipher_vec = new VectorVal(internal_type("index_vec")->AsVectorType());
for ( unsigned int i = 0; i < cipher_suites->size(); ++i )
if ( cipher_suites16 )
std::copy(cipher_suites16->begin(), cipher_suites16->end(), std::back_inserter(cipher_suites));
else
std::transform(cipher_suites24->begin(), cipher_suites24->end(), std::back_inserter(cipher_suites), to_int());
auto cipher_vec = make_intrusive<VectorVal>(internal_type("index_vec")->AsVectorType());
for ( unsigned int i = 0; i < cipher_suites.size(); ++i )
{
auto ciph = val_mgr->Count((*cipher_suites)[i]);
auto ciph = val_mgr->Count(cipher_suites[i]);
cipher_vec->Assign(i, ciph);
}
VectorVal* comp_vec = new VectorVal(internal_type("index_vec")->AsVectorType());
auto comp_vec = make_intrusive<VectorVal>(internal_type("index_vec")->AsVectorType());
if ( compression_methods )
{
for ( unsigned int i = 0; i < compression_methods->size(); ++i )
@ -39,13 +42,12 @@
}
}
BifEvent::generate_ssl_client_hello(bro_analyzer(), bro_analyzer()->Conn(),
version, record_version(), ts, new StringVal(client_random.length(),
(const char*) client_random.data()),
to_string_val(session_id),
cipher_vec, comp_vec);
delete cipher_suites;
BifEvent::enqueue_ssl_client_hello(bro_analyzer(), bro_analyzer()->Conn(),
version, record_version(), ts,
make_intrusive<StringVal>(client_random.length(),
(const char*) client_random.data()),
{AdoptRef{}, to_string_val(session_id)},
std::move(cipher_vec), std::move(comp_vec));
}
return true;

9
src/analyzer/protocol/ssl/proc-server-hello.pac
View file

@ -25,11 +25,12 @@
if ( v2 == 0 && server_random.length() >= 4 )
ts = ntohl(*((uint32*)server_random.data()));
BifEvent::generate_ssl_server_hello(bro_analyzer(),
BifEvent::enqueue_ssl_server_hello(bro_analyzer(),
bro_analyzer()->Conn(),
version, record_version(), ts, new StringVal(server_random.length(),
(const char*) server_random.data()),
to_string_val(session_id),
version, record_version(), ts,
make_intrusive<StringVal>(server_random.length(),
(const char*) server_random.data()),
{AdoptRef{}, to_string_val(session_id)},
ciphers->size()==0 ? 0 : ciphers->at(0), comp_method);
delete ciphers;

2
src/analyzer/protocol/ssl/ssl-analyzer.pac
View file

@ -18,7 +18,7 @@ refine connection SSL_Conn += {
function proc_v2_client_master_key(rec: SSLRecord, cipher_kind: int) : bool
%{
if ( ssl_established )
BifEvent::generate_ssl_established(bro_analyzer(), bro_analyzer()->Conn());
BifEvent::enqueue_ssl_established(bro_analyzer(), bro_analyzer()->Conn());
return true;
%}

14
src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac
View file

@ -32,7 +32,7 @@ refine connection SSL_Conn += {
function proc_alert(rec: SSLRecord, level : int, desc : int) : bool
%{
if ( ssl_alert )
BifEvent::generate_ssl_alert(bro_analyzer(), bro_analyzer()->Conn(),
BifEvent::enqueue_ssl_alert(bro_analyzer(), bro_analyzer()->Conn(),
${rec.is_orig}, level, desc);
return true;
%}
@ -52,11 +52,11 @@ refine connection SSL_Conn += {
{
established_ = true;
if ( ssl_established )
BifEvent::generate_ssl_established(bro_analyzer(), bro_analyzer()->Conn());
BifEvent::enqueue_ssl_established(bro_analyzer(), bro_analyzer()->Conn());
}
if ( ssl_encrypted_data )
BifEvent::generate_ssl_encrypted_data(bro_analyzer(),
BifEvent::enqueue_ssl_encrypted_data(bro_analyzer(),
bro_analyzer()->Conn(), ${rec.is_orig}, ${rec.raw_tls_version}, ${rec.content_type}, ${rec.length});
return true;
@ -65,7 +65,7 @@ refine connection SSL_Conn += {
function proc_plaintext_record(rec : SSLRecord) : bool
%{
if ( ssl_plaintext_data )
BifEvent::generate_ssl_plaintext_data(bro_analyzer(),
BifEvent::enqueue_ssl_plaintext_data(bro_analyzer(),
bro_analyzer()->Conn(), ${rec.is_orig}, ${rec.raw_tls_version}, ${rec.content_type}, ${rec.length});
return true;
@ -74,9 +74,9 @@ refine connection SSL_Conn += {
function proc_heartbeat(rec : SSLRecord, type: uint8, payload_length: uint16, data: bytestring) : bool
%{
if ( ssl_heartbeat )
BifEvent::generate_ssl_heartbeat(bro_analyzer(),
BifEvent::enqueue_ssl_heartbeat(bro_analyzer(),
bro_analyzer()->Conn(), ${rec.is_orig}, ${rec.length}, type, payload_length,
new StringVal(data.length(), (const char*) data.data()));
make_intrusive<StringVal>(data.length(), (const char*) data.data()));
return true;
%}
@ -96,7 +96,7 @@ refine connection SSL_Conn += {
function proc_ccs(rec: SSLRecord) : bool
%{
if ( ssl_change_cipher_spec )
BifEvent::generate_ssl_change_cipher_spec(bro_analyzer(),
BifEvent::enqueue_ssl_change_cipher_spec(bro_analyzer(),
bro_analyzer()->Conn(), ${rec.is_orig});
return true;

153
src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
View file

@ -34,10 +34,10 @@ refine connection Handshake_Conn += {
%{
if ( ssl_session_ticket_handshake )
{
BifEvent::generate_ssl_session_ticket_handshake(bro_analyzer(),
BifEvent::enqueue_ssl_session_ticket_handshake(bro_analyzer(),
bro_analyzer()->Conn(),
${rec.ticket_lifetime_hint},
new StringVal(${rec.data}.length(), (const char*) ${rec.data}.data()));
make_intrusive<StringVal>(${rec.data}.length(), (const char*) ${rec.data}.data()));
}
return true;
%}
@ -64,9 +64,9 @@ refine connection Handshake_Conn += {
const unsigned char* data = sourcedata.begin() + 4;
if ( ssl_extension )
BifEvent::generate_ssl_extension(bro_analyzer(),
BifEvent::enqueue_ssl_extension(bro_analyzer(),
bro_analyzer()->Conn(), ${rec.is_orig}, type,
new StringVal(length, reinterpret_cast<const char*>(data)));
make_intrusive<StringVal>(length, reinterpret_cast<const char*>(data)));
return true;
%}
@ -75,7 +75,7 @@ refine connection Handshake_Conn += {
if ( ! ssl_extension_ec_point_formats )
return true;
VectorVal* points = new VectorVal(internal_type("index_vec")->AsVectorType());
auto points = make_intrusive<VectorVal>(internal_type("index_vec")->AsVectorType());
if ( point_format_list )
{
@ -83,8 +83,8 @@ refine connection Handshake_Conn += {
points->Assign(i, val_mgr->Count((*point_format_list)[i]));
}
BifEvent::generate_ssl_extension_ec_point_formats(bro_analyzer(), bro_analyzer()->Conn(),
${rec.is_orig}, points);
BifEvent::enqueue_ssl_extension_ec_point_formats(bro_analyzer(), bro_analyzer()->Conn(),
${rec.is_orig}, std::move(points));
return true;
%}
@ -94,7 +94,7 @@ refine connection Handshake_Conn += {
if ( ! ssl_extension_elliptic_curves )
return true;
VectorVal* curves = new VectorVal(internal_type("index_vec")->AsVectorType());
auto curves = make_intrusive<VectorVal>(internal_type("index_vec")->AsVectorType());
if ( list )
{
@ -102,8 +102,8 @@ refine connection Handshake_Conn += {
curves->Assign(i, val_mgr->Count((*list)[i]));
}
BifEvent::generate_ssl_extension_elliptic_curves(bro_analyzer(), bro_analyzer()->Conn(),
${rec.is_orig}, curves);
BifEvent::enqueue_ssl_extension_elliptic_curves(bro_analyzer(), bro_analyzer()->Conn(),
${rec.is_orig}, std::move(curves));
return true;
%}
@ -113,7 +113,7 @@ refine connection Handshake_Conn += {
if ( ! ssl_extension_key_share )
return true;
VectorVal* nglist = new VectorVal(internal_type("index_vec")->AsVectorType());
auto nglist = make_intrusive<VectorVal>(internal_type("index_vec")->AsVectorType());
if ( keyshare )
{
@ -121,7 +121,7 @@ refine connection Handshake_Conn += {
nglist->Assign(i, val_mgr->Count((*keyshare)[i]->namedgroup()));
}
BifEvent::generate_ssl_extension_key_share(bro_analyzer(), bro_analyzer()->Conn(), ${rec.is_orig}, nglist);
BifEvent::enqueue_ssl_extension_key_share(bro_analyzer(), bro_analyzer()->Conn(), ${rec.is_orig}, std::move(nglist));
return true;
%}
@ -131,10 +131,10 @@ refine connection Handshake_Conn += {
if ( ! ssl_extension_key_share )
return true;
VectorVal* nglist = new VectorVal(internal_type("index_vec")->AsVectorType());
auto nglist = make_intrusive<VectorVal>(internal_type("index_vec")->AsVectorType());
nglist->Assign(0u, val_mgr->Count(keyshare->namedgroup()));
BifEvent::generate_ssl_extension_key_share(bro_analyzer(), bro_analyzer()->Conn(), ${rec.is_orig}, nglist);
BifEvent::enqueue_ssl_extension_key_share(bro_analyzer(), bro_analyzer()->Conn(), ${rec.is_orig}, std::move(nglist));
return true;
%}
@ -143,10 +143,10 @@ refine connection Handshake_Conn += {
if ( ! ssl_extension_key_share )
return true;
VectorVal* nglist = new VectorVal(internal_type("index_vec")->AsVectorType());
auto nglist = make_intrusive<VectorVal>(internal_type("index_vec")->AsVectorType());
nglist->Assign(0u, val_mgr->Count(namedgroup));
BifEvent::generate_ssl_extension_key_share(bro_analyzer(), bro_analyzer()->Conn(), ${rec.is_orig}, nglist);
BifEvent::enqueue_ssl_extension_key_share(bro_analyzer(), bro_analyzer()->Conn(), ${rec.is_orig}, std::move(nglist));
return true;
%}
@ -155,7 +155,7 @@ refine connection Handshake_Conn += {
if ( ! ssl_extension_signature_algorithm )
return true;
VectorVal* slist = new VectorVal(internal_type("signature_and_hashalgorithm_vec")->AsVectorType());
auto slist = make_intrusive<VectorVal>(internal_type("signature_and_hashalgorithm_vec")->AsVectorType());
if ( supported_signature_algorithms )
{
@ -168,7 +168,7 @@ refine connection Handshake_Conn += {
}
}
BifEvent::generate_ssl_extension_signature_algorithm(bro_analyzer(), bro_analyzer()->Conn(), ${rec.is_orig}, slist);
BifEvent::enqueue_ssl_extension_signature_algorithm(bro_analyzer(), bro_analyzer()->Conn(), ${rec.is_orig}, std::move(slist));
return true;
%}
@ -178,7 +178,7 @@ refine connection Handshake_Conn += {
if ( ! ssl_extension_application_layer_protocol_negotiation )
return true;
VectorVal* plist = new VectorVal(internal_type("string_vec")->AsVectorType());
auto plist = make_intrusive<VectorVal>(internal_type("string_vec")->AsVectorType());
if ( protocols )
{
@ -186,15 +186,15 @@ refine connection Handshake_Conn += {
plist->Assign(i, make_intrusive<StringVal>((*protocols)[i]->name().length(), (const char*) (*protocols)[i]->name().data()));
}
BifEvent::generate_ssl_extension_application_layer_protocol_negotiation(bro_analyzer(), bro_analyzer()->Conn(),
${rec.is_orig}, plist);
BifEvent::enqueue_ssl_extension_application_layer_protocol_negotiation(bro_analyzer(), bro_analyzer()->Conn(),
${rec.is_orig}, std::move(plist));
return true;
%}
function proc_server_name(rec: HandshakeRecord, list: ServerName[]) : bool
%{
VectorVal* servers = new VectorVal(internal_type("string_vec")->AsVectorType());
auto servers = make_intrusive<VectorVal>(internal_type("string_vec")->AsVectorType());
if ( list )
{
@ -215,10 +215,8 @@ refine connection Handshake_Conn += {
}
if ( ssl_extension_server_name )
BifEvent::generate_ssl_extension_server_name(bro_analyzer(), bro_analyzer()->Conn(),
${rec.is_orig}, servers);
else
Unref(servers);
BifEvent::enqueue_ssl_extension_server_name(bro_analyzer(), bro_analyzer()->Conn(),
${rec.is_orig}, std::move(servers));
return true;
%}
@ -228,7 +226,7 @@ refine connection Handshake_Conn += {
if ( ! ssl_extension_supported_versions )
return true;
VectorVal* versions = new VectorVal(internal_type("index_vec")->AsVectorType());
auto versions = make_intrusive<VectorVal>(internal_type("index_vec")->AsVectorType());
if ( versions_list )
{
@ -236,8 +234,8 @@ refine connection Handshake_Conn += {
versions->Assign(i, val_mgr->Count((*versions_list)[i]));
}
BifEvent::generate_ssl_extension_supported_versions(bro_analyzer(), bro_analyzer()->Conn(),
${rec.is_orig}, versions);
BifEvent::enqueue_ssl_extension_supported_versions(bro_analyzer(), bro_analyzer()->Conn(),
${rec.is_orig}, std::move(versions));
return true;
%}
@ -247,11 +245,11 @@ refine connection Handshake_Conn += {
if ( ! ssl_extension_supported_versions )
return true;
VectorVal* versions = new VectorVal(internal_type("index_vec")->AsVectorType());
auto versions = make_intrusive<VectorVal>(internal_type("index_vec")->AsVectorType());
versions->Assign(0u, val_mgr->Count(version));
BifEvent::generate_ssl_extension_supported_versions(bro_analyzer(), bro_analyzer()->Conn(),
${rec.is_orig}, versions);
BifEvent::enqueue_ssl_extension_supported_versions(bro_analyzer(), bro_analyzer()->Conn(),
${rec.is_orig}, std::move(versions));
return true;
%}
@ -261,7 +259,7 @@ refine connection Handshake_Conn += {
if ( ! ssl_extension_psk_key_exchange_modes )
return true;
VectorVal* modes = new VectorVal(internal_type("index_vec")->AsVectorType());
auto modes = make_intrusive<VectorVal>(internal_type("index_vec")->AsVectorType());
if ( mode_list )
{
@ -269,8 +267,8 @@ refine connection Handshake_Conn += {
modes->Assign(i, val_mgr->Count((*mode_list)[i]));
}
BifEvent::generate_ssl_extension_psk_key_exchange_modes(bro_analyzer(), bro_analyzer()->Conn(),
${rec.is_orig}, modes);
BifEvent::enqueue_ssl_extension_psk_key_exchange_modes(bro_analyzer(), bro_analyzer()->Conn(),
${rec.is_orig}, std::move(modes));
return true;
%}
@ -316,10 +314,10 @@ refine connection Handshake_Conn += {
bro_analyzer()->Conn(), false, file_id, "application/ocsp-response");
if ( ssl_stapled_ocsp )
BifEvent::generate_ssl_stapled_ocsp(bro_analyzer(),
BifEvent::enqueue_ssl_stapled_ocsp(bro_analyzer(),
bro_analyzer()->Conn(),
${rec.is_orig},
new StringVal(response.length(), (const char*) response.data()));
make_intrusive<StringVal>(response.length(), (const char*) response.data()));
file_mgr->EndOfFile(file_id);
}
@ -337,12 +335,15 @@ refine connection Handshake_Conn += {
return true;
if ( ssl_ecdh_server_params )
BifEvent::generate_ssl_ecdh_server_params(bro_analyzer(),
bro_analyzer()->Conn(), ${kex.params.curve}, new StringVal(${kex.params.point}.length(), (const char*)${kex.params.point}.data()));
BifEvent::enqueue_ssl_ecdh_server_params(bro_analyzer(),
bro_analyzer()->Conn(),
${kex.params.curve},
make_intrusive<StringVal>(${kex.params.point}.length(), (const char*)${kex.params.point}.data()));
if ( ssl_server_signature )
{
RecordVal* ha = new RecordVal(BifType::Record::SSL::SignatureAndHashAlgorithm);
auto ha = make_intrusive<RecordVal>(BifType::Record::SSL::SignatureAndHashAlgorithm);
if ( ${kex.signed_params.uses_signature_and_hashalgorithm} )
{
ha->Assign(0, val_mgr->Count(${kex.signed_params.algorithm.HashAlgorithm}));
@ -355,8 +356,10 @@ refine connection Handshake_Conn += {
ha->Assign(1, val_mgr->Count(256));
}
BifEvent::generate_ssl_server_signature(bro_analyzer(),
bro_analyzer()->Conn(), ha, new StringVal(${kex.signed_params.signature}.length(), (const char*)(${kex.signed_params.signature}).data()));
BifEvent::enqueue_ssl_server_signature(bro_analyzer(),
bro_analyzer()->Conn(),
std::move(ha),
make_intrusive<StringVal>(${kex.signed_params.signature}.length(), (const char*)(${kex.signed_params.signature}).data()));
}
return true;
@ -368,8 +371,10 @@ refine connection Handshake_Conn += {
return true;
if ( ssl_ecdh_server_params )
BifEvent::generate_ssl_ecdh_server_params(bro_analyzer(),
bro_analyzer()->Conn(), ${kex.params.curve}, new StringVal(${kex.params.point}.length(), (const char*)${kex.params.point}.data()));
BifEvent::enqueue_ssl_ecdh_server_params(bro_analyzer(),
bro_analyzer()->Conn(),
${kex.params.curve},
make_intrusive<StringVal>(${kex.params.point}.length(), (const char*)${kex.params.point}.data()));
return true;
%}
@ -377,7 +382,9 @@ refine connection Handshake_Conn += {
function proc_rsa_client_key_exchange(rec: HandshakeRecord, rsa_pms: bytestring) : bool
%{
if ( ssl_rsa_client_pms )
BifEvent::generate_ssl_rsa_client_pms(bro_analyzer(), bro_analyzer()->Conn(), new StringVal(rsa_pms.length(), (const char*)rsa_pms.data()));
BifEvent::enqueue_ssl_rsa_client_pms(bro_analyzer(),
bro_analyzer()->Conn(),
make_intrusive<StringVal>(rsa_pms.length(), (const char*)rsa_pms.data()));
return true;
%}
@ -385,7 +392,9 @@ refine connection Handshake_Conn += {
function proc_dh_client_key_exchange(rec: HandshakeRecord, Yc: bytestring) : bool
%{
if ( ssl_dh_client_params )
BifEvent::generate_ssl_dh_client_params(bro_analyzer(), bro_analyzer()->Conn(), new StringVal(Yc.length(), (const char*)Yc.data()));
BifEvent::enqueue_ssl_dh_client_params(bro_analyzer(),
bro_analyzer()->Conn(),
make_intrusive<StringVal>(Yc.length(), (const char*)Yc.data()));
return true;
%}
@ -393,7 +402,9 @@ refine connection Handshake_Conn += {
function proc_ecdh_client_key_exchange(rec: HandshakeRecord, point: bytestring) : bool
%{
if ( ssl_ecdh_client_params )
BifEvent::generate_ssl_ecdh_client_params(bro_analyzer(), bro_analyzer()->Conn(), new StringVal(point.length(), (const char*)point.data()));
BifEvent::enqueue_ssl_ecdh_client_params(bro_analyzer(),
bro_analyzer()->Conn(),
make_intrusive<StringVal>(point.length(), (const char*)point.data()));
return true;
%}
@ -403,17 +414,17 @@ refine connection Handshake_Conn += {
if ( ! ssl_extension_signed_certificate_timestamp )
return true;
RecordVal* ha = new RecordVal(BifType::Record::SSL::SignatureAndHashAlgorithm);
auto ha = make_intrusive<RecordVal>(BifType::Record::SSL::SignatureAndHashAlgorithm);
ha->Assign(0, val_mgr->Count(digitally_signed_algorithms->HashAlgorithm()));
ha->Assign(1, val_mgr->Count(digitally_signed_algorithms->SignatureAlgorithm()));
BifEvent::generate_ssl_extension_signed_certificate_timestamp(bro_analyzer(),
BifEvent::enqueue_ssl_extension_signed_certificate_timestamp(bro_analyzer(),
bro_analyzer()->Conn(), ${rec.is_orig},
version,
new StringVal(logid.length(), reinterpret_cast<const char*>(logid.begin())),
make_intrusive<StringVal>(logid.length(), reinterpret_cast<const char*>(logid.begin())),
timestamp,
ha,
new StringVal(digitally_signed_signature.length(), reinterpret_cast<const char*>(digitally_signed_signature.begin()))
std::move(ha),
make_intrusive<StringVal>(digitally_signed_signature.length(), reinterpret_cast<const char*>(digitally_signed_signature.begin()))
);
return true;
@ -422,16 +433,17 @@ refine connection Handshake_Conn += {
function proc_dhe_server_key_exchange(rec: HandshakeRecord, p: bytestring, g: bytestring, Ys: bytestring, signed_params: ServerKeyExchangeSignature) : bool
%{
if ( ssl_ecdh_server_params )
BifEvent::generate_ssl_dh_server_params(bro_analyzer(),
BifEvent::enqueue_ssl_dh_server_params(bro_analyzer(),
bro_analyzer()->Conn(),
new StringVal(p.length(), (const char*) p.data()),
new StringVal(g.length(), (const char*) g.data()),
new StringVal(Ys.length(), (const char*) Ys.data())
make_intrusive<StringVal>(p.length(), (const char*) p.data()),
make_intrusive<StringVal>(g.length(), (const char*) g.data()),
make_intrusive<StringVal>(Ys.length(), (const char*) Ys.data())
);
if ( ssl_server_signature )
{
RecordVal* ha = new RecordVal(BifType::Record::SSL::SignatureAndHashAlgorithm);
auto ha = make_intrusive<RecordVal>(BifType::Record::SSL::SignatureAndHashAlgorithm);
if ( ${signed_params.uses_signature_and_hashalgorithm} )
{
ha->Assign(0, val_mgr->Count(${signed_params.algorithm.HashAlgorithm}));
@ -444,9 +456,9 @@ refine connection Handshake_Conn += {
ha->Assign(1, val_mgr->Count(256));
}
BifEvent::generate_ssl_server_signature(bro_analyzer(),
bro_analyzer()->Conn(), ha,
new StringVal(${signed_params.signature}.length(), (const char*)(${signed_params.signature}).data())
BifEvent::enqueue_ssl_server_signature(bro_analyzer(),
bro_analyzer()->Conn(), std::move(ha),
make_intrusive<StringVal>(${signed_params.signature}.length(), (const char*)(${signed_params.signature}).data())
);
}
@ -456,11 +468,11 @@ refine connection Handshake_Conn += {
function proc_dh_anon_server_key_exchange(rec: HandshakeRecord, p: bytestring, g: bytestring, Ys: bytestring) : bool
%{
if ( ssl_dh_server_params )
BifEvent::generate_ssl_dh_server_params(bro_analyzer(),
BifEvent::enqueue_ssl_dh_server_params(bro_analyzer(),
bro_analyzer()->Conn(),
new StringVal(p.length(), (const char*) p.data()),
new StringVal(g.length(), (const char*) g.data()),
new StringVal(Ys.length(), (const char*) Ys.data())
make_intrusive<StringVal>(p.length(), (const char*) p.data()),
make_intrusive<StringVal>(g.length(), (const char*) g.data()),
make_intrusive<StringVal>(Ys.length(), (const char*) Ys.data())
);
return true;
@ -469,7 +481,7 @@ refine connection Handshake_Conn += {
function proc_handshake(is_orig: bool, msg_type: uint8, length: uint24) : bool
%{
if ( ssl_handshake_message )
BifEvent::generate_ssl_handshake_message(bro_analyzer(),
BifEvent::enqueue_ssl_handshake_message(bro_analyzer(),
bro_analyzer()->Conn(), is_orig, msg_type, to_int()(length));
return true;
@ -480,7 +492,7 @@ refine connection Handshake_Conn += {
if ( ! ssl_extension_pre_shared_key_server_hello )
return true;
VectorVal* slist = new VectorVal(internal_type("psk_identity_vec")->AsVectorType());
auto slist = make_intrusive<VectorVal>(internal_type("psk_identity_vec")->AsVectorType());
if ( identities && identities->identities() )
{
@ -493,15 +505,16 @@ refine connection Handshake_Conn += {
}
}
VectorVal* blist = new VectorVal(internal_type("string_vec")->AsVectorType());
auto blist = make_intrusive<VectorVal>(internal_type("string_vec")->AsVectorType());
if ( binders && binders->binders() )
{
for ( auto&& binder : *(binders->binders()) )
blist->Assign(blist->Size(), make_intrusive<StringVal>(binder->binder().length(), (const char*) binder->binder().data()));
}
BifEvent::generate_ssl_extension_pre_shared_key_client_hello(bro_analyzer(), bro_analyzer()->Conn(),
${rec.is_orig}, slist, blist);
BifEvent::enqueue_ssl_extension_pre_shared_key_client_hello(bro_analyzer(), bro_analyzer()->Conn(),
${rec.is_orig}, std::move(slist), std::move(blist));
return true;
%}
@ -511,7 +524,7 @@ refine connection Handshake_Conn += {
if ( ! ssl_extension_pre_shared_key_client_hello )
return true;
BifEvent::generate_ssl_extension_pre_shared_key_server_hello(bro_analyzer(),
BifEvent::enqueue_ssl_extension_pre_shared_key_server_hello(bro_analyzer(),
bro_analyzer()->Conn(), ${rec.is_orig}, selected_identity);
return true;

8
src/analyzer/protocol/syslog/syslog-analyzer.pac
View file

@ -15,20 +15,20 @@ flow Syslog_Flow
return true;
if ( ${m.has_pri} )
BifEvent::generate_syslog_message(
BifEvent::enqueue_syslog_message(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
${m.PRI.facility},
${m.PRI.severity},
new StringVal(${m.msg}.length(), (const char*)${m.msg}.begin())
make_intrusive<StringVal>(${m.msg}.length(), (const char*)${m.msg}.begin())
);
else
BifEvent::generate_syslog_message(
BifEvent::enqueue_syslog_message(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
999,
999,
new StringVal(${m.msg}.length(), (const char*)${m.msg}.begin())
make_intrusive<StringVal>(${m.msg}.length(), (const char*)${m.msg}.begin())
);
return true;

2
src/analyzer/protocol/xmpp/xmpp-analyzer.pac
View file

@ -33,7 +33,7 @@ refine connection XMPP_Conn += {
{
bro_analyzer()->StartTLS();
if ( xmpp_starttls )
BifEvent::generate_xmpp_starttls(bro_analyzer(), bro_analyzer()->Conn());
BifEvent::enqueue_xmpp_starttls(bro_analyzer(), bro_analyzer()->Conn());
}
else if ( !is_orig && token == "proceed" )
reporter->Weird(bro_analyzer()->Conn(), "XMPP: proceed without starttls");

6
src/binpac_bro.h
View file

@ -8,6 +8,7 @@ namespace analyzer { class Analyzer; }
#include "util.h"
#include "Val.h"
#include "IntrusivePtr.h"
#include "event.bif.func_h"
#include "analyzer/Analyzer.h"
#include "file_analysis/Analyzer.h"
@ -32,4 +33,9 @@ inline StringVal* bytestring_to_val(const_bytestring const &str)
return new StringVal(str.length(), (const char*) str.begin());
}
inline IntrusivePtr<StringVal> to_stringval(const_bytestring const& str)
{
return make_intrusive<StringVal>(str.length(), (const char*) str.begin());
}
} // namespace binpac

4
testing/btest/plugins/protocol-plugin/src/foo-analyzer.pac
View file

@ -3,8 +3,8 @@ refine connection Foo_Conn += {
function Foo_data(msg: Foo_Message): bool
%{
StringVal* data = new StringVal(${msg.data}.length(), (const char*) ${msg.data}.data());
BifEvent::generate_foo_message(bro_analyzer(), bro_analyzer()->Conn(), data);
auto data = make_intrusive<StringVal>(${msg.data}.length(), (const char*) ${msg.data}.data());
BifEvent::enqueue_foo_message(bro_analyzer(), bro_analyzer()->Conn(), std::move(data));
return true;
%}