Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Mark global val_mgr as deprecated and fix uses of it to use namespaced version

Browse source
This commit is contained in:
Tim Wojtulewicz 2020-07-02 13:08:41 -07:00
parent 3098dd6fbb
commit 86fdf0eaa9
134 changed files with 1579 additions and 1580 deletions
Download patch file Download diff file Expand all files Collapse all files

2
auxil/bifcl

@ -1 +1 @@
Subproject commit 6c3b3c7f0a0df6736f6568bb3503dd03c0733b4d Subproject commit 66e7e189d3a7d2b62b859e0e7e004f175a7d9563

8
src/CompHash.cc
View file

@ -764,9 +764,9 @@ const char* CompositeHash::RecoverOneVal(
if ( tag == zeek::TYPE_ENUM ) if ( tag == zeek::TYPE_ENUM )
*pval = t->AsEnumType()->GetVal(*kp); *pval = t->AsEnumType()->GetVal(*kp);
else if ( tag == zeek::TYPE_BOOL ) else if ( tag == zeek::TYPE_BOOL )
*pval = val_mgr->Bool(*kp); *pval = zeek::val_mgr->Bool(*kp);
else if ( tag == zeek::TYPE_INT ) else if ( tag == zeek::TYPE_INT )
*pval = val_mgr->Int(*kp); *pval = zeek::val_mgr->Int(*kp);
else else
{ {
reporter->InternalError("bad internal unsigned int in CompositeHash::RecoverOneVal()"); reporter->InternalError("bad internal unsigned int in CompositeHash::RecoverOneVal()");
@ -783,11 +783,11 @@ const char* CompositeHash::RecoverOneVal(
switch ( tag ) { switch ( tag ) {
case zeek::TYPE_COUNT: case zeek::TYPE_COUNT:
case zeek::TYPE_COUNTER: case zeek::TYPE_COUNTER:
*pval = val_mgr->Count(*kp); *pval = zeek::val_mgr->Count(*kp);
break; break;
case zeek::TYPE_PORT: case zeek::TYPE_PORT:
*pval = val_mgr->Port(*kp); *pval = zeek::val_mgr->Port(*kp);
break; break;
default: default:

36
src/Conn.cc
View file

@ -266,8 +266,8 @@ void Connection::HistoryThresholdEvent(EventHandlerPtr e, bool is_orig,
EnqueueEvent(e, nullptr, EnqueueEvent(e, nullptr,
ConnVal(), ConnVal(),
val_mgr->Bool(is_orig), zeek::val_mgr->Bool(is_orig),
val_mgr->Count(threshold) zeek::val_mgr->Count(threshold)
); );
} }
@ -352,14 +352,14 @@ const zeek::RecordValPtr& Connection::ConnVal()
auto id_val = zeek::make_intrusive<zeek::RecordVal>(zeek::id::conn_id); auto id_val = zeek::make_intrusive<zeek::RecordVal>(zeek::id::conn_id);
id_val->Assign(0, zeek::make_intrusive<zeek::AddrVal>(orig_addr)); id_val->Assign(0, zeek::make_intrusive<zeek::AddrVal>(orig_addr));
id_val->Assign(1, val_mgr->Port(ntohs(orig_port), prot_type)); id_val->Assign(1, zeek::val_mgr->Port(ntohs(orig_port), prot_type));
id_val->Assign(2, zeek::make_intrusive<zeek::AddrVal>(resp_addr)); id_val->Assign(2, zeek::make_intrusive<zeek::AddrVal>(resp_addr));
id_val->Assign(3, val_mgr->Port(ntohs(resp_port), prot_type)); id_val->Assign(3, zeek::val_mgr->Port(ntohs(resp_port), prot_type));
auto orig_endp = zeek::make_intrusive<zeek::RecordVal>(zeek::id::endpoint); auto orig_endp = zeek::make_intrusive<zeek::RecordVal>(zeek::id::endpoint);
orig_endp->Assign(0, val_mgr->Count(0)); orig_endp->Assign(0, zeek::val_mgr->Count(0));
orig_endp->Assign(1, val_mgr->Count(0)); orig_endp->Assign(1, zeek::val_mgr->Count(0));
orig_endp->Assign(4, val_mgr->Count(orig_flow_label)); orig_endp->Assign(4, zeek::val_mgr->Count(orig_flow_label));
const int l2_len = sizeof(orig_l2_addr); const int l2_len = sizeof(orig_l2_addr);
char null[l2_len]{}; char null[l2_len]{};
@ -368,9 +368,9 @@ const zeek::RecordValPtr& Connection::ConnVal()
orig_endp->Assign(5, zeek::make_intrusive<zeek::StringVal>(fmt_mac(orig_l2_addr, l2_len))); orig_endp->Assign(5, zeek::make_intrusive<zeek::StringVal>(fmt_mac(orig_l2_addr, l2_len)));
auto resp_endp = zeek::make_intrusive<zeek::RecordVal>(zeek::id::endpoint); auto resp_endp = zeek::make_intrusive<zeek::RecordVal>(zeek::id::endpoint);
resp_endp->Assign(0, val_mgr->Count(0)); resp_endp->Assign(0, zeek::val_mgr->Count(0));
resp_endp->Assign(1, val_mgr->Count(0)); resp_endp->Assign(1, zeek::val_mgr->Count(0));
resp_endp->Assign(4, val_mgr->Count(resp_flow_label)); resp_endp->Assign(4, zeek::val_mgr->Count(resp_flow_label));
if ( memcmp(&resp_l2_addr, &null, l2_len) != 0 ) if ( memcmp(&resp_l2_addr, &null, l2_len) != 0 )
resp_endp->Assign(5, zeek::make_intrusive<zeek::StringVal>(fmt_mac(resp_l2_addr, l2_len))); resp_endp->Assign(5, zeek::make_intrusive<zeek::StringVal>(fmt_mac(resp_l2_addr, l2_len)));
@ -380,7 +380,7 @@ const zeek::RecordValPtr& Connection::ConnVal()
conn_val->Assign(2, std::move(resp_endp)); conn_val->Assign(2, std::move(resp_endp));
// 3 and 4 are set below. // 3 and 4 are set below.
conn_val->Assign(5, zeek::make_intrusive<zeek::TableVal>(zeek::id::string_set)); // service conn_val->Assign(5, zeek::make_intrusive<zeek::TableVal>(zeek::id::string_set)); // service
conn_val->Assign(6, val_mgr->EmptyString()); // history conn_val->Assign(6, zeek::val_mgr->EmptyString()); // history
if ( ! uid ) if ( ! uid )
uid.Set(bits_per_uid); uid.Set(bits_per_uid);
@ -391,10 +391,10 @@ const zeek::RecordValPtr& Connection::ConnVal()
conn_val->Assign(8, encapsulation->ToVal()); conn_val->Assign(8, encapsulation->ToVal());
if ( vlan != 0 ) if ( vlan != 0 )
conn_val->Assign(9, val_mgr->Int(vlan)); conn_val->Assign(9, zeek::val_mgr->Int(vlan));
if ( inner_vlan != 0 ) if ( inner_vlan != 0 )
conn_val->Assign(10, val_mgr->Int(inner_vlan)); conn_val->Assign(10, zeek::val_mgr->Int(inner_vlan));
} }
@ -404,7 +404,7 @@ const zeek::RecordValPtr& Connection::ConnVal()
conn_val->Assign(3, zeek::make_intrusive<zeek::TimeVal>(start_time)); // ### conn_val->Assign(3, zeek::make_intrusive<zeek::TimeVal>(start_time)); // ###
conn_val->Assign(4, zeek::make_intrusive<zeek::IntervalVal>(last_time - start_time)); conn_val->Assign(4, zeek::make_intrusive<zeek::IntervalVal>(last_time - start_time));
conn_val->Assign(6, zeek::make_intrusive<zeek::StringVal>(history.c_str())); conn_val->Assign(6, zeek::make_intrusive<zeek::StringVal>(history.c_str()));
conn_val->Assign(11, val_mgr->Bool(is_successful)); conn_val->Assign(11, zeek::val_mgr->Bool(is_successful));
conn_val->SetOrigin(this); conn_val->SetOrigin(this);
@ -698,7 +698,7 @@ void Connection::CheckFlowLabel(bool is_orig, uint32_t flow_label)
if ( conn_val ) if ( conn_val )
{ {
zeek::RecordVal* endp = conn_val->GetField(is_orig ? 1 : 2)->AsRecordVal(); zeek::RecordVal* endp = conn_val->GetField(is_orig ? 1 : 2)->AsRecordVal();
endp->Assign(4, val_mgr->Count(flow_label)); endp->Assign(4, zeek::val_mgr->Count(flow_label));
} }
if ( connection_flow_label_changed && if ( connection_flow_label_changed &&
@ -706,9 +706,9 @@ void Connection::CheckFlowLabel(bool is_orig, uint32_t flow_label)
{ {
EnqueueEvent(connection_flow_label_changed, nullptr, EnqueueEvent(connection_flow_label_changed, nullptr,
ConnVal(), ConnVal(),
val_mgr->Bool(is_orig), zeek::val_mgr->Bool(is_orig),
val_mgr->Count(my_flow_label), zeek::val_mgr->Count(my_flow_label),
val_mgr->Count(flow_label) zeek::val_mgr->Count(flow_label)
); );
} }

2
src/DNS_Mgr.cc
View file

@ -721,7 +721,7 @@ zeek::ValPtr DNS_Mgr::BuildMappingVal(DNS_Mapping* dm)
r->Assign(0, zeek::make_intrusive<zeek::TimeVal>(dm->CreationTime())); r->Assign(0, zeek::make_intrusive<zeek::TimeVal>(dm->CreationTime()));
r->Assign(1, zeek::make_intrusive<zeek::StringVal>(dm->ReqHost() ? dm->ReqHost() : "")); r->Assign(1, zeek::make_intrusive<zeek::StringVal>(dm->ReqHost() ? dm->ReqHost() : ""));
r->Assign(2, zeek::make_intrusive<zeek::AddrVal>(dm->ReqAddr())); r->Assign(2, zeek::make_intrusive<zeek::AddrVal>(dm->ReqAddr()));
r->Assign(3, val_mgr->Bool(dm->Valid())); r->Assign(3, zeek::val_mgr->Bool(dm->Valid()));
auto h = dm->Host(); auto h = dm->Host();
r->Assign(4, h ? std::move(h) : zeek::make_intrusive<zeek::StringVal>("<none>")); r->Assign(4, h ? std::move(h) : zeek::make_intrusive<zeek::StringVal>("<none>"));

48
src/Expr.cc
View file

@ -683,11 +683,11 @@ ValPtr BinaryExpr::Fold(Val* v1, Val* v2) const
else if ( ret_type->Tag() == zeek::TYPE_DOUBLE ) else if ( ret_type->Tag() == zeek::TYPE_DOUBLE )
return zeek::make_intrusive<zeek::DoubleVal>(d3); return zeek::make_intrusive<zeek::DoubleVal>(d3);
else if ( ret_type->InternalType() == zeek::TYPE_INTERNAL_UNSIGNED ) else if ( ret_type->InternalType() == zeek::TYPE_INTERNAL_UNSIGNED )
return val_mgr->Count(u3); return zeek::val_mgr->Count(u3);
else if ( ret_type->Tag() == zeek::TYPE_BOOL ) else if ( ret_type->Tag() == zeek::TYPE_BOOL )
return val_mgr->Bool(i3); return zeek::val_mgr->Bool(i3);
else else
return val_mgr->Int(i3); return zeek::val_mgr->Int(i3);
} }
ValPtr BinaryExpr::StringFold(Val* v1, Val* v2) const ValPtr BinaryExpr::StringFold(Val* v1, Val* v2) const
@ -721,7 +721,7 @@ ValPtr BinaryExpr::StringFold(Val* v1, Val* v2) const
BadTag("BinaryExpr::StringFold", expr_name(tag)); BadTag("BinaryExpr::StringFold", expr_name(tag));
} }
return val_mgr->Bool(result); return zeek::val_mgr->Bool(result);
} }
@ -797,7 +797,7 @@ ValPtr BinaryExpr::SetFold(Val* v1, Val* v2) const
return nullptr; return nullptr;
} }
return val_mgr->Bool(res); return zeek::val_mgr->Bool(res);
} }
ValPtr BinaryExpr::AddrFold(Val* v1, Val* v2) const ValPtr BinaryExpr::AddrFold(Val* v1, Val* v2) const
@ -831,7 +831,7 @@ ValPtr BinaryExpr::AddrFold(Val* v1, Val* v2) const
BadTag("BinaryExpr::AddrFold", expr_name(tag)); BadTag("BinaryExpr::AddrFold", expr_name(tag));
} }
return val_mgr->Bool(result); return zeek::val_mgr->Bool(result);
} }
ValPtr BinaryExpr::SubNetFold(Val* v1, Val* v2) const ValPtr BinaryExpr::SubNetFold(Val* v1, Val* v2) const
@ -844,7 +844,7 @@ ValPtr BinaryExpr::SubNetFold(Val* v1, Val* v2) const
if ( tag == EXPR_NE ) if ( tag == EXPR_NE )
result = ! result; result = ! result;
return val_mgr->Bool(result); return zeek::val_mgr->Bool(result);
} }
void BinaryExpr::SwapOps() void BinaryExpr::SwapOps()
@ -956,9 +956,9 @@ ValPtr IncrExpr::DoSingleEval(Frame* f, Val* v) const
const auto& ret_type = IsVector(GetType()->Tag()) ? GetType()->Yield() : GetType(); const auto& ret_type = IsVector(GetType()->Tag()) ? GetType()->Yield() : GetType();
if ( ret_type->Tag() == zeek::TYPE_INT ) if ( ret_type->Tag() == zeek::TYPE_INT )
return val_mgr->Int(k); return zeek::val_mgr->Int(k);
else else
return val_mgr->Count(k); return zeek::val_mgr->Count(k);
} }
@ -1016,7 +1016,7 @@ ComplementExpr::ComplementExpr(ExprPtr arg_op)
ValPtr ComplementExpr::Fold(Val* v) const ValPtr ComplementExpr::Fold(Val* v) const
{ {
return val_mgr->Count(~ v->InternalUnsigned()); return zeek::val_mgr->Count(~ v->InternalUnsigned());
} }
NotExpr::NotExpr(ExprPtr arg_op) NotExpr::NotExpr(ExprPtr arg_op)
@ -1035,7 +1035,7 @@ NotExpr::NotExpr(ExprPtr arg_op)
ValPtr NotExpr::Fold(Val* v) const ValPtr NotExpr::Fold(Val* v) const
{ {
return val_mgr->Bool(! v->InternalInt()); return zeek::val_mgr->Bool(! v->InternalInt());
} }
PosExpr::PosExpr(ExprPtr arg_op) PosExpr::PosExpr(ExprPtr arg_op)
@ -1070,7 +1070,7 @@ ValPtr PosExpr::Fold(Val* v) const
if ( t == zeek::TYPE_DOUBLE || t == zeek::TYPE_INTERVAL || t == zeek::TYPE_INT ) if ( t == zeek::TYPE_DOUBLE || t == zeek::TYPE_INTERVAL || t == zeek::TYPE_INT )
return {zeek::NewRef{}, v}; return {zeek::NewRef{}, v};
else else
return val_mgr->Int(v->CoerceToInt()); return zeek::val_mgr->Int(v->CoerceToInt());
} }
NegExpr::NegExpr(ExprPtr arg_op) NegExpr::NegExpr(ExprPtr arg_op)
@ -1105,7 +1105,7 @@ ValPtr NegExpr::Fold(Val* v) const
else if ( v->GetType()->Tag() == zeek::TYPE_INTERVAL ) else if ( v->GetType()->Tag() == zeek::TYPE_INTERVAL )
return zeek::make_intrusive<zeek::IntervalVal>(- v->InternalDouble()); return zeek::make_intrusive<zeek::IntervalVal>(- v->InternalDouble());
else else
return val_mgr->Int(- v->CoerceToInt()); return zeek::val_mgr->Int(- v->CoerceToInt());
} }
SizeExpr::SizeExpr(ExprPtr arg_op) SizeExpr::SizeExpr(ExprPtr arg_op)
@ -1609,7 +1609,7 @@ ValPtr BoolExpr::Eval(Frame* f) const
(! op1->IsZero() && ! op2->IsZero()) : (! op1->IsZero() && ! op2->IsZero()) :
(! op1->IsZero() || ! op2->IsZero()); (! op1->IsZero() || ! op2->IsZero());
result->Assign(i, val_mgr->Bool(local_result)); result->Assign(i, zeek::val_mgr->Bool(local_result));
} }
else else
result->Assign(i, nullptr); result->Assign(i, nullptr);
@ -1762,9 +1762,9 @@ ValPtr EqExpr::Fold(Val* v1, Val* v2) const
RE_Matcher* re = v1->AsPattern(); RE_Matcher* re = v1->AsPattern();
const BroString* s = v2->AsString(); const BroString* s = v2->AsString();
if ( tag == EXPR_EQ ) if ( tag == EXPR_EQ )
return val_mgr->Bool(re->MatchExactly(s)); return zeek::val_mgr->Bool(re->MatchExactly(s));
else else
return val_mgr->Bool(! re->MatchExactly(s)); return zeek::val_mgr->Bool(! re->MatchExactly(s));
} }
else else
@ -2944,7 +2944,7 @@ HasFieldExpr::~HasFieldExpr()
ValPtr HasFieldExpr::Fold(Val* v) const ValPtr HasFieldExpr::Fold(Val* v) const
{ {
auto rv = v->AsRecordVal(); auto rv = v->AsRecordVal();
return val_mgr->Bool(rv->GetField(field) != nullptr); return zeek::val_mgr->Bool(rv->GetField(field) != nullptr);
} }
void HasFieldExpr::ExprDescribe(ODesc* d) const void HasFieldExpr::ExprDescribe(ODesc* d) const
@ -3459,10 +3459,10 @@ ValPtr ArithCoerceExpr::FoldSingleVal(Val* v, InternalTypeTag t) const
return zeek::make_intrusive<zeek::DoubleVal>(v->CoerceToDouble()); return zeek::make_intrusive<zeek::DoubleVal>(v->CoerceToDouble());
case zeek::TYPE_INTERNAL_INT: case zeek::TYPE_INTERNAL_INT:
return val_mgr->Int(v->CoerceToInt()); return zeek::val_mgr->Int(v->CoerceToInt());
case zeek::TYPE_INTERNAL_UNSIGNED: case zeek::TYPE_INTERNAL_UNSIGNED:
return val_mgr->Count(v->CoerceToUnsigned()); return zeek::val_mgr->Count(v->CoerceToUnsigned());
default: default:
RuntimeErrorWithCallStack("bad type in CoerceExpr::Fold"); RuntimeErrorWithCallStack("bad type in CoerceExpr::Fold");
@ -3949,7 +3949,7 @@ ValPtr InExpr::Fold(Val* v1, Val* v2) const
{ {
RE_Matcher* re = v1->AsPattern(); RE_Matcher* re = v1->AsPattern();
const BroString* s = v2->AsString(); const BroString* s = v2->AsString();
return val_mgr->Bool(re->MatchAnywhere(s) != 0); return zeek::val_mgr->Bool(re->MatchAnywhere(s) != 0);
} }
if ( v2->GetType()->Tag() == zeek::TYPE_STRING ) if ( v2->GetType()->Tag() == zeek::TYPE_STRING )
@ -3960,12 +3960,12 @@ ValPtr InExpr::Fold(Val* v1, Val* v2) const
// Could do better here e.g. Boyer-Moore if done repeatedly. // Could do better here e.g. Boyer-Moore if done repeatedly.
auto s = reinterpret_cast<const unsigned char*>(s1->CheckString()); auto s = reinterpret_cast<const unsigned char*>(s1->CheckString());
auto res = strstr_n(s2->Len(), s2->Bytes(), s1->Len(), s) != -1; auto res = strstr_n(s2->Len(), s2->Bytes(), s1->Len(), s) != -1;
return val_mgr->Bool(res); return zeek::val_mgr->Bool(res);
} }
if ( v1->GetType()->Tag() == zeek::TYPE_ADDR && if ( v1->GetType()->Tag() == zeek::TYPE_ADDR &&
v2->GetType()->Tag() == zeek::TYPE_SUBNET ) v2->GetType()->Tag() == zeek::TYPE_SUBNET )
return val_mgr->Bool(v2->AsSubNetVal()->Contains(v1->AsAddr())); return zeek::val_mgr->Bool(v2->AsSubNetVal()->Contains(v1->AsAddr()));
bool res; bool res;
@ -3974,7 +3974,7 @@ ValPtr InExpr::Fold(Val* v1, Val* v2) const
else else
res = (bool)v2->AsTableVal()->Find({zeek::NewRef{}, v1}); res = (bool)v2->AsTableVal()->Find({zeek::NewRef{}, v1});
return val_mgr->Bool(res); return zeek::val_mgr->Bool(res);
} }
CallExpr::CallExpr(ExprPtr arg_func, ListExprPtr arg_args, bool in_hook) CallExpr::CallExpr(ExprPtr arg_func, ListExprPtr arg_args, bool in_hook)
@ -4809,7 +4809,7 @@ ValPtr IsExpr::Fold(Val* v) const
if ( IsError() ) if ( IsError() )
return nullptr; return nullptr;
return val_mgr->Bool(can_cast_value_to_type(v, t.get())); return zeek::val_mgr->Bool(can_cast_value_to_type(v, t.get()));
} }
void IsExpr::ExprDescribe(ODesc* d) const void IsExpr::ExprDescribe(ODesc* d) const

6
src/Func.cc
View file

@ -345,7 +345,7 @@ zeek::ValPtr BroFunc::Invoke(zeek::Args* args, zeek::detail::Frame* parent) cons
{ {
// Can only happen for events and hooks. // Can only happen for events and hooks.
assert(Flavor() == zeek::FUNC_FLAVOR_EVENT || Flavor() == zeek::FUNC_FLAVOR_HOOK); assert(Flavor() == zeek::FUNC_FLAVOR_EVENT || Flavor() == zeek::FUNC_FLAVOR_HOOK);
return Flavor() == zeek::FUNC_FLAVOR_HOOK ? val_mgr->True() : nullptr; return Flavor() == zeek::FUNC_FLAVOR_HOOK ? zeek::val_mgr->True() : nullptr;
} }
auto f = zeek::make_intrusive<zeek::detail::Frame>(frame_size, this, args); auto f = zeek::make_intrusive<zeek::detail::Frame>(frame_size, this, args);
@ -431,7 +431,7 @@ zeek::ValPtr BroFunc::Invoke(zeek::Args* args, zeek::detail::Frame* parent) cons
if ( flow == FLOW_BREAK ) if ( flow == FLOW_BREAK )
{ {
// Short-circuit execution of remaining hook handler bodies. // Short-circuit execution of remaining hook handler bodies.
result = val_mgr->False(); result = zeek::val_mgr->False();
break; break;
} }
} }
@ -442,7 +442,7 @@ zeek::ValPtr BroFunc::Invoke(zeek::Args* args, zeek::detail::Frame* parent) cons
if ( Flavor() == zeek::FUNC_FLAVOR_HOOK ) if ( Flavor() == zeek::FUNC_FLAVOR_HOOK )
{ {
if ( ! result ) if ( ! result )
result = val_mgr->True(); result = zeek::val_mgr->True();
} }
// Warn if the function returns something, but we returned from // Warn if the function returns something, but we returned from

158
src/IP.cc
View file

@ -22,13 +22,13 @@ static zeek::VectorValPtr BuildOptionsVal(const u_char* data, int len)
static auto ip6_option_type = zeek::id::find_type<zeek::RecordType>("ip6_option"); static auto ip6_option_type = zeek::id::find_type<zeek::RecordType>("ip6_option");
const struct ip6_opt* opt = (const struct ip6_opt*) data; const struct ip6_opt* opt = (const struct ip6_opt*) data;
auto rv = zeek::make_intrusive<zeek::RecordVal>(ip6_option_type); auto rv = zeek::make_intrusive<zeek::RecordVal>(ip6_option_type);
rv->Assign(0, val_mgr->Count(opt->ip6o_type)); rv->Assign(0, zeek::val_mgr->Count(opt->ip6o_type));
if ( opt->ip6o_type == 0 ) if ( opt->ip6o_type == 0 )
{ {
// Pad1 option // Pad1 option
rv->Assign(1, val_mgr->Count(0)); rv->Assign(1, zeek::val_mgr->Count(0));
rv->Assign(2, val_mgr->EmptyString()); rv->Assign(2, zeek::val_mgr->EmptyString());
data += sizeof(uint8_t); data += sizeof(uint8_t);
len -= sizeof(uint8_t); len -= sizeof(uint8_t);
} }
@ -36,7 +36,7 @@ static zeek::VectorValPtr BuildOptionsVal(const u_char* data, int len)
{ {
// PadN or other option // PadN or other option
uint16_t off = 2 * sizeof(uint8_t); uint16_t off = 2 * sizeof(uint8_t);
rv->Assign(1, val_mgr->Count(opt->ip6o_len)); rv->Assign(1, zeek::val_mgr->Count(opt->ip6o_len));
rv->Assign(2, zeek::make_intrusive<zeek::StringVal>( rv->Assign(2, zeek::make_intrusive<zeek::StringVal>(
new zeek::BroString(data + off, opt->ip6o_len, true))); new zeek::BroString(data + off, opt->ip6o_len, true)));
data += opt->ip6o_len + off; data += opt->ip6o_len + off;
@ -59,11 +59,11 @@ zeek::RecordValPtr IPv6_Hdr::ToVal(zeek::VectorValPtr chain) const
static auto ip6_hdr_type = zeek::id::find_type<zeek::RecordType>("ip6_hdr"); static auto ip6_hdr_type = zeek::id::find_type<zeek::RecordType>("ip6_hdr");
rv = zeek::make_intrusive<zeek::RecordVal>(ip6_hdr_type); rv = zeek::make_intrusive<zeek::RecordVal>(ip6_hdr_type);
const struct ip6_hdr* ip6 = (const struct ip6_hdr*)data; const struct ip6_hdr* ip6 = (const struct ip6_hdr*)data;
rv->Assign(0, val_mgr->Count((ntohl(ip6->ip6_flow) & 0x0ff00000)>>20)); rv->Assign(0, zeek::val_mgr->Count((ntohl(ip6->ip6_flow) & 0x0ff00000)>>20));
rv->Assign(1, val_mgr->Count(ntohl(ip6->ip6_flow) & 0x000fffff)); rv->Assign(1, zeek::val_mgr->Count(ntohl(ip6->ip6_flow) & 0x000fffff));
rv->Assign(2, val_mgr->Count(ntohs(ip6->ip6_plen))); rv->Assign(2, zeek::val_mgr->Count(ntohs(ip6->ip6_plen)));
rv->Assign(3, val_mgr->Count(ip6->ip6_nxt)); rv->Assign(3, zeek::val_mgr->Count(ip6->ip6_nxt));
rv->Assign(4, val_mgr->Count(ip6->ip6_hlim)); rv->Assign(4, zeek::val_mgr->Count(ip6->ip6_hlim));
rv->Assign(5, zeek::make_intrusive<zeek::AddrVal>(IPAddr(ip6->ip6_src))); rv->Assign(5, zeek::make_intrusive<zeek::AddrVal>(IPAddr(ip6->ip6_src)));
rv->Assign(6, zeek::make_intrusive<zeek::AddrVal>(IPAddr(ip6->ip6_dst))); rv->Assign(6, zeek::make_intrusive<zeek::AddrVal>(IPAddr(ip6->ip6_dst)));
if ( ! chain ) if ( ! chain )
@ -78,8 +78,8 @@ zeek::RecordValPtr IPv6_Hdr::ToVal(zeek::VectorValPtr chain) const
static auto ip6_hopopts_type = zeek::id::find_type<zeek::RecordType>("ip6_hopopts"); static auto ip6_hopopts_type = zeek::id::find_type<zeek::RecordType>("ip6_hopopts");
rv = zeek::make_intrusive<zeek::RecordVal>(ip6_hopopts_type); rv = zeek::make_intrusive<zeek::RecordVal>(ip6_hopopts_type);
const struct ip6_hbh* hbh = (const struct ip6_hbh*)data; const struct ip6_hbh* hbh = (const struct ip6_hbh*)data;
rv->Assign(0, val_mgr->Count(hbh->ip6h_nxt)); rv->Assign(0, zeek::val_mgr->Count(hbh->ip6h_nxt));
rv->Assign(1, val_mgr->Count(hbh->ip6h_len)); rv->Assign(1, zeek::val_mgr->Count(hbh->ip6h_len));
uint16_t off = 2 * sizeof(uint8_t); uint16_t off = 2 * sizeof(uint8_t);
rv->Assign(2, BuildOptionsVal(data + off, Length() - off)); rv->Assign(2, BuildOptionsVal(data + off, Length() - off));
@ -91,8 +91,8 @@ zeek::RecordValPtr IPv6_Hdr::ToVal(zeek::VectorValPtr chain) const
static auto ip6_dstopts_type = zeek::id::find_type<zeek::RecordType>("ip6_dstopts"); static auto ip6_dstopts_type = zeek::id::find_type<zeek::RecordType>("ip6_dstopts");
rv = zeek::make_intrusive<zeek::RecordVal>(ip6_dstopts_type); rv = zeek::make_intrusive<zeek::RecordVal>(ip6_dstopts_type);
const struct ip6_dest* dst = (const struct ip6_dest*)data; const struct ip6_dest* dst = (const struct ip6_dest*)data;
rv->Assign(0, val_mgr->Count(dst->ip6d_nxt)); rv->Assign(0, zeek::val_mgr->Count(dst->ip6d_nxt));
rv->Assign(1, val_mgr->Count(dst->ip6d_len)); rv->Assign(1, zeek::val_mgr->Count(dst->ip6d_len));
uint16_t off = 2 * sizeof(uint8_t); uint16_t off = 2 * sizeof(uint8_t);
rv->Assign(2, BuildOptionsVal(data + off, Length() - off)); rv->Assign(2, BuildOptionsVal(data + off, Length() - off));
} }
@ -103,10 +103,10 @@ zeek::RecordValPtr IPv6_Hdr::ToVal(zeek::VectorValPtr chain) const
static auto ip6_routing_type = zeek::id::find_type<zeek::RecordType>("ip6_routing"); static auto ip6_routing_type = zeek::id::find_type<zeek::RecordType>("ip6_routing");
rv = zeek::make_intrusive<zeek::RecordVal>(ip6_routing_type); rv = zeek::make_intrusive<zeek::RecordVal>(ip6_routing_type);
const struct ip6_rthdr* rt = (const struct ip6_rthdr*)data; const struct ip6_rthdr* rt = (const struct ip6_rthdr*)data;
rv->Assign(0, val_mgr->Count(rt->ip6r_nxt)); rv->Assign(0, zeek::val_mgr->Count(rt->ip6r_nxt));
rv->Assign(1, val_mgr->Count(rt->ip6r_len)); rv->Assign(1, zeek::val_mgr->Count(rt->ip6r_len));
rv->Assign(2, val_mgr->Count(rt->ip6r_type)); rv->Assign(2, zeek::val_mgr->Count(rt->ip6r_type));
rv->Assign(3, val_mgr->Count(rt->ip6r_segleft)); rv->Assign(3, zeek::val_mgr->Count(rt->ip6r_segleft));
uint16_t off = 4 * sizeof(uint8_t); uint16_t off = 4 * sizeof(uint8_t);
rv->Assign(4, zeek::make_intrusive<zeek::StringVal>(new zeek::BroString(data + off, Length() - off, true))); rv->Assign(4, zeek::make_intrusive<zeek::StringVal>(new zeek::BroString(data + off, Length() - off, true)));
} }
@ -117,12 +117,12 @@ zeek::RecordValPtr IPv6_Hdr::ToVal(zeek::VectorValPtr chain) const
static auto ip6_fragment_type = zeek::id::find_type<zeek::RecordType>("ip6_fragment"); static auto ip6_fragment_type = zeek::id::find_type<zeek::RecordType>("ip6_fragment");
rv = zeek::make_intrusive<zeek::RecordVal>(ip6_fragment_type); rv = zeek::make_intrusive<zeek::RecordVal>(ip6_fragment_type);
const struct ip6_frag* frag = (const struct ip6_frag*)data; const struct ip6_frag* frag = (const struct ip6_frag*)data;
rv->Assign(0, val_mgr->Count(frag->ip6f_nxt)); rv->Assign(0, zeek::val_mgr->Count(frag->ip6f_nxt));
rv->Assign(1, val_mgr->Count(frag->ip6f_reserved)); rv->Assign(1, zeek::val_mgr->Count(frag->ip6f_reserved));
rv->Assign(2, val_mgr->Count((ntohs(frag->ip6f_offlg) & 0xfff8)>>3)); rv->Assign(2, zeek::val_mgr->Count((ntohs(frag->ip6f_offlg) & 0xfff8)>>3));
rv->Assign(3, val_mgr->Count((ntohs(frag->ip6f_offlg) & 0x0006)>>1)); rv->Assign(3, zeek::val_mgr->Count((ntohs(frag->ip6f_offlg) & 0x0006)>>1));
rv->Assign(4, val_mgr->Bool(ntohs(frag->ip6f_offlg) & 0x0001)); rv->Assign(4, zeek::val_mgr->Bool(ntohs(frag->ip6f_offlg) & 0x0001));
rv->Assign(5, val_mgr->Count(ntohl(frag->ip6f_ident))); rv->Assign(5, zeek::val_mgr->Count(ntohl(frag->ip6f_ident)));
} }
break; break;
@ -130,16 +130,16 @@ zeek::RecordValPtr IPv6_Hdr::ToVal(zeek::VectorValPtr chain) const
{ {
static auto ip6_ah_type = zeek::id::find_type<zeek::RecordType>("ip6_ah"); static auto ip6_ah_type = zeek::id::find_type<zeek::RecordType>("ip6_ah");
rv = zeek::make_intrusive<zeek::RecordVal>(ip6_ah_type); rv = zeek::make_intrusive<zeek::RecordVal>(ip6_ah_type);
rv->Assign(0, val_mgr->Count(((ip6_ext*)data)->ip6e_nxt)); rv->Assign(0, zeek::val_mgr->Count(((ip6_ext*)data)->ip6e_nxt));
rv->Assign(1, val_mgr->Count(((ip6_ext*)data)->ip6e_len)); rv->Assign(1, zeek::val_mgr->Count(((ip6_ext*)data)->ip6e_len));
rv->Assign(2, val_mgr->Count(ntohs(((uint16_t*)data)[1]))); rv->Assign(2, zeek::val_mgr->Count(ntohs(((uint16_t*)data)[1])));
rv->Assign(3, val_mgr->Count(ntohl(((uint32_t*)data)[1]))); rv->Assign(3, zeek::val_mgr->Count(ntohl(((uint32_t*)data)[1])));
if ( Length() >= 12 ) if ( Length() >= 12 )
{ {
// Sequence Number and ICV fields can only be extracted if // Sequence Number and ICV fields can only be extracted if
// Payload Len was non-zero for this header. // Payload Len was non-zero for this header.
rv->Assign(4, val_mgr->Count(ntohl(((uint32_t*)data)[2]))); rv->Assign(4, zeek::val_mgr->Count(ntohl(((uint32_t*)data)[2])));
uint16_t off = 3 * sizeof(uint32_t); uint16_t off = 3 * sizeof(uint32_t);
rv->Assign(5, zeek::make_intrusive<zeek::StringVal>(new zeek::BroString(data + off, Length() - off, true))); rv->Assign(5, zeek::make_intrusive<zeek::StringVal>(new zeek::BroString(data + off, Length() - off, true)));
} }
@ -151,8 +151,8 @@ zeek::RecordValPtr IPv6_Hdr::ToVal(zeek::VectorValPtr chain) const
static auto ip6_esp_type = zeek::id::find_type<zeek::RecordType>("ip6_esp"); static auto ip6_esp_type = zeek::id::find_type<zeek::RecordType>("ip6_esp");
rv = zeek::make_intrusive<zeek::RecordVal>(ip6_esp_type); rv = zeek::make_intrusive<zeek::RecordVal>(ip6_esp_type);
const uint32_t* esp = (const uint32_t*)data; const uint32_t* esp = (const uint32_t*)data;
rv->Assign(0, val_mgr->Count(ntohl(esp[0]))); rv->Assign(0, zeek::val_mgr->Count(ntohl(esp[0])));
rv->Assign(1, val_mgr->Count(ntohl(esp[1]))); rv->Assign(1, zeek::val_mgr->Count(ntohl(esp[1])));
} }
break; break;
@ -162,15 +162,15 @@ zeek::RecordValPtr IPv6_Hdr::ToVal(zeek::VectorValPtr chain) const
static auto ip6_mob_type = zeek::id::find_type<zeek::RecordType>("ip6_mobility_hdr"); static auto ip6_mob_type = zeek::id::find_type<zeek::RecordType>("ip6_mobility_hdr");
rv = zeek::make_intrusive<zeek::RecordVal>(ip6_mob_type); rv = zeek::make_intrusive<zeek::RecordVal>(ip6_mob_type);
const struct ip6_mobility* mob = (const struct ip6_mobility*) data; const struct ip6_mobility* mob = (const struct ip6_mobility*) data;
rv->Assign(0, val_mgr->Count(mob->ip6mob_payload)); rv->Assign(0, zeek::val_mgr->Count(mob->ip6mob_payload));
rv->Assign(1, val_mgr->Count(mob->ip6mob_len)); rv->Assign(1, zeek::val_mgr->Count(mob->ip6mob_len));
rv->Assign(2, val_mgr->Count(mob->ip6mob_type)); rv->Assign(2, zeek::val_mgr->Count(mob->ip6mob_type));
rv->Assign(3, val_mgr->Count(mob->ip6mob_rsv)); rv->Assign(3, zeek::val_mgr->Count(mob->ip6mob_rsv));
rv->Assign(4, val_mgr->Count(ntohs(mob->ip6mob_chksum))); rv->Assign(4, zeek::val_mgr->Count(ntohs(mob->ip6mob_chksum)));
static auto ip6_mob_msg_type = zeek::id::find_type<zeek::RecordType>("ip6_mobility_msg"); static auto ip6_mob_msg_type = zeek::id::find_type<zeek::RecordType>("ip6_mobility_msg");
auto msg = zeek::make_intrusive<zeek::RecordVal>(ip6_mob_msg_type); auto msg = zeek::make_intrusive<zeek::RecordVal>(ip6_mob_msg_type);
msg->Assign(0, val_mgr->Count(mob->ip6mob_type)); msg->Assign(0, zeek::val_mgr->Count(mob->ip6mob_type));
uint16_t off = sizeof(ip6_mobility); uint16_t off = sizeof(ip6_mobility);
const u_char* msg_data = data + off; const u_char* msg_data = data + off;
@ -188,7 +188,7 @@ zeek::RecordValPtr IPv6_Hdr::ToVal(zeek::VectorValPtr chain) const
case 0: case 0:
{ {
auto m = zeek::make_intrusive<zeek::RecordVal>(ip6_mob_brr_type); auto m = zeek::make_intrusive<zeek::RecordVal>(ip6_mob_brr_type);
m->Assign(0, val_mgr->Count(ntohs(*((uint16_t*)msg_data)))); m->Assign(0, zeek::val_mgr->Count(ntohs(*((uint16_t*)msg_data))));
off += sizeof(uint16_t); off += sizeof(uint16_t);
m->Assign(1, BuildOptionsVal(data + off, Length() - off)); m->Assign(1, BuildOptionsVal(data + off, Length() - off));
msg->Assign(1, std::move(m)); msg->Assign(1, std::move(m));
@ -198,8 +198,8 @@ zeek::RecordValPtr IPv6_Hdr::ToVal(zeek::VectorValPtr chain) const
case 1: case 1:
{ {
auto m = zeek::make_intrusive<zeek::RecordVal>(ip6_mobility_hoti_type); auto m = zeek::make_intrusive<zeek::RecordVal>(ip6_mobility_hoti_type);
m->Assign(0, val_mgr->Count(ntohs(*((uint16_t*)msg_data)))); m->Assign(0, zeek::val_mgr->Count(ntohs(*((uint16_t*)msg_data))));
m->Assign(1, val_mgr->Count(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t)))))); m->Assign(1, zeek::val_mgr->Count(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t))))));
off += sizeof(uint16_t) + sizeof(uint64_t); off += sizeof(uint16_t) + sizeof(uint64_t);
m->Assign(2, BuildOptionsVal(data + off, Length() - off)); m->Assign(2, BuildOptionsVal(data + off, Length() - off));
msg->Assign(2, std::move(m)); msg->Assign(2, std::move(m));
@ -209,8 +209,8 @@ zeek::RecordValPtr IPv6_Hdr::ToVal(zeek::VectorValPtr chain) const
case 2: case 2:
{ {
auto m = zeek::make_intrusive<zeek::RecordVal>(ip6_mobility_coti_type); auto m = zeek::make_intrusive<zeek::RecordVal>(ip6_mobility_coti_type);
m->Assign(0, val_mgr->Count(ntohs(*((uint16_t*)msg_data)))); m->Assign(0, zeek::val_mgr->Count(ntohs(*((uint16_t*)msg_data))));
m->Assign(1, val_mgr->Count(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t)))))); m->Assign(1, zeek::val_mgr->Count(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t))))));
off += sizeof(uint16_t) + sizeof(uint64_t); off += sizeof(uint16_t) + sizeof(uint64_t);
m->Assign(2, BuildOptionsVal(data + off, Length() - off)); m->Assign(2, BuildOptionsVal(data + off, Length() - off));
msg->Assign(3, std::move(m)); msg->Assign(3, std::move(m));
@ -220,9 +220,9 @@ zeek::RecordValPtr IPv6_Hdr::ToVal(zeek::VectorValPtr chain) const
case 3: case 3:
{ {
auto m = zeek::make_intrusive<zeek::RecordVal>(ip6_mobility_hot_type); auto m = zeek::make_intrusive<zeek::RecordVal>(ip6_mobility_hot_type);
m->Assign(0, val_mgr->Count(ntohs(*((uint16_t*)msg_data)))); m->Assign(0, zeek::val_mgr->Count(ntohs(*((uint16_t*)msg_data))));
m->Assign(1, val_mgr->Count(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t)))))); m->Assign(1, zeek::val_mgr->Count(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t))))));
m->Assign(2, val_mgr->Count(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t) + sizeof(uint64_t)))))); m->Assign(2, zeek::val_mgr->Count(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t) + sizeof(uint64_t))))));
off += sizeof(uint16_t) + 2 * sizeof(uint64_t); off += sizeof(uint16_t) + 2 * sizeof(uint64_t);
m->Assign(3, BuildOptionsVal(data + off, Length() - off)); m->Assign(3, BuildOptionsVal(data + off, Length() - off));
msg->Assign(4, std::move(m)); msg->Assign(4, std::move(m));
@ -232,9 +232,9 @@ zeek::RecordValPtr IPv6_Hdr::ToVal(zeek::VectorValPtr chain) const
case 4: case 4:
{ {
auto m = zeek::make_intrusive<zeek::RecordVal>(ip6_mobility_cot_type); auto m = zeek::make_intrusive<zeek::RecordVal>(ip6_mobility_cot_type);
m->Assign(0, val_mgr->Count(ntohs(*((uint16_t*)msg_data)))); m->Assign(0, zeek::val_mgr->Count(ntohs(*((uint16_t*)msg_data))));
m->Assign(1, val_mgr->Count(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t)))))); m->Assign(1, zeek::val_mgr->Count(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t))))));
m->Assign(2, val_mgr->Count(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t) + sizeof(uint64_t)))))); m->Assign(2, zeek::val_mgr->Count(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t) + sizeof(uint64_t))))));
off += sizeof(uint16_t) + 2 * sizeof(uint64_t); off += sizeof(uint16_t) + 2 * sizeof(uint64_t);
m->Assign(3, BuildOptionsVal(data + off, Length() - off)); m->Assign(3, BuildOptionsVal(data + off, Length() - off));
msg->Assign(5, std::move(m)); msg->Assign(5, std::move(m));
@ -244,12 +244,12 @@ zeek::RecordValPtr IPv6_Hdr::ToVal(zeek::VectorValPtr chain) const
case 5: case 5:
{ {
auto m = zeek::make_intrusive<zeek::RecordVal>(ip6_mobility_bu_type); auto m = zeek::make_intrusive<zeek::RecordVal>(ip6_mobility_bu_type);
m->Assign(0, val_mgr->Count(ntohs(*((uint16_t*)msg_data)))); m->Assign(0, zeek::val_mgr->Count(ntohs(*((uint16_t*)msg_data))));
m->Assign(1, val_mgr->Bool(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))) & 0x8000)); m->Assign(1, zeek::val_mgr->Bool(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))) & 0x8000));
m->Assign(2, val_mgr->Bool(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))) & 0x4000)); m->Assign(2, zeek::val_mgr->Bool(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))) & 0x4000));
m->Assign(3, val_mgr->Bool(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))) & 0x2000)); m->Assign(3, zeek::val_mgr->Bool(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))) & 0x2000));
m->Assign(4, val_mgr->Bool(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))) & 0x1000)); m->Assign(4, zeek::val_mgr->Bool(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))) & 0x1000));
m->Assign(5, val_mgr->Count(ntohs(*((uint16_t*)(msg_data + 2*sizeof(uint16_t)))))); m->Assign(5, zeek::val_mgr->Count(ntohs(*((uint16_t*)(msg_data + 2*sizeof(uint16_t))))));
off += 3 * sizeof(uint16_t); off += 3 * sizeof(uint16_t);
m->Assign(6, BuildOptionsVal(data + off, Length() - off)); m->Assign(6, BuildOptionsVal(data + off, Length() - off));
msg->Assign(6, std::move(m)); msg->Assign(6, std::move(m));
@ -259,10 +259,10 @@ zeek::RecordValPtr IPv6_Hdr::ToVal(zeek::VectorValPtr chain) const
case 6: case 6:
{ {
auto m = zeek::make_intrusive<zeek::RecordVal>(ip6_mobility_back_type); auto m = zeek::make_intrusive<zeek::RecordVal>(ip6_mobility_back_type);
m->Assign(0, val_mgr->Count(*((uint8_t*)msg_data))); m->Assign(0, zeek::val_mgr->Count(*((uint8_t*)msg_data)));
m->Assign(1, val_mgr->Bool(*((uint8_t*)(msg_data + sizeof(uint8_t))) & 0x80)); m->Assign(1, zeek::val_mgr->Bool(*((uint8_t*)(msg_data + sizeof(uint8_t))) & 0x80));
m->Assign(2, val_mgr->Count(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))))); m->Assign(2, zeek::val_mgr->Count(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t))))));
m->Assign(3, val_mgr->Count(ntohs(*((uint16_t*)(msg_data + 2*sizeof(uint16_t)))))); m->Assign(3, zeek::val_mgr->Count(ntohs(*((uint16_t*)(msg_data + 2*sizeof(uint16_t))))));
off += 3 * sizeof(uint16_t); off += 3 * sizeof(uint16_t);
m->Assign(4, BuildOptionsVal(data + off, Length() - off)); m->Assign(4, BuildOptionsVal(data + off, Length() - off));
msg->Assign(7, std::move(m)); msg->Assign(7, std::move(m));
@ -272,7 +272,7 @@ zeek::RecordValPtr IPv6_Hdr::ToVal(zeek::VectorValPtr chain) const
case 7: case 7:
{ {
auto m = zeek::make_intrusive<zeek::RecordVal>(ip6_mobility_be_type); auto m = zeek::make_intrusive<zeek::RecordVal>(ip6_mobility_be_type);
m->Assign(0, val_mgr->Count(*((uint8_t*)msg_data))); m->Assign(0, zeek::val_mgr->Count(*((uint8_t*)msg_data)));
const in6_addr* hoa = (const in6_addr*)(msg_data + sizeof(uint16_t)); const in6_addr* hoa = (const in6_addr*)(msg_data + sizeof(uint16_t));
m->Assign(1, zeek::make_intrusive<zeek::AddrVal>(IPAddr(*hoa))); m->Assign(1, zeek::make_intrusive<zeek::AddrVal>(IPAddr(*hoa)));
off += sizeof(uint16_t) + sizeof(in6_addr); off += sizeof(uint16_t) + sizeof(in6_addr);
@ -334,12 +334,12 @@ zeek::RecordValPtr IP_Hdr::ToIPHdrVal() const
{ {
static auto ip4_hdr_type = zeek::id::find_type<zeek::RecordType>("ip4_hdr"); static auto ip4_hdr_type = zeek::id::find_type<zeek::RecordType>("ip4_hdr");
rval = zeek::make_intrusive<zeek::RecordVal>(ip4_hdr_type); rval = zeek::make_intrusive<zeek::RecordVal>(ip4_hdr_type);
rval->Assign(0, val_mgr->Count(ip4->ip_hl * 4)); rval->Assign(0, zeek::val_mgr->Count(ip4->ip_hl * 4));
rval->Assign(1, val_mgr->Count(ip4->ip_tos)); rval->Assign(1, zeek::val_mgr->Count(ip4->ip_tos));
rval->Assign(2, val_mgr->Count(ntohs(ip4->ip_len))); rval->Assign(2, zeek::val_mgr->Count(ntohs(ip4->ip_len)));
rval->Assign(3, val_mgr->Count(ntohs(ip4->ip_id))); rval->Assign(3, zeek::val_mgr->Count(ntohs(ip4->ip_id)));
rval->Assign(4, val_mgr->Count(ip4->ip_ttl)); rval->Assign(4, zeek::val_mgr->Count(ip4->ip_ttl));
rval->Assign(5, val_mgr->Count(ip4->ip_p)); rval->Assign(5, zeek::val_mgr->Count(ip4->ip_p));
rval->Assign(6, zeek::make_intrusive<zeek::AddrVal>(ip4->ip_src.s_addr)); rval->Assign(6, zeek::make_intrusive<zeek::AddrVal>(ip4->ip_src.s_addr));
rval->Assign(7, zeek::make_intrusive<zeek::AddrVal>(ip4->ip_dst.s_addr)); rval->Assign(7, zeek::make_intrusive<zeek::AddrVal>(ip4->ip_dst.s_addr));
} }
@ -391,15 +391,15 @@ zeek::RecordValPtr IP_Hdr::ToPktHdrVal(zeek::RecordValPtr pkt_hdr, int sindex) c
int tcp_hdr_len = tp->th_off * 4; int tcp_hdr_len = tp->th_off * 4;
int data_len = PayloadLen() - tcp_hdr_len; int data_len = PayloadLen() - tcp_hdr_len;
tcp_hdr->Assign(0, val_mgr->Port(ntohs(tp->th_sport), TRANSPORT_TCP)); tcp_hdr->Assign(0, zeek::val_mgr->Port(ntohs(tp->th_sport), TRANSPORT_TCP));
tcp_hdr->Assign(1, val_mgr->Port(ntohs(tp->th_dport), TRANSPORT_TCP)); tcp_hdr->Assign(1, zeek::val_mgr->Port(ntohs(tp->th_dport), TRANSPORT_TCP));
tcp_hdr->Assign(2, val_mgr->Count(uint32_t(ntohl(tp->th_seq)))); tcp_hdr->Assign(2, zeek::val_mgr->Count(uint32_t(ntohl(tp->th_seq))));
tcp_hdr->Assign(3, val_mgr->Count(uint32_t(ntohl(tp->th_ack)))); tcp_hdr->Assign(3, zeek::val_mgr->Count(uint32_t(ntohl(tp->th_ack))));
tcp_hdr->Assign(4, val_mgr->Count(tcp_hdr_len)); tcp_hdr->Assign(4, zeek::val_mgr->Count(tcp_hdr_len));
tcp_hdr->Assign(5, val_mgr->Count(data_len)); tcp_hdr->Assign(5, zeek::val_mgr->Count(data_len));
tcp_hdr->Assign(6, val_mgr->Count(tp->th_x2)); tcp_hdr->Assign(6, zeek::val_mgr->Count(tp->th_x2));
tcp_hdr->Assign(7, val_mgr->Count(tp->th_flags)); tcp_hdr->Assign(7, zeek::val_mgr->Count(tp->th_flags));
tcp_hdr->Assign(8, val_mgr->Count(ntohs(tp->th_win))); tcp_hdr->Assign(8, zeek::val_mgr->Count(ntohs(tp->th_win)));
pkt_hdr->Assign(sindex + 2, std::move(tcp_hdr)); pkt_hdr->Assign(sindex + 2, std::move(tcp_hdr));
break; break;
@ -410,9 +410,9 @@ zeek::RecordValPtr IP_Hdr::ToPktHdrVal(zeek::RecordValPtr pkt_hdr, int sindex) c
const struct udphdr* up = (const struct udphdr*) data; const struct udphdr* up = (const struct udphdr*) data;
auto udp_hdr = zeek::make_intrusive<zeek::RecordVal>(udp_hdr_type); auto udp_hdr = zeek::make_intrusive<zeek::RecordVal>(udp_hdr_type);
udp_hdr->Assign(0, val_mgr->Port(ntohs(up->uh_sport), TRANSPORT_UDP)); udp_hdr->Assign(0, zeek::val_mgr->Port(ntohs(up->uh_sport), TRANSPORT_UDP));
udp_hdr->Assign(1, val_mgr->Port(ntohs(up->uh_dport), TRANSPORT_UDP)); udp_hdr->Assign(1, zeek::val_mgr->Port(ntohs(up->uh_dport), TRANSPORT_UDP));
udp_hdr->Assign(2, val_mgr->Count(ntohs(up->uh_ulen))); udp_hdr->Assign(2, zeek::val_mgr->Count(ntohs(up->uh_ulen)));
pkt_hdr->Assign(sindex + 3, std::move(udp_hdr)); pkt_hdr->Assign(sindex + 3, std::move(udp_hdr));
break; break;
@ -423,7 +423,7 @@ zeek::RecordValPtr IP_Hdr::ToPktHdrVal(zeek::RecordValPtr pkt_hdr, int sindex) c
const struct icmp* icmpp = (const struct icmp *) data; const struct icmp* icmpp = (const struct icmp *) data;
auto icmp_hdr = zeek::make_intrusive<zeek::RecordVal>(icmp_hdr_type); auto icmp_hdr = zeek::make_intrusive<zeek::RecordVal>(icmp_hdr_type);
icmp_hdr->Assign(0, val_mgr->Count(icmpp->icmp_type)); icmp_hdr->Assign(0, zeek::val_mgr->Count(icmpp->icmp_type));
pkt_hdr->Assign(sindex + 4, std::move(icmp_hdr)); pkt_hdr->Assign(sindex + 4, std::move(icmp_hdr));
break; break;
@ -434,7 +434,7 @@ zeek::RecordValPtr IP_Hdr::ToPktHdrVal(zeek::RecordValPtr pkt_hdr, int sindex) c
const struct icmp6_hdr* icmpp = (const struct icmp6_hdr*) data; const struct icmp6_hdr* icmpp = (const struct icmp6_hdr*) data;
auto icmp_hdr = zeek::make_intrusive<zeek::RecordVal>(icmp_hdr_type); auto icmp_hdr = zeek::make_intrusive<zeek::RecordVal>(icmp_hdr_type);
icmp_hdr->Assign(0, val_mgr->Count(icmpp->icmp6_type)); icmp_hdr->Assign(0, zeek::val_mgr->Count(icmpp->icmp6_type));
pkt_hdr->Assign(sindex + 4, std::move(icmp_hdr)); pkt_hdr->Assign(sindex + 4, std::move(icmp_hdr));
break; break;
@ -693,7 +693,7 @@ zeek::VectorValPtr IPv6_Hdr_Chain::ToVal() const
auto v = chain[i]->ToVal(); auto v = chain[i]->ToVal();
auto ext_hdr = zeek::make_intrusive<zeek::RecordVal>(ip6_ext_hdr_type); auto ext_hdr = zeek::make_intrusive<zeek::RecordVal>(ip6_ext_hdr_type);
uint8_t type = chain[i]->Type(); uint8_t type = chain[i]->Type();
ext_hdr->Assign(0, val_mgr->Count(type)); ext_hdr->Assign(0, zeek::val_mgr->Count(type));
switch (type) { switch (type) {
case IPPROTO_HOPOPTS: case IPPROTO_HOPOPTS:

10
src/OpaqueVal.cc
View file

@ -174,7 +174,7 @@ bool HashVal::Init()
StringValPtr HashVal::Get() StringValPtr HashVal::Get()
{ {
if ( ! valid ) if ( ! valid )
return val_mgr->EmptyString(); return zeek::val_mgr->EmptyString();
auto result = DoGet(); auto result = DoGet();
valid = false; valid = false;
@ -205,7 +205,7 @@ bool HashVal::DoFeed(const void*, size_t)
StringValPtr HashVal::DoGet() StringValPtr HashVal::DoGet()
{ {
assert(! "missing implementation of DoGet()"); assert(! "missing implementation of DoGet()");
return val_mgr->EmptyString(); return zeek::val_mgr->EmptyString();
} }
HashVal::HashVal(zeek::OpaqueTypePtr t) : OpaqueVal(std::move(t)) HashVal::HashVal(zeek::OpaqueTypePtr t) : OpaqueVal(std::move(t))
@ -280,7 +280,7 @@ bool MD5Val::DoFeed(const void* data, size_t size)
StringValPtr MD5Val::DoGet() StringValPtr MD5Val::DoGet()
{ {
if ( ! IsValid() ) if ( ! IsValid() )
return val_mgr->EmptyString(); return zeek::val_mgr->EmptyString();
u_char digest[MD5_DIGEST_LENGTH]; u_char digest[MD5_DIGEST_LENGTH];
hash_final(ctx, digest); hash_final(ctx, digest);
@ -400,7 +400,7 @@ bool SHA1Val::DoFeed(const void* data, size_t size)
StringValPtr SHA1Val::DoGet() StringValPtr SHA1Val::DoGet()
{ {
if ( ! IsValid() ) if ( ! IsValid() )
return val_mgr->EmptyString(); return zeek::val_mgr->EmptyString();
u_char digest[SHA_DIGEST_LENGTH]; u_char digest[SHA_DIGEST_LENGTH];
hash_final(ctx, digest); hash_final(ctx, digest);
@ -523,7 +523,7 @@ bool SHA256Val::DoFeed(const void* data, size_t size)
StringValPtr SHA256Val::DoGet() StringValPtr SHA256Val::DoGet()
{ {
if ( ! IsValid() ) if ( ! IsValid() )
return val_mgr->EmptyString(); return zeek::val_mgr->EmptyString();
u_char digest[SHA256_DIGEST_LENGTH]; u_char digest[SHA256_DIGEST_LENGTH];
hash_final(ctx, digest); hash_final(ctx, digest);

2
src/RuleAction.cc
View file

@ -24,7 +24,7 @@ void RuleActionEvent::DoAction(const Rule* parent, RuleEndpointState* state,
mgr.Enqueue(signature_match, mgr.Enqueue(signature_match,
zeek::IntrusivePtr{zeek::AdoptRef{}, rule_matcher->BuildRuleStateValue(parent, state)}, zeek::IntrusivePtr{zeek::AdoptRef{}, rule_matcher->BuildRuleStateValue(parent, state)},
zeek::make_intrusive<zeek::StringVal>(msg), zeek::make_intrusive<zeek::StringVal>(msg),
data ? zeek::make_intrusive<zeek::StringVal>(len, (const char*)data) : val_mgr->EmptyString() data ? zeek::make_intrusive<zeek::StringVal>(len, (const char*)data) : zeek::val_mgr->EmptyString()
); );
} }

2
src/RuleCondition.cc
View file

@ -175,7 +175,7 @@ bool RuleConditionEval::DoMatch(Rule* rule, RuleEndpointState* state,
if ( data ) if ( data )
args.emplace_back(zeek::make_intrusive<zeek::StringVal>(len, (const char*) data)); args.emplace_back(zeek::make_intrusive<zeek::StringVal>(len, (const char*) data));
else else
args.emplace_back(val_mgr->EmptyString()); args.emplace_back(zeek::val_mgr->EmptyString());
bool result = false; bool result = false;

4
src/RuleMatcher.cc
View file

@ -85,8 +85,8 @@ zeek::Val* RuleMatcher::BuildRuleStateValue(const Rule* rule,
auto* val = new zeek::RecordVal(signature_state); auto* val = new zeek::RecordVal(signature_state);
val->Assign(0, zeek::make_intrusive<zeek::StringVal>(rule->ID())); val->Assign(0, zeek::make_intrusive<zeek::StringVal>(rule->ID()));
val->Assign(1, state->GetAnalyzer()->ConnVal()); val->Assign(1, state->GetAnalyzer()->ConnVal());
val->Assign(2, val_mgr->Bool(state->is_orig)); val->Assign(2, zeek::val_mgr->Bool(state->is_orig));
val->Assign(3, val_mgr->Count(state->payload_size)); val->Assign(3, zeek::val_mgr->Count(state->payload_size));
return val; return val;
} }

4
src/SmithWaterman.cc
View file

@ -82,13 +82,13 @@ zeek::VectorVal* BroSubstring::VecToPolicy(Vec* vec)
auto align_val = zeek::make_intrusive<zeek::RecordVal>(sw_align_type); auto align_val = zeek::make_intrusive<zeek::RecordVal>(sw_align_type);
align_val->Assign(0, zeek::make_intrusive<zeek::StringVal>(new zeek::BroString(*align.string))); align_val->Assign(0, zeek::make_intrusive<zeek::StringVal>(new zeek::BroString(*align.string)));
align_val->Assign(1, val_mgr->Count(align.index)); align_val->Assign(1, zeek::val_mgr->Count(align.index));
aligns->Assign(j + 1, std::move(align_val)); aligns->Assign(j + 1, std::move(align_val));
} }
st_val->Assign(1, std::move(aligns)); st_val->Assign(1, std::move(aligns));
st_val->Assign(2, val_mgr->Bool(bst->IsNewAlignment())); st_val->Assign(2, zeek::val_mgr->Bool(bst->IsNewAlignment()));
result->Assign(i + 1, std::move(st_val)); result->Assign(i + 1, std::move(st_val));
} }
} }

4
src/Stats.cc
View file

@ -314,7 +314,7 @@ void ProfileLogger::Log()
{ {
mgr.Dispatch(new Event(profiling_update, { mgr.Dispatch(new Event(profiling_update, {
zeek::make_intrusive<zeek::Val>(zeek::IntrusivePtr{zeek::NewRef{}, file}), zeek::make_intrusive<zeek::Val>(zeek::IntrusivePtr{zeek::NewRef{}, file}),
val_mgr->Bool(expensive), zeek::val_mgr->Bool(expensive),
})); }));
} }
} }
@ -372,7 +372,7 @@ void SampleLogger::SegmentProfile(const char* /* name */,
mgr.Enqueue(load_sample, mgr.Enqueue(load_sample,
zeek::IntrusivePtr{zeek::NewRef{}, load_samples}, zeek::IntrusivePtr{zeek::NewRef{}, load_samples},
zeek::make_intrusive<zeek::IntervalVal>(dtime, Seconds), zeek::make_intrusive<zeek::IntervalVal>(dtime, Seconds),
val_mgr->Int(dmem) zeek::val_mgr->Int(dmem)
); );
} }

2
src/Stmt.cc
View file

@ -1234,7 +1234,7 @@ ValPtr ForStmt::DoExec(Frame* f, Val* v, stmt_flow_type& flow) const
// Set the loop variable to the current index, and make // Set the loop variable to the current index, and make
// another pass over the loop body. // another pass over the loop body.
f->SetElement((*loop_vars)[0], val_mgr->Count(i)); f->SetElement((*loop_vars)[0], zeek::val_mgr->Count(i));
flow = FLOW_NEXT; flow = FLOW_NEXT;
ret = body->Exec(f, flow); ret = body->Exec(f, flow);

4
src/TunnelEncapsulation.cc
View file

@ -22,9 +22,9 @@ zeek::RecordValPtr EncapsulatingConn::ToVal() const
auto id_val = zeek::make_intrusive<zeek::RecordVal>(zeek::id::conn_id); auto id_val = zeek::make_intrusive<zeek::RecordVal>(zeek::id::conn_id);
id_val->Assign(0, zeek::make_intrusive<zeek::AddrVal>(src_addr)); id_val->Assign(0, zeek::make_intrusive<zeek::AddrVal>(src_addr));
id_val->Assign(1, val_mgr->Port(ntohs(src_port), proto)); id_val->Assign(1, zeek::val_mgr->Port(ntohs(src_port), proto));
id_val->Assign(2, zeek::make_intrusive<zeek::AddrVal>(dst_addr)); id_val->Assign(2, zeek::make_intrusive<zeek::AddrVal>(dst_addr));
id_val->Assign(3, val_mgr->Port(ntohs(dst_port), proto)); id_val->Assign(3, zeek::val_mgr->Port(ntohs(dst_port), proto));
rv->Assign(0, std::move(id_val)); rv->Assign(0, std::move(id_val));
rv->Assign(1, zeek::BifType::Enum::Tunnel::Type->GetVal(type)); rv->Assign(1, zeek::BifType::Enum::Tunnel::Type->GetVal(type));

2
src/Type.cc
View file

@ -814,7 +814,7 @@ TableValPtr RecordType::GetRecordFieldsVal(const RecordVal* rv) const
string s = container_type_name(ft.get()); string s = container_type_name(ft.get());
nr->Assign(0, zeek::make_intrusive<zeek::StringVal>(s)); nr->Assign(0, zeek::make_intrusive<zeek::StringVal>(s));
nr->Assign(1, val_mgr->Bool(logged)); nr->Assign(1, zeek::val_mgr->Bool(logged));
nr->Assign(2, std::move(fv)); nr->Assign(2, std::move(fv));
nr->Assign(3, FieldDefault(i)); nr->Assign(3, FieldDefault(i));
auto field_name = zeek::make_intrusive<zeek::StringVal>(FieldName(i)); auto field_name = zeek::make_intrusive<zeek::StringVal>(FieldName(i));

36
src/Val.cc
View file

@ -265,19 +265,19 @@ ValPtr Val::SizeVal() const
// Return abs value. However abs() only works on ints and llabs // Return abs value. However abs() only works on ints and llabs
// doesn't work on Mac OS X 10.5. So we do it by hand // doesn't work on Mac OS X 10.5. So we do it by hand
if ( val.int_val < 0 ) if ( val.int_val < 0 )
return val_mgr->Count(-val.int_val); return zeek::val_mgr->Count(-val.int_val);
else else
return val_mgr->Count(val.int_val); return zeek::val_mgr->Count(val.int_val);
case TYPE_INTERNAL_UNSIGNED: case TYPE_INTERNAL_UNSIGNED:
return val_mgr->Count(val.uint_val); return zeek::val_mgr->Count(val.uint_val);
case TYPE_INTERNAL_DOUBLE: case TYPE_INTERNAL_DOUBLE:
return make_intrusive<zeek::DoubleVal>(fabs(val.double_val)); return make_intrusive<zeek::DoubleVal>(fabs(val.double_val));
case TYPE_INTERNAL_OTHER: case TYPE_INTERNAL_OTHER:
if ( type->Tag() == TYPE_FUNC ) if ( type->Tag() == TYPE_FUNC )
return val_mgr->Count(val.func_val->GetType()->ParamList()->GetTypes().size()); return zeek::val_mgr->Count(val.func_val->GetType()->ParamList()->GetTypes().size());
if ( type->Tag() == TYPE_FILE ) if ( type->Tag() == TYPE_FILE )
return make_intrusive<zeek::DoubleVal>(val.file_val->Size()); return make_intrusive<zeek::DoubleVal>(val.file_val->Size());
@ -287,7 +287,7 @@ ValPtr Val::SizeVal() const
break; break;
} }
return val_mgr->Count(0); return zeek::val_mgr->Count(0);
} }
unsigned int Val::MemoryAllocation() const unsigned int Val::MemoryAllocation() const
@ -743,7 +743,7 @@ void IntervalVal::ValDescribe(ODesc* d) const
ValPtr PortVal::SizeVal() const ValPtr PortVal::SizeVal() const
{ {
return val_mgr->Int(val.uint_val); return zeek::val_mgr->Int(val.uint_val);
} }
uint32_t PortVal::Mask(uint32_t port_num, TransportProto port_type) uint32_t PortVal::Mask(uint32_t port_num, TransportProto port_type)
@ -862,9 +862,9 @@ unsigned int AddrVal::MemoryAllocation() const
ValPtr AddrVal::SizeVal() const ValPtr AddrVal::SizeVal() const
{ {
if ( val.addr_val->GetFamily() == IPv4 ) if ( val.addr_val->GetFamily() == IPv4 )
return val_mgr->Count(32); return zeek::val_mgr->Count(32);
else else
return val_mgr->Count(128); return zeek::val_mgr->Count(128);
} }
ValPtr AddrVal::DoClone(CloneState* state) ValPtr AddrVal::DoClone(CloneState* state)
@ -990,7 +990,7 @@ StringVal::StringVal(const string& s) : StringVal(s.length(), s.data())
ValPtr StringVal::SizeVal() const ValPtr StringVal::SizeVal() const
{ {
return val_mgr->Count(val.string_val->Len()); return zeek::val_mgr->Count(val.string_val->Len());
} }
int StringVal::Len() int StringVal::Len()
@ -1201,7 +1201,7 @@ ListVal::~ListVal()
ValPtr ListVal::SizeVal() const ValPtr ListVal::SizeVal() const
{ {
return val_mgr->Count(vals.size()); return zeek::val_mgr->Count(vals.size());
} }
RE_Matcher* ListVal::BuildRE() const RE_Matcher* ListVal::BuildRE() const
@ -1580,7 +1580,7 @@ bool TableVal::Assign(Val* index, HashKey* k, Val* new_val)
ValPtr TableVal::SizeVal() const ValPtr TableVal::SizeVal() const
{ {
return val_mgr->Count(Size()); return zeek::val_mgr->Count(Size());
} }
bool TableVal::AddTo(Val* val, bool is_first_init) const bool TableVal::AddTo(Val* val, bool is_first_init) const
@ -1904,7 +1904,7 @@ const ValPtr& TableVal::Find(const ValPtr& index)
if ( v->GetVal() ) if ( v->GetVal() )
return v->GetVal(); return v->GetVal();
return val_mgr->True(); return zeek::val_mgr->True();
} }
return Val::nil; return Val::nil;
@ -1928,7 +1928,7 @@ const ValPtr& TableVal::Find(const ValPtr& index)
if ( v->GetVal() ) if ( v->GetVal() )
return v->GetVal(); return v->GetVal();
return val_mgr->True(); return zeek::val_mgr->True();
} }
} }
} }
@ -2752,7 +2752,7 @@ RecordVal::~RecordVal()
ValPtr RecordVal::SizeVal() const ValPtr RecordVal::SizeVal() const
{ {
return val_mgr->Count(GetType()->AsRecordType()->NumFields()); return zeek::val_mgr->Count(GetType()->AsRecordType()->NumFields());
} }
void RecordVal::Assign(int field, ValPtr new_val) void RecordVal::Assign(int field, ValPtr new_val)
@ -3008,7 +3008,7 @@ unsigned int RecordVal::MemoryAllocation() const
ValPtr EnumVal::SizeVal() const ValPtr EnumVal::SizeVal() const
{ {
return val_mgr->Int(val.int_val); return zeek::val_mgr->Int(val.int_val);
} }
void EnumVal::ValDescribe(ODesc* d) const void EnumVal::ValDescribe(ODesc* d) const
@ -3042,7 +3042,7 @@ VectorVal::~VectorVal()
ValPtr VectorVal::SizeVal() const ValPtr VectorVal::SizeVal() const
{ {
return val_mgr->Count(uint32_t(val.vector_val->size())); return zeek::val_mgr->Count(uint32_t(val.vector_val->size()));
} }
bool VectorVal::Assign(unsigned int index, ValPtr element) bool VectorVal::Assign(unsigned int index, ValPtr element)
@ -3258,7 +3258,7 @@ ValPtr check_and_promote(ValPtr v,
return nullptr; return nullptr;
} }
else if ( t_tag == TYPE_INT ) else if ( t_tag == TYPE_INT )
promoted_v = val_mgr->Int(v->CoerceToInt()); promoted_v = zeek::val_mgr->Int(v->CoerceToInt());
else // enum else // enum
{ {
reporter->InternalError("bad internal type in check_and_promote()"); reporter->InternalError("bad internal type in check_and_promote()");
@ -3274,7 +3274,7 @@ ValPtr check_and_promote(ValPtr v,
return nullptr; return nullptr;
} }
else if ( t_tag == TYPE_COUNT || t_tag == TYPE_COUNTER ) else if ( t_tag == TYPE_COUNT || t_tag == TYPE_COUNTER )
promoted_v = val_mgr->Count(v->CoerceToUnsigned()); promoted_v = zeek::val_mgr->Count(v->CoerceToUnsigned());
else // port else // port
{ {
reporter->InternalError("bad internal type in check_and_promote()"); reporter->InternalError("bad internal type in check_and_promote()");

18
src/Val.h
View file

@ -426,28 +426,28 @@ public:
ValManager(); ValManager();
[[deprecated("Remove in v4.1. Use val_mgr->True() instead.")]] [[deprecated("Remove in v4.1. Use zeek::val_mgr->True() instead.")]]
inline Val* GetTrue() const inline Val* GetTrue() const
{ return b_true->Ref(); } { return b_true->Ref(); }
inline const ValPtr& True() const inline const ValPtr& True() const
{ return b_true; } { return b_true; }
[[deprecated("Remove in v4.1. Use val_mgr->False() instead.")]] [[deprecated("Remove in v4.1. Use zeek::val_mgr->False() instead.")]]
inline Val* GetFalse() const inline Val* GetFalse() const
{ return b_false->Ref(); } { return b_false->Ref(); }
inline const ValPtr& False() const inline const ValPtr& False() const
{ return b_false; } { return b_false; }
[[deprecated("Remove in v4.1. Use val_mgr->Bool() instead.")]] [[deprecated("Remove in v4.1. Use zeek::val_mgr->Bool() instead.")]]
inline Val* GetBool(bool b) const inline Val* GetBool(bool b) const
{ return b ? b_true->Ref() : b_false->Ref(); } { return b ? b_true->Ref() : b_false->Ref(); }
inline const ValPtr& Bool(bool b) const inline const ValPtr& Bool(bool b) const
{ return b ? b_true : b_false; } { return b ? b_true : b_false; }
[[deprecated("Remove in v4.1. Use val_mgr->Int() instead.")]] [[deprecated("Remove in v4.1. Use zeek::val_mgr->Int() instead.")]]
inline Val* GetInt(int64_t i) const inline Val* GetInt(int64_t i) const
{ {
return i < PREALLOCATED_INT_LOWEST || i > PREALLOCATED_INT_HIGHEST ? return i < PREALLOCATED_INT_LOWEST || i > PREALLOCATED_INT_HIGHEST ?
@ -460,7 +460,7 @@ public:
Val::MakeInt(i) : ints[i - PREALLOCATED_INT_LOWEST]; Val::MakeInt(i) : ints[i - PREALLOCATED_INT_LOWEST];
} }
[[deprecated("Remove in v4.1. Use val_mgr->Count() instead.")]] [[deprecated("Remove in v4.1. Use zeek::val_mgr->Count() instead.")]]
inline Val* GetCount(uint64_t i) const inline Val* GetCount(uint64_t i) const
{ {
return i >= PREALLOCATED_COUNTS ? Val::MakeCount(i).release() : counts[i]->Ref(); return i >= PREALLOCATED_COUNTS ? Val::MakeCount(i).release() : counts[i]->Ref();
@ -471,21 +471,21 @@ public:
return i >= PREALLOCATED_COUNTS ? Val::MakeCount(i) : counts[i]; return i >= PREALLOCATED_COUNTS ? Val::MakeCount(i) : counts[i];
} }
[[deprecated("Remove in v4.1. Use val_mgr->EmptyString() instead.")]] [[deprecated("Remove in v4.1. Use zeek::val_mgr->EmptyString() instead.")]]
StringVal* GetEmptyString() const; StringVal* GetEmptyString() const;
inline const StringValPtr& EmptyString() const inline const StringValPtr& EmptyString() const
{ return empty_string; } { return empty_string; }
// Port number given in host order. // Port number given in host order.
[[deprecated("Remove in v4.1. Use val_mgr->Port() instead.")]] [[deprecated("Remove in v4.1. Use zeek::val_mgr->Port() instead.")]]
PortVal* GetPort(uint32_t port_num, TransportProto port_type) const; PortVal* GetPort(uint32_t port_num, TransportProto port_type) const;
// Port number given in host order. // Port number given in host order.
const PortValPtr& Port(uint32_t port_num, TransportProto port_type) const; const PortValPtr& Port(uint32_t port_num, TransportProto port_type) const;
// Host-order port number already masked with port space protocol mask. // Host-order port number already masked with port space protocol mask.
[[deprecated("Remove in v4.1. Use val_mgr->Port() instead.")]] [[deprecated("Remove in v4.1. Use zeek::val_mgr->Port() instead.")]]
PortVal* GetPort(uint32_t port_num) const; PortVal* GetPort(uint32_t port_num) const;
// Host-order port number already masked with port space protocol mask. // Host-order port number already masked with port space protocol mask.
@ -1428,4 +1428,4 @@ using IntervalVal [[deprecated("Remove in v4.1. Use zeek::IntervalVal instead.")
using ValManager [[deprecated("Remove in v4.1. Use zeek::ValManager instead.")]] = zeek::ValManager; using ValManager [[deprecated("Remove in v4.1. Use zeek::ValManager instead.")]] = zeek::ValManager;
// Alias for zeek::val_mgr. // Alias for zeek::val_mgr.
extern zeek::ValManager*& val_mgr; extern zeek::ValManager*& val_mgr [[deprecated("Remove in v4.1. Use zeek::val_mgr instead.")]];

4
src/analyzer/Analyzer.cc
View file

@ -702,7 +702,7 @@ void Analyzer::ProtocolConfirmation(Tag arg_tag)
return; return;
const auto& tval = arg_tag ? arg_tag.AsVal() : tag.AsVal(); const auto& tval = arg_tag ? arg_tag.AsVal() : tag.AsVal();
mgr.Enqueue(protocol_confirmation, ConnVal(), tval, val_mgr->Count(id)); mgr.Enqueue(protocol_confirmation, ConnVal(), tval, zeek::val_mgr->Count(id));
} }
void Analyzer::ProtocolViolation(const char* reason, const char* data, int len) void Analyzer::ProtocolViolation(const char* reason, const char* data, int len)
@ -724,7 +724,7 @@ void Analyzer::ProtocolViolation(const char* reason, const char* data, int len)
r = zeek::make_intrusive<zeek::StringVal>(reason); r = zeek::make_intrusive<zeek::StringVal>(reason);
const auto& tval = tag.AsVal(); const auto& tval = tag.AsVal();
mgr.Enqueue(protocol_violation, ConnVal(), tval, val_mgr->Count(id), std::move(r)); mgr.Enqueue(protocol_violation, ConnVal(), tval, zeek::val_mgr->Count(id), std::move(r));
} }
void Analyzer::AddTimer(analyzer_timer_func timer, double t, void Analyzer::AddTimer(analyzer_timer_func timer, double t,

2
src/analyzer/Manager.cc
View file

@ -440,7 +440,7 @@ bool Manager::BuildInitialAnalyzerTree(Connection* conn)
{ {
static auto tcp_content_delivery_ports_orig = zeek::id::find_val<zeek::TableVal>("tcp_content_delivery_ports_orig"); static auto tcp_content_delivery_ports_orig = zeek::id::find_val<zeek::TableVal>("tcp_content_delivery_ports_orig");
static auto tcp_content_delivery_ports_resp = zeek::id::find_val<zeek::TableVal>("tcp_content_delivery_ports_resp"); static auto tcp_content_delivery_ports_resp = zeek::id::find_val<zeek::TableVal>("tcp_content_delivery_ports_resp");
const auto& dport = val_mgr->Port(ntohs(conn->RespPort()), TRANSPORT_TCP); const auto& dport = zeek::val_mgr->Port(ntohs(conn->RespPort()), TRANSPORT_TCP);
if ( ! reass ) if ( ! reass )
reass = (bool)tcp_content_delivery_ports_orig->FindOrDefault(dport); reass = (bool)tcp_content_delivery_ports_orig->FindOrDefault(dport);

8
src/analyzer/analyzer.bif
View file

@ -11,13 +11,13 @@ module Analyzer;
function Analyzer::__enable_analyzer%(id: Analyzer::Tag%) : bool function Analyzer::__enable_analyzer%(id: Analyzer::Tag%) : bool
%{ %{
bool result = analyzer_mgr->EnableAnalyzer(id->AsEnumVal()); bool result = analyzer_mgr->EnableAnalyzer(id->AsEnumVal());
return val_mgr->Bool(result); return zeek::val_mgr->Bool(result);
%} %}
function Analyzer::__disable_analyzer%(id: Analyzer::Tag%) : bool function Analyzer::__disable_analyzer%(id: Analyzer::Tag%) : bool
%{ %{
bool result = analyzer_mgr->DisableAnalyzer(id->AsEnumVal()); bool result = analyzer_mgr->DisableAnalyzer(id->AsEnumVal());
return val_mgr->Bool(result); return zeek::val_mgr->Bool(result);
%} %}
function Analyzer::__disable_all_analyzers%(%) : any function Analyzer::__disable_all_analyzers%(%) : any
@ -29,14 +29,14 @@ function Analyzer::__disable_all_analyzers%(%) : any
function Analyzer::__register_for_port%(id: Analyzer::Tag, p: port%) : bool function Analyzer::__register_for_port%(id: Analyzer::Tag, p: port%) : bool
%{ %{
bool result = analyzer_mgr->RegisterAnalyzerForPort(id->AsEnumVal(), p); bool result = analyzer_mgr->RegisterAnalyzerForPort(id->AsEnumVal(), p);
return val_mgr->Bool(result); return zeek::val_mgr->Bool(result);
%} %}
function Analyzer::__schedule_analyzer%(orig: addr, resp: addr, resp_p: port, function Analyzer::__schedule_analyzer%(orig: addr, resp: addr, resp_p: port,
analyzer: Analyzer::Tag, tout: interval%) : bool analyzer: Analyzer::Tag, tout: interval%) : bool
%{ %{
analyzer_mgr->ScheduleAnalyzer(orig->AsAddr(), resp->AsAddr(), resp_p, analyzer->AsEnumVal(), tout); analyzer_mgr->ScheduleAnalyzer(orig->AsAddr(), resp->AsAddr(), resp_p, analyzer->AsEnumVal(), tout);
return val_mgr->True(); return zeek::val_mgr->True();
%} %}
function __name%(atype: Analyzer::Tag%) : string function __name%(atype: Analyzer::Tag%) : string

10
src/analyzer/protocol/asn1/asn1.pac
View file

@ -113,15 +113,15 @@ zeek::ValPtr asn1_integer_to_val(const ASN1Encoding* i, zeek::TypeTag t)
switch ( t ) { switch ( t ) {
case zeek::TYPE_BOOL: case zeek::TYPE_BOOL:
return val_mgr->Bool(v); return zeek::val_mgr->Bool(v);
case zeek::TYPE_INT: case zeek::TYPE_INT:
return val_mgr->Int(v); return zeek::val_mgr->Int(v);
case zeek::TYPE_COUNT: case zeek::TYPE_COUNT:
case zeek::TYPE_COUNTER: case zeek::TYPE_COUNTER:
return val_mgr->Count(v); return zeek::val_mgr->Count(v);
default: default:
reporter->Error("bad asn1_integer_to_val tag: %s", zeek::type_name(t)); reporter->Error("bad asn1_integer_to_val tag: %s", zeek::type_name(t));
return val_mgr->Count(v); return zeek::val_mgr->Count(v);
} }
} }
@ -152,7 +152,7 @@ zeek::StringValPtr asn1_oid_to_val(const ASN1Encoding* oid)
if ( ! subidentifier.empty() || subidentifiers.size() < 1 ) if ( ! subidentifier.empty() || subidentifiers.size() < 1 )
// Underflow. // Underflow.
return val_mgr->EmptyString(); return zeek::val_mgr->EmptyString();
for ( size_t i = 0; i < subidentifiers.size(); ++i ) for ( size_t i = 0; i < subidentifiers.size(); ++i )
{ {

2
src/analyzer/protocol/bittorrent/BitTorrent.cc
View file

@ -121,6 +121,6 @@ void BitTorrent_Analyzer::DeliverWeird(const char* msg, bool orig)
if ( bittorrent_peer_weird ) if ( bittorrent_peer_weird )
EnqueueConnEvent(bittorrent_peer_weird, EnqueueConnEvent(bittorrent_peer_weird,
ConnVal(), ConnVal(),
val_mgr->Bool(orig), zeek::val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(msg)); zeek::make_intrusive<zeek::StringVal>(msg));
} }

10
src/analyzer/protocol/bittorrent/BitTorrentTracker.cc
View file

@ -247,7 +247,7 @@ void BitTorrentTracker_Analyzer::DeliverWeird(const char* msg, bool orig)
if ( bt_tracker_weird ) if ( bt_tracker_weird )
EnqueueConnEvent(bt_tracker_weird, EnqueueConnEvent(bt_tracker_weird,
ConnVal(), ConnVal(),
val_mgr->Bool(orig), zeek::val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(msg) zeek::make_intrusive<zeek::StringVal>(msg)
); );
} }
@ -403,7 +403,7 @@ bool BitTorrentTracker_Analyzer::ParseResponse(char* line)
EnqueueConnEvent( EnqueueConnEvent(
bt_tracker_response_not_ok, bt_tracker_response_not_ok,
ConnVal(), ConnVal(),
val_mgr->Count(res_status), zeek::val_mgr->Count(res_status),
zeek::IntrusivePtr{zeek::AdoptRef{}, res_val_headers} zeek::IntrusivePtr{zeek::AdoptRef{}, res_val_headers}
); );
res_val_headers = nullptr; res_val_headers = nullptr;
@ -480,7 +480,7 @@ void BitTorrentTracker_Analyzer::ResponseBenc(int name_len, char* name,
auto peer = zeek::make_intrusive<zeek::RecordVal>(bittorrent_peer); auto peer = zeek::make_intrusive<zeek::RecordVal>(bittorrent_peer);
peer->Assign(0, zeek::make_intrusive<zeek::AddrVal>(ad)); peer->Assign(0, zeek::make_intrusive<zeek::AddrVal>(ad));
peer->Assign(1, val_mgr->Port(pt, TRANSPORT_TCP)); peer->Assign(1, zeek::val_mgr->Port(pt, TRANSPORT_TCP));
res_val_peers->Assign(std::move(peer), nullptr); res_val_peers->Assign(std::move(peer), nullptr);
} }
} }
@ -499,7 +499,7 @@ void BitTorrentTracker_Analyzer::ResponseBenc(int name_len, char* name,
auto benc_value = zeek::make_intrusive<zeek::RecordVal>(bittorrent_benc_value); auto benc_value = zeek::make_intrusive<zeek::RecordVal>(bittorrent_benc_value);
auto name_ = zeek::make_intrusive<zeek::StringVal>(name_len, name); auto name_ = zeek::make_intrusive<zeek::StringVal>(name_len, name);
benc_value->Assign(type, val_mgr->Int(value)); benc_value->Assign(type, zeek::val_mgr->Int(value));
res_val_benc->Assign(std::move(name_), std::move(benc_value)); res_val_benc->Assign(std::move(name_), std::move(benc_value));
} }
@ -784,7 +784,7 @@ void BitTorrentTracker_Analyzer::EmitResponse(void)
if ( bt_tracker_response ) if ( bt_tracker_response )
EnqueueConnEvent(bt_tracker_response, EnqueueConnEvent(bt_tracker_response,
ConnVal(), ConnVal(),
val_mgr->Count(res_status), zeek::val_mgr->Count(res_status),
zeek::IntrusivePtr{zeek::AdoptRef{}, res_val_headers}, zeek::IntrusivePtr{zeek::AdoptRef{}, res_val_headers},
zeek::IntrusivePtr{zeek::AdoptRef{}, res_val_peers}, zeek::IntrusivePtr{zeek::AdoptRef{}, res_val_peers},
zeek::IntrusivePtr{zeek::AdoptRef{}, res_val_benc} zeek::IntrusivePtr{zeek::AdoptRef{}, res_val_benc}

2
src/analyzer/protocol/bittorrent/bittorrent-analyzer.pac
View file

@ -221,7 +221,7 @@ flow BitTorrent_Flow(is_orig: bool) {
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), is_orig(),
val_mgr->Port(listen_port, TRANSPORT_TCP)); zeek::val_mgr->Port(listen_port, TRANSPORT_TCP));
} }
return true; return true;

14
src/analyzer/protocol/conn-size/ConnSize.cc
View file

@ -52,8 +52,8 @@ void ConnSize_Analyzer::ThresholdEvent(EventHandlerPtr f, uint64_t threshold, bo
EnqueueConnEvent(f, EnqueueConnEvent(f,
ConnVal(), ConnVal(),
val_mgr->Count(threshold), zeek::val_mgr->Count(threshold),
val_mgr->Bool(is_orig) zeek::val_mgr->Bool(is_orig)
); );
} }
@ -95,7 +95,7 @@ void ConnSize_Analyzer::CheckThresholds(bool is_orig)
EnqueueConnEvent(conn_duration_threshold_crossed, EnqueueConnEvent(conn_duration_threshold_crossed,
ConnVal(), ConnVal(),
zeek::make_intrusive<zeek::IntervalVal>(duration_thresh), zeek::make_intrusive<zeek::IntervalVal>(duration_thresh),
val_mgr->Bool(is_orig) zeek::val_mgr->Bool(is_orig)
); );
duration_thresh = 0; duration_thresh = 0;
} }
@ -183,10 +183,10 @@ void ConnSize_Analyzer::UpdateConnVal(zeek::RecordVal *conn_val)
if ( bytesidx < 0 ) if ( bytesidx < 0 )
reporter->InternalError("'endpoint' record missing 'num_bytes_ip' field"); reporter->InternalError("'endpoint' record missing 'num_bytes_ip' field");
orig_endp->Assign(pktidx, val_mgr->Count(orig_pkts)); orig_endp->Assign(pktidx, zeek::val_mgr->Count(orig_pkts));
orig_endp->Assign(bytesidx, val_mgr->Count(orig_bytes)); orig_endp->Assign(bytesidx, zeek::val_mgr->Count(orig_bytes));
resp_endp->Assign(pktidx, val_mgr->Count(resp_pkts)); resp_endp->Assign(pktidx, zeek::val_mgr->Count(resp_pkts));
resp_endp->Assign(bytesidx, val_mgr->Count(resp_bytes)); resp_endp->Assign(bytesidx, zeek::val_mgr->Count(resp_bytes));
Analyzer::UpdateConnVal(conn_val); Analyzer::UpdateConnVal(conn_val);
} }

20
src/analyzer/protocol/conn-size/functions.bif
View file

@ -35,11 +35,11 @@ function set_current_conn_bytes_threshold%(cid: conn_id, threshold: count, is_or
%{ %{
analyzer::Analyzer* a = GetConnsizeAnalyzer(cid); analyzer::Analyzer* a = GetConnsizeAnalyzer(cid);
if ( ! a ) if ( ! a )
return val_mgr->False(); return zeek::val_mgr->False();
static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->SetByteAndPacketThreshold(threshold, true, is_orig); static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->SetByteAndPacketThreshold(threshold, true, is_orig);
return val_mgr->True(); return zeek::val_mgr->True();
%} %}
## Sets a threshold for connection packets, overwtiting any potential old thresholds. ## Sets a threshold for connection packets, overwtiting any potential old thresholds.
@ -59,11 +59,11 @@ function set_current_conn_packets_threshold%(cid: conn_id, threshold: count, is_
%{ %{
analyzer::Analyzer* a = GetConnsizeAnalyzer(cid); analyzer::Analyzer* a = GetConnsizeAnalyzer(cid);
if ( ! a ) if ( ! a )
return val_mgr->False(); return zeek::val_mgr->False();
static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->SetByteAndPacketThreshold(threshold, false, is_orig); static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->SetByteAndPacketThreshold(threshold, false, is_orig);
return val_mgr->True(); return zeek::val_mgr->True();
%} %}
## Sets the current duration threshold for connection, overwriting any potential old ## Sets the current duration threshold for connection, overwriting any potential old
@ -81,11 +81,11 @@ function set_current_conn_duration_threshold%(cid: conn_id, threshold: interval%
%{ %{
analyzer::Analyzer* a = GetConnsizeAnalyzer(cid); analyzer::Analyzer* a = GetConnsizeAnalyzer(cid);
if ( ! a ) if ( ! a )
return val_mgr->False(); return zeek::val_mgr->False();
static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->SetDurationThreshold(threshold); static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->SetDurationThreshold(threshold);
return val_mgr->True(); return zeek::val_mgr->True();
%} %}
# Gets the current byte threshold size for a connection. # Gets the current byte threshold size for a connection.
@ -103,9 +103,9 @@ function get_current_conn_bytes_threshold%(cid: conn_id, is_orig: bool%): count
%{ %{
analyzer::Analyzer* a = GetConnsizeAnalyzer(cid); analyzer::Analyzer* a = GetConnsizeAnalyzer(cid);
if ( ! a ) if ( ! a )
return val_mgr->Count(0); return zeek::val_mgr->Count(0);
return val_mgr->Count(static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->GetByteAndPacketThreshold(true, is_orig)); return zeek::val_mgr->Count(static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->GetByteAndPacketThreshold(true, is_orig));
%} %}
## Gets the current packet threshold size for a connection. ## Gets the current packet threshold size for a connection.
@ -122,9 +122,9 @@ function get_current_conn_packets_threshold%(cid: conn_id, is_orig: bool%): coun
%{ %{
analyzer::Analyzer* a = GetConnsizeAnalyzer(cid); analyzer::Analyzer* a = GetConnsizeAnalyzer(cid);
if ( ! a ) if ( ! a )
return val_mgr->Count(0); return zeek::val_mgr->Count(0);
return val_mgr->Count(static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->GetByteAndPacketThreshold(false, is_orig)); return zeek::val_mgr->Count(static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->GetByteAndPacketThreshold(false, is_orig));
%} %}
## Gets the current duration threshold size for a connection. ## Gets the current duration threshold size for a connection.

10
src/analyzer/protocol/dhcp/dhcp-analyzer.pac
View file

@ -32,7 +32,7 @@ refine flow DHCP_Flow += {
init_options(); init_options();
if ( code != 255 ) if ( code != 255 )
all_options->Assign(all_options->Size(), val_mgr->Count(code)); all_options->Assign(all_options->Size(), zeek::val_mgr->Count(code));
return true; return true;
%} %}
@ -54,11 +54,11 @@ refine flow DHCP_Flow += {
double secs = static_cast<double>(${msg.secs}); double secs = static_cast<double>(${msg.secs});
auto dhcp_msg_val = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::DHCP::Msg); auto dhcp_msg_val = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::DHCP::Msg);
dhcp_msg_val->Assign(0, val_mgr->Count(${msg.op})); dhcp_msg_val->Assign(0, zeek::val_mgr->Count(${msg.op}));
dhcp_msg_val->Assign(1, val_mgr->Count(${msg.type})); dhcp_msg_val->Assign(1, zeek::val_mgr->Count(${msg.type}));
dhcp_msg_val->Assign(2, val_mgr->Count(${msg.xid})); dhcp_msg_val->Assign(2, zeek::val_mgr->Count(${msg.xid}));
dhcp_msg_val->Assign(3, zeek::make_intrusive<zeek::IntervalVal>(secs)); dhcp_msg_val->Assign(3, zeek::make_intrusive<zeek::IntervalVal>(secs));
dhcp_msg_val->Assign(4, val_mgr->Count(${msg.flags})); dhcp_msg_val->Assign(4, zeek::val_mgr->Count(${msg.flags}));
dhcp_msg_val->Assign(5, zeek::make_intrusive<zeek::AddrVal>(htonl(${msg.ciaddr}))); dhcp_msg_val->Assign(5, zeek::make_intrusive<zeek::AddrVal>(htonl(${msg.ciaddr})));
dhcp_msg_val->Assign(6, zeek::make_intrusive<zeek::AddrVal>(htonl(${msg.yiaddr}))); dhcp_msg_val->Assign(6, zeek::make_intrusive<zeek::AddrVal>(htonl(${msg.yiaddr})));
dhcp_msg_val->Assign(7, zeek::make_intrusive<zeek::AddrVal>(htonl(${msg.siaddr}))); dhcp_msg_val->Assign(7, zeek::make_intrusive<zeek::AddrVal>(htonl(${msg.siaddr})));

20
src/analyzer/protocol/dhcp/dhcp-options.pac
View file

@ -34,7 +34,7 @@ refine casetype OptionValue += {
refine flow DHCP_Flow += { refine flow DHCP_Flow += {
function process_time_offset_option(v: OptionValue): bool function process_time_offset_option(v: OptionValue): bool
%{ %{
${context.flow}->options->Assign(25, val_mgr->Int(${v.time_offset})); ${context.flow}->options->Assign(25, zeek::val_mgr->Int(${v.time_offset}));
return true; return true;
%} %}
}; };
@ -250,7 +250,7 @@ refine casetype OptionValue += {
refine flow DHCP_Flow += { refine flow DHCP_Flow += {
function process_forwarding_option(v: OptionValue): bool function process_forwarding_option(v: OptionValue): bool
%{ %{
${context.flow}->options->Assign(6, val_mgr->Bool(${v.forwarding} == 0 ? false : true)); ${context.flow}->options->Assign(6, zeek::val_mgr->Bool(${v.forwarding} == 0 ? false : true));
return true; return true;
%} %}
@ -469,7 +469,7 @@ refine flow DHCP_Flow += {
for ( int i = 0; i < num_parms; ++i ) for ( int i = 0; i < num_parms; ++i )
{ {
uint8 param = (*plist)[i]; uint8 param = (*plist)[i];
params->Assign(i, val_mgr->Count(param)); params->Assign(i, zeek::val_mgr->Count(param));
} }
${context.flow}->options->Assign(13, std::move(params)); ${context.flow}->options->Assign(13, std::move(params));
@ -521,7 +521,7 @@ refine casetype OptionValue += {
refine flow DHCP_Flow += { refine flow DHCP_Flow += {
function process_max_message_size_option(v: OptionValue): bool function process_max_message_size_option(v: OptionValue): bool
%{ %{
${context.flow}->options->Assign(15, val_mgr->Count(${v.max_msg_size})); ${context.flow}->options->Assign(15, zeek::val_mgr->Count(${v.max_msg_size}));
return true; return true;
%} %}
@ -626,7 +626,7 @@ refine flow DHCP_Flow += {
function process_client_id_option(v: OptionValue): bool function process_client_id_option(v: OptionValue): bool
%{ %{
auto client_id = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::DHCP::ClientID); auto client_id = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::DHCP::ClientID);
client_id->Assign(0, val_mgr->Count(${v.client_id.hwtype})); client_id->Assign(0, zeek::val_mgr->Count(${v.client_id.hwtype}));
zeek::StringValPtr sv; zeek::StringValPtr sv;
if ( ${v.client_id.hwtype} == 0 ) if ( ${v.client_id.hwtype} == 0 )
@ -695,9 +695,9 @@ refine flow DHCP_Flow += {
function process_client_fqdn_option(v: OptionValue): bool function process_client_fqdn_option(v: OptionValue): bool
%{ %{
auto client_fqdn = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::DHCP::ClientFQDN); auto client_fqdn = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::DHCP::ClientFQDN);
client_fqdn->Assign(0, val_mgr->Count(${v.client_fqdn.flags})); client_fqdn->Assign(0, zeek::val_mgr->Count(${v.client_fqdn.flags}));
client_fqdn->Assign(1, val_mgr->Count(${v.client_fqdn.rcode1})); client_fqdn->Assign(1, zeek::val_mgr->Count(${v.client_fqdn.rcode1}));
client_fqdn->Assign(2, val_mgr->Count(${v.client_fqdn.rcode2})); client_fqdn->Assign(2, zeek::val_mgr->Count(${v.client_fqdn.rcode2}));
const char* domain_name = reinterpret_cast<const char*>(${v.client_fqdn.domain_name}.begin()); const char* domain_name = reinterpret_cast<const char*>(${v.client_fqdn.domain_name}.begin());
client_fqdn->Assign(3, zeek::make_intrusive<zeek::StringVal>(${v.client_fqdn.domain_name}.length(), domain_name)); client_fqdn->Assign(3, zeek::make_intrusive<zeek::StringVal>(${v.client_fqdn.domain_name}.length(), domain_name));
@ -760,7 +760,7 @@ refine flow DHCP_Flow += {
ptrsubopt != ${v.relay_agent_inf}->end(); ++ptrsubopt ) ptrsubopt != ${v.relay_agent_inf}->end(); ++ptrsubopt )
{ {
auto r = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::DHCP::SubOpt); auto r = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::DHCP::SubOpt);
r->Assign(0, val_mgr->Count((*ptrsubopt)->code())); r->Assign(0, zeek::val_mgr->Count((*ptrsubopt)->code()));
r->Assign(1, to_stringval((*ptrsubopt)->value())); r->Assign(1, to_stringval((*ptrsubopt)->value()));
relay_agent_sub_opt->Assign(i, std::move(r)); relay_agent_sub_opt->Assign(i, std::move(r));
@ -790,7 +790,7 @@ refine casetype OptionValue += {
refine flow DHCP_Flow += { refine flow DHCP_Flow += {
function process_auto_config_option(v: OptionValue): bool function process_auto_config_option(v: OptionValue): bool
%{ %{
${context.flow}->options->Assign(23, val_mgr->Bool(${v.auto_config} == 0 ? false : true)); ${context.flow}->options->Assign(23, zeek::val_mgr->Bool(${v.auto_config} == 0 ? false : true));
return true; return true;
%} %}

122
src/analyzer/protocol/dns/DNS.cc
View file

@ -50,9 +50,9 @@ void DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query)
if ( dns_message ) if ( dns_message )
analyzer->EnqueueConnEvent(dns_message, analyzer->EnqueueConnEvent(dns_message,
analyzer->ConnVal(), analyzer->ConnVal(),
val_mgr->Bool(is_query), zeek::val_mgr->Bool(is_query),
msg.BuildHdrVal(), msg.BuildHdrVal(),
val_mgr->Count(len) zeek::val_mgr->Count(len)
); );
// There is a great deal of non-DNS traffic that runs on port 53. // There is a great deal of non-DNS traffic that runs on port 53.
@ -606,7 +606,7 @@ bool DNS_Interpreter::ParseRR_SOA(DNS_MsgInfo* msg,
auto r = zeek::make_intrusive<zeek::RecordVal>(dns_soa); auto r = zeek::make_intrusive<zeek::RecordVal>(dns_soa);
r->Assign(0, zeek::make_intrusive<zeek::StringVal>(new zeek::BroString(mname, mname_end - mname, true))); r->Assign(0, zeek::make_intrusive<zeek::StringVal>(new zeek::BroString(mname, mname_end - mname, true)));
r->Assign(1, zeek::make_intrusive<zeek::StringVal>(new zeek::BroString(rname, rname_end - rname, true))); r->Assign(1, zeek::make_intrusive<zeek::StringVal>(new zeek::BroString(rname, rname_end - rname, true)));
r->Assign(2, val_mgr->Count(serial)); r->Assign(2, zeek::val_mgr->Count(serial));
r->Assign(3, zeek::make_intrusive<zeek::IntervalVal>(double(refresh), Seconds)); r->Assign(3, zeek::make_intrusive<zeek::IntervalVal>(double(refresh), Seconds));
r->Assign(4, zeek::make_intrusive<zeek::IntervalVal>(double(retry), Seconds)); r->Assign(4, zeek::make_intrusive<zeek::IntervalVal>(double(retry), Seconds));
r->Assign(5, zeek::make_intrusive<zeek::IntervalVal>(double(expire), Seconds)); r->Assign(5, zeek::make_intrusive<zeek::IntervalVal>(double(expire), Seconds));
@ -647,7 +647,7 @@ bool DNS_Interpreter::ParseRR_MX(DNS_MsgInfo* msg,
msg->BuildHdrVal(), msg->BuildHdrVal(),
msg->BuildAnswerVal(), msg->BuildAnswerVal(),
zeek::make_intrusive<zeek::StringVal>(new zeek::BroString(name, name_end - name, true)), zeek::make_intrusive<zeek::StringVal>(new zeek::BroString(name, name_end - name, true)),
val_mgr->Count(preference) zeek::val_mgr->Count(preference)
); );
return true; return true;
@ -688,9 +688,9 @@ bool DNS_Interpreter::ParseRR_SRV(DNS_MsgInfo* msg,
msg->BuildHdrVal(), msg->BuildHdrVal(),
msg->BuildAnswerVal(), msg->BuildAnswerVal(),
zeek::make_intrusive<zeek::StringVal>(new zeek::BroString(name, name_end - name, true)), zeek::make_intrusive<zeek::StringVal>(new zeek::BroString(name, name_end - name, true)),
val_mgr->Count(priority), zeek::val_mgr->Count(priority),
val_mgr->Count(weight), zeek::val_mgr->Count(weight),
val_mgr->Count(port) zeek::val_mgr->Count(port)
); );
return true; return true;
@ -1379,7 +1379,7 @@ bool DNS_Interpreter::ParseRR_CAA(DNS_MsgInfo* msg,
analyzer->ConnVal(), analyzer->ConnVal(),
msg->BuildHdrVal(), msg->BuildHdrVal(),
msg->BuildAnswerVal(), msg->BuildAnswerVal(),
val_mgr->Count(flags), zeek::val_mgr->Count(flags),
zeek::make_intrusive<zeek::StringVal>(tag), zeek::make_intrusive<zeek::StringVal>(tag),
zeek::make_intrusive<zeek::StringVal>(value) zeek::make_intrusive<zeek::StringVal>(value)
); );
@ -1408,8 +1408,8 @@ void DNS_Interpreter::SendReplyOrRejectEvent(DNS_MsgInfo* msg,
analyzer->ConnVal(), analyzer->ConnVal(),
msg->BuildHdrVal(), msg->BuildHdrVal(),
zeek::make_intrusive<zeek::StringVal>(question_name), zeek::make_intrusive<zeek::StringVal>(question_name),
val_mgr->Count(qtype), zeek::val_mgr->Count(qtype),
val_mgr->Count(qclass), zeek::val_mgr->Count(qclass),
zeek::make_intrusive<zeek::StringVal>(original_name) zeek::make_intrusive<zeek::StringVal>(original_name)
); );
} }
@ -1451,19 +1451,19 @@ zeek::RecordValPtr DNS_MsgInfo::BuildHdrVal()
static auto dns_msg = zeek::id::find_type<zeek::RecordType>("dns_msg"); static auto dns_msg = zeek::id::find_type<zeek::RecordType>("dns_msg");
auto r = zeek::make_intrusive<zeek::RecordVal>(dns_msg); auto r = zeek::make_intrusive<zeek::RecordVal>(dns_msg);
r->Assign(0, val_mgr->Count(id)); r->Assign(0, zeek::val_mgr->Count(id));
r->Assign(1, val_mgr->Count(opcode)); r->Assign(1, zeek::val_mgr->Count(opcode));
r->Assign(2, val_mgr->Count(rcode)); r->Assign(2, zeek::val_mgr->Count(rcode));
r->Assign(3, val_mgr->Bool(QR)); r->Assign(3, zeek::val_mgr->Bool(QR));
r->Assign(4, val_mgr->Bool(AA)); r->Assign(4, zeek::val_mgr->Bool(AA));
r->Assign(5, val_mgr->Bool(TC)); r->Assign(5, zeek::val_mgr->Bool(TC));
r->Assign(6, val_mgr->Bool(RD)); r->Assign(6, zeek::val_mgr->Bool(RD));
r->Assign(7, val_mgr->Bool(RA)); r->Assign(7, zeek::val_mgr->Bool(RA));
r->Assign(8, val_mgr->Count(Z)); r->Assign(8, zeek::val_mgr->Count(Z));
r->Assign(9, val_mgr->Count(qdcount)); r->Assign(9, zeek::val_mgr->Count(qdcount));
r->Assign(10, val_mgr->Count(ancount)); r->Assign(10, zeek::val_mgr->Count(ancount));
r->Assign(11, val_mgr->Count(nscount)); r->Assign(11, zeek::val_mgr->Count(nscount));
r->Assign(12, val_mgr->Count(arcount)); r->Assign(12, zeek::val_mgr->Count(arcount));
return r; return r;
} }
@ -1473,10 +1473,10 @@ zeek::RecordValPtr DNS_MsgInfo::BuildAnswerVal()
static auto dns_answer = zeek::id::find_type<zeek::RecordType>("dns_answer"); static auto dns_answer = zeek::id::find_type<zeek::RecordType>("dns_answer");
auto r = zeek::make_intrusive<zeek::RecordVal>(dns_answer); auto r = zeek::make_intrusive<zeek::RecordVal>(dns_answer);
r->Assign(0, val_mgr->Count(int(answer_type))); r->Assign(0, zeek::val_mgr->Count(int(answer_type)));
r->Assign(1, query_name); r->Assign(1, query_name);
r->Assign(2, val_mgr->Count(atype)); r->Assign(2, zeek::val_mgr->Count(atype));
r->Assign(3, val_mgr->Count(aclass)); r->Assign(3, zeek::val_mgr->Count(aclass));
r->Assign(4, zeek::make_intrusive<zeek::IntervalVal>(double(ttl), Seconds)); r->Assign(4, zeek::make_intrusive<zeek::IntervalVal>(double(ttl), Seconds));
return r; return r;
@ -1489,14 +1489,14 @@ zeek::RecordValPtr DNS_MsgInfo::BuildEDNS_Val()
static auto dns_edns_additional = zeek::id::find_type<zeek::RecordType>("dns_edns_additional"); static auto dns_edns_additional = zeek::id::find_type<zeek::RecordType>("dns_edns_additional");
auto r = zeek::make_intrusive<zeek::RecordVal>(dns_edns_additional); auto r = zeek::make_intrusive<zeek::RecordVal>(dns_edns_additional);
r->Assign(0, val_mgr->Count(int(answer_type))); r->Assign(0, zeek::val_mgr->Count(int(answer_type)));
r->Assign(1, query_name); r->Assign(1, query_name);
// type = 0x29 or 41 = EDNS // type = 0x29 or 41 = EDNS
r->Assign(2, val_mgr->Count(atype)); r->Assign(2, zeek::val_mgr->Count(atype));
// sender's UDP payload size, per RFC 2671 4.3 // sender's UDP payload size, per RFC 2671 4.3
r->Assign(3, val_mgr->Count(aclass)); r->Assign(3, zeek::val_mgr->Count(aclass));
// Need to break the TTL field into three components: // Need to break the TTL field into three components:
// initial: [------------- ttl (32) ---------------------] // initial: [------------- ttl (32) ---------------------]
@ -1509,11 +1509,11 @@ zeek::RecordValPtr DNS_MsgInfo::BuildEDNS_Val()
unsigned int return_error = (ercode << 8) | rcode; unsigned int return_error = (ercode << 8) | rcode;
r->Assign(4, val_mgr->Count(return_error)); r->Assign(4, zeek::val_mgr->Count(return_error));
r->Assign(5, val_mgr->Count(version)); r->Assign(5, zeek::val_mgr->Count(version));
r->Assign(6, val_mgr->Count(z)); r->Assign(6, zeek::val_mgr->Count(z));
r->Assign(7, zeek::make_intrusive<zeek::IntervalVal>(double(ttl), Seconds)); r->Assign(7, zeek::make_intrusive<zeek::IntervalVal>(double(ttl), Seconds));
r->Assign(8, val_mgr->Count(is_query)); r->Assign(8, zeek::val_mgr->Count(is_query));
return r; return r;
} }
@ -1524,16 +1524,16 @@ zeek::RecordValPtr DNS_MsgInfo::BuildTSIG_Val(struct TSIG_DATA* tsig)
auto r = zeek::make_intrusive<zeek::RecordVal>(dns_tsig_additional); auto r = zeek::make_intrusive<zeek::RecordVal>(dns_tsig_additional);
double rtime = tsig->time_s + tsig->time_ms / 1000.0; double rtime = tsig->time_s + tsig->time_ms / 1000.0;
// r->Assign(0, val_mgr->Count(int(answer_type))); // r->Assign(0, zeek::val_mgr->Count(int(answer_type)));
r->Assign(0, query_name); r->Assign(0, query_name);
r->Assign(1, val_mgr->Count(int(answer_type))); r->Assign(1, zeek::val_mgr->Count(int(answer_type)));
r->Assign(2, zeek::make_intrusive<zeek::StringVal>(tsig->alg_name)); r->Assign(2, zeek::make_intrusive<zeek::StringVal>(tsig->alg_name));
r->Assign(3, zeek::make_intrusive<zeek::StringVal>(tsig->sig)); r->Assign(3, zeek::make_intrusive<zeek::StringVal>(tsig->sig));
r->Assign(4, zeek::make_intrusive<zeek::TimeVal>(rtime)); r->Assign(4, zeek::make_intrusive<zeek::TimeVal>(rtime));
r->Assign(5, zeek::make_intrusive<zeek::TimeVal>(double(tsig->fudge))); r->Assign(5, zeek::make_intrusive<zeek::TimeVal>(double(tsig->fudge)));
r->Assign(6, val_mgr->Count(tsig->orig_id)); r->Assign(6, zeek::val_mgr->Count(tsig->orig_id));
r->Assign(7, val_mgr->Count(tsig->rr_error)); r->Assign(7, zeek::val_mgr->Count(tsig->rr_error));
r->Assign(8, val_mgr->Count(is_query)); r->Assign(8, zeek::val_mgr->Count(is_query));
return r; return r;
} }
@ -1544,17 +1544,17 @@ zeek::RecordValPtr DNS_MsgInfo::BuildRRSIG_Val(RRSIG_DATA* rrsig)
auto r = zeek::make_intrusive<zeek::RecordVal>(dns_rrsig_rr); auto r = zeek::make_intrusive<zeek::RecordVal>(dns_rrsig_rr);
r->Assign(0, query_name); r->Assign(0, query_name);
r->Assign(1, val_mgr->Count(int(answer_type))); r->Assign(1, zeek::val_mgr->Count(int(answer_type)));
r->Assign(2, val_mgr->Count(rrsig->type_covered)); r->Assign(2, zeek::val_mgr->Count(rrsig->type_covered));
r->Assign(3, val_mgr->Count(rrsig->algorithm)); r->Assign(3, zeek::val_mgr->Count(rrsig->algorithm));
r->Assign(4, val_mgr->Count(rrsig->labels)); r->Assign(4, zeek::val_mgr->Count(rrsig->labels));
r->Assign(5, zeek::make_intrusive<zeek::IntervalVal>(double(rrsig->orig_ttl), Seconds)); r->Assign(5, zeek::make_intrusive<zeek::IntervalVal>(double(rrsig->orig_ttl), Seconds));
r->Assign(6, zeek::make_intrusive<zeek::TimeVal>(double(rrsig->sig_exp))); r->Assign(6, zeek::make_intrusive<zeek::TimeVal>(double(rrsig->sig_exp)));
r->Assign(7, zeek::make_intrusive<zeek::TimeVal>(double(rrsig->sig_incep))); r->Assign(7, zeek::make_intrusive<zeek::TimeVal>(double(rrsig->sig_incep)));
r->Assign(8, val_mgr->Count(rrsig->key_tag)); r->Assign(8, zeek::val_mgr->Count(rrsig->key_tag));
r->Assign(9, zeek::make_intrusive<zeek::StringVal>(rrsig->signer_name)); r->Assign(9, zeek::make_intrusive<zeek::StringVal>(rrsig->signer_name));
r->Assign(10, zeek::make_intrusive<zeek::StringVal>(rrsig->signature)); r->Assign(10, zeek::make_intrusive<zeek::StringVal>(rrsig->signature));
r->Assign(11, val_mgr->Count(is_query)); r->Assign(11, zeek::val_mgr->Count(is_query));
return r; return r;
} }
@ -1565,12 +1565,12 @@ zeek::RecordValPtr DNS_MsgInfo::BuildDNSKEY_Val(DNSKEY_DATA* dnskey)
auto r = zeek::make_intrusive<zeek::RecordVal>(dns_dnskey_rr); auto r = zeek::make_intrusive<zeek::RecordVal>(dns_dnskey_rr);
r->Assign(0, query_name); r->Assign(0, query_name);
r->Assign(1, val_mgr->Count(int(answer_type))); r->Assign(1, zeek::val_mgr->Count(int(answer_type)));
r->Assign(2, val_mgr->Count(dnskey->dflags)); r->Assign(2, zeek::val_mgr->Count(dnskey->dflags));
r->Assign(3, val_mgr->Count(dnskey->dprotocol)); r->Assign(3, zeek::val_mgr->Count(dnskey->dprotocol));
r->Assign(4, val_mgr->Count(dnskey->dalgorithm)); r->Assign(4, zeek::val_mgr->Count(dnskey->dalgorithm));
r->Assign(5, zeek::make_intrusive<zeek::StringVal>(dnskey->public_key)); r->Assign(5, zeek::make_intrusive<zeek::StringVal>(dnskey->public_key));
r->Assign(6, val_mgr->Count(is_query)); r->Assign(6, zeek::val_mgr->Count(is_query));
return r; return r;
} }
@ -1581,16 +1581,16 @@ zeek::RecordValPtr DNS_MsgInfo::BuildNSEC3_Val(NSEC3_DATA* nsec3)
auto r = zeek::make_intrusive<zeek::RecordVal>(dns_nsec3_rr); auto r = zeek::make_intrusive<zeek::RecordVal>(dns_nsec3_rr);
r->Assign(0, query_name); r->Assign(0, query_name);
r->Assign(1, val_mgr->Count(int(answer_type))); r->Assign(1, zeek::val_mgr->Count(int(answer_type)));
r->Assign(2, val_mgr->Count(nsec3->nsec_flags)); r->Assign(2, zeek::val_mgr->Count(nsec3->nsec_flags));
r->Assign(3, val_mgr->Count(nsec3->nsec_hash_algo)); r->Assign(3, zeek::val_mgr->Count(nsec3->nsec_hash_algo));
r->Assign(4, val_mgr->Count(nsec3->nsec_iter)); r->Assign(4, zeek::val_mgr->Count(nsec3->nsec_iter));
r->Assign(5, val_mgr->Count(nsec3->nsec_salt_len)); r->Assign(5, zeek::val_mgr->Count(nsec3->nsec_salt_len));
r->Assign(6, zeek::make_intrusive<zeek::StringVal>(nsec3->nsec_salt)); r->Assign(6, zeek::make_intrusive<zeek::StringVal>(nsec3->nsec_salt));
r->Assign(7, val_mgr->Count(nsec3->nsec_hlen)); r->Assign(7, zeek::val_mgr->Count(nsec3->nsec_hlen));
r->Assign(8, zeek::make_intrusive<zeek::StringVal>(nsec3->nsec_hash)); r->Assign(8, zeek::make_intrusive<zeek::StringVal>(nsec3->nsec_hash));
r->Assign(9, std::move(nsec3->bitmaps)); r->Assign(9, std::move(nsec3->bitmaps));
r->Assign(10, val_mgr->Count(is_query)); r->Assign(10, zeek::val_mgr->Count(is_query));
return r; return r;
} }
@ -1601,12 +1601,12 @@ zeek::RecordValPtr DNS_MsgInfo::BuildDS_Val(DS_DATA* ds)
auto r = zeek::make_intrusive<zeek::RecordVal>(dns_ds_rr); auto r = zeek::make_intrusive<zeek::RecordVal>(dns_ds_rr);
r->Assign(0, query_name); r->Assign(0, query_name);
r->Assign(1, val_mgr->Count(int(answer_type))); r->Assign(1, zeek::val_mgr->Count(int(answer_type)));
r->Assign(2, val_mgr->Count(ds->key_tag)); r->Assign(2, zeek::val_mgr->Count(ds->key_tag));
r->Assign(3, val_mgr->Count(ds->algorithm)); r->Assign(3, zeek::val_mgr->Count(ds->algorithm));
r->Assign(4, val_mgr->Count(ds->digest_type)); r->Assign(4, zeek::val_mgr->Count(ds->digest_type));
r->Assign(5, zeek::make_intrusive<zeek::StringVal>(ds->digest_val)); r->Assign(5, zeek::make_intrusive<zeek::StringVal>(ds->digest_val));
r->Assign(6, val_mgr->Count(is_query)); r->Assign(6, zeek::val_mgr->Count(is_query));
return r; return r;
} }

2
src/analyzer/protocol/finger/Finger.cc
View file

@ -69,7 +69,7 @@ void Finger_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig
if ( finger_request ) if ( finger_request )
EnqueueConnEvent(finger_request, EnqueueConnEvent(finger_request,
ConnVal(), ConnVal(),
val_mgr->Bool(long_cnt), zeek::val_mgr->Bool(long_cnt),
zeek::make_intrusive<zeek::StringVal>(at - line, line), zeek::make_intrusive<zeek::StringVal>(at - line, line),
zeek::make_intrusive<zeek::StringVal>(end_of_line - host, host) zeek::make_intrusive<zeek::StringVal>(end_of_line - host, host)
); );

4
src/analyzer/protocol/ftp/FTP.cc
View file

@ -177,9 +177,9 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
vl = { vl = {
ConnVal(), ConnVal(),
val_mgr->Count(reply_code), zeek::val_mgr->Count(reply_code),
zeek::make_intrusive<zeek::StringVal>(end_of_line - line, line), zeek::make_intrusive<zeek::StringVal>(end_of_line - line, line),
val_mgr->Bool(cont_resp) zeek::val_mgr->Bool(cont_resp)
}; };
f = ftp_reply; f = ftp_reply;

14
src/analyzer/protocol/ftp/functions.bif
View file

@ -34,14 +34,14 @@ static zeek::ValPtr parse_port(const char* line)
} }
r->Assign(0, zeek::make_intrusive<zeek::AddrVal>(htonl(addr))); r->Assign(0, zeek::make_intrusive<zeek::AddrVal>(htonl(addr)));
r->Assign(1, val_mgr->Port(port, TRANSPORT_TCP)); r->Assign(1, zeek::val_mgr->Port(port, TRANSPORT_TCP));
r->Assign(2, val_mgr->Bool(good)); r->Assign(2, zeek::val_mgr->Bool(good));
} }
else else
{ {
r->Assign(0, zeek::make_intrusive<zeek::AddrVal>(uint32_t(0))); r->Assign(0, zeek::make_intrusive<zeek::AddrVal>(uint32_t(0)));
r->Assign(1, val_mgr->Port(0, TRANSPORT_TCP)); r->Assign(1, zeek::val_mgr->Port(0, TRANSPORT_TCP));
r->Assign(2, val_mgr->False()); r->Assign(2, zeek::val_mgr->False());
} }
return r; return r;
@ -110,8 +110,8 @@ static zeek::ValPtr parse_eftp(const char* line)
} }
r->Assign(0, zeek::make_intrusive<zeek::AddrVal>(addr)); r->Assign(0, zeek::make_intrusive<zeek::AddrVal>(addr));
r->Assign(1, val_mgr->Port(port, TRANSPORT_TCP)); r->Assign(1, zeek::val_mgr->Port(port, TRANSPORT_TCP));
r->Assign(2, val_mgr->Bool(good)); r->Assign(2, zeek::val_mgr->Bool(good));
return r; return r;
} }
@ -215,6 +215,6 @@ function fmt_ftp_port%(a: addr, p: port%): string
{ {
zeek::emit_builtin_error("conversion of non-IPv4 address in fmt_ftp_port", zeek::emit_builtin_error("conversion of non-IPv4 address in fmt_ftp_port",
@ARG@[0]); @ARG@[0]);
return val_mgr->EmptyString(); return zeek::val_mgr->EmptyString();
} }
%} %}

22
src/analyzer/protocol/gnutella/Gnutella.cc
View file

@ -74,8 +74,8 @@ void Gnutella_Analyzer::Done()
EnqueueConnEvent(gnutella_partial_binary_msg, EnqueueConnEvent(gnutella_partial_binary_msg,
ConnVal(), ConnVal(),
zeek::make_intrusive<zeek::StringVal>(p->msg), zeek::make_intrusive<zeek::StringVal>(p->msg),
val_mgr->Bool((i == 0)), zeek::val_mgr->Bool((i == 0)),
val_mgr->Count(p->msg_pos)); zeek::val_mgr->Count(p->msg_pos));
else if ( ! p->msg_sent && p->payload_left ) else if ( ! p->msg_sent && p->payload_left )
SendEvents(p, (i == 0)); SendEvents(p, (i == 0));
@ -177,7 +177,7 @@ void Gnutella_Analyzer::DeliverLines(int len, const u_char* data, bool orig)
if ( gnutella_text_msg ) if ( gnutella_text_msg )
EnqueueConnEvent(gnutella_text_msg, EnqueueConnEvent(gnutella_text_msg,
ConnVal(), ConnVal(),
val_mgr->Bool(orig), zeek::val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(ms->headers.data())); zeek::make_intrusive<zeek::StringVal>(ms->headers.data()));
ms->headers = ""; ms->headers = "";
@ -214,15 +214,15 @@ void Gnutella_Analyzer::SendEvents(GnutellaMsgState* p, bool is_orig)
if ( gnutella_binary_msg ) if ( gnutella_binary_msg )
EnqueueConnEvent(gnutella_binary_msg, EnqueueConnEvent(gnutella_binary_msg,
ConnVal(), ConnVal(),
val_mgr->Bool(is_orig), zeek::val_mgr->Bool(is_orig),
val_mgr->Count(p->msg_type), zeek::val_mgr->Count(p->msg_type),
val_mgr->Count(p->msg_ttl), zeek::val_mgr->Count(p->msg_ttl),
val_mgr->Count(p->msg_hops), zeek::val_mgr->Count(p->msg_hops),
val_mgr->Count(p->msg_len), zeek::val_mgr->Count(p->msg_len),
zeek::make_intrusive<zeek::StringVal>(p->payload), zeek::make_intrusive<zeek::StringVal>(p->payload),
val_mgr->Count(p->payload_len), zeek::val_mgr->Count(p->payload_len),
val_mgr->Bool((p->payload_len < std::min(p->msg_len, (unsigned int)GNUTELLA_MAX_PAYLOAD))), zeek::val_mgr->Bool((p->payload_len < std::min(p->msg_len, (unsigned int)GNUTELLA_MAX_PAYLOAD))),
val_mgr->Bool((p->payload_left == 0))); zeek::val_mgr->Bool((p->payload_left == 0)));
} }

66
src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac
View file

@ -8,21 +8,21 @@ zeek::RecordValPtr BuildGTPv1Hdr(const GTPv1_Header* pdu)
{ {
auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::gtpv1_hdr); auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::gtpv1_hdr);
rv->Assign(0, val_mgr->Count(pdu->version())); rv->Assign(0, zeek::val_mgr->Count(pdu->version()));
rv->Assign(1, val_mgr->Bool(pdu->pt_flag())); rv->Assign(1, zeek::val_mgr->Bool(pdu->pt_flag()));
rv->Assign(2, val_mgr->Bool(pdu->rsv())); rv->Assign(2, zeek::val_mgr->Bool(pdu->rsv()));
rv->Assign(3, val_mgr->Bool(pdu->e_flag())); rv->Assign(3, zeek::val_mgr->Bool(pdu->e_flag()));
rv->Assign(4, val_mgr->Bool(pdu->s_flag())); rv->Assign(4, zeek::val_mgr->Bool(pdu->s_flag()));
rv->Assign(5, val_mgr->Bool(pdu->pn_flag())); rv->Assign(5, zeek::val_mgr->Bool(pdu->pn_flag()));
rv->Assign(6, val_mgr->Count(pdu->msg_type())); rv->Assign(6, zeek::val_mgr->Count(pdu->msg_type()));
rv->Assign(7, val_mgr->Count(pdu->length())); rv->Assign(7, zeek::val_mgr->Count(pdu->length()));
rv->Assign(8, val_mgr->Count(pdu->teid())); rv->Assign(8, zeek::val_mgr->Count(pdu->teid()));
if ( pdu->has_opt() ) if ( pdu->has_opt() )
{ {
rv->Assign(9, val_mgr->Count(pdu->opt_hdr()->seq())); rv->Assign(9, zeek::val_mgr->Count(pdu->opt_hdr()->seq()));
rv->Assign(10, val_mgr->Count(pdu->opt_hdr()->n_pdu())); rv->Assign(10, zeek::val_mgr->Count(pdu->opt_hdr()->n_pdu()));
rv->Assign(11, val_mgr->Count(pdu->opt_hdr()->next_type())); rv->Assign(11, zeek::val_mgr->Count(pdu->opt_hdr()->next_type()));
} }
return rv; return rv;
@ -30,64 +30,64 @@ zeek::RecordValPtr BuildGTPv1Hdr(const GTPv1_Header* pdu)
static zeek::ValPtr BuildIMSI(const InformationElement* ie) static zeek::ValPtr BuildIMSI(const InformationElement* ie)
{ {
return val_mgr->Count(ie->imsi()->value()); return zeek::val_mgr->Count(ie->imsi()->value());
} }
static zeek::ValPtr BuildRAI(const InformationElement* ie) static zeek::ValPtr BuildRAI(const InformationElement* ie)
{ {
auto ev = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::gtp_rai); auto ev = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::gtp_rai);
ev->Assign(0, val_mgr->Count(ie->rai()->mcc())); ev->Assign(0, zeek::val_mgr->Count(ie->rai()->mcc()));
ev->Assign(1, val_mgr->Count(ie->rai()->mnc())); ev->Assign(1, zeek::val_mgr->Count(ie->rai()->mnc()));
ev->Assign(2, val_mgr->Count(ie->rai()->lac())); ev->Assign(2, zeek::val_mgr->Count(ie->rai()->lac()));
ev->Assign(3, val_mgr->Count(ie->rai()->rac())); ev->Assign(3, zeek::val_mgr->Count(ie->rai()->rac()));
return ev; return ev;
} }
static zeek::ValPtr BuildRecovery(const InformationElement* ie) static zeek::ValPtr BuildRecovery(const InformationElement* ie)
{ {
return val_mgr->Count(ie->recovery()->restart_counter()); return zeek::val_mgr->Count(ie->recovery()->restart_counter());
} }
static zeek::ValPtr BuildSelectionMode(const InformationElement* ie) static zeek::ValPtr BuildSelectionMode(const InformationElement* ie)
{ {
return val_mgr->Count(ie->selection_mode()->mode()); return zeek::val_mgr->Count(ie->selection_mode()->mode());
} }
static zeek::ValPtr BuildTEID1(const InformationElement* ie) static zeek::ValPtr BuildTEID1(const InformationElement* ie)
{ {
return val_mgr->Count(ie->teid1()->value()); return zeek::val_mgr->Count(ie->teid1()->value());
} }
static zeek::ValPtr BuildTEID_ControlPlane(const InformationElement* ie) static zeek::ValPtr BuildTEID_ControlPlane(const InformationElement* ie)
{ {
return val_mgr->Count(ie->teidcp()->value()); return zeek::val_mgr->Count(ie->teidcp()->value());
} }
static zeek::ValPtr BuildNSAPI(const InformationElement* ie) static zeek::ValPtr BuildNSAPI(const InformationElement* ie)
{ {
return val_mgr->Count(ie->nsapi()->nsapi()); return zeek::val_mgr->Count(ie->nsapi()->nsapi());
} }
static zeek::ValPtr BuildChargingCharacteristics(const InformationElement* ie) static zeek::ValPtr BuildChargingCharacteristics(const InformationElement* ie)
{ {
return val_mgr->Count(ie->charging_characteristics()->value()); return zeek::val_mgr->Count(ie->charging_characteristics()->value());
} }
static zeek::ValPtr BuildTraceReference(const InformationElement* ie) static zeek::ValPtr BuildTraceReference(const InformationElement* ie)
{ {
return val_mgr->Count(ie->trace_reference()->value()); return zeek::val_mgr->Count(ie->trace_reference()->value());
} }
static zeek::ValPtr BuildTraceType(const InformationElement* ie) static zeek::ValPtr BuildTraceType(const InformationElement* ie)
{ {
return val_mgr->Count(ie->trace_type()->value()); return zeek::val_mgr->Count(ie->trace_type()->value());
} }
zeek::ValPtr BuildEndUserAddr(const InformationElement* ie) zeek::ValPtr BuildEndUserAddr(const InformationElement* ie)
{ {
auto ev = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::gtp_end_user_addr); auto ev = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::gtp_end_user_addr);
ev->Assign(0, val_mgr->Count(ie->end_user_addr()->pdp_type_org())); ev->Assign(0, zeek::val_mgr->Count(ie->end_user_addr()->pdp_type_org()));
ev->Assign(1, val_mgr->Count(ie->end_user_addr()->pdp_type_num())); ev->Assign(1, zeek::val_mgr->Count(ie->end_user_addr()->pdp_type_num()));
int len = ie->end_user_addr()->pdp_addr().length(); int len = ie->end_user_addr()->pdp_addr().length();
@ -161,7 +161,7 @@ zeek::ValPtr BuildQoS_Profile(const InformationElement* ie)
const u_char* d = (const u_char*) ie->qos_profile()->data().data(); const u_char* d = (const u_char*) ie->qos_profile()->data().data();
int len = ie->qos_profile()->data().length(); int len = ie->qos_profile()->data().length();
ev->Assign(0, val_mgr->Count(ie->qos_profile()->alloc_retention_priority())); ev->Assign(0, zeek::val_mgr->Count(ie->qos_profile()->alloc_retention_priority()));
ev->Assign(1, zeek::make_intrusive<zeek::StringVal>(new zeek::BroString(d, len, false))); ev->Assign(1, zeek::make_intrusive<zeek::StringVal>(new zeek::BroString(d, len, false)));
return ev; return ev;
@ -195,7 +195,7 @@ zeek::ValPtr BuildPrivateExt(const InformationElement* ie)
const uint8* d = ie->private_ext()->value().data(); const uint8* d = ie->private_ext()->value().data();
int len = ie->private_ext()->value().length(); int len = ie->private_ext()->value().length();
ev->Assign(0, val_mgr->Count(ie->private_ext()->id())); ev->Assign(0, zeek::val_mgr->Count(ie->private_ext()->id()));
ev->Assign(1, zeek::make_intrusive<zeek::StringVal>(new zeek::BroString((const u_char*) d, len, false))); ev->Assign(1, zeek::make_intrusive<zeek::StringVal>(new zeek::BroString((const u_char*) d, len, false)));
return ev; return ev;
@ -203,17 +203,17 @@ zeek::ValPtr BuildPrivateExt(const InformationElement* ie)
static zeek::ValPtr BuildCause(const InformationElement* ie) static zeek::ValPtr BuildCause(const InformationElement* ie)
{ {
return val_mgr->Count(ie->cause()->value()); return zeek::val_mgr->Count(ie->cause()->value());
} }
static zeek::ValPtr BuildReorderReq(const InformationElement* ie) static zeek::ValPtr BuildReorderReq(const InformationElement* ie)
{ {
return val_mgr->Bool(ie->reorder_req()->req()); return zeek::val_mgr->Bool(ie->reorder_req()->req());
} }
static zeek::ValPtr BuildChargingID(const InformationElement* ie) static zeek::ValPtr BuildChargingID(const InformationElement* ie)
{ {
return val_mgr->Count(ie->charging_id()->value());; return zeek::val_mgr->Count(ie->charging_id()->value());;
} }
zeek::ValPtr BuildChargingGatewayAddr(const InformationElement* ie) zeek::ValPtr BuildChargingGatewayAddr(const InformationElement* ie)
@ -230,7 +230,7 @@ zeek::ValPtr BuildChargingGatewayAddr(const InformationElement* ie)
static zeek::ValPtr BuildTeardownInd(const InformationElement* ie) static zeek::ValPtr BuildTeardownInd(const InformationElement* ie)
{ {
return val_mgr->Bool(ie->teardown_ind()->ind()); return zeek::val_mgr->Bool(ie->teardown_ind()->ind());
} }
void CreatePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu) void CreatePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)

30
src/analyzer/protocol/http/HTTP.cc
View file

@ -619,11 +619,11 @@ zeek::RecordValPtr HTTP_Message::BuildMessageStat(bool interrupted, const char*
auto stat = zeek::make_intrusive<zeek::RecordVal>(http_message_stat); auto stat = zeek::make_intrusive<zeek::RecordVal>(http_message_stat);
int field = 0; int field = 0;
stat->Assign(field++, zeek::make_intrusive<zeek::TimeVal>(start_time)); stat->Assign(field++, zeek::make_intrusive<zeek::TimeVal>(start_time));
stat->Assign(field++, val_mgr->Bool(interrupted)); stat->Assign(field++, zeek::val_mgr->Bool(interrupted));
stat->Assign(field++, zeek::make_intrusive<zeek::StringVal>(msg)); stat->Assign(field++, zeek::make_intrusive<zeek::StringVal>(msg));
stat->Assign(field++, val_mgr->Count(body_length)); stat->Assign(field++, zeek::val_mgr->Count(body_length));
stat->Assign(field++, val_mgr->Count(content_gap_length)); stat->Assign(field++, zeek::val_mgr->Count(content_gap_length));
stat->Assign(field++, val_mgr->Count(header_length)); stat->Assign(field++, zeek::val_mgr->Count(header_length));
return stat; return stat;
} }
@ -652,7 +652,7 @@ void HTTP_Message::Done(bool interrupted, const char* detail)
if ( http_message_done ) if ( http_message_done )
GetAnalyzer()->EnqueueConnEvent(http_message_done, GetAnalyzer()->EnqueueConnEvent(http_message_done,
analyzer->ConnVal(), analyzer->ConnVal(),
val_mgr->Bool(is_orig), zeek::val_mgr->Bool(is_orig),
BuildMessageStat(interrupted, detail) BuildMessageStat(interrupted, detail)
); );
@ -683,7 +683,7 @@ void HTTP_Message::BeginEntity(mime::MIME_Entity* entity)
if ( http_begin_entity ) if ( http_begin_entity )
analyzer->EnqueueConnEvent(http_begin_entity, analyzer->EnqueueConnEvent(http_begin_entity,
analyzer->ConnVal(), analyzer->ConnVal(),
val_mgr->Bool(is_orig) zeek::val_mgr->Bool(is_orig)
); );
} }
@ -698,7 +698,7 @@ void HTTP_Message::EndEntity(mime::MIME_Entity* entity)
if ( http_end_entity ) if ( http_end_entity )
analyzer->EnqueueConnEvent(http_end_entity, analyzer->EnqueueConnEvent(http_end_entity,
analyzer->ConnVal(), analyzer->ConnVal(),
val_mgr->Bool(is_orig) zeek::val_mgr->Bool(is_orig)
); );
current_entity = (HTTP_Entity*) entity->Parent(); current_entity = (HTTP_Entity*) entity->Parent();
@ -737,14 +737,14 @@ void HTTP_Message::SubmitAllHeaders(mime::MIME_HeaderList& hlist)
if ( http_all_headers ) if ( http_all_headers )
analyzer->EnqueueConnEvent(http_all_headers, analyzer->EnqueueConnEvent(http_all_headers,
analyzer->ConnVal(), analyzer->ConnVal(),
val_mgr->Bool(is_orig), zeek::val_mgr->Bool(is_orig),
ToHeaderTable(hlist) ToHeaderTable(hlist)
); );
if ( http_content_type ) if ( http_content_type )
analyzer->EnqueueConnEvent(http_content_type, analyzer->EnqueueConnEvent(http_content_type,
analyzer->ConnVal(), analyzer->ConnVal(),
val_mgr->Bool(is_orig), zeek::val_mgr->Bool(is_orig),
current_entity->GetContentType(), current_entity->GetContentType(),
current_entity->GetContentSubType() current_entity->GetContentSubType()
); );
@ -1154,8 +1154,8 @@ void HTTP_Analyzer::GenStats()
{ {
static auto http_stats_rec = zeek::id::find_type<zeek::RecordType>("http_stats_rec"); static auto http_stats_rec = zeek::id::find_type<zeek::RecordType>("http_stats_rec");
auto r = zeek::make_intrusive<zeek::RecordVal>(http_stats_rec); auto r = zeek::make_intrusive<zeek::RecordVal>(http_stats_rec);
r->Assign(0, val_mgr->Count(num_requests)); r->Assign(0, zeek::val_mgr->Count(num_requests));
r->Assign(1, val_mgr->Count(num_replies)); r->Assign(1, zeek::val_mgr->Count(num_replies));
r->Assign(2, zeek::make_intrusive<zeek::DoubleVal>(request_version.ToDouble())); r->Assign(2, zeek::make_intrusive<zeek::DoubleVal>(request_version.ToDouble()));
r->Assign(3, zeek::make_intrusive<zeek::DoubleVal>(reply_version.ToDouble())); r->Assign(3, zeek::make_intrusive<zeek::DoubleVal>(reply_version.ToDouble()));
@ -1408,7 +1408,7 @@ void HTTP_Analyzer::HTTP_Reply()
EnqueueConnEvent(http_reply, EnqueueConnEvent(http_reply,
ConnVal(), ConnVal(),
zeek::make_intrusive<zeek::StringVal>(fmt("%.1f", reply_version.ToDouble())), zeek::make_intrusive<zeek::StringVal>(fmt("%.1f", reply_version.ToDouble())),
val_mgr->Count(reply_code), zeek::val_mgr->Count(reply_code),
reply_reason_phrase ? reply_reason_phrase ?
reply_reason_phrase : reply_reason_phrase :
zeek::make_intrusive<zeek::StringVal>("<empty>") zeek::make_intrusive<zeek::StringVal>("<empty>")
@ -1640,7 +1640,7 @@ void HTTP_Analyzer::HTTP_Header(bool is_orig, mime::MIME_Header* h)
EnqueueConnEvent(http_header, EnqueueConnEvent(http_header,
ConnVal(), ConnVal(),
val_mgr->Bool(is_orig), zeek::val_mgr->Bool(is_orig),
mime::to_string_val(h->get_name()), mime::to_string_val(h->get_name()),
std::move(upper_hn), std::move(upper_hn),
mime::to_string_val(h->get_value()) mime::to_string_val(h->get_value())
@ -1653,8 +1653,8 @@ void HTTP_Analyzer::HTTP_EntityData(bool is_orig, zeek::BroString* entity_data)
if ( http_entity_data ) if ( http_entity_data )
EnqueueConnEvent(http_entity_data, EnqueueConnEvent(http_entity_data,
ConnVal(), ConnVal(),
val_mgr->Bool(is_orig), zeek::val_mgr->Bool(is_orig),
val_mgr->Count(entity_data->Len()), zeek::val_mgr->Count(entity_data->Len()),
zeek::make_intrusive<zeek::StringVal>(entity_data) zeek::make_intrusive<zeek::StringVal>(entity_data)
); );
else else

94
src/analyzer/protocol/icmp/ICMP.cc
View file

@ -229,11 +229,11 @@ zeek::RecordValPtr ICMP_Analyzer::BuildICMPVal(const struct icmp* icmpp, int len
icmp_conn_val->Assign(0, zeek::make_intrusive<zeek::AddrVal>(Conn()->OrigAddr())); icmp_conn_val->Assign(0, zeek::make_intrusive<zeek::AddrVal>(Conn()->OrigAddr()));
icmp_conn_val->Assign(1, zeek::make_intrusive<zeek::AddrVal>(Conn()->RespAddr())); icmp_conn_val->Assign(1, zeek::make_intrusive<zeek::AddrVal>(Conn()->RespAddr()));
icmp_conn_val->Assign(2, val_mgr->Count(icmpp->icmp_type)); icmp_conn_val->Assign(2, zeek::val_mgr->Count(icmpp->icmp_type));
icmp_conn_val->Assign(3, val_mgr->Count(icmpp->icmp_code)); icmp_conn_val->Assign(3, zeek::val_mgr->Count(icmpp->icmp_code));
icmp_conn_val->Assign(4, val_mgr->Count(len)); icmp_conn_val->Assign(4, zeek::val_mgr->Count(len));
icmp_conn_val->Assign(5, val_mgr->Count(ip_hdr->TTL())); icmp_conn_val->Assign(5, zeek::val_mgr->Count(ip_hdr->TTL()));
icmp_conn_val->Assign(6, val_mgr->Bool(icmpv6)); icmp_conn_val->Assign(6, zeek::val_mgr->Bool(icmpv6));
} }
return icmp_conn_val; return icmp_conn_val;
@ -355,18 +355,18 @@ zeek::RecordValPtr ICMP_Analyzer::ExtractICMP4Context(int len, const u_char*& da
auto id_val = zeek::make_intrusive<zeek::RecordVal>(zeek::id::conn_id); auto id_val = zeek::make_intrusive<zeek::RecordVal>(zeek::id::conn_id);
id_val->Assign(0, zeek::make_intrusive<zeek::AddrVal>(src_addr)); id_val->Assign(0, zeek::make_intrusive<zeek::AddrVal>(src_addr));
id_val->Assign(1, val_mgr->Port(src_port, proto)); id_val->Assign(1, zeek::val_mgr->Port(src_port, proto));
id_val->Assign(2, zeek::make_intrusive<zeek::AddrVal>(dst_addr)); id_val->Assign(2, zeek::make_intrusive<zeek::AddrVal>(dst_addr));
id_val->Assign(3, val_mgr->Port(dst_port, proto)); id_val->Assign(3, zeek::val_mgr->Port(dst_port, proto));
iprec->Assign(0, std::move(id_val)); iprec->Assign(0, std::move(id_val));
iprec->Assign(1, val_mgr->Count(ip_len)); iprec->Assign(1, zeek::val_mgr->Count(ip_len));
iprec->Assign(2, val_mgr->Count(proto)); iprec->Assign(2, zeek::val_mgr->Count(proto));
iprec->Assign(3, val_mgr->Count(frag_offset)); iprec->Assign(3, zeek::val_mgr->Count(frag_offset));
iprec->Assign(4, val_mgr->Bool(bad_hdr_len)); iprec->Assign(4, zeek::val_mgr->Bool(bad_hdr_len));
iprec->Assign(5, val_mgr->Bool(bad_checksum)); iprec->Assign(5, zeek::val_mgr->Bool(bad_checksum));
iprec->Assign(6, val_mgr->Bool(MF)); iprec->Assign(6, zeek::val_mgr->Bool(MF));
iprec->Assign(7, val_mgr->Bool(DF)); iprec->Assign(7, zeek::val_mgr->Bool(DF));
return iprec; return iprec;
} }
@ -415,19 +415,19 @@ zeek::RecordValPtr ICMP_Analyzer::ExtractICMP6Context(int len, const u_char*& da
auto id_val = zeek::make_intrusive<zeek::RecordVal>(zeek::id::conn_id); auto id_val = zeek::make_intrusive<zeek::RecordVal>(zeek::id::conn_id);
id_val->Assign(0, zeek::make_intrusive<zeek::AddrVal>(src_addr)); id_val->Assign(0, zeek::make_intrusive<zeek::AddrVal>(src_addr));
id_val->Assign(1, val_mgr->Port(src_port, proto)); id_val->Assign(1, zeek::val_mgr->Port(src_port, proto));
id_val->Assign(2, zeek::make_intrusive<zeek::AddrVal>(dst_addr)); id_val->Assign(2, zeek::make_intrusive<zeek::AddrVal>(dst_addr));
id_val->Assign(3, val_mgr->Port(dst_port, proto)); id_val->Assign(3, zeek::val_mgr->Port(dst_port, proto));
iprec->Assign(0, std::move(id_val)); iprec->Assign(0, std::move(id_val));
iprec->Assign(1, val_mgr->Count(ip_len)); iprec->Assign(1, zeek::val_mgr->Count(ip_len));
iprec->Assign(2, val_mgr->Count(proto)); iprec->Assign(2, zeek::val_mgr->Count(proto));
iprec->Assign(3, val_mgr->Count(frag_offset)); iprec->Assign(3, zeek::val_mgr->Count(frag_offset));
iprec->Assign(4, val_mgr->Bool(bad_hdr_len)); iprec->Assign(4, zeek::val_mgr->Bool(bad_hdr_len));
// bad_checksum is always false since IPv6 layer doesn't have a checksum. // bad_checksum is always false since IPv6 layer doesn't have a checksum.
iprec->Assign(5, val_mgr->False()); iprec->Assign(5, zeek::val_mgr->False());
iprec->Assign(6, val_mgr->Bool(MF)); iprec->Assign(6, zeek::val_mgr->Bool(MF));
iprec->Assign(7, val_mgr->Bool(DF)); iprec->Assign(7, zeek::val_mgr->Bool(DF));
return iprec; return iprec;
} }
@ -477,14 +477,14 @@ void ICMP_Analyzer::UpdateEndpointVal(const zeek::ValPtr& endp_arg, bool is_orig
if ( size < 0 ) if ( size < 0 )
{ {
endp->Assign(0, val_mgr->Count(0)); endp->Assign(0, zeek::val_mgr->Count(0));
endp->Assign(1, val_mgr->Count(int(ICMP_INACTIVE))); endp->Assign(1, zeek::val_mgr->Count(int(ICMP_INACTIVE)));
} }
else else
{ {
endp->Assign(0, val_mgr->Count(size)); endp->Assign(0, zeek::val_mgr->Count(size));
endp->Assign(1, val_mgr->Count(int(ICMP_ACTIVE))); endp->Assign(1, zeek::val_mgr->Count(int(ICMP_ACTIVE)));
} }
} }
@ -520,8 +520,8 @@ void ICMP_Analyzer::Echo(double t, const struct icmp* icmpp, int len,
EnqueueConnEvent(f, EnqueueConnEvent(f,
ConnVal(), ConnVal(),
BuildICMPVal(icmpp, len, ip_hdr->NextProto() != IPPROTO_ICMP, ip_hdr), BuildICMPVal(icmpp, len, ip_hdr->NextProto() != IPPROTO_ICMP, ip_hdr),
val_mgr->Count(iid), zeek::val_mgr->Count(iid),
val_mgr->Count(iseq), zeek::val_mgr->Count(iseq),
zeek::make_intrusive<zeek::StringVal>(payload) zeek::make_intrusive<zeek::StringVal>(payload)
); );
} }
@ -548,13 +548,13 @@ void ICMP_Analyzer::RouterAdvert(double t, const struct icmp* icmpp, int len,
EnqueueConnEvent(f, EnqueueConnEvent(f,
ConnVal(), ConnVal(),
BuildICMPVal(icmpp, len, 1, ip_hdr), BuildICMPVal(icmpp, len, 1, ip_hdr),
val_mgr->Count(icmpp->icmp_num_addrs), // Cur Hop Limit zeek::val_mgr->Count(icmpp->icmp_num_addrs), // Cur Hop Limit
val_mgr->Bool(icmpp->icmp_wpa & 0x80), // Managed zeek::val_mgr->Bool(icmpp->icmp_wpa & 0x80), // Managed
val_mgr->Bool(icmpp->icmp_wpa & 0x40), // Other zeek::val_mgr->Bool(icmpp->icmp_wpa & 0x40), // Other
val_mgr->Bool(icmpp->icmp_wpa & 0x20), // Home Agent zeek::val_mgr->Bool(icmpp->icmp_wpa & 0x20), // Home Agent
val_mgr->Count((icmpp->icmp_wpa & 0x18)>>3), // Pref zeek::val_mgr->Count((icmpp->icmp_wpa & 0x18)>>3), // Pref
val_mgr->Bool(icmpp->icmp_wpa & 0x04), // Proxy zeek::val_mgr->Bool(icmpp->icmp_wpa & 0x04), // Proxy
val_mgr->Count(icmpp->icmp_wpa & 0x02), // Reserved zeek::val_mgr->Count(icmpp->icmp_wpa & 0x02), // Reserved
zeek::make_intrusive<zeek::IntervalVal>((double)ntohs(icmpp->icmp_lifetime), Seconds), zeek::make_intrusive<zeek::IntervalVal>((double)ntohs(icmpp->icmp_lifetime), Seconds),
zeek::make_intrusive<zeek::IntervalVal>((double)ntohl(reachable), Milliseconds), zeek::make_intrusive<zeek::IntervalVal>((double)ntohl(reachable), Milliseconds),
zeek::make_intrusive<zeek::IntervalVal>((double)ntohl(retrans), Milliseconds), zeek::make_intrusive<zeek::IntervalVal>((double)ntohl(retrans), Milliseconds),
@ -581,9 +581,9 @@ void ICMP_Analyzer::NeighborAdvert(double t, const struct icmp* icmpp, int len,
EnqueueConnEvent(f, EnqueueConnEvent(f,
ConnVal(), ConnVal(),
BuildICMPVal(icmpp, len, 1, ip_hdr), BuildICMPVal(icmpp, len, 1, ip_hdr),
val_mgr->Bool(icmpp->icmp_num_addrs & 0x80), // Router zeek::val_mgr->Bool(icmpp->icmp_num_addrs & 0x80), // Router
val_mgr->Bool(icmpp->icmp_num_addrs & 0x40), // Solicited zeek::val_mgr->Bool(icmpp->icmp_num_addrs & 0x40), // Solicited
val_mgr->Bool(icmpp->icmp_num_addrs & 0x20), // Override zeek::val_mgr->Bool(icmpp->icmp_num_addrs & 0x20), // Override
zeek::make_intrusive<zeek::AddrVal>(tgtaddr), zeek::make_intrusive<zeek::AddrVal>(tgtaddr),
BuildNDOptionsVal(caplen - opt_offset, data + opt_offset) BuildNDOptionsVal(caplen - opt_offset, data + opt_offset)
); );
@ -678,7 +678,7 @@ void ICMP_Analyzer::Context4(double t, const struct icmp* icmpp,
EnqueueConnEvent(f, EnqueueConnEvent(f,
ConnVal(), ConnVal(),
BuildICMPVal(icmpp, len, 0, ip_hdr), BuildICMPVal(icmpp, len, 0, ip_hdr),
val_mgr->Count(icmpp->icmp_code), zeek::val_mgr->Count(icmpp->icmp_code),
ExtractICMP4Context(caplen, data) ExtractICMP4Context(caplen, data)
); );
} }
@ -716,7 +716,7 @@ void ICMP_Analyzer::Context6(double t, const struct icmp* icmpp,
EnqueueConnEvent(f, EnqueueConnEvent(f,
ConnVal(), ConnVal(),
BuildICMPVal(icmpp, len, 1, ip_hdr), BuildICMPVal(icmpp, len, 1, ip_hdr),
val_mgr->Count(icmpp->icmp_code), zeek::val_mgr->Count(icmpp->icmp_code),
ExtractICMP6Context(caplen, data) ExtractICMP6Context(caplen, data)
); );
} }
@ -748,8 +748,8 @@ zeek::VectorValPtr ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* da
} }
auto rv = zeek::make_intrusive<zeek::RecordVal>(icmp6_nd_option_type); auto rv = zeek::make_intrusive<zeek::RecordVal>(icmp6_nd_option_type);
rv->Assign(0, val_mgr->Count(type)); rv->Assign(0, zeek::val_mgr->Count(type));
rv->Assign(1, val_mgr->Count(length)); rv->Assign(1, zeek::val_mgr->Count(length));
// Adjust length to be in units of bytes, exclude type/length fields. // Adjust length to be in units of bytes, exclude type/length fields.
length = length * 8 - 2; length = length * 8 - 2;
@ -788,9 +788,9 @@ zeek::VectorValPtr ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* da
uint32_t valid_life = *((const uint32_t*)(data + 2)); uint32_t valid_life = *((const uint32_t*)(data + 2));
uint32_t prefer_life = *((const uint32_t*)(data + 6)); uint32_t prefer_life = *((const uint32_t*)(data + 6));
in6_addr prefix = *((const in6_addr*)(data + 14)); in6_addr prefix = *((const in6_addr*)(data + 14));
info->Assign(0, val_mgr->Count(prefix_len)); info->Assign(0, zeek::val_mgr->Count(prefix_len));
info->Assign(1, val_mgr->Bool(L_flag)); info->Assign(1, zeek::val_mgr->Bool(L_flag));
info->Assign(2, val_mgr->Bool(A_flag)); info->Assign(2, zeek::val_mgr->Bool(A_flag));
info->Assign(3, zeek::make_intrusive<zeek::IntervalVal>((double)ntohl(valid_life), Seconds)); info->Assign(3, zeek::make_intrusive<zeek::IntervalVal>((double)ntohl(valid_life), Seconds));
info->Assign(4, zeek::make_intrusive<zeek::IntervalVal>((double)ntohl(prefer_life), Seconds)); info->Assign(4, zeek::make_intrusive<zeek::IntervalVal>((double)ntohl(prefer_life), Seconds));
info->Assign(5, zeek::make_intrusive<zeek::AddrVal>(IPAddr(prefix))); info->Assign(5, zeek::make_intrusive<zeek::AddrVal>(IPAddr(prefix)));
@ -821,7 +821,7 @@ zeek::VectorValPtr ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* da
// MTU option // MTU option
{ {
if ( caplen >= 6 ) if ( caplen >= 6 )
rv->Assign(5, val_mgr->Count(ntohl(*((const uint32_t*)(data + 2))))); rv->Assign(5, zeek::val_mgr->Count(ntohl(*((const uint32_t*)(data + 2)))));
else else
set_payload_field = true; set_payload_field = true;

12
src/analyzer/protocol/ident/Ident.cc
View file

@ -86,8 +86,8 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
EnqueueConnEvent(ident_request, EnqueueConnEvent(ident_request,
ConnVal(), ConnVal(),
val_mgr->Port(local_port, TRANSPORT_TCP), zeek::val_mgr->Port(local_port, TRANSPORT_TCP),
val_mgr->Port(remote_port, TRANSPORT_TCP) zeek::val_mgr->Port(remote_port, TRANSPORT_TCP)
); );
did_deliver = true; did_deliver = true;
@ -147,8 +147,8 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
if ( ident_error ) if ( ident_error )
EnqueueConnEvent(ident_error, EnqueueConnEvent(ident_error,
ConnVal(), ConnVal(),
val_mgr->Port(local_port, TRANSPORT_TCP), zeek::val_mgr->Port(local_port, TRANSPORT_TCP),
val_mgr->Port(remote_port, TRANSPORT_TCP), zeek::val_mgr->Port(remote_port, TRANSPORT_TCP),
zeek::make_intrusive<zeek::StringVal>(end_of_line - line, line) zeek::make_intrusive<zeek::StringVal>(end_of_line - line, line)
); );
} }
@ -180,8 +180,8 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
EnqueueConnEvent(ident_reply, EnqueueConnEvent(ident_reply,
ConnVal(), ConnVal(),
val_mgr->Port(local_port, TRANSPORT_TCP), zeek::val_mgr->Port(local_port, TRANSPORT_TCP),
val_mgr->Port(remote_port, TRANSPORT_TCP), zeek::val_mgr->Port(remote_port, TRANSPORT_TCP),
zeek::make_intrusive<zeek::StringVal>(end_of_line - line, line), zeek::make_intrusive<zeek::StringVal>(end_of_line - line, line),
zeek::make_intrusive<zeek::StringVal>(sys_type_s) zeek::make_intrusive<zeek::StringVal>(sys_type_s)
); );

104
src/analyzer/protocol/irc/IRC.cc
View file

@ -238,10 +238,10 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
EnqueueConnEvent(irc_network_info, EnqueueConnEvent(irc_network_info,
ConnVal(), ConnVal(),
val_mgr->Bool(orig), zeek::val_mgr->Bool(orig),
val_mgr->Int(users), zeek::val_mgr->Int(users),
val_mgr->Int(services), zeek::val_mgr->Int(services),
val_mgr->Int(servers)); zeek::val_mgr->Int(servers));
} }
break; break;
@ -284,7 +284,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
EnqueueConnEvent(irc_names_info, EnqueueConnEvent(irc_names_info,
ConnVal(), ConnVal(),
val_mgr->Bool(orig), zeek::val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(type.c_str()), zeek::make_intrusive<zeek::StringVal>(type.c_str()),
zeek::make_intrusive<zeek::StringVal>(channel.c_str()), zeek::make_intrusive<zeek::StringVal>(channel.c_str()),
std::move(set)); std::move(set));
@ -317,10 +317,10 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
EnqueueConnEvent(irc_server_info, EnqueueConnEvent(irc_server_info,
ConnVal(), ConnVal(),
val_mgr->Bool(orig), zeek::val_mgr->Bool(orig),
val_mgr->Int(users), zeek::val_mgr->Int(users),
val_mgr->Int(services), zeek::val_mgr->Int(services),
val_mgr->Int(servers)); zeek::val_mgr->Int(servers));
} }
break; break;
@ -338,8 +338,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
EnqueueConnEvent(irc_channel_info, EnqueueConnEvent(irc_channel_info,
ConnVal(), ConnVal(),
val_mgr->Bool(orig), zeek::val_mgr->Bool(orig),
val_mgr->Int(channels)); zeek::val_mgr->Int(channels));
} }
break; break;
@ -369,7 +369,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
EnqueueConnEvent(irc_global_users, EnqueueConnEvent(irc_global_users,
ConnVal(), ConnVal(),
val_mgr->Bool(orig), zeek::val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(eop - prefix, prefix), zeek::make_intrusive<zeek::StringVal>(eop - prefix, prefix),
zeek::make_intrusive<zeek::StringVal>(++msg)); zeek::make_intrusive<zeek::StringVal>(++msg));
break; break;
@ -394,7 +394,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
zeek::Args vl; zeek::Args vl;
vl.reserve(6); vl.reserve(6);
vl.emplace_back(ConnVal()); vl.emplace_back(ConnVal());
vl.emplace_back(val_mgr->Bool(orig)); vl.emplace_back(zeek::val_mgr->Bool(orig));
vl.emplace_back(zeek::make_intrusive<zeek::StringVal>(parts[0].c_str())); vl.emplace_back(zeek::make_intrusive<zeek::StringVal>(parts[0].c_str()));
vl.emplace_back(zeek::make_intrusive<zeek::StringVal>(parts[1].c_str())); vl.emplace_back(zeek::make_intrusive<zeek::StringVal>(parts[1].c_str()));
vl.emplace_back(zeek::make_intrusive<zeek::StringVal>(parts[2].c_str())); vl.emplace_back(zeek::make_intrusive<zeek::StringVal>(parts[2].c_str()));
@ -433,7 +433,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
EnqueueConnEvent(irc_whois_operator_line, EnqueueConnEvent(irc_whois_operator_line,
ConnVal(), ConnVal(),
val_mgr->Bool(orig), zeek::val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(parts[0].c_str())); zeek::make_intrusive<zeek::StringVal>(parts[0].c_str()));
} }
break; break;
@ -470,7 +470,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
EnqueueConnEvent(irc_whois_channel_line, EnqueueConnEvent(irc_whois_channel_line,
ConnVal(), ConnVal(),
val_mgr->Bool(orig), zeek::val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(nick.c_str()), zeek::make_intrusive<zeek::StringVal>(nick.c_str()),
std::move(set)); std::move(set));
} }
@ -500,7 +500,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
EnqueueConnEvent(irc_channel_topic, EnqueueConnEvent(irc_channel_topic,
ConnVal(), ConnVal(),
val_mgr->Bool(orig), zeek::val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(parts[1].c_str()), zeek::make_intrusive<zeek::StringVal>(parts[1].c_str()),
zeek::make_intrusive<zeek::StringVal>(t)); zeek::make_intrusive<zeek::StringVal>(t));
} }
@ -533,7 +533,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
EnqueueConnEvent(irc_who_line, EnqueueConnEvent(irc_who_line,
ConnVal(), ConnVal(),
val_mgr->Bool(orig), zeek::val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(parts[0].c_str()), zeek::make_intrusive<zeek::StringVal>(parts[0].c_str()),
zeek::make_intrusive<zeek::StringVal>(parts[1].c_str()), zeek::make_intrusive<zeek::StringVal>(parts[1].c_str()),
zeek::make_intrusive<zeek::StringVal>(parts[2].c_str()), zeek::make_intrusive<zeek::StringVal>(parts[2].c_str()),
@ -541,7 +541,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
zeek::make_intrusive<zeek::StringVal>(parts[4].c_str()), zeek::make_intrusive<zeek::StringVal>(parts[4].c_str()),
zeek::make_intrusive<zeek::StringVal>(parts[5].c_str()), zeek::make_intrusive<zeek::StringVal>(parts[5].c_str()),
zeek::make_intrusive<zeek::StringVal>(parts[6].c_str()), zeek::make_intrusive<zeek::StringVal>(parts[6].c_str()),
val_mgr->Int(atoi(parts[7].c_str())), zeek::val_mgr->Int(atoi(parts[7].c_str())),
zeek::make_intrusive<zeek::StringVal>(parts[8].c_str())); zeek::make_intrusive<zeek::StringVal>(parts[8].c_str()));
} }
break; break;
@ -554,7 +554,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( irc_invalid_nick ) if ( irc_invalid_nick )
EnqueueConnEvent(irc_invalid_nick, EnqueueConnEvent(irc_invalid_nick,
ConnVal(), ConnVal(),
val_mgr->Bool(orig)); zeek::val_mgr->Bool(orig));
break; break;
// Operator responses. // Operator responses.
@ -563,8 +563,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( irc_oper_response ) if ( irc_oper_response )
EnqueueConnEvent(irc_oper_response, EnqueueConnEvent(irc_oper_response,
ConnVal(), ConnVal(),
val_mgr->Bool(orig), zeek::val_mgr->Bool(orig),
val_mgr->Bool(code == 381)); zeek::val_mgr->Bool(code == 381));
break; break;
case 670: case 670:
@ -577,9 +577,9 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( irc_reply ) if ( irc_reply )
EnqueueConnEvent(irc_reply, EnqueueConnEvent(irc_reply,
ConnVal(), ConnVal(),
val_mgr->Bool(orig), zeek::val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(prefix.c_str()), zeek::make_intrusive<zeek::StringVal>(prefix.c_str()),
val_mgr->Count(code), zeek::val_mgr->Count(code),
zeek::make_intrusive<zeek::StringVal>(params.c_str())); zeek::make_intrusive<zeek::StringVal>(params.c_str()));
break; break;
} }
@ -647,14 +647,14 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( irc_dcc_message ) if ( irc_dcc_message )
EnqueueConnEvent(irc_dcc_message, EnqueueConnEvent(irc_dcc_message,
ConnVal(), ConnVal(),
val_mgr->Bool(orig), zeek::val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(prefix.c_str()), zeek::make_intrusive<zeek::StringVal>(prefix.c_str()),
zeek::make_intrusive<zeek::StringVal>(target.c_str()), zeek::make_intrusive<zeek::StringVal>(target.c_str()),
zeek::make_intrusive<zeek::StringVal>(parts[1].c_str()), zeek::make_intrusive<zeek::StringVal>(parts[1].c_str()),
zeek::make_intrusive<zeek::StringVal>(parts[2].c_str()), zeek::make_intrusive<zeek::StringVal>(parts[2].c_str()),
zeek::make_intrusive<zeek::AddrVal>(htonl(raw_ip)), zeek::make_intrusive<zeek::AddrVal>(htonl(raw_ip)),
val_mgr->Count(atoi(parts[4].c_str())), zeek::val_mgr->Count(atoi(parts[4].c_str())),
parts.size() >= 6 ? val_mgr->Count(atoi(parts[5].c_str())) : val_mgr->Count(0) parts.size() >= 6 ? zeek::val_mgr->Count(atoi(parts[5].c_str())) : zeek::val_mgr->Count(0)
); );
} }
@ -663,7 +663,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( irc_privmsg_message ) if ( irc_privmsg_message )
EnqueueConnEvent(irc_privmsg_message, EnqueueConnEvent(irc_privmsg_message,
ConnVal(), ConnVal(),
val_mgr->Bool(orig), zeek::val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(prefix.c_str()), zeek::make_intrusive<zeek::StringVal>(prefix.c_str()),
zeek::make_intrusive<zeek::StringVal>(target.c_str()), zeek::make_intrusive<zeek::StringVal>(target.c_str()),
zeek::make_intrusive<zeek::StringVal>(message.c_str()) zeek::make_intrusive<zeek::StringVal>(message.c_str())
@ -688,7 +688,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
EnqueueConnEvent(irc_notice_message, EnqueueConnEvent(irc_notice_message,
ConnVal(), ConnVal(),
val_mgr->Bool(orig), zeek::val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(prefix.c_str()), zeek::make_intrusive<zeek::StringVal>(prefix.c_str()),
zeek::make_intrusive<zeek::StringVal>(target.c_str()), zeek::make_intrusive<zeek::StringVal>(target.c_str()),
zeek::make_intrusive<zeek::StringVal>(message.c_str()) zeek::make_intrusive<zeek::StringVal>(message.c_str())
@ -712,7 +712,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
EnqueueConnEvent(irc_squery_message, EnqueueConnEvent(irc_squery_message,
ConnVal(), ConnVal(),
val_mgr->Bool(orig), zeek::val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(prefix.c_str()), zeek::make_intrusive<zeek::StringVal>(prefix.c_str()),
zeek::make_intrusive<zeek::StringVal>(target.c_str()), zeek::make_intrusive<zeek::StringVal>(target.c_str()),
zeek::make_intrusive<zeek::StringVal>(message.c_str()) zeek::make_intrusive<zeek::StringVal>(message.c_str())
@ -726,19 +726,19 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
zeek::Args vl; zeek::Args vl;
vl.reserve(6); vl.reserve(6);
vl.emplace_back(ConnVal()); vl.emplace_back(ConnVal());
vl.emplace_back(val_mgr->Bool(orig)); vl.emplace_back(zeek::val_mgr->Bool(orig));
if ( parts.size() > 0 ) if ( parts.size() > 0 )
vl.emplace_back(zeek::make_intrusive<zeek::StringVal>(parts[0].c_str())); vl.emplace_back(zeek::make_intrusive<zeek::StringVal>(parts[0].c_str()));
else vl.emplace_back(val_mgr->EmptyString()); else vl.emplace_back(zeek::val_mgr->EmptyString());
if ( parts.size() > 1 ) if ( parts.size() > 1 )
vl.emplace_back(zeek::make_intrusive<zeek::StringVal>(parts[1].c_str())); vl.emplace_back(zeek::make_intrusive<zeek::StringVal>(parts[1].c_str()));
else vl.emplace_back(val_mgr->EmptyString()); else vl.emplace_back(zeek::val_mgr->EmptyString());
if ( parts.size() > 2 ) if ( parts.size() > 2 )
vl.emplace_back(zeek::make_intrusive<zeek::StringVal>(parts[2].c_str())); vl.emplace_back(zeek::make_intrusive<zeek::StringVal>(parts[2].c_str()));
else vl.emplace_back(val_mgr->EmptyString()); else vl.emplace_back(zeek::val_mgr->EmptyString());
string realname; string realname;
for ( unsigned int i = 3; i < parts.size(); i++ ) for ( unsigned int i = 3; i < parts.size(); i++ )
@ -761,7 +761,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( parts.size() == 2 ) if ( parts.size() == 2 )
EnqueueConnEvent(irc_oper_message, EnqueueConnEvent(irc_oper_message,
ConnVal(), ConnVal(),
val_mgr->Bool(orig), zeek::val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(parts[0].c_str()), zeek::make_intrusive<zeek::StringVal>(parts[0].c_str()),
zeek::make_intrusive<zeek::StringVal>(parts[1].c_str()) zeek::make_intrusive<zeek::StringVal>(parts[1].c_str())
); );
@ -783,7 +783,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
zeek::Args vl; zeek::Args vl;
vl.reserve(6); vl.reserve(6);
vl.emplace_back(ConnVal()); vl.emplace_back(ConnVal());
vl.emplace_back(val_mgr->Bool(orig)); vl.emplace_back(zeek::val_mgr->Bool(orig));
vl.emplace_back(zeek::make_intrusive<zeek::StringVal>(prefix.c_str())); vl.emplace_back(zeek::make_intrusive<zeek::StringVal>(prefix.c_str()));
vl.emplace_back(zeek::make_intrusive<zeek::StringVal>(parts[0].c_str())); vl.emplace_back(zeek::make_intrusive<zeek::StringVal>(parts[0].c_str()));
vl.emplace_back(zeek::make_intrusive<zeek::StringVal>(parts[1].c_str())); vl.emplace_back(zeek::make_intrusive<zeek::StringVal>(parts[1].c_str()));
@ -800,7 +800,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
vl.emplace_back(zeek::make_intrusive<zeek::StringVal>(comment.c_str())); vl.emplace_back(zeek::make_intrusive<zeek::StringVal>(comment.c_str()));
} }
else else
vl.emplace_back(val_mgr->EmptyString()); vl.emplace_back(zeek::val_mgr->EmptyString());
EnqueueConnEvent(irc_kick_message, std::move(vl)); EnqueueConnEvent(irc_kick_message, std::move(vl));
} }
@ -851,7 +851,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
EnqueueConnEvent(irc_join_message, EnqueueConnEvent(irc_join_message,
ConnVal(), ConnVal(),
val_mgr->Bool(orig), zeek::val_mgr->Bool(orig),
std::move(list) std::move(list)
); );
} }
@ -911,7 +911,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
EnqueueConnEvent(irc_join_message, EnqueueConnEvent(irc_join_message,
ConnVal(), ConnVal(),
val_mgr->Bool(orig), zeek::val_mgr->Bool(orig),
std::move(list) std::move(list)
); );
} }
@ -950,7 +950,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
EnqueueConnEvent(irc_part_message, EnqueueConnEvent(irc_part_message,
ConnVal(), ConnVal(),
val_mgr->Bool(orig), zeek::val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(nick.c_str()), zeek::make_intrusive<zeek::StringVal>(nick.c_str()),
std::move(set), std::move(set),
zeek::make_intrusive<zeek::StringVal>(message.c_str()) zeek::make_intrusive<zeek::StringVal>(message.c_str())
@ -973,7 +973,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
EnqueueConnEvent(irc_quit_message, EnqueueConnEvent(irc_quit_message,
ConnVal(), ConnVal(),
val_mgr->Bool(orig), zeek::val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(nickname.c_str()), zeek::make_intrusive<zeek::StringVal>(nickname.c_str()),
zeek::make_intrusive<zeek::StringVal>(message.c_str()) zeek::make_intrusive<zeek::StringVal>(message.c_str())
); );
@ -987,7 +987,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
EnqueueConnEvent(irc_nick_message, EnqueueConnEvent(irc_nick_message,
ConnVal(), ConnVal(),
val_mgr->Bool(orig), zeek::val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(prefix.c_str()), zeek::make_intrusive<zeek::StringVal>(prefix.c_str()),
zeek::make_intrusive<zeek::StringVal>(nick.c_str()) zeek::make_intrusive<zeek::StringVal>(nick.c_str())
); );
@ -1012,11 +1012,11 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
EnqueueConnEvent(irc_who_message, EnqueueConnEvent(irc_who_message,
ConnVal(), ConnVal(),
val_mgr->Bool(orig), zeek::val_mgr->Bool(orig),
parts.size() > 0 ? parts.size() > 0 ?
zeek::make_intrusive<zeek::StringVal>(parts[0].c_str()) : zeek::make_intrusive<zeek::StringVal>(parts[0].c_str()) :
val_mgr->EmptyString(), zeek::val_mgr->EmptyString(),
val_mgr->Bool(oper) zeek::val_mgr->Bool(oper)
); );
} }
@ -1042,7 +1042,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
EnqueueConnEvent(irc_whois_message, EnqueueConnEvent(irc_whois_message,
ConnVal(), ConnVal(),
val_mgr->Bool(orig), zeek::val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(server.c_str()), zeek::make_intrusive<zeek::StringVal>(server.c_str()),
zeek::make_intrusive<zeek::StringVal>(users.c_str()) zeek::make_intrusive<zeek::StringVal>(users.c_str())
); );
@ -1055,7 +1055,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
EnqueueConnEvent(irc_error_message, EnqueueConnEvent(irc_error_message,
ConnVal(), ConnVal(),
val_mgr->Bool(orig), zeek::val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(prefix.c_str()), zeek::make_intrusive<zeek::StringVal>(prefix.c_str()),
zeek::make_intrusive<zeek::StringVal>(params.c_str()) zeek::make_intrusive<zeek::StringVal>(params.c_str())
); );
@ -1071,7 +1071,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
EnqueueConnEvent(irc_invite_message, EnqueueConnEvent(irc_invite_message,
ConnVal(), ConnVal(),
val_mgr->Bool(orig), zeek::val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(prefix.c_str()), zeek::make_intrusive<zeek::StringVal>(prefix.c_str()),
zeek::make_intrusive<zeek::StringVal>(parts[0].c_str()), zeek::make_intrusive<zeek::StringVal>(parts[0].c_str()),
zeek::make_intrusive<zeek::StringVal>(parts[1].c_str()) zeek::make_intrusive<zeek::StringVal>(parts[1].c_str())
@ -1086,7 +1086,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( params.size() > 0 ) if ( params.size() > 0 )
EnqueueConnEvent(irc_mode_message, EnqueueConnEvent(irc_mode_message,
ConnVal(), ConnVal(),
val_mgr->Bool(orig), zeek::val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(prefix.c_str()), zeek::make_intrusive<zeek::StringVal>(prefix.c_str()),
zeek::make_intrusive<zeek::StringVal>(params.c_str()) zeek::make_intrusive<zeek::StringVal>(params.c_str())
); );
@ -1099,7 +1099,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
{ {
EnqueueConnEvent(irc_password_message, EnqueueConnEvent(irc_password_message,
ConnVal(), ConnVal(),
val_mgr->Bool(orig), zeek::val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(params.c_str()) zeek::make_intrusive<zeek::StringVal>(params.c_str())
); );
} }
@ -1121,7 +1121,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
EnqueueConnEvent(irc_squit_message, EnqueueConnEvent(irc_squit_message,
ConnVal(), ConnVal(),
val_mgr->Bool(orig), zeek::val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(prefix.c_str()), zeek::make_intrusive<zeek::StringVal>(prefix.c_str()),
zeek::make_intrusive<zeek::StringVal>(server.c_str()), zeek::make_intrusive<zeek::StringVal>(server.c_str()),
zeek::make_intrusive<zeek::StringVal>(message.c_str()) zeek::make_intrusive<zeek::StringVal>(message.c_str())
@ -1135,7 +1135,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
{ {
EnqueueConnEvent(irc_request, EnqueueConnEvent(irc_request,
ConnVal(), ConnVal(),
val_mgr->Bool(orig), zeek::val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(prefix.c_str()), zeek::make_intrusive<zeek::StringVal>(prefix.c_str()),
zeek::make_intrusive<zeek::StringVal>(command.c_str()), zeek::make_intrusive<zeek::StringVal>(command.c_str()),
zeek::make_intrusive<zeek::StringVal>(params.c_str()) zeek::make_intrusive<zeek::StringVal>(params.c_str())
@ -1149,7 +1149,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
{ {
EnqueueConnEvent(irc_message, EnqueueConnEvent(irc_message,
ConnVal(), ConnVal(),
val_mgr->Bool(orig), zeek::val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(prefix.c_str()), zeek::make_intrusive<zeek::StringVal>(prefix.c_str()),
zeek::make_intrusive<zeek::StringVal>(command.c_str()), zeek::make_intrusive<zeek::StringVal>(command.c_str()),
zeek::make_intrusive<zeek::StringVal>(params.c_str()) zeek::make_intrusive<zeek::StringVal>(params.c_str())

2
src/analyzer/protocol/krb/KRB_TCP.h
View file

@ -24,7 +24,7 @@ public:
zeek::StringValPtr GetAuthenticationInfo(const zeek::BroString* principal, zeek::StringValPtr GetAuthenticationInfo(const zeek::BroString* principal,
const zeek::BroString* ciphertext, const zeek::BroString* ciphertext,
const bro_uint_t enctype) const bro_uint_t enctype)
{ return val_mgr->EmptyString(); } { return zeek::val_mgr->EmptyString(); }
static analyzer::Analyzer* Instantiate(Connection* conn) static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new KRB_Analyzer(conn); } { return new KRB_Analyzer(conn); }

30
src/analyzer/protocol/krb/krb-analyzer.pac
View file

@ -10,19 +10,19 @@ zeek::RecordValPtr proc_krb_kdc_options(const KRB_KDC_Options* opts)
{ {
auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::KRB::KDC_Options); auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::KRB::KDC_Options);
rv->Assign(0, val_mgr->Bool(opts->forwardable())); rv->Assign(0, zeek::val_mgr->Bool(opts->forwardable()));
rv->Assign(1, val_mgr->Bool(opts->forwarded())); rv->Assign(1, zeek::val_mgr->Bool(opts->forwarded()));
rv->Assign(2, val_mgr->Bool(opts->proxiable())); rv->Assign(2, zeek::val_mgr->Bool(opts->proxiable()));
rv->Assign(3, val_mgr->Bool(opts->proxy())); rv->Assign(3, zeek::val_mgr->Bool(opts->proxy()));
rv->Assign(4, val_mgr->Bool(opts->allow_postdate())); rv->Assign(4, zeek::val_mgr->Bool(opts->allow_postdate()));
rv->Assign(5, val_mgr->Bool(opts->postdated())); rv->Assign(5, zeek::val_mgr->Bool(opts->postdated()));
rv->Assign(6, val_mgr->Bool(opts->renewable())); rv->Assign(6, zeek::val_mgr->Bool(opts->renewable()));
rv->Assign(7, val_mgr->Bool(opts->opt_hardware_auth())); rv->Assign(7, zeek::val_mgr->Bool(opts->opt_hardware_auth()));
rv->Assign(8, val_mgr->Bool(opts->disable_transited_check())); rv->Assign(8, zeek::val_mgr->Bool(opts->disable_transited_check()));
rv->Assign(9, val_mgr->Bool(opts->renewable_ok())); rv->Assign(9, zeek::val_mgr->Bool(opts->renewable_ok()));
rv->Assign(10, val_mgr->Bool(opts->enc_tkt_in_skey())); rv->Assign(10, zeek::val_mgr->Bool(opts->enc_tkt_in_skey()));
rv->Assign(11, val_mgr->Bool(opts->renew())); rv->Assign(11, zeek::val_mgr->Bool(opts->renew()));
rv->Assign(12, val_mgr->Bool(opts->validate())); rv->Assign(12, zeek::val_mgr->Bool(opts->validate()));
return rv; return rv;
} }
@ -259,8 +259,8 @@ refine connection KRB_Conn += {
if ( krb_ap_request ) if ( krb_ap_request )
{ {
auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::KRB::AP_Options); auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::KRB::AP_Options);
rv->Assign(0, val_mgr->Bool(${msg.ap_options.use_session_key})); rv->Assign(0, zeek::val_mgr->Bool(${msg.ap_options.use_session_key}));
rv->Assign(1, val_mgr->Bool(${msg.ap_options.mutual_required})); rv->Assign(1, zeek::val_mgr->Bool(${msg.ap_options.mutual_required}));
auto rvticket = proc_ticket(${msg.ticket}); auto rvticket = proc_ticket(${msg.ticket});
auto authenticationinfo = bro_analyzer()->GetAuthenticationInfo(rvticket->GetField(2)->AsString(), rvticket->GetField(4)->AsString(), rvticket->GetField(3)->AsCount()); auto authenticationinfo = bro_analyzer()->GetAuthenticationInfo(rvticket->GetField(2)->AsString(), rvticket->GetField(4)->AsString(), rvticket->GetField(3)->AsCount());

8
src/analyzer/protocol/krb/krb-padata.pac
View file

@ -37,7 +37,7 @@ zeek::VectorValPtr proc_padata(const KRB_PA_Data_Sequence* data, const BroAnalyz
case PA_PW_SALT: case PA_PW_SALT:
{ {
auto type_val = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::KRB::Type_Value); auto type_val = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::KRB::Type_Value);
type_val->Assign(0, val_mgr->Count(element->data_type())); type_val->Assign(0, zeek::val_mgr->Count(element->data_type()));
type_val->Assign(1, to_stringval(element->pa_data_element()->pa_pw_salt()->encoding()->content())); type_val->Assign(1, to_stringval(element->pa_data_element()->pa_pw_salt()->encoding()->content()));
vv->Assign(vv->Size(), std::move(type_val)); vv->Assign(vv->Size(), std::move(type_val));
break; break;
@ -45,7 +45,7 @@ zeek::VectorValPtr proc_padata(const KRB_PA_Data_Sequence* data, const BroAnalyz
case PA_ENCTYPE_INFO: case PA_ENCTYPE_INFO:
{ {
auto type_val = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::KRB::Type_Value); auto type_val = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::KRB::Type_Value);
type_val->Assign(0, val_mgr->Count(element->data_type())); type_val->Assign(0, zeek::val_mgr->Count(element->data_type()));
type_val->Assign(1, to_stringval(element->pa_data_element()->pf_enctype_info()->salt())); type_val->Assign(1, to_stringval(element->pa_data_element()->pf_enctype_info()->salt()));
vv->Assign(vv->Size(), std::move(type_val)); vv->Assign(vv->Size(), std::move(type_val));
break; break;
@ -53,7 +53,7 @@ zeek::VectorValPtr proc_padata(const KRB_PA_Data_Sequence* data, const BroAnalyz
case PA_ENCTYPE_INFO2: case PA_ENCTYPE_INFO2:
{ {
auto type_val = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::KRB::Type_Value); auto type_val = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::KRB::Type_Value);
type_val->Assign(0, val_mgr->Count(element->data_type())); type_val->Assign(0, zeek::val_mgr->Count(element->data_type()));
type_val->Assign(1, to_stringval(element->pa_data_element()->pf_enctype_info2()->salt())); type_val->Assign(1, to_stringval(element->pa_data_element()->pf_enctype_info2()->salt()));
vv->Assign(vv->Size(), std::move(type_val)); vv->Assign(vv->Size(), std::move(type_val));
break; break;
@ -111,7 +111,7 @@ zeek::VectorValPtr proc_padata(const KRB_PA_Data_Sequence* data, const BroAnalyz
if ( ! is_error && element->pa_data_element()->unknown()->meta()->length() > 0 ) if ( ! is_error && element->pa_data_element()->unknown()->meta()->length() > 0 )
{ {
auto type_val = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::KRB::Type_Value); auto type_val = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::KRB::Type_Value);
type_val->Assign(0, val_mgr->Count(element->data_type())); type_val->Assign(0, zeek::val_mgr->Count(element->data_type()));
type_val->Assign(1, to_stringval(element->pa_data_element()->unknown()->content())); type_val->Assign(1, to_stringval(element->pa_data_element()->unknown()->content()));
vv->Assign(vv->Size(), std::move(type_val)); vv->Assign(vv->Size(), std::move(type_val));
} }

4
src/analyzer/protocol/login/Login.cc
View file

@ -432,7 +432,7 @@ void Login_Analyzer::LoginEvent(EventHandlerPtr f, const char* line,
ConnVal(), ConnVal(),
zeek::IntrusivePtr{zeek::NewRef{}, username}, zeek::IntrusivePtr{zeek::NewRef{}, username},
client_name ? zeek::IntrusivePtr{zeek::NewRef{}, client_name} client_name ? zeek::IntrusivePtr{zeek::NewRef{}, client_name}
: val_mgr->EmptyString(), : zeek::val_mgr->EmptyString(),
zeek::IntrusivePtr{zeek::AdoptRef{}, password}, zeek::IntrusivePtr{zeek::AdoptRef{}, password},
zeek::make_intrusive<zeek::StringVal>(line) zeek::make_intrusive<zeek::StringVal>(line)
); );
@ -602,7 +602,7 @@ zeek::Val* Login_Analyzer::PopUserTextVal()
if ( s ) if ( s )
return new zeek::StringVal(new zeek::BroString(true, zeek::byte_vec(s), strlen(s))); return new zeek::StringVal(new zeek::BroString(true, zeek::byte_vec(s), strlen(s)));
else else
return val_mgr->EmptyString()->Ref(); return zeek::val_mgr->EmptyString()->Ref();
} }
bool Login_Analyzer::MatchesTypeahead(const char* line) const bool Login_Analyzer::MatchesTypeahead(const char* line) const

4
src/analyzer/protocol/login/RSH.cc
View file

@ -190,9 +190,9 @@ void Rsh_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{ {
if ( contents_orig->RshSaveState() == RSH_SERVER_USER_NAME ) if ( contents_orig->RshSaveState() == RSH_SERVER_USER_NAME )
// First input // First input
vl.emplace_back(val_mgr->True()); vl.emplace_back(zeek::val_mgr->True());
else else
vl.emplace_back(val_mgr->False()); vl.emplace_back(zeek::val_mgr->False());
EnqueueConnEvent(rsh_request, std::move(vl)); EnqueueConnEvent(rsh_request, std::move(vl));
} }

12
src/analyzer/protocol/login/functions.bif
View file

@ -28,13 +28,13 @@ function get_login_state%(cid: conn_id%): count
%{ %{
Connection* c = sessions->FindConnection(cid); Connection* c = sessions->FindConnection(cid);
if ( ! c ) if ( ! c )
return val_mgr->False(); return zeek::val_mgr->False();
analyzer::Analyzer* la = c->FindAnalyzer("Login"); analyzer::Analyzer* la = c->FindAnalyzer("Login");
if ( ! la ) if ( ! la )
return val_mgr->False(); return zeek::val_mgr->False();
return val_mgr->Count(int(static_cast<analyzer::login::Login_Analyzer*>(la)->LoginState())); return zeek::val_mgr->Count(int(static_cast<analyzer::login::Login_Analyzer*>(la)->LoginState()));
%} %}
## Sets the login state of a connection with a login analyzer. ## Sets the login state of a connection with a login analyzer.
@ -52,12 +52,12 @@ function set_login_state%(cid: conn_id, new_state: count%): bool
%{ %{
Connection* c = sessions->FindConnection(cid); Connection* c = sessions->FindConnection(cid);
if ( ! c ) if ( ! c )
return val_mgr->False(); return zeek::val_mgr->False();
analyzer::Analyzer* la = c->FindAnalyzer("Login"); analyzer::Analyzer* la = c->FindAnalyzer("Login");
if ( ! la ) if ( ! la )
return val_mgr->False(); return zeek::val_mgr->False();
static_cast<analyzer::login::Login_Analyzer*>(la)->SetLoginState(analyzer::login::login_state(new_state)); static_cast<analyzer::login::Login_Analyzer*>(la)->SetLoginState(analyzer::login::login_state(new_state));
return val_mgr->True(); return zeek::val_mgr->True();
%} %}

10
src/analyzer/protocol/mime/MIME.cc
View file

@ -1323,7 +1323,7 @@ zeek::TableValPtr MIME_Message::ToHeaderTable(MIME_HeaderList& hlist)
for ( unsigned int i = 0; i < hlist.size(); ++i ) for ( unsigned int i = 0; i < hlist.size(); ++i )
{ {
auto index = val_mgr->Count(i + 1); // index starting from 1 auto index = zeek::val_mgr->Count(i + 1); // index starting from 1
MIME_Header* h = hlist[i]; MIME_Header* h = hlist[i];
t->Assign(std::move(index), ToHeaderVal(h)); t->Assign(std::move(index), ToHeaderVal(h));
} }
@ -1382,7 +1382,7 @@ void MIME_Mail::Done()
analyzer->EnqueueConnEvent(mime_content_hash, analyzer->EnqueueConnEvent(mime_content_hash,
analyzer->ConnVal(), analyzer->ConnVal(),
val_mgr->Count(content_hash_length), zeek::val_mgr->Count(content_hash_length),
zeek::make_intrusive<zeek::StringVal>(new zeek::BroString(true, digest, 16)) zeek::make_intrusive<zeek::StringVal>(new zeek::BroString(true, digest, 16))
); );
} }
@ -1422,7 +1422,7 @@ void MIME_Mail::EndEntity(MIME_Entity* /* entity */)
analyzer->EnqueueConnEvent(mime_entity_data, analyzer->EnqueueConnEvent(mime_entity_data,
analyzer->ConnVal(), analyzer->ConnVal(),
val_mgr->Count(s->Len()), zeek::val_mgr->Count(s->Len()),
zeek::make_intrusive<zeek::StringVal>(s) zeek::make_intrusive<zeek::StringVal>(s)
); );
@ -1489,7 +1489,7 @@ void MIME_Mail::SubmitData(int len, const char* buf)
analyzer->EnqueueConnEvent(mime_segment_data, analyzer->EnqueueConnEvent(mime_segment_data,
analyzer->ConnVal(), analyzer->ConnVal(),
val_mgr->Count(data_len), zeek::val_mgr->Count(data_len),
zeek::make_intrusive<zeek::StringVal>(data_len, data) zeek::make_intrusive<zeek::StringVal>(data_len, data)
); );
} }
@ -1536,7 +1536,7 @@ void MIME_Mail::SubmitAllData()
analyzer->EnqueueConnEvent(mime_all_data, analyzer->EnqueueConnEvent(mime_all_data,
analyzer->ConnVal(), analyzer->ConnVal(),
val_mgr->Count(s->Len()), zeek::val_mgr->Count(s->Len()),
zeek::make_intrusive<zeek::StringVal>(s) zeek::make_intrusive<zeek::StringVal>(s)
); );
} }

46
src/analyzer/protocol/modbus/modbus-analyzer.pac
View file

@ -21,7 +21,7 @@
for ( uint i = 0; i < quantity; i++ ) for ( uint i = 0; i < quantity; i++ )
{ {
char currentCoil = (coils[i/8] >> (i % 8)) % 2; char currentCoil = (coils[i/8] >> (i % 8)) % 2;
modbus_coils->Assign(i, val_mgr->Bool(currentCoil)); modbus_coils->Assign(i, zeek::val_mgr->Bool(currentCoil));
} }
return modbus_coils; return modbus_coils;
@ -30,10 +30,10 @@
zeek::RecordValPtr HeaderToVal(ModbusTCP_TransportHeader* header) zeek::RecordValPtr HeaderToVal(ModbusTCP_TransportHeader* header)
{ {
auto modbus_header = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::ModbusHeaders); auto modbus_header = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::ModbusHeaders);
modbus_header->Assign(0, val_mgr->Count(header->tid())); modbus_header->Assign(0, zeek::val_mgr->Count(header->tid()));
modbus_header->Assign(1, val_mgr->Count(header->pid())); modbus_header->Assign(1, zeek::val_mgr->Count(header->pid()));
modbus_header->Assign(2, val_mgr->Count(header->uid())); modbus_header->Assign(2, zeek::val_mgr->Count(header->uid()));
modbus_header->Assign(3, val_mgr->Count(header->fc())); modbus_header->Assign(3, zeek::val_mgr->Count(header->fc()));
return modbus_header; return modbus_header;
} }
@ -213,7 +213,7 @@ refine flow ModbusTCP_Flow += {
for ( unsigned int i=0; i < ${message.registers}->size(); ++i ) for ( unsigned int i=0; i < ${message.registers}->size(); ++i )
{ {
auto r = val_mgr->Count(${message.registers[i]}); auto r = zeek::val_mgr->Count(${message.registers[i]});
t->Assign(i, r); t->Assign(i, r);
} }
@ -257,7 +257,7 @@ refine flow ModbusTCP_Flow += {
for ( unsigned int i=0; i < (${message.registers})->size(); ++i ) for ( unsigned int i=0; i < (${message.registers})->size(); ++i )
{ {
auto r = val_mgr->Count(${message.registers[i]}); auto r = zeek::val_mgr->Count(${message.registers[i]});
t->Assign(i, r); t->Assign(i, r);
} }
@ -401,7 +401,7 @@ refine flow ModbusTCP_Flow += {
for ( unsigned int i = 0; i < (${message.registers}->size()); ++i ) for ( unsigned int i = 0; i < (${message.registers}->size()); ++i )
{ {
auto r = val_mgr->Count(${message.registers[i]}); auto r = zeek::val_mgr->Count(${message.registers[i]});
t->Assign(i, r); t->Assign(i, r);
} }
@ -437,13 +437,13 @@ refine flow ModbusTCP_Flow += {
//auto t = create_vector_of_count(); //auto t = create_vector_of_count();
//for ( unsigned int i = 0; i < (${message.references}->size()); ++i ) //for ( unsigned int i = 0; i < (${message.references}->size()); ++i )
// { // {
// auto r = val_mgr->Count((${message.references[i].ref_type})); // auto r = zeek::val_mgr->Count((${message.references[i].ref_type}));
// t->Assign(i, r); // t->Assign(i, r);
// //
// auto k = val_mgr->Count((${message.references[i].file_num})); // auto k = zeek::val_mgr->Count((${message.references[i].file_num}));
// t->Assign(i, k); // t->Assign(i, k);
// //
// auto l = val_mgr->Count((${message.references[i].record_num})); // auto l = zeek::val_mgr->Count((${message.references[i].record_num}));
// t->Assign(i, l); // t->Assign(i, l);
// } // }
@ -464,7 +464,7 @@ refine flow ModbusTCP_Flow += {
//for ( unsigned int i = 0; i < ${message.references}->size(); ++i ) //for ( unsigned int i = 0; i < ${message.references}->size(); ++i )
// { // {
// //TODO: work the reference type in here somewhere // //TODO: work the reference type in here somewhere
// auto r = val_mgr->Count(${message.references[i].record_data})); // auto r = zeek::val_mgr->Count(${message.references[i].record_data}));
// t->Assign(i, r); // t->Assign(i, r);
// } // }
@ -484,18 +484,18 @@ refine flow ModbusTCP_Flow += {
//auto t = create_vector_of_count(); //auto t = create_vector_of_count();
//for ( unsigned int i = 0; i < (${message.references}->size()); ++i ) //for ( unsigned int i = 0; i < (${message.references}->size()); ++i )
// { // {
// auto r = val_mgr->Count((${message.references[i].ref_type})); // auto r = zeek::val_mgr->Count((${message.references[i].ref_type}));
// t->Assign(i, r); // t->Assign(i, r);
// //
// auto k = val_mgr->Count((${message.references[i].file_num})); // auto k = zeek::val_mgr->Count((${message.references[i].file_num}));
// t->Assign(i, k); // t->Assign(i, k);
// //
// auto n = val_mgr->Count((${message.references[i].record_num})); // auto n = zeek::val_mgr->Count((${message.references[i].record_num}));
// t->Assign(i, n); // t->Assign(i, n);
// //
// for ( unsigned int j = 0; j < (${message.references[i].register_value}->size()); ++j ) // for ( unsigned int j = 0; j < (${message.references[i].register_value}->size()); ++j )
// { // {
// k = val_mgr->Count((${message.references[i].register_value[j]})); // k = zeek::val_mgr->Count((${message.references[i].register_value[j]}));
// t->Assign(i, k); // t->Assign(i, k);
// } // }
// } // }
@ -517,18 +517,18 @@ refine flow ModbusTCP_Flow += {
//auto t = create_vector_of_count(); //auto t = create_vector_of_count();
//for ( unsigned int i = 0; i < (${messages.references}->size()); ++i ) //for ( unsigned int i = 0; i < (${messages.references}->size()); ++i )
// { // {
// auto r = val_mgr->Count((${message.references[i].ref_type})); // auto r = zeek::val_mgr->Count((${message.references[i].ref_type}));
// t->Assign(i, r); // t->Assign(i, r);
// //
// auto f = val_mgr->Count((${message.references[i].file_num})); // auto f = zeek::val_mgr->Count((${message.references[i].file_num}));
// t->Assign(i, f); // t->Assign(i, f);
// //
// auto rn = val_mgr->Count((${message.references[i].record_num})); // auto rn = zeek::val_mgr->Count((${message.references[i].record_num}));
// t->Assign(i, rn); // t->Assign(i, rn);
// //
// for ( unsigned int j = 0; j<(${message.references[i].register_value}->size()); ++j ) // for ( unsigned int j = 0; j<(${message.references[i].register_value}->size()); ++j )
// { // {
// auto k = val_mgr->Count((${message.references[i].register_value[j]})); // auto k = zeek::val_mgr->Count((${message.references[i].register_value[j]}));
// t->Assign(i, k); // t->Assign(i, k);
// } // }
@ -586,7 +586,7 @@ refine flow ModbusTCP_Flow += {
for ( unsigned int i = 0; i < ${message.write_register_values}->size(); ++i ) for ( unsigned int i = 0; i < ${message.write_register_values}->size(); ++i )
{ {
auto r = val_mgr->Count(${message.write_register_values[i]}); auto r = zeek::val_mgr->Count(${message.write_register_values[i]});
t->Assign(i, r); t->Assign(i, r);
} }
@ -618,7 +618,7 @@ refine flow ModbusTCP_Flow += {
for ( unsigned int i = 0; i < ${message.registers}->size(); ++i ) for ( unsigned int i = 0; i < ${message.registers}->size(); ++i )
{ {
auto r = val_mgr->Count(${message.registers[i]}); auto r = zeek::val_mgr->Count(${message.registers[i]});
t->Assign(i, r); t->Assign(i, r);
} }
@ -662,7 +662,7 @@ refine flow ModbusTCP_Flow += {
for ( unsigned int i = 0; i < (${message.register_data})->size(); ++i ) for ( unsigned int i = 0; i < (${message.register_data})->size(); ++i )
{ {
auto r = val_mgr->Count(${message.register_data[i]}); auto r = zeek::val_mgr->Count(${message.register_data[i]});
t->Assign(i, r); t->Assign(i, r);
} }

4
src/analyzer/protocol/mqtt/commands/connack.pac
View file

@ -16,8 +16,8 @@ refine flow MQTT_Flow += {
if ( mqtt_connack ) if ( mqtt_connack )
{ {
auto m = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::MQTT::ConnectAckMsg); auto m = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::MQTT::ConnectAckMsg);
m->Assign(0, val_mgr->Count(${msg.return_code})); m->Assign(0, zeek::val_mgr->Count(${msg.return_code}));
m->Assign(1, val_mgr->Bool(${msg.session_present})); m->Assign(1, zeek::val_mgr->Bool(${msg.session_present}));
zeek::BifEvent::enqueue_mqtt_connack(connection()->bro_analyzer(), zeek::BifEvent::enqueue_mqtt_connack(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
std::move(m)); std::move(m));

8
src/analyzer/protocol/mqtt/commands/connect.pac
View file

@ -47,14 +47,14 @@ refine flow MQTT_Flow += {
auto m = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::MQTT::ConnectMsg); auto m = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::MQTT::ConnectMsg);
m->Assign(0, zeek::make_intrusive<zeek::StringVal>(${msg.protocol_name.str}.length(), m->Assign(0, zeek::make_intrusive<zeek::StringVal>(${msg.protocol_name.str}.length(),
reinterpret_cast<const char*>(${msg.protocol_name.str}.begin()))); reinterpret_cast<const char*>(${msg.protocol_name.str}.begin())));
m->Assign(1, val_mgr->Count(${msg.protocol_version})); m->Assign(1, zeek::val_mgr->Count(${msg.protocol_version}));
m->Assign(2, zeek::make_intrusive<zeek::StringVal>(${msg.client_id.str}.length(), m->Assign(2, zeek::make_intrusive<zeek::StringVal>(${msg.client_id.str}.length(),
reinterpret_cast<const char*>(${msg.client_id.str}.begin()))); reinterpret_cast<const char*>(${msg.client_id.str}.begin())));
m->Assign(3, zeek::make_intrusive<zeek::IntervalVal>(double(${msg.keep_alive}), Seconds)); m->Assign(3, zeek::make_intrusive<zeek::IntervalVal>(double(${msg.keep_alive}), Seconds));
m->Assign(4, val_mgr->Bool(${msg.clean_session})); m->Assign(4, zeek::val_mgr->Bool(${msg.clean_session}));
m->Assign(5, val_mgr->Bool(${msg.will_retain})); m->Assign(5, zeek::val_mgr->Bool(${msg.will_retain}));
m->Assign(6, val_mgr->Count(${msg.will_qos})); m->Assign(6, zeek::val_mgr->Count(${msg.will_qos}));
if ( ${msg.will_flag} ) if ( ${msg.will_flag} )
{ {

8
src/analyzer/protocol/mqtt/commands/publish.pac
View file

@ -24,9 +24,9 @@ refine flow MQTT_Flow += {
if ( mqtt_publish ) if ( mqtt_publish )
{ {
auto m = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::MQTT::PublishMsg); auto m = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::MQTT::PublishMsg);
m->Assign(0, val_mgr->Bool(${msg.dup})); m->Assign(0, zeek::val_mgr->Bool(${msg.dup}));
m->Assign(1, val_mgr->Count(${msg.qos})); m->Assign(1, zeek::val_mgr->Count(${msg.qos}));
m->Assign(2, val_mgr->Bool(${msg.retain})); m->Assign(2, zeek::val_mgr->Bool(${msg.retain}));
m->Assign<zeek::StringVal>(3, ${msg.topic.str}.length(), m->Assign<zeek::StringVal>(3, ${msg.topic.str}.length(),
reinterpret_cast<const char*>(${msg.topic.str}.begin())); reinterpret_cast<const char*>(${msg.topic.str}.begin()));
@ -40,7 +40,7 @@ refine flow MQTT_Flow += {
m->Assign<zeek::StringVal>(4, len, m->Assign<zeek::StringVal>(4, len,
reinterpret_cast<const char*>(${msg.payload}.begin())); reinterpret_cast<const char*>(${msg.payload}.begin()));
m->Assign(5, val_mgr->Count(${msg.payload}.length())); m->Assign(5, zeek::val_mgr->Count(${msg.payload}.length()));
zeek::BifEvent::enqueue_mqtt_publish(connection()->bro_analyzer(), zeek::BifEvent::enqueue_mqtt_publish(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),

2
src/analyzer/protocol/mqtt/commands/subscribe.pac
View file

@ -26,7 +26,7 @@ refine flow MQTT_Flow += {
{ {
auto subscribe_topic = zeek::make_intrusive<zeek::StringVal>(${topic.name.str}.length(), auto subscribe_topic = zeek::make_intrusive<zeek::StringVal>(${topic.name.str}.length(),
reinterpret_cast<const char*>(${topic.name.str}.begin())); reinterpret_cast<const char*>(${topic.name.str}.begin()));
auto qos = val_mgr->Count(${topic.requested_QoS}); auto qos = zeek::val_mgr->Count(${topic.requested_QoS});
topics->Assign(topics->Size(), std::move(subscribe_topic)); topics->Assign(topics->Size(), std::move(subscribe_topic));
qos_levels->Assign(qos_levels->Size(), std::move(qos)); qos_levels->Assign(qos_levels->Size(), std::move(qos));
} }

16
src/analyzer/protocol/ncp/NCP.cc
View file

@ -64,18 +64,18 @@ void NCP_Session::DeliverFrame(const binpac::NCP::ncp_frame* frame)
if ( frame->is_orig() ) if ( frame->is_orig() )
analyzer->EnqueueConnEvent(f, analyzer->EnqueueConnEvent(f,
analyzer->ConnVal(), analyzer->ConnVal(),
val_mgr->Count(frame->frame_type()), zeek::val_mgr->Count(frame->frame_type()),
val_mgr->Count(frame->body_length()), zeek::val_mgr->Count(frame->body_length()),
val_mgr->Count(req_func) zeek::val_mgr->Count(req_func)
); );
else else
analyzer->EnqueueConnEvent(f, analyzer->EnqueueConnEvent(f,
analyzer->ConnVal(), analyzer->ConnVal(),
val_mgr->Count(frame->frame_type()), zeek::val_mgr->Count(frame->frame_type()),
val_mgr->Count(frame->body_length()), zeek::val_mgr->Count(frame->body_length()),
val_mgr->Count(req_frame_type), zeek::val_mgr->Count(req_frame_type),
val_mgr->Count(req_func), zeek::val_mgr->Count(req_func),
val_mgr->Count(frame->reply()->completion_code()) zeek::val_mgr->Count(frame->reply()->completion_code())
); );
} }
} }

8
src/analyzer/protocol/netbios/NetbiosSSN.cc
View file

@ -61,9 +61,9 @@ void NetbiosSSN_Interpreter::ParseMessage(unsigned int type, unsigned int flags,
if ( netbios_session_message ) if ( netbios_session_message )
analyzer->EnqueueConnEvent(netbios_session_message, analyzer->EnqueueConnEvent(netbios_session_message,
analyzer->ConnVal(), analyzer->ConnVal(),
val_mgr->Bool(is_query), zeek::val_mgr->Bool(is_query),
val_mgr->Count(type), zeek::val_mgr->Count(type),
val_mgr->Count(len) zeek::val_mgr->Count(len)
); );
switch ( type ) { switch ( type ) {
@ -323,7 +323,7 @@ void NetbiosSSN_Interpreter::Event(EventHandlerPtr event, const u_char* data,
if ( is_orig >= 0 ) if ( is_orig >= 0 )
analyzer->EnqueueConnEvent(event, analyzer->EnqueueConnEvent(event,
analyzer->ConnVal(), analyzer->ConnVal(),
val_mgr->Bool(is_orig), zeek::val_mgr->Bool(is_orig),
zeek::make_intrusive<zeek::StringVal>(new zeek::BroString(data, len, false))); zeek::make_intrusive<zeek::StringVal>(new zeek::BroString(data, len, false)));
else else
analyzer->EnqueueConnEvent(event, analyzer->EnqueueConnEvent(event,

2
src/analyzer/protocol/netbios/functions.bif
View file

@ -49,5 +49,5 @@ function decode_netbios_name_type%(name: string%): count
%{ %{
const u_char* s = name->Bytes(); const u_char* s = name->Bytes();
char return_val = ((toupper(s[30]) - 'A') << 4) + (toupper(s[31]) - 'A'); char return_val = ((toupper(s[30]) - 'A') << 4) + (toupper(s[31]) - 'A');
return val_mgr->Count(return_val); return zeek::val_mgr->Count(return_val);
%} %}

56
src/analyzer/protocol/ntlm/ntlm-analyzer.pac
View file

@ -20,10 +20,10 @@
zeek::RecordValPtr build_version_record(NTLM_Version* val) zeek::RecordValPtr build_version_record(NTLM_Version* val)
{ {
auto result = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NTLM::Version); auto result = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NTLM::Version);
result->Assign(0, val_mgr->Count(${val.major_version})); result->Assign(0, zeek::val_mgr->Count(${val.major_version}));
result->Assign(1, val_mgr->Count(${val.minor_version})); result->Assign(1, zeek::val_mgr->Count(${val.minor_version}));
result->Assign(2, val_mgr->Count(${val.build_number})); result->Assign(2, zeek::val_mgr->Count(${val.build_number}));
result->Assign(3, val_mgr->Count(${val.ntlm_revision})); result->Assign(3, zeek::val_mgr->Count(${val.ntlm_revision}));
return result; return result;
} }
@ -31,28 +31,28 @@
zeek::RecordValPtr build_negotiate_flag_record(NTLM_Negotiate_Flags* val) zeek::RecordValPtr build_negotiate_flag_record(NTLM_Negotiate_Flags* val)
{ {
auto flags = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NTLM::NegotiateFlags); auto flags = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NTLM::NegotiateFlags);
flags->Assign(0, val_mgr->Bool(${val.negotiate_56})); flags->Assign(0, zeek::val_mgr->Bool(${val.negotiate_56}));
flags->Assign(1, val_mgr->Bool(${val.negotiate_key_exch})); flags->Assign(1, zeek::val_mgr->Bool(${val.negotiate_key_exch}));
flags->Assign(2, val_mgr->Bool(${val.negotiate_128})); flags->Assign(2, zeek::val_mgr->Bool(${val.negotiate_128}));
flags->Assign(3, val_mgr->Bool(${val.negotiate_version})); flags->Assign(3, zeek::val_mgr->Bool(${val.negotiate_version}));
flags->Assign(4, val_mgr->Bool(${val.negotiate_target_info})); flags->Assign(4, zeek::val_mgr->Bool(${val.negotiate_target_info}));
flags->Assign(5, val_mgr->Bool(${val.request_non_nt_session_key})); flags->Assign(5, zeek::val_mgr->Bool(${val.request_non_nt_session_key}));
flags->Assign(6, val_mgr->Bool(${val.negotiate_identify})); flags->Assign(6, zeek::val_mgr->Bool(${val.negotiate_identify}));
flags->Assign(7, val_mgr->Bool(${val.negotiate_extended_sessionsecurity})); flags->Assign(7, zeek::val_mgr->Bool(${val.negotiate_extended_sessionsecurity}));
flags->Assign(8, val_mgr->Bool(${val.target_type_server})); flags->Assign(8, zeek::val_mgr->Bool(${val.target_type_server}));
flags->Assign(9, val_mgr->Bool(${val.target_type_domain})); flags->Assign(9, zeek::val_mgr->Bool(${val.target_type_domain}));
flags->Assign(10, val_mgr->Bool(${val.negotiate_always_sign})); flags->Assign(10, zeek::val_mgr->Bool(${val.negotiate_always_sign}));
flags->Assign(11, val_mgr->Bool(${val.negotiate_oem_workstation_supplied})); flags->Assign(11, zeek::val_mgr->Bool(${val.negotiate_oem_workstation_supplied}));
flags->Assign(12, val_mgr->Bool(${val.negotiate_oem_domain_supplied})); flags->Assign(12, zeek::val_mgr->Bool(${val.negotiate_oem_domain_supplied}));
flags->Assign(13, val_mgr->Bool(${val.negotiate_anonymous_connection})); flags->Assign(13, zeek::val_mgr->Bool(${val.negotiate_anonymous_connection}));
flags->Assign(14, val_mgr->Bool(${val.negotiate_ntlm})); flags->Assign(14, zeek::val_mgr->Bool(${val.negotiate_ntlm}));
flags->Assign(15, val_mgr->Bool(${val.negotiate_lm_key})); flags->Assign(15, zeek::val_mgr->Bool(${val.negotiate_lm_key}));
flags->Assign(16, val_mgr->Bool(${val.negotiate_datagram})); flags->Assign(16, zeek::val_mgr->Bool(${val.negotiate_datagram}));
flags->Assign(17, val_mgr->Bool(${val.negotiate_seal})); flags->Assign(17, zeek::val_mgr->Bool(${val.negotiate_seal}));
flags->Assign(18, val_mgr->Bool(${val.negotiate_sign})); flags->Assign(18, zeek::val_mgr->Bool(${val.negotiate_sign}));
flags->Assign(19, val_mgr->Bool(${val.request_target})); flags->Assign(19, zeek::val_mgr->Bool(${val.request_target}));
flags->Assign(20, val_mgr->Bool(${val.negotiate_oem})); flags->Assign(20, zeek::val_mgr->Bool(${val.negotiate_oem}));
flags->Assign(21, val_mgr->Bool(${val.negotiate_unicode})); flags->Assign(21, zeek::val_mgr->Bool(${val.negotiate_unicode}));
return flags; return flags;
} }
@ -96,13 +96,13 @@ refine connection NTLM_Conn += {
result->Assign(4, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].dns_tree_name.data})); result->Assign(4, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].dns_tree_name.data}));
break; break;
case 6: case 6:
result->Assign(5, val_mgr->Bool(${val.pairs[i].constrained_auth})); result->Assign(5, zeek::val_mgr->Bool(${val.pairs[i].constrained_auth}));
break; break;
case 7: case 7:
result->Assign(6, filetime2brotime(${val.pairs[i].timestamp})); result->Assign(6, filetime2brotime(${val.pairs[i].timestamp}));
break; break;
case 8: case 8:
result->Assign(7, val_mgr->Count(${val.pairs[i].single_host.machine_id})); result->Assign(7, zeek::val_mgr->Count(${val.pairs[i].single_host.machine_id}));
break; break;
case 9: case 9:
result->Assign(8, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].target_name.data})); result->Assign(8, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].target_name.data}));

38
src/analyzer/protocol/ntp/ntp-analyzer.pac
View file

@ -36,7 +36,7 @@
{ {
auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NTP::StandardMessage); auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NTP::StandardMessage);
rv->Assign(0, val_mgr->Count(${nsm.stratum})); rv->Assign(0, zeek::val_mgr->Count(${nsm.stratum}));
rv->Assign(1, zeek::make_intrusive<zeek::IntervalVal>(pow(2, ${nsm.poll}))); rv->Assign(1, zeek::make_intrusive<zeek::IntervalVal>(pow(2, ${nsm.poll})));
rv->Assign(2, zeek::make_intrusive<zeek::IntervalVal>(pow(2, ${nsm.precision}))); rv->Assign(2, zeek::make_intrusive<zeek::IntervalVal>(pow(2, ${nsm.precision})));
rv->Assign(3, proc_ntp_short(${nsm.root_delay})); rv->Assign(3, proc_ntp_short(${nsm.root_delay}));
@ -66,19 +66,19 @@
if ( ${nsm.mac_len} == 20 ) if ( ${nsm.mac_len} == 20 )
{ {
rv->Assign(12, val_mgr->Count(${nsm.mac.key_id})); rv->Assign(12, zeek::val_mgr->Count(${nsm.mac.key_id}));
rv->Assign(13, to_stringval(${nsm.mac.digest})); rv->Assign(13, to_stringval(${nsm.mac.digest}));
} }
else if ( ${nsm.mac_len} == 24 ) else if ( ${nsm.mac_len} == 24 )
{ {
rv->Assign(12, val_mgr->Count(${nsm.mac_ext.key_id})); rv->Assign(12, zeek::val_mgr->Count(${nsm.mac_ext.key_id}));
rv->Assign(13, to_stringval(${nsm.mac_ext.digest})); rv->Assign(13, to_stringval(${nsm.mac_ext.digest}));
} }
if ( ${nsm.has_exts} ) if ( ${nsm.has_exts} )
{ {
// TODO: add extension fields // TODO: add extension fields
rv->Assign(14, val_mgr->Count((uint32) ${nsm.exts}->size())); rv->Assign(14, zeek::val_mgr->Count((uint32) ${nsm.exts}->size()));
} }
return rv; return rv;
@ -89,20 +89,20 @@
{ {
auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NTP::ControlMessage); auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NTP::ControlMessage);
rv->Assign(0, val_mgr->Count(${ncm.OpCode})); rv->Assign(0, zeek::val_mgr->Count(${ncm.OpCode}));
rv->Assign(1, val_mgr->Bool(${ncm.R})); rv->Assign(1, zeek::val_mgr->Bool(${ncm.R}));
rv->Assign(2, val_mgr->Bool(${ncm.E})); rv->Assign(2, zeek::val_mgr->Bool(${ncm.E}));
rv->Assign(3, val_mgr->Bool(${ncm.M})); rv->Assign(3, zeek::val_mgr->Bool(${ncm.M}));
rv->Assign(4, val_mgr->Count(${ncm.sequence})); rv->Assign(4, zeek::val_mgr->Count(${ncm.sequence}));
rv->Assign(5, val_mgr->Count(${ncm.status})); rv->Assign(5, zeek::val_mgr->Count(${ncm.status}));
rv->Assign(6, val_mgr->Count(${ncm.association_id})); rv->Assign(6, zeek::val_mgr->Count(${ncm.association_id}));
if ( ${ncm.c} > 0 ) if ( ${ncm.c} > 0 )
rv->Assign(7, to_stringval(${ncm.data})); rv->Assign(7, to_stringval(${ncm.data}));
if ( ${ncm.has_control_mac} ) if ( ${ncm.has_control_mac} )
{ {
rv->Assign(8, val_mgr->Count(${ncm.mac.key_id})); rv->Assign(8, zeek::val_mgr->Count(${ncm.mac.key_id}));
rv->Assign(9, to_stringval(${ncm.mac.crypto_checksum})); rv->Assign(9, to_stringval(${ncm.mac.crypto_checksum}));
} }
@ -114,11 +114,11 @@
{ {
auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NTP::Mode7Message); auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NTP::Mode7Message);
rv->Assign(0, val_mgr->Count(${m7.request_code})); rv->Assign(0, zeek::val_mgr->Count(${m7.request_code}));
rv->Assign(1, val_mgr->Bool(${m7.auth_bit})); rv->Assign(1, zeek::val_mgr->Bool(${m7.auth_bit}));
rv->Assign(2, val_mgr->Count(${m7.sequence})); rv->Assign(2, zeek::val_mgr->Count(${m7.sequence}));
rv->Assign(3, val_mgr->Count(${m7.implementation})); rv->Assign(3, zeek::val_mgr->Count(${m7.implementation}));
rv->Assign(4, val_mgr->Count(${m7.error_code})); rv->Assign(4, zeek::val_mgr->Count(${m7.error_code}));
if ( ${m7.data_len} > 0 ) if ( ${m7.data_len} > 0 )
rv->Assign(5, to_stringval(${m7.data})); rv->Assign(5, to_stringval(${m7.data}));
@ -139,8 +139,8 @@ refine flow NTP_Flow += {
return false; return false;
auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NTP::Message); auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NTP::Message);
rv->Assign(0, val_mgr->Count(${msg.version})); rv->Assign(0, zeek::val_mgr->Count(${msg.version}));
rv->Assign(1, val_mgr->Count(${msg.mode})); rv->Assign(1, zeek::val_mgr->Count(${msg.mode}));
// The standard record // The standard record
if ( ${msg.mode} >=1 && ${msg.mode} <= 5 ) if ( ${msg.mode} >=1 && ${msg.mode} <= 5 )

2
src/analyzer/protocol/pop3/POP3.cc
View file

@ -920,7 +920,7 @@ void POP3_Analyzer::POP3Event(EventHandlerPtr event, bool is_orig,
vl.reserve(2 + (bool)arg1 + (bool)arg2); vl.reserve(2 + (bool)arg1 + (bool)arg2);
vl.emplace_back(ConnVal()); vl.emplace_back(ConnVal());
vl.emplace_back(val_mgr->Bool(is_orig)); vl.emplace_back(zeek::val_mgr->Bool(is_orig));
if ( arg1 ) if ( arg1 )
vl.emplace_back(zeek::make_intrusive<zeek::StringVal>(arg1)); vl.emplace_back(zeek::make_intrusive<zeek::StringVal>(arg1));

6
src/analyzer/protocol/radius/radius-analyzer.pac
View file

@ -8,8 +8,8 @@ refine flow RADIUS_Flow += {
return false; return false;
auto result = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::RADIUS::Message); auto result = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::RADIUS::Message);
result->Assign(0, val_mgr->Count(${msg.code})); result->Assign(0, zeek::val_mgr->Count(${msg.code}));
result->Assign(1, val_mgr->Count(${msg.trans_id})); result->Assign(1, zeek::val_mgr->Count(${msg.trans_id}));
result->Assign(2, to_stringval(${msg.authenticator})); result->Assign(2, to_stringval(${msg.authenticator}));
if ( ${msg.attributes}->size() ) if ( ${msg.attributes}->size() )
@ -18,7 +18,7 @@ refine flow RADIUS_Flow += {
for ( uint i = 0; i < ${msg.attributes}->size(); ++i ) for ( uint i = 0; i < ${msg.attributes}->size(); ++i )
{ {
auto index = val_mgr->Count(${msg.attributes[i].code}); auto index = zeek::val_mgr->Count(${msg.attributes[i].code});
// Do we already have a vector of attributes for this type? // Do we already have a vector of attributes for this type?
auto current = attributes->FindOrDefault(index); auto current = attributes->FindOrDefault(index);

90
src/analyzer/protocol/rdp/rdp-analyzer.pac
View file

@ -65,35 +65,35 @@ refine flow RDP_Flow += {
if ( rdp_client_core_data ) if ( rdp_client_core_data )
{ {
auto ec_flags = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::RDP::EarlyCapabilityFlags); auto ec_flags = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::RDP::EarlyCapabilityFlags);
ec_flags->Assign(0, val_mgr->Bool(${ccore.SUPPORT_ERRINFO_PDU})); ec_flags->Assign(0, zeek::val_mgr->Bool(${ccore.SUPPORT_ERRINFO_PDU}));
ec_flags->Assign(1, val_mgr->Bool(${ccore.WANT_32BPP_SESSION})); ec_flags->Assign(1, zeek::val_mgr->Bool(${ccore.WANT_32BPP_SESSION}));
ec_flags->Assign(2, val_mgr->Bool(${ccore.SUPPORT_STATUSINFO_PDU})); ec_flags->Assign(2, zeek::val_mgr->Bool(${ccore.SUPPORT_STATUSINFO_PDU}));
ec_flags->Assign(3, val_mgr->Bool(${ccore.STRONG_ASYMMETRIC_KEYS})); ec_flags->Assign(3, zeek::val_mgr->Bool(${ccore.STRONG_ASYMMETRIC_KEYS}));
ec_flags->Assign(4, val_mgr->Bool(${ccore.SUPPORT_MONITOR_LAYOUT_PDU})); ec_flags->Assign(4, zeek::val_mgr->Bool(${ccore.SUPPORT_MONITOR_LAYOUT_PDU}));
ec_flags->Assign(5, val_mgr->Bool(${ccore.SUPPORT_NETCHAR_AUTODETECT})); ec_flags->Assign(5, zeek::val_mgr->Bool(${ccore.SUPPORT_NETCHAR_AUTODETECT}));
ec_flags->Assign(6, val_mgr->Bool(${ccore.SUPPORT_DYNVC_GFX_PROTOCOL})); ec_flags->Assign(6, zeek::val_mgr->Bool(${ccore.SUPPORT_DYNVC_GFX_PROTOCOL}));
ec_flags->Assign(7, val_mgr->Bool(${ccore.SUPPORT_DYNAMIC_TIME_ZONE})); ec_flags->Assign(7, zeek::val_mgr->Bool(${ccore.SUPPORT_DYNAMIC_TIME_ZONE}));
ec_flags->Assign(8, val_mgr->Bool(${ccore.SUPPORT_HEARTBEAT_PDU})); ec_flags->Assign(8, zeek::val_mgr->Bool(${ccore.SUPPORT_HEARTBEAT_PDU}));
auto ccd = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::RDP::ClientCoreData); auto ccd = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::RDP::ClientCoreData);
ccd->Assign(0, val_mgr->Count(${ccore.version_major})); ccd->Assign(0, zeek::val_mgr->Count(${ccore.version_major}));
ccd->Assign(1, val_mgr->Count(${ccore.version_minor})); ccd->Assign(1, zeek::val_mgr->Count(${ccore.version_minor}));
ccd->Assign(2, val_mgr->Count(${ccore.desktop_width})); ccd->Assign(2, zeek::val_mgr->Count(${ccore.desktop_width}));
ccd->Assign(3, val_mgr->Count(${ccore.desktop_height})); ccd->Assign(3, zeek::val_mgr->Count(${ccore.desktop_height}));
ccd->Assign(4, val_mgr->Count(${ccore.color_depth})); ccd->Assign(4, zeek::val_mgr->Count(${ccore.color_depth}));
ccd->Assign(5, val_mgr->Count(${ccore.sas_sequence})); ccd->Assign(5, zeek::val_mgr->Count(${ccore.sas_sequence}));
ccd->Assign(6, val_mgr->Count(${ccore.keyboard_layout})); ccd->Assign(6, zeek::val_mgr->Count(${ccore.keyboard_layout}));
ccd->Assign(7, val_mgr->Count(${ccore.client_build})); ccd->Assign(7, zeek::val_mgr->Count(${ccore.client_build}));
ccd->Assign(8, utf16_to_utf8_val(connection()->bro_analyzer()->Conn(), ${ccore.client_name})); ccd->Assign(8, utf16_to_utf8_val(connection()->bro_analyzer()->Conn(), ${ccore.client_name}));
ccd->Assign(9, val_mgr->Count(${ccore.keyboard_type})); ccd->Assign(9, zeek::val_mgr->Count(${ccore.keyboard_type}));
ccd->Assign(10, val_mgr->Count(${ccore.keyboard_sub})); ccd->Assign(10, zeek::val_mgr->Count(${ccore.keyboard_sub}));
ccd->Assign(11, val_mgr->Count(${ccore.keyboard_function_key})); ccd->Assign(11, zeek::val_mgr->Count(${ccore.keyboard_function_key}));
ccd->Assign(12, utf16_to_utf8_val(connection()->bro_analyzer()->Conn(), ${ccore.ime_file_name})); ccd->Assign(12, utf16_to_utf8_val(connection()->bro_analyzer()->Conn(), ${ccore.ime_file_name}));
ccd->Assign(13, val_mgr->Count(${ccore.post_beta2_color_depth})); ccd->Assign(13, zeek::val_mgr->Count(${ccore.post_beta2_color_depth}));
ccd->Assign(14, val_mgr->Count(${ccore.client_product_id})); ccd->Assign(14, zeek::val_mgr->Count(${ccore.client_product_id}));
ccd->Assign(15, val_mgr->Count(${ccore.serial_number})); ccd->Assign(15, zeek::val_mgr->Count(${ccore.serial_number}));
ccd->Assign(16, val_mgr->Count(${ccore.high_color_depth})); ccd->Assign(16, zeek::val_mgr->Count(${ccore.high_color_depth}));
ccd->Assign(17, val_mgr->Count(${ccore.supported_color_depths})); ccd->Assign(17, zeek::val_mgr->Count(${ccore.supported_color_depths}));
ccd->Assign(18, std::move(ec_flags)); ccd->Assign(18, std::move(ec_flags));
ccd->Assign(19, utf16_to_utf8_val(connection()->bro_analyzer()->Conn(), ${ccore.dig_product_id})); ccd->Assign(19, utf16_to_utf8_val(connection()->bro_analyzer()->Conn(), ${ccore.dig_product_id}));
@ -111,8 +111,8 @@ refine flow RDP_Flow += {
return false; return false;
auto csd = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::RDP::ClientSecurityData); auto csd = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::RDP::ClientSecurityData);
csd->Assign(0, val_mgr->Count(${csec.encryption_methods})); csd->Assign(0, zeek::val_mgr->Count(${csec.encryption_methods}));
csd->Assign(1, val_mgr->Count(${csec.ext_encryption_methods})); csd->Assign(1, zeek::val_mgr->Count(${csec.ext_encryption_methods}));
zeek::BifEvent::enqueue_rdp_client_security_data(connection()->bro_analyzer(), zeek::BifEvent::enqueue_rdp_client_security_data(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
@ -134,19 +134,19 @@ refine flow RDP_Flow += {
auto channel_def = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::RDP::ClientChannelDef); auto channel_def = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::RDP::ClientChannelDef);
channel_def->Assign(0, to_stringval(${cnetwork.channel_def_array[i].name})); channel_def->Assign(0, to_stringval(${cnetwork.channel_def_array[i].name}));
channel_def->Assign(1, val_mgr->Count(${cnetwork.channel_def_array[i].options})); channel_def->Assign(1, zeek::val_mgr->Count(${cnetwork.channel_def_array[i].options}));
channel_def->Assign(2, val_mgr->Bool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_INITIALIZED})); channel_def->Assign(2, zeek::val_mgr->Bool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_INITIALIZED}));
channel_def->Assign(3, val_mgr->Bool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_ENCRYPT_RDP})); channel_def->Assign(3, zeek::val_mgr->Bool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_ENCRYPT_RDP}));
channel_def->Assign(4, val_mgr->Bool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_ENCRYPT_SC})); channel_def->Assign(4, zeek::val_mgr->Bool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_ENCRYPT_SC}));
channel_def->Assign(5, val_mgr->Bool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_ENCRYPT_CS})); channel_def->Assign(5, zeek::val_mgr->Bool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_ENCRYPT_CS}));
channel_def->Assign(6, val_mgr->Bool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_PRI_HIGH})); channel_def->Assign(6, zeek::val_mgr->Bool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_PRI_HIGH}));
channel_def->Assign(7, val_mgr->Bool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_PRI_MED})); channel_def->Assign(7, zeek::val_mgr->Bool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_PRI_MED}));
channel_def->Assign(8, val_mgr->Bool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_PRI_LOW})); channel_def->Assign(8, zeek::val_mgr->Bool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_PRI_LOW}));
channel_def->Assign(9, val_mgr->Bool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_COMPRESS_RDP})); channel_def->Assign(9, zeek::val_mgr->Bool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_COMPRESS_RDP}));
channel_def->Assign(10, val_mgr->Bool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_COMPRESS})); channel_def->Assign(10, zeek::val_mgr->Bool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_COMPRESS}));
channel_def->Assign(11, val_mgr->Bool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_SHOW_PROTOCOL})); channel_def->Assign(11, zeek::val_mgr->Bool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_SHOW_PROTOCOL}));
channel_def->Assign(12, val_mgr->Bool(${cnetwork.channel_def_array[i].REMOTE_CONTROL_PERSISTENT})); channel_def->Assign(12, zeek::val_mgr->Bool(${cnetwork.channel_def_array[i].REMOTE_CONTROL_PERSISTENT}));
channels->Assign(channels->Size(), std::move(channel_def)); channels->Assign(channels->Size(), std::move(channel_def));
} }
@ -165,12 +165,12 @@ refine flow RDP_Flow += {
return false; return false;
auto ccld = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::RDP::ClientClusterData); auto ccld = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::RDP::ClientClusterData);
ccld->Assign(0, val_mgr->Count(${ccluster.flags})); ccld->Assign(0, zeek::val_mgr->Count(${ccluster.flags}));
ccld->Assign(1, val_mgr->Count(${ccluster.redir_session_id})); ccld->Assign(1, zeek::val_mgr->Count(${ccluster.redir_session_id}));
ccld->Assign(2, val_mgr->Bool(${ccluster.REDIRECTION_SUPPORTED})); ccld->Assign(2, zeek::val_mgr->Bool(${ccluster.REDIRECTION_SUPPORTED}));
ccld->Assign(3, val_mgr->Count(${ccluster.SERVER_SESSION_REDIRECTION_VERSION_MASK})); ccld->Assign(3, zeek::val_mgr->Count(${ccluster.SERVER_SESSION_REDIRECTION_VERSION_MASK}));
ccld->Assign(4, val_mgr->Bool(${ccluster.REDIRECTED_SESSIONID_FIELD_VALID})); ccld->Assign(4, zeek::val_mgr->Bool(${ccluster.REDIRECTED_SESSIONID_FIELD_VALID}));
ccld->Assign(5, val_mgr->Bool(${ccluster.REDIRECTED_SMARTCARD})); ccld->Assign(5, zeek::val_mgr->Bool(${ccluster.REDIRECTED_SMARTCARD}));
zeek::BifEvent::enqueue_rdp_client_cluster_data(connection()->bro_analyzer(), zeek::BifEvent::enqueue_rdp_client_cluster_data(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),

12
src/analyzer/protocol/rpc/MOUNT.cc
View file

@ -181,7 +181,7 @@ zeek::Args MOUNT_Interp::event_common_vl(RPC_CallInfo *c,
for (size_t i = 0; i < c->AuxGIDs().size(); ++i) for (size_t i = 0; i < c->AuxGIDs().size(); ++i)
{ {
auxgids->Assign(i, val_mgr->Count(c->AuxGIDs()[i])); auxgids->Assign(i, zeek::val_mgr->Count(c->AuxGIDs()[i]));
} }
auto info = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::MOUNT3::info_t); auto info = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::MOUNT3::info_t);
@ -189,13 +189,13 @@ zeek::Args MOUNT_Interp::event_common_vl(RPC_CallInfo *c,
info->Assign(1, zeek::BifType::Enum::MOUNT3::status_t->GetVal(mount_status)); info->Assign(1, zeek::BifType::Enum::MOUNT3::status_t->GetVal(mount_status));
info->Assign(2, zeek::make_intrusive<zeek::TimeVal>(c->StartTime())); info->Assign(2, zeek::make_intrusive<zeek::TimeVal>(c->StartTime()));
info->Assign(3, zeek::make_intrusive<zeek::IntervalVal>(c->LastTime() - c->StartTime())); info->Assign(3, zeek::make_intrusive<zeek::IntervalVal>(c->LastTime() - c->StartTime()));
info->Assign(4, val_mgr->Count(c->RPCLen())); info->Assign(4, zeek::val_mgr->Count(c->RPCLen()));
info->Assign(5, zeek::make_intrusive<zeek::TimeVal>(rep_start_time)); info->Assign(5, zeek::make_intrusive<zeek::TimeVal>(rep_start_time));
info->Assign(6, zeek::make_intrusive<zeek::IntervalVal>(rep_last_time - rep_start_time)); info->Assign(6, zeek::make_intrusive<zeek::IntervalVal>(rep_last_time - rep_start_time));
info->Assign(7, val_mgr->Count(reply_len)); info->Assign(7, zeek::val_mgr->Count(reply_len));
info->Assign(8, val_mgr->Count(c->Uid())); info->Assign(8, zeek::val_mgr->Count(c->Uid()));
info->Assign(9, val_mgr->Count(c->Gid())); info->Assign(9, zeek::val_mgr->Count(c->Gid()));
info->Assign(10, val_mgr->Count(c->Stamp())); info->Assign(10, zeek::val_mgr->Count(c->Stamp()));
info->Assign(11, zeek::make_intrusive<zeek::StringVal>(c->MachineName())); info->Assign(11, zeek::make_intrusive<zeek::StringVal>(c->MachineName()));
info->Assign(12, std::move(auxgids)); info->Assign(12, std::move(auxgids));

28
src/analyzer/protocol/rpc/NFS.cc
View file

@ -315,20 +315,20 @@ zeek::Args NFS_Interp::event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_
auto auxgids = zeek::make_intrusive<zeek::VectorVal>(zeek::id::index_vec); auto auxgids = zeek::make_intrusive<zeek::VectorVal>(zeek::id::index_vec);
for ( size_t i = 0; i < c->AuxGIDs().size(); ++i ) for ( size_t i = 0; i < c->AuxGIDs().size(); ++i )
auxgids->Assign(i, val_mgr->Count(c->AuxGIDs()[i])); auxgids->Assign(i, zeek::val_mgr->Count(c->AuxGIDs()[i]));
auto info = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NFS3::info_t); auto info = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NFS3::info_t);
info->Assign(0, zeek::BifType::Enum::rpc_status->GetVal(rpc_status)); info->Assign(0, zeek::BifType::Enum::rpc_status->GetVal(rpc_status));
info->Assign(1, zeek::BifType::Enum::NFS3::status_t->GetVal(nfs_status)); info->Assign(1, zeek::BifType::Enum::NFS3::status_t->GetVal(nfs_status));
info->Assign(2, zeek::make_intrusive<zeek::TimeVal>(c->StartTime())); info->Assign(2, zeek::make_intrusive<zeek::TimeVal>(c->StartTime()));
info->Assign(3, zeek::make_intrusive<zeek::IntervalVal>(c->LastTime()-c->StartTime())); info->Assign(3, zeek::make_intrusive<zeek::IntervalVal>(c->LastTime()-c->StartTime()));
info->Assign(4, val_mgr->Count(c->RPCLen())); info->Assign(4, zeek::val_mgr->Count(c->RPCLen()));
info->Assign(5, zeek::make_intrusive<zeek::TimeVal>(rep_start_time)); info->Assign(5, zeek::make_intrusive<zeek::TimeVal>(rep_start_time));
info->Assign(6, zeek::make_intrusive<zeek::IntervalVal>(rep_last_time-rep_start_time)); info->Assign(6, zeek::make_intrusive<zeek::IntervalVal>(rep_last_time-rep_start_time));
info->Assign(7, val_mgr->Count(reply_len)); info->Assign(7, zeek::val_mgr->Count(reply_len));
info->Assign(8, val_mgr->Count(c->Uid())); info->Assign(8, zeek::val_mgr->Count(c->Uid()));
info->Assign(9, val_mgr->Count(c->Gid())); info->Assign(9, zeek::val_mgr->Count(c->Gid()));
info->Assign(10, val_mgr->Count(c->Stamp())); info->Assign(10, zeek::val_mgr->Count(c->Stamp()));
info->Assign(11, zeek::make_intrusive<zeek::StringVal>(c->MachineName())); info->Assign(11, zeek::make_intrusive<zeek::StringVal>(c->MachineName()));
info->Assign(12, std::move(auxgids)); info->Assign(12, std::move(auxgids));
@ -564,7 +564,7 @@ zeek::RecordValPtr NFS_Interp::nfs3_read_reply(const u_char*& buf, int& n, BifEn
rep->Assign(0, nfs3_post_op_attr(buf, n)); rep->Assign(0, nfs3_post_op_attr(buf, n));
bytes_read = extract_XDR_uint32(buf, n); bytes_read = extract_XDR_uint32(buf, n);
rep->Assign(1, val_mgr->Count(bytes_read)); rep->Assign(1, zeek::val_mgr->Count(bytes_read));
rep->Assign(2, ExtractBool(buf, n)); rep->Assign(2, ExtractBool(buf, n));
rep->Assign(3, nfs3_file_data(buf, n, offset, bytes_read)); rep->Assign(3, nfs3_file_data(buf, n, offset, bytes_read));
} }
@ -647,9 +647,9 @@ zeek::RecordValPtr NFS_Interp::nfs3_writeargs(const u_char*& buf, int& n)
writeargs->Assign(0, nfs3_fh(buf, n)); writeargs->Assign(0, nfs3_fh(buf, n));
offset = extract_XDR_uint64(buf, n); offset = extract_XDR_uint64(buf, n);
writeargs->Assign(1, val_mgr->Count(offset)); // offset writeargs->Assign(1, zeek::val_mgr->Count(offset)); // offset
bytes = extract_XDR_uint32(buf, n); bytes = extract_XDR_uint32(buf, n);
writeargs->Assign(2, val_mgr->Count(bytes)); // size writeargs->Assign(2, zeek::val_mgr->Count(bytes)); // size
writeargs->Assign(3, nfs3_stable_how(buf, n)); writeargs->Assign(3, nfs3_stable_how(buf, n));
writeargs->Assign(4, nfs3_file_data(buf, n, offset, bytes)); writeargs->Assign(4, nfs3_file_data(buf, n, offset, bytes));
@ -734,7 +734,7 @@ zeek::RecordValPtr NFS_Interp::nfs3_readdirargs(bool isplus, const u_char*& buf,
{ {
auto args = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NFS3::readdirargs_t); auto args = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NFS3::readdirargs_t);
args->Assign(0, val_mgr->Bool(isplus)); args->Assign(0, zeek::val_mgr->Bool(isplus));
args->Assign(1, nfs3_fh(buf, n)); args->Assign(1, nfs3_fh(buf, n));
args->Assign(2, ExtractUint64(buf,n)); // cookie args->Assign(2, ExtractUint64(buf,n)); // cookie
args->Assign(3, ExtractUint64(buf,n)); // cookieverf args->Assign(3, ExtractUint64(buf,n)); // cookieverf
@ -751,7 +751,7 @@ zeek::RecordValPtr NFS_Interp::nfs3_readdir_reply(bool isplus, const u_char*& bu
{ {
auto rep = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NFS3::readdir_reply_t); auto rep = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NFS3::readdir_reply_t);
rep->Assign(0, val_mgr->Bool(isplus)); rep->Assign(0, zeek::val_mgr->Bool(isplus));
if ( status == BifEnum::NFS3::NFS3ERR_OK ) if ( status == BifEnum::NFS3::NFS3ERR_OK )
{ {
@ -793,12 +793,12 @@ zeek::RecordValPtr NFS_Interp::nfs3_readdir_reply(bool isplus, const u_char*& bu
zeek::ValPtr NFS_Interp::ExtractUint32(const u_char*& buf, int& n) zeek::ValPtr NFS_Interp::ExtractUint32(const u_char*& buf, int& n)
{ {
return val_mgr->Count(extract_XDR_uint32(buf, n)); return zeek::val_mgr->Count(extract_XDR_uint32(buf, n));
} }
zeek::ValPtr NFS_Interp::ExtractUint64(const u_char*& buf, int& n) zeek::ValPtr NFS_Interp::ExtractUint64(const u_char*& buf, int& n)
{ {
return val_mgr->Count(extract_XDR_uint64(buf, n)); return zeek::val_mgr->Count(extract_XDR_uint64(buf, n));
} }
zeek::ValPtr NFS_Interp::ExtractTime(const u_char*& buf, int& n) zeek::ValPtr NFS_Interp::ExtractTime(const u_char*& buf, int& n)
@ -813,7 +813,7 @@ zeek::ValPtr NFS_Interp::ExtractInterval(const u_char*& buf, int& n)
zeek::ValPtr NFS_Interp::ExtractBool(const u_char*& buf, int& n) zeek::ValPtr NFS_Interp::ExtractBool(const u_char*& buf, int& n)
{ {
return val_mgr->Bool(extract_XDR_uint32(buf, n)); return zeek::val_mgr->Bool(extract_XDR_uint32(buf, n));
} }

32
src/analyzer/protocol/rpc/Portmap.cc
View file

@ -94,7 +94,7 @@ bool PortmapperInterp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status statu
if ( ! buf ) if ( ! buf )
return false; return false;
reply = val_mgr->Bool(status); reply = zeek::val_mgr->Bool(status);
event = pm_request_set; event = pm_request_set;
} }
else else
@ -109,7 +109,7 @@ bool PortmapperInterp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status statu
if ( ! buf ) if ( ! buf )
return false; return false;
reply = val_mgr->Bool(status); reply = zeek::val_mgr->Bool(status);
event = pm_request_unset; event = pm_request_unset;
} }
else else
@ -126,7 +126,7 @@ bool PortmapperInterp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status statu
zeek::RecordVal* rv = c->RequestVal()->AsRecordVal(); zeek::RecordVal* rv = c->RequestVal()->AsRecordVal();
const auto& is_tcp = rv->GetField(2); const auto& is_tcp = rv->GetField(2);
reply = val_mgr->Port(CheckPort(port), is_tcp->IsOne() ? reply = zeek::val_mgr->Port(CheckPort(port), is_tcp->IsOne() ?
TRANSPORT_TCP : TRANSPORT_UDP); TRANSPORT_TCP : TRANSPORT_UDP);
event = pm_request_getport; event = pm_request_getport;
} }
@ -150,7 +150,7 @@ bool PortmapperInterp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status statu
if ( ! m ) if ( ! m )
break; break;
auto index = val_mgr->Count(++nmap); auto index = zeek::val_mgr->Count(++nmap);
mappings->Assign(std::move(index), std::move(m)); mappings->Assign(std::move(index), std::move(m));
} }
@ -174,7 +174,7 @@ bool PortmapperInterp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status statu
if ( ! opaque_reply ) if ( ! opaque_reply )
return false; return false;
reply = val_mgr->Port(CheckPort(port), TRANSPORT_UDP); reply = zeek::val_mgr->Port(CheckPort(port), TRANSPORT_UDP);
event = pm_request_callit; event = pm_request_callit;
} }
else else
@ -194,12 +194,12 @@ zeek::ValPtr PortmapperInterp::ExtractMapping(const u_char*& buf, int& len)
static auto pm_mapping = zeek::id::find_type<zeek::RecordType>("pm_mapping"); static auto pm_mapping = zeek::id::find_type<zeek::RecordType>("pm_mapping");
auto mapping = zeek::make_intrusive<zeek::RecordVal>(pm_mapping); auto mapping = zeek::make_intrusive<zeek::RecordVal>(pm_mapping);
mapping->Assign(0, val_mgr->Count(extract_XDR_uint32(buf, len))); mapping->Assign(0, zeek::val_mgr->Count(extract_XDR_uint32(buf, len)));
mapping->Assign(1, val_mgr->Count(extract_XDR_uint32(buf, len))); mapping->Assign(1, zeek::val_mgr->Count(extract_XDR_uint32(buf, len)));
bool is_tcp = extract_XDR_uint32(buf, len) == IPPROTO_TCP; bool is_tcp = extract_XDR_uint32(buf, len) == IPPROTO_TCP;
uint32_t port = extract_XDR_uint32(buf, len); uint32_t port = extract_XDR_uint32(buf, len);
mapping->Assign(2, val_mgr->Port(CheckPort(port), is_tcp ? TRANSPORT_TCP : TRANSPORT_UDP)); mapping->Assign(2, zeek::val_mgr->Port(CheckPort(port), is_tcp ? TRANSPORT_TCP : TRANSPORT_UDP));
if ( ! buf ) if ( ! buf )
return nullptr; return nullptr;
@ -212,11 +212,11 @@ zeek::ValPtr PortmapperInterp::ExtractPortRequest(const u_char*& buf, int& len)
static auto pm_port_request = zeek::id::find_type<zeek::RecordType>("pm_port_request"); static auto pm_port_request = zeek::id::find_type<zeek::RecordType>("pm_port_request");
auto pr = zeek::make_intrusive<zeek::RecordVal>(pm_port_request); auto pr = zeek::make_intrusive<zeek::RecordVal>(pm_port_request);
pr->Assign(0, val_mgr->Count(extract_XDR_uint32(buf, len))); pr->Assign(0, zeek::val_mgr->Count(extract_XDR_uint32(buf, len)));
pr->Assign(1, val_mgr->Count(extract_XDR_uint32(buf, len))); pr->Assign(1, zeek::val_mgr->Count(extract_XDR_uint32(buf, len)));
bool is_tcp = extract_XDR_uint32(buf, len) == IPPROTO_TCP; bool is_tcp = extract_XDR_uint32(buf, len) == IPPROTO_TCP;
pr->Assign(2, val_mgr->Bool(is_tcp)); pr->Assign(2, zeek::val_mgr->Bool(is_tcp));
(void) extract_XDR_uint32(buf, len); // consume the bogus port (void) extract_XDR_uint32(buf, len); // consume the bogus port
if ( ! buf ) if ( ! buf )
@ -230,13 +230,13 @@ zeek::ValPtr PortmapperInterp::ExtractCallItRequest(const u_char*& buf, int& len
static auto pm_callit_request = zeek::id::find_type<zeek::RecordType>("pm_callit_request"); static auto pm_callit_request = zeek::id::find_type<zeek::RecordType>("pm_callit_request");
auto c = zeek::make_intrusive<zeek::RecordVal>(pm_callit_request); auto c = zeek::make_intrusive<zeek::RecordVal>(pm_callit_request);
c->Assign(0, val_mgr->Count(extract_XDR_uint32(buf, len))); c->Assign(0, zeek::val_mgr->Count(extract_XDR_uint32(buf, len)));
c->Assign(1, val_mgr->Count(extract_XDR_uint32(buf, len))); c->Assign(1, zeek::val_mgr->Count(extract_XDR_uint32(buf, len)));
c->Assign(2, val_mgr->Count(extract_XDR_uint32(buf, len))); c->Assign(2, zeek::val_mgr->Count(extract_XDR_uint32(buf, len)));
int arg_n; int arg_n;
(void) extract_XDR_opaque(buf, len, arg_n); (void) extract_XDR_opaque(buf, len, arg_n);
c->Assign(3, val_mgr->Count(arg_n)); c->Assign(3, zeek::val_mgr->Count(arg_n));
if ( ! buf ) if ( ! buf )
return nullptr; return nullptr;
@ -252,7 +252,7 @@ uint32_t PortmapperInterp::CheckPort(uint32_t port)
{ {
analyzer->EnqueueConnEvent(pm_bad_port, analyzer->EnqueueConnEvent(pm_bad_port,
analyzer->ConnVal(), analyzer->ConnVal(),
val_mgr->Count(port) zeek::val_mgr->Count(port)
); );
} }

24
src/analyzer/protocol/rpc/RPC.cc
View file

@ -338,13 +338,13 @@ void RPC_Interpreter::Event_RPC_Dialogue(RPC_CallInfo* c, BifEnum::rpc_status st
if ( rpc_dialogue ) if ( rpc_dialogue )
analyzer->EnqueueConnEvent(rpc_dialogue, analyzer->EnqueueConnEvent(rpc_dialogue,
analyzer->ConnVal(), analyzer->ConnVal(),
val_mgr->Count(c->Program()), zeek::val_mgr->Count(c->Program()),
val_mgr->Count(c->Version()), zeek::val_mgr->Count(c->Version()),
val_mgr->Count(c->Proc()), zeek::val_mgr->Count(c->Proc()),
zeek::BifType::Enum::rpc_status->GetVal(status), zeek::BifType::Enum::rpc_status->GetVal(status),
zeek::make_intrusive<zeek::TimeVal>(c->StartTime()), zeek::make_intrusive<zeek::TimeVal>(c->StartTime()),
val_mgr->Count(c->CallLen()), zeek::val_mgr->Count(c->CallLen()),
val_mgr->Count(reply_len) zeek::val_mgr->Count(reply_len)
); );
} }
@ -353,11 +353,11 @@ void RPC_Interpreter::Event_RPC_Call(RPC_CallInfo* c)
if ( rpc_call ) if ( rpc_call )
analyzer->EnqueueConnEvent(rpc_call, analyzer->EnqueueConnEvent(rpc_call,
analyzer->ConnVal(), analyzer->ConnVal(),
val_mgr->Count(c->XID()), zeek::val_mgr->Count(c->XID()),
val_mgr->Count(c->Program()), zeek::val_mgr->Count(c->Program()),
val_mgr->Count(c->Version()), zeek::val_mgr->Count(c->Version()),
val_mgr->Count(c->Proc()), zeek::val_mgr->Count(c->Proc()),
val_mgr->Count(c->CallLen()) zeek::val_mgr->Count(c->CallLen())
); );
} }
@ -366,9 +366,9 @@ void RPC_Interpreter::Event_RPC_Reply(uint32_t xid, BifEnum::rpc_status status,
if ( rpc_reply ) if ( rpc_reply )
analyzer->EnqueueConnEvent(rpc_reply, analyzer->EnqueueConnEvent(rpc_reply,
analyzer->ConnVal(), analyzer->ConnVal(),
val_mgr->Count(xid), zeek::val_mgr->Count(xid),
zeek::BifType::Enum::rpc_status->GetVal(status), zeek::BifType::Enum::rpc_status->GetVal(status),
val_mgr->Count(reply_len) zeek::val_mgr->Count(reply_len)
); );
} }

4
src/analyzer/protocol/sip/sip-analyzer.pac
View file

@ -72,7 +72,7 @@ refine flow SIP_Flow += {
for ( unsigned int i = 0; i < headers.size(); ++i ) for ( unsigned int i = 0; i < headers.size(); ++i )
{ // index starting from 1 { // index starting from 1
auto index = val_mgr->Count(i + 1); auto index = zeek::val_mgr->Count(i + 1);
t->Assign(std::move(index), std::move(headers[i])); t->Assign(std::move(index), std::move(headers[i]));
} }
@ -114,7 +114,7 @@ refine flow SIP_Flow += {
} }
else else
{ {
name_val = val_mgr->EmptyString(); name_val = zeek::val_mgr->EmptyString();
} }
header_record->Assign(0, name_val); header_record->Assign(0, name_val);

80
src/analyzer/protocol/smb/smb1-com-negotiate.pac
View file

@ -42,7 +42,7 @@ refine connection SMB_Conn += {
case 0x01: case 0x01:
{ {
auto core = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::NegotiateResponseCore); auto core = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::NegotiateResponseCore);
core->Assign(0, val_mgr->Count(${val.dialect_index})); core->Assign(0, zeek::val_mgr->Count(${val.dialect_index}));
response->Assign(0, std::move(core)); response->Assign(0, std::move(core));
} }
@ -51,23 +51,23 @@ refine connection SMB_Conn += {
case 0x0d: case 0x0d:
{ {
auto security = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::NegotiateResponseSecurity); auto security = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::NegotiateResponseSecurity);
security->Assign(0, val_mgr->Bool(${val.lanman.security_user_level})); security->Assign(0, zeek::val_mgr->Bool(${val.lanman.security_user_level}));
security->Assign(1, val_mgr->Bool(${val.lanman.security_challenge_response})); security->Assign(1, zeek::val_mgr->Bool(${val.lanman.security_challenge_response}));
auto raw = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::NegotiateRawMode); auto raw = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::NegotiateRawMode);
raw->Assign(0, val_mgr->Bool(${val.lanman.raw_read_supported})); raw->Assign(0, zeek::val_mgr->Bool(${val.lanman.raw_read_supported}));
raw->Assign(1, val_mgr->Bool(${val.lanman.raw_write_supported})); raw->Assign(1, zeek::val_mgr->Bool(${val.lanman.raw_write_supported}));
auto lanman = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::NegotiateResponseLANMAN); auto lanman = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::NegotiateResponseLANMAN);
lanman->Assign(0, val_mgr->Count(${val.word_count})); lanman->Assign(0, zeek::val_mgr->Count(${val.word_count}));
lanman->Assign(1, val_mgr->Count(${val.dialect_index})); lanman->Assign(1, zeek::val_mgr->Count(${val.dialect_index}));
lanman->Assign(2, std::move(security)); lanman->Assign(2, std::move(security));
lanman->Assign(3, val_mgr->Count(${val.lanman.max_buffer_size})); lanman->Assign(3, zeek::val_mgr->Count(${val.lanman.max_buffer_size}));
lanman->Assign(4, val_mgr->Count(${val.lanman.max_mpx_count})); lanman->Assign(4, zeek::val_mgr->Count(${val.lanman.max_mpx_count}));
lanman->Assign(5, val_mgr->Count(${val.lanman.max_number_vcs})); lanman->Assign(5, zeek::val_mgr->Count(${val.lanman.max_number_vcs}));
lanman->Assign(6, std::move(raw)); lanman->Assign(6, std::move(raw));
lanman->Assign(7, val_mgr->Count(${val.lanman.session_key})); lanman->Assign(7, zeek::val_mgr->Count(${val.lanman.session_key}));
lanman->Assign(8, time_from_lanman(${val.lanman.server_time}, ${val.lanman.server_date}, ${val.lanman.server_tz})); lanman->Assign(8, time_from_lanman(${val.lanman.server_time}, ${val.lanman.server_date}, ${val.lanman.server_tz}));
lanman->Assign(9, to_stringval(${val.lanman.encryption_key})); lanman->Assign(9, to_stringval(${val.lanman.encryption_key}));
@ -80,44 +80,44 @@ refine connection SMB_Conn += {
case 0x11: case 0x11:
{ {
auto security = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::NegotiateResponseSecurity); auto security = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::NegotiateResponseSecurity);
security->Assign(0, val_mgr->Bool(${val.ntlm.security_user_level})); security->Assign(0, zeek::val_mgr->Bool(${val.ntlm.security_user_level}));
security->Assign(1, val_mgr->Bool(${val.ntlm.security_challenge_response})); security->Assign(1, zeek::val_mgr->Bool(${val.ntlm.security_challenge_response}));
security->Assign(2, val_mgr->Bool(${val.ntlm.security_signatures_enabled})); security->Assign(2, zeek::val_mgr->Bool(${val.ntlm.security_signatures_enabled}));
security->Assign(3, val_mgr->Bool(${val.ntlm.security_signatures_required})); security->Assign(3, zeek::val_mgr->Bool(${val.ntlm.security_signatures_required}));
auto capabilities = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::NegotiateCapabilities); auto capabilities = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::NegotiateCapabilities);
capabilities->Assign(0, val_mgr->Bool(${val.ntlm.capabilities_raw_mode})); capabilities->Assign(0, zeek::val_mgr->Bool(${val.ntlm.capabilities_raw_mode}));
capabilities->Assign(1, val_mgr->Bool(${val.ntlm.capabilities_mpx_mode})); capabilities->Assign(1, zeek::val_mgr->Bool(${val.ntlm.capabilities_mpx_mode}));
capabilities->Assign(2, val_mgr->Bool(${val.ntlm.capabilities_unicode})); capabilities->Assign(2, zeek::val_mgr->Bool(${val.ntlm.capabilities_unicode}));
capabilities->Assign(3, val_mgr->Bool(${val.ntlm.capabilities_large_files})); capabilities->Assign(3, zeek::val_mgr->Bool(${val.ntlm.capabilities_large_files}));
capabilities->Assign(4, val_mgr->Bool(${val.ntlm.capabilities_nt_smbs})); capabilities->Assign(4, zeek::val_mgr->Bool(${val.ntlm.capabilities_nt_smbs}));
capabilities->Assign(5, val_mgr->Bool(${val.ntlm.capabilities_rpc_remote_apis})); capabilities->Assign(5, zeek::val_mgr->Bool(${val.ntlm.capabilities_rpc_remote_apis}));
capabilities->Assign(6, val_mgr->Bool(${val.ntlm.capabilities_status32})); capabilities->Assign(6, zeek::val_mgr->Bool(${val.ntlm.capabilities_status32}));
capabilities->Assign(7, val_mgr->Bool(${val.ntlm.capabilities_level_2_oplocks})); capabilities->Assign(7, zeek::val_mgr->Bool(${val.ntlm.capabilities_level_2_oplocks}));
capabilities->Assign(8, val_mgr->Bool(${val.ntlm.capabilities_lock_and_read})); capabilities->Assign(8, zeek::val_mgr->Bool(${val.ntlm.capabilities_lock_and_read}));
capabilities->Assign(9, val_mgr->Bool(${val.ntlm.capabilities_nt_find})); capabilities->Assign(9, zeek::val_mgr->Bool(${val.ntlm.capabilities_nt_find}));
capabilities->Assign(10, val_mgr->Bool(${val.ntlm.capabilities_dfs})); capabilities->Assign(10, zeek::val_mgr->Bool(${val.ntlm.capabilities_dfs}));
capabilities->Assign(11, val_mgr->Bool(${val.ntlm.capabilities_infolevel_passthru})); capabilities->Assign(11, zeek::val_mgr->Bool(${val.ntlm.capabilities_infolevel_passthru}));
capabilities->Assign(12, val_mgr->Bool(${val.ntlm.capabilities_large_readx})); capabilities->Assign(12, zeek::val_mgr->Bool(${val.ntlm.capabilities_large_readx}));
capabilities->Assign(13, val_mgr->Bool(${val.ntlm.capabilities_large_writex})); capabilities->Assign(13, zeek::val_mgr->Bool(${val.ntlm.capabilities_large_writex}));
capabilities->Assign(14, val_mgr->Bool(${val.ntlm.capabilities_unix})); capabilities->Assign(14, zeek::val_mgr->Bool(${val.ntlm.capabilities_unix}));
capabilities->Assign(15, val_mgr->Bool(${val.ntlm.capabilities_bulk_transfer})); capabilities->Assign(15, zeek::val_mgr->Bool(${val.ntlm.capabilities_bulk_transfer}));
capabilities->Assign(16, val_mgr->Bool(${val.ntlm.capabilities_compressed_data})); capabilities->Assign(16, zeek::val_mgr->Bool(${val.ntlm.capabilities_compressed_data}));
capabilities->Assign(17, val_mgr->Bool(${val.ntlm.capabilities_extended_security})); capabilities->Assign(17, zeek::val_mgr->Bool(${val.ntlm.capabilities_extended_security}));
auto ntlm = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::NegotiateResponseNTLM); auto ntlm = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::NegotiateResponseNTLM);
ntlm->Assign(0, val_mgr->Count(${val.word_count})); ntlm->Assign(0, zeek::val_mgr->Count(${val.word_count}));
ntlm->Assign(1, val_mgr->Count(${val.dialect_index})); ntlm->Assign(1, zeek::val_mgr->Count(${val.dialect_index}));
ntlm->Assign(2, std::move(security)); ntlm->Assign(2, std::move(security));
ntlm->Assign(3, val_mgr->Count(${val.ntlm.max_buffer_size})); ntlm->Assign(3, zeek::val_mgr->Count(${val.ntlm.max_buffer_size}));
ntlm->Assign(4, val_mgr->Count(${val.ntlm.max_mpx_count})); ntlm->Assign(4, zeek::val_mgr->Count(${val.ntlm.max_mpx_count}));
ntlm->Assign(5, val_mgr->Count(${val.ntlm.max_number_vcs})); ntlm->Assign(5, zeek::val_mgr->Count(${val.ntlm.max_number_vcs}));
ntlm->Assign(6, val_mgr->Count(${val.ntlm.max_raw_size})); ntlm->Assign(6, zeek::val_mgr->Count(${val.ntlm.max_raw_size}));
ntlm->Assign(7, val_mgr->Count(${val.ntlm.session_key})); ntlm->Assign(7, zeek::val_mgr->Count(${val.ntlm.session_key}));
ntlm->Assign(8, std::move(capabilities)); ntlm->Assign(8, std::move(capabilities));
ntlm->Assign(9, filetime2brotime(${val.ntlm.server_time})); ntlm->Assign(9, filetime2brotime(${val.ntlm.server_time}));

62
src/analyzer/protocol/smb/smb1-com-session-setup-andx.pac
View file

@ -14,13 +14,13 @@ refine connection SMB_Conn += {
{ {
auto request = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::SessionSetupAndXRequest); auto request = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::SessionSetupAndXRequest);
request->Assign(0, val_mgr->Count(${val.word_count})); request->Assign(0, zeek::val_mgr->Count(${val.word_count}));
switch ( ${val.word_count} ) { switch ( ${val.word_count} ) {
case 10: // pre NT LM 0.12 case 10: // pre NT LM 0.12
request->Assign(1, val_mgr->Count(${val.lanman.max_buffer_size})); request->Assign(1, zeek::val_mgr->Count(${val.lanman.max_buffer_size}));
request->Assign(2, val_mgr->Count(${val.lanman.max_mpx_count})); request->Assign(2, zeek::val_mgr->Count(${val.lanman.max_mpx_count}));
request->Assign(3, val_mgr->Count(${val.lanman.vc_number})); request->Assign(3, zeek::val_mgr->Count(${val.lanman.vc_number}));
request->Assign(4, val_mgr->Count(${val.lanman.session_key})); request->Assign(4, zeek::val_mgr->Count(${val.lanman.session_key}));
request->Assign(5, smb_string2stringval(${val.lanman.native_os})); request->Assign(5, smb_string2stringval(${val.lanman.native_os}));
request->Assign(6, smb_string2stringval(${val.lanman.native_lanman})); request->Assign(6, smb_string2stringval(${val.lanman.native_lanman}));
@ -32,17 +32,17 @@ refine connection SMB_Conn += {
case 12: // NT LM 0.12 with extended security case 12: // NT LM 0.12 with extended security
{ {
auto capabilities = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::SessionSetupAndXCapabilities); auto capabilities = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::SessionSetupAndXCapabilities);
capabilities->Assign(0, val_mgr->Bool(${val.ntlm_extended_security.capabilities.unicode})); capabilities->Assign(0, zeek::val_mgr->Bool(${val.ntlm_extended_security.capabilities.unicode}));
capabilities->Assign(1, val_mgr->Bool(${val.ntlm_extended_security.capabilities.large_files})); capabilities->Assign(1, zeek::val_mgr->Bool(${val.ntlm_extended_security.capabilities.large_files}));
capabilities->Assign(2, val_mgr->Bool(${val.ntlm_extended_security.capabilities.nt_smbs})); capabilities->Assign(2, zeek::val_mgr->Bool(${val.ntlm_extended_security.capabilities.nt_smbs}));
capabilities->Assign(3, val_mgr->Bool(${val.ntlm_extended_security.capabilities.status32})); capabilities->Assign(3, zeek::val_mgr->Bool(${val.ntlm_extended_security.capabilities.status32}));
capabilities->Assign(4, val_mgr->Bool(${val.ntlm_extended_security.capabilities.level_2_oplocks})); capabilities->Assign(4, zeek::val_mgr->Bool(${val.ntlm_extended_security.capabilities.level_2_oplocks}));
capabilities->Assign(5, val_mgr->Bool(${val.ntlm_extended_security.capabilities.nt_find})); capabilities->Assign(5, zeek::val_mgr->Bool(${val.ntlm_extended_security.capabilities.nt_find}));
request->Assign(1, val_mgr->Count(${val.ntlm_extended_security.max_buffer_size})); request->Assign(1, zeek::val_mgr->Count(${val.ntlm_extended_security.max_buffer_size}));
request->Assign(2, val_mgr->Count(${val.ntlm_extended_security.max_mpx_count})); request->Assign(2, zeek::val_mgr->Count(${val.ntlm_extended_security.max_mpx_count}));
request->Assign(3, val_mgr->Count(${val.ntlm_extended_security.vc_number})); request->Assign(3, zeek::val_mgr->Count(${val.ntlm_extended_security.vc_number}));
request->Assign(4, val_mgr->Count(${val.ntlm_extended_security.session_key})); request->Assign(4, zeek::val_mgr->Count(${val.ntlm_extended_security.session_key}));
request->Assign(5, smb_string2stringval(${val.ntlm_extended_security.native_os})); request->Assign(5, smb_string2stringval(${val.ntlm_extended_security.native_os}));
request->Assign(6, smb_string2stringval(${val.ntlm_extended_security.native_lanman})); request->Assign(6, smb_string2stringval(${val.ntlm_extended_security.native_lanman}));
@ -54,17 +54,17 @@ refine connection SMB_Conn += {
case 13: // NT LM 0.12 without extended security case 13: // NT LM 0.12 without extended security
{ {
auto capabilities = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::SessionSetupAndXCapabilities); auto capabilities = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::SessionSetupAndXCapabilities);
capabilities->Assign(0, val_mgr->Bool(${val.ntlm_nonextended_security.capabilities.unicode})); capabilities->Assign(0, zeek::val_mgr->Bool(${val.ntlm_nonextended_security.capabilities.unicode}));
capabilities->Assign(1, val_mgr->Bool(${val.ntlm_nonextended_security.capabilities.large_files})); capabilities->Assign(1, zeek::val_mgr->Bool(${val.ntlm_nonextended_security.capabilities.large_files}));
capabilities->Assign(2, val_mgr->Bool(${val.ntlm_nonextended_security.capabilities.nt_smbs})); capabilities->Assign(2, zeek::val_mgr->Bool(${val.ntlm_nonextended_security.capabilities.nt_smbs}));
capabilities->Assign(3, val_mgr->Bool(${val.ntlm_nonextended_security.capabilities.status32})); capabilities->Assign(3, zeek::val_mgr->Bool(${val.ntlm_nonextended_security.capabilities.status32}));
capabilities->Assign(4, val_mgr->Bool(${val.ntlm_nonextended_security.capabilities.level_2_oplocks})); capabilities->Assign(4, zeek::val_mgr->Bool(${val.ntlm_nonextended_security.capabilities.level_2_oplocks}));
capabilities->Assign(5, val_mgr->Bool(${val.ntlm_nonextended_security.capabilities.nt_find})); capabilities->Assign(5, zeek::val_mgr->Bool(${val.ntlm_nonextended_security.capabilities.nt_find}));
request->Assign(1, val_mgr->Count(${val.ntlm_nonextended_security.max_buffer_size})); request->Assign(1, zeek::val_mgr->Count(${val.ntlm_nonextended_security.max_buffer_size}));
request->Assign(2, val_mgr->Count(${val.ntlm_nonextended_security.max_mpx_count})); request->Assign(2, zeek::val_mgr->Count(${val.ntlm_nonextended_security.max_mpx_count}));
request->Assign(3, val_mgr->Count(${val.ntlm_nonextended_security.vc_number})); request->Assign(3, zeek::val_mgr->Count(${val.ntlm_nonextended_security.vc_number}));
request->Assign(4, val_mgr->Count(${val.ntlm_nonextended_security.session_key})); request->Assign(4, zeek::val_mgr->Count(${val.ntlm_nonextended_security.session_key}));
request->Assign(5, smb_string2stringval(${val.ntlm_nonextended_security.native_os})); request->Assign(5, smb_string2stringval(${val.ntlm_nonextended_security.native_os}));
request->Assign(6, smb_string2stringval(${val.ntlm_nonextended_security.native_lanman})); request->Assign(6, smb_string2stringval(${val.ntlm_nonextended_security.native_lanman}));
@ -91,18 +91,18 @@ refine connection SMB_Conn += {
if ( smb1_session_setup_andx_response ) if ( smb1_session_setup_andx_response )
{ {
auto response = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::SessionSetupAndXResponse); auto response = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::SessionSetupAndXResponse);
response->Assign(0, val_mgr->Count(${val.word_count})); response->Assign(0, zeek::val_mgr->Count(${val.word_count}));
switch ( ${val.word_count} ) switch ( ${val.word_count} )
{ {
case 3: // pre NT LM 0.12 case 3: // pre NT LM 0.12
response->Assign(1, val_mgr->Bool(${val.lanman.is_guest})); response->Assign(1, zeek::val_mgr->Bool(${val.lanman.is_guest}));
response->Assign(2, ${val.lanman.byte_count} == 0 ? val_mgr->EmptyString() : smb_string2stringval(${val.lanman.native_os[0]})); response->Assign(2, ${val.lanman.byte_count} == 0 ? zeek::val_mgr->EmptyString() : smb_string2stringval(${val.lanman.native_os[0]}));
response->Assign(3, ${val.lanman.byte_count} == 0 ? val_mgr->EmptyString() : smb_string2stringval(${val.lanman.native_lanman[0]})); response->Assign(3, ${val.lanman.byte_count} == 0 ? zeek::val_mgr->EmptyString() : smb_string2stringval(${val.lanman.native_lanman[0]}));
response->Assign(4, ${val.lanman.byte_count} == 0 ? val_mgr->EmptyString() : smb_string2stringval(${val.lanman.primary_domain[0]})); response->Assign(4, ${val.lanman.byte_count} == 0 ? zeek::val_mgr->EmptyString() : smb_string2stringval(${val.lanman.primary_domain[0]}));
break; break;
case 4: // NT LM 0.12 case 4: // NT LM 0.12
response->Assign(1, val_mgr->Bool(${val.ntlm.is_guest})); response->Assign(1, zeek::val_mgr->Bool(${val.ntlm.is_guest}));
response->Assign(2, smb_string2stringval(${val.ntlm.native_os})); response->Assign(2, smb_string2stringval(${val.ntlm.native_os}));
response->Assign(3, smb_string2stringval(${val.ntlm.native_lanman})); response->Assign(3, smb_string2stringval(${val.ntlm.native_lanman}));
//response->Assign(4, smb_string2stringval(${val.ntlm.primary_domain})); //response->Assign(4, smb_string2stringval(${val.ntlm.primary_domain}));

18
src/analyzer/protocol/smb/smb1-com-transaction-secondary.pac
View file

@ -6,14 +6,14 @@ refine connection SMB_Conn += {
return false; return false;
auto args = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::Trans_Sec_Args); auto args = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::Trans_Sec_Args);
args->Assign(0, val_mgr->Count(${val.total_param_count})); args->Assign(0, zeek::val_mgr->Count(${val.total_param_count}));
args->Assign(1, val_mgr->Count(${val.total_data_count})); args->Assign(1, zeek::val_mgr->Count(${val.total_data_count}));
args->Assign(2, val_mgr->Count(${val.param_count})); args->Assign(2, zeek::val_mgr->Count(${val.param_count}));
args->Assign(3, val_mgr->Count(${val.param_offset})); args->Assign(3, zeek::val_mgr->Count(${val.param_offset}));
args->Assign(4, val_mgr->Count(${val.param_displacement})); args->Assign(4, zeek::val_mgr->Count(${val.param_displacement}));
args->Assign(5, val_mgr->Count(${val.data_count})); args->Assign(5, zeek::val_mgr->Count(${val.data_count}));
args->Assign(6, val_mgr->Count(${val.data_offset})); args->Assign(6, zeek::val_mgr->Count(${val.data_offset}));
args->Assign(7, val_mgr->Count(${val.data_displacement})); args->Assign(7, zeek::val_mgr->Count(${val.data_displacement}));
auto parameters = zeek::make_intrusive<zeek::StringVal>(${val.parameters}.length(), auto parameters = zeek::make_intrusive<zeek::StringVal>(${val.parameters}.length(),
(const char*)${val.parameters}.data()); (const char*)${val.parameters}.data());
@ -42,7 +42,7 @@ refine connection SMB_Conn += {
if ( ! payload_str ) if ( ! payload_str )
{ {
payload_str = val_mgr->EmptyString(); payload_str = zeek::val_mgr->EmptyString();
} }
zeek::BifEvent::enqueue_smb1_transaction_secondary_request(bro_analyzer(), zeek::BifEvent::enqueue_smb1_transaction_secondary_request(bro_analyzer(),

6
src/analyzer/protocol/smb/smb1-com-transaction.pac
View file

@ -17,7 +17,7 @@ enum Trans_subcommands {
} }
assert(false); assert(false);
return val_mgr->EmptyString(); return zeek::val_mgr->EmptyString();
} }
%} %}
@ -60,7 +60,7 @@ refine connection SMB_Conn += {
if ( ${val.data_count} > 0 ) if ( ${val.data_count} > 0 )
payload_str = transaction_data_to_val(${val.data}); payload_str = transaction_data_to_val(${val.data});
else else
payload_str = val_mgr->EmptyString(); payload_str = zeek::val_mgr->EmptyString();
zeek::BifEvent::enqueue_smb1_transaction_request(bro_analyzer(), zeek::BifEvent::enqueue_smb1_transaction_request(bro_analyzer(),
bro_analyzer()->Conn(), bro_analyzer()->Conn(),
@ -85,7 +85,7 @@ refine connection SMB_Conn += {
if ( ${val.data_count} > 0 ) if ( ${val.data_count} > 0 )
payload_str = transaction_data_to_val(${val.data[0]}); payload_str = transaction_data_to_val(${val.data[0]});
else else
payload_str = val_mgr->EmptyString(); payload_str = zeek::val_mgr->EmptyString();
zeek::BifEvent::enqueue_smb1_transaction_response(bro_analyzer(), zeek::BifEvent::enqueue_smb1_transaction_response(bro_analyzer(),
bro_analyzer()->Conn(), bro_analyzer()->Conn(),

18
src/analyzer/protocol/smb/smb1-com-transaction2-secondary.pac
View file

@ -6,15 +6,15 @@ refine connection SMB_Conn += {
return false; return false;
auto args = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::Trans2_Sec_Args); auto args = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::Trans2_Sec_Args);
args->Assign(0, val_mgr->Count(${val.total_param_count})); args->Assign(0, zeek::val_mgr->Count(${val.total_param_count}));
args->Assign(1, val_mgr->Count(${val.total_data_count})); args->Assign(1, zeek::val_mgr->Count(${val.total_data_count}));
args->Assign(2, val_mgr->Count(${val.param_count})); args->Assign(2, zeek::val_mgr->Count(${val.param_count}));
args->Assign(3, val_mgr->Count(${val.param_offset})); args->Assign(3, zeek::val_mgr->Count(${val.param_offset}));
args->Assign(4, val_mgr->Count(${val.param_displacement})); args->Assign(4, zeek::val_mgr->Count(${val.param_displacement}));
args->Assign(5, val_mgr->Count(${val.data_count})); args->Assign(5, zeek::val_mgr->Count(${val.data_count}));
args->Assign(6, val_mgr->Count(${val.data_offset})); args->Assign(6, zeek::val_mgr->Count(${val.data_offset}));
args->Assign(7, val_mgr->Count(${val.data_displacement})); args->Assign(7, zeek::val_mgr->Count(${val.data_displacement}));
args->Assign(8, val_mgr->Count(${val.FID})); args->Assign(8, zeek::val_mgr->Count(${val.FID}));
auto parameters = zeek::make_intrusive<zeek::StringVal>(${val.parameters}.length(), (const char*)${val.parameters}.data()); auto parameters = zeek::make_intrusive<zeek::StringVal>(${val.parameters}.length(), (const char*)${val.parameters}.data());
auto payload = zeek::make_intrusive<zeek::StringVal>(${val.data}.length(), (const char*)${val.data}.data()); auto payload = zeek::make_intrusive<zeek::StringVal>(${val.data}.length(), (const char*)${val.data}.data());

34
src/analyzer/protocol/smb/smb1-com-transaction2.pac
View file

@ -25,18 +25,18 @@ refine connection SMB_Conn += {
if ( smb1_transaction2_request ) if ( smb1_transaction2_request )
{ {
auto args = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::Trans2_Args); auto args = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::Trans2_Args);
args->Assign(0, val_mgr->Count(${val.total_param_count})); args->Assign(0, zeek::val_mgr->Count(${val.total_param_count}));
args->Assign(1, val_mgr->Count(${val.total_data_count})); args->Assign(1, zeek::val_mgr->Count(${val.total_data_count}));
args->Assign(2, val_mgr->Count(${val.max_param_count})); args->Assign(2, zeek::val_mgr->Count(${val.max_param_count}));
args->Assign(3, val_mgr->Count(${val.max_data_count})); args->Assign(3, zeek::val_mgr->Count(${val.max_data_count}));
args->Assign(4, val_mgr->Count(${val.max_setup_count})); args->Assign(4, zeek::val_mgr->Count(${val.max_setup_count}));
args->Assign(5, val_mgr->Count(${val.flags})); args->Assign(5, zeek::val_mgr->Count(${val.flags}));
args->Assign(6, val_mgr->Count(${val.timeout})); args->Assign(6, zeek::val_mgr->Count(${val.timeout}));
args->Assign(7, val_mgr->Count(${val.param_count})); args->Assign(7, zeek::val_mgr->Count(${val.param_count}));
args->Assign(8, val_mgr->Count(${val.param_offset})); args->Assign(8, zeek::val_mgr->Count(${val.param_offset}));
args->Assign(9, val_mgr->Count(${val.data_count})); args->Assign(9, zeek::val_mgr->Count(${val.data_count}));
args->Assign(10, val_mgr->Count(${val.data_offset})); args->Assign(10, zeek::val_mgr->Count(${val.data_offset}));
args->Assign(11, val_mgr->Count(${val.setup_count})); args->Assign(11, zeek::val_mgr->Count(${val.setup_count}));
zeek::BifEvent::enqueue_smb1_transaction2_request(bro_analyzer(), zeek::BifEvent::enqueue_smb1_transaction2_request(bro_analyzer(),
bro_analyzer()->Conn(), bro_analyzer()->Conn(),
@ -132,11 +132,11 @@ refine connection SMB_Conn += {
if ( smb1_trans2_find_first2_request ) if ( smb1_trans2_find_first2_request )
{ {
auto result = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::Find_First2_Request_Args); auto result = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::Find_First2_Request_Args);
result->Assign(0, val_mgr->Count(${val.search_attrs})); result->Assign(0, zeek::val_mgr->Count(${val.search_attrs}));
result->Assign(1, val_mgr->Count(${val.search_count})); result->Assign(1, zeek::val_mgr->Count(${val.search_count}));
result->Assign(2, val_mgr->Count(${val.flags})); result->Assign(2, zeek::val_mgr->Count(${val.flags}));
result->Assign(3, val_mgr->Count(${val.info_level})); result->Assign(3, zeek::val_mgr->Count(${val.info_level}));
result->Assign(4, val_mgr->Count(${val.search_storage_type})); result->Assign(4, zeek::val_mgr->Count(${val.search_storage_type}));
result->Assign(5, smb_string2stringval(${val.file_name})); result->Assign(5, smb_string2stringval(${val.file_name}));
zeek::BifEvent::enqueue_smb1_trans2_find_first2_request(bro_analyzer(), zeek::BifEvent::enqueue_smb1_trans2_find_first2_request(bro_analyzer(),
bro_analyzer()->Conn(), bro_analyzer()->Conn(),

2
src/analyzer/protocol/smb/smb1-com-tree-connect-andx.pac
View file

@ -26,7 +26,7 @@ refine connection SMB_Conn += {
std::move(service_string), std::move(service_string),
${val.byte_count} > ${val.service.a}->size() ? ${val.byte_count} > ${val.service.a}->size() ?
smb_string2stringval(${val.native_file_system[0]}) : smb_string2stringval(${val.native_file_system[0]}) :
val_mgr->EmptyString()); zeek::val_mgr->EmptyString());
return true; return true;
%} %}

16
src/analyzer/protocol/smb/smb1-protocol.pac
View file

@ -25,14 +25,14 @@
// { // do nothing // { // do nothing
// } // }
r->Assign(0, val_mgr->Count(${hdr.command})); r->Assign(0, zeek::val_mgr->Count(${hdr.command}));
r->Assign(1, val_mgr->Count(${hdr.status})); r->Assign(1, zeek::val_mgr->Count(${hdr.status}));
r->Assign(2, val_mgr->Count(${hdr.flags})); r->Assign(2, zeek::val_mgr->Count(${hdr.flags}));
r->Assign(3, val_mgr->Count(${hdr.flags2})); r->Assign(3, zeek::val_mgr->Count(${hdr.flags2}));
r->Assign(4, val_mgr->Count(${hdr.tid})); r->Assign(4, zeek::val_mgr->Count(${hdr.tid}));
r->Assign(5, val_mgr->Count(${hdr.pid})); r->Assign(5, zeek::val_mgr->Count(${hdr.pid}));
r->Assign(6, val_mgr->Count(${hdr.uid})); r->Assign(6, zeek::val_mgr->Count(${hdr.uid}));
r->Assign(7, val_mgr->Count(${hdr.mid})); r->Assign(7, zeek::val_mgr->Count(${hdr.mid}));
return r; return r;
} }

4
src/analyzer/protocol/smb/smb2-com-close.pac
View file

@ -22,8 +22,8 @@ refine connection SMB_Conn += {
{ {
auto resp = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::CloseResponse); auto resp = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::CloseResponse);
resp->Assign(0, val_mgr->Count(${val.alloc_size})); resp->Assign(0, zeek::val_mgr->Count(${val.alloc_size}));
resp->Assign(1, val_mgr->Count(${val.eof})); resp->Assign(1, zeek::val_mgr->Count(${val.eof}));
resp->Assign(2, SMB_BuildMACTimes(${val.last_write_time}, resp->Assign(2, SMB_BuildMACTimes(${val.last_write_time},
${val.last_access_time}, ${val.last_access_time},
${val.creation_time}, ${val.creation_time},

8
src/analyzer/protocol/smb/smb2-com-create.pac
View file

@ -18,8 +18,8 @@ refine connection SMB_Conn += {
{ {
auto requestinfo = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::CreateRequest); auto requestinfo = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::CreateRequest);
requestinfo->Assign(0, std::move(filename)); requestinfo->Assign(0, std::move(filename));
requestinfo->Assign(1, val_mgr->Count(${val.disposition})); requestinfo->Assign(1, zeek::val_mgr->Count(${val.disposition}));
requestinfo->Assign(2, val_mgr->Count(${val.create_options})); requestinfo->Assign(2, zeek::val_mgr->Count(${val.create_options}));
zeek::BifEvent::enqueue_smb2_create_request(bro_analyzer(), zeek::BifEvent::enqueue_smb2_create_request(bro_analyzer(),
bro_analyzer()->Conn(), bro_analyzer()->Conn(),
BuildSMB2HeaderVal(h), BuildSMB2HeaderVal(h),
@ -35,13 +35,13 @@ refine connection SMB_Conn += {
{ {
auto responseinfo = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::CreateResponse); auto responseinfo = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::CreateResponse);
responseinfo->Assign(0, BuildSMB2GUID(${val.file_id})); responseinfo->Assign(0, BuildSMB2GUID(${val.file_id}));
responseinfo->Assign(1, val_mgr->Count(${val.eof})); responseinfo->Assign(1, zeek::val_mgr->Count(${val.eof}));
responseinfo->Assign(2, SMB_BuildMACTimes(${val.last_write_time}, responseinfo->Assign(2, SMB_BuildMACTimes(${val.last_write_time},
${val.last_access_time}, ${val.last_access_time},
${val.creation_time}, ${val.creation_time},
${val.change_time})); ${val.change_time}));
responseinfo->Assign(3, smb2_file_attrs_to_bro(${val.file_attrs})); responseinfo->Assign(3, smb2_file_attrs_to_bro(${val.file_attrs}));
responseinfo->Assign(4, val_mgr->Count(${val.create_action})); responseinfo->Assign(4, zeek::val_mgr->Count(${val.create_action}));
zeek::BifEvent::enqueue_smb2_create_response(bro_analyzer(), zeek::BifEvent::enqueue_smb2_create_response(bro_analyzer(),
bro_analyzer()->Conn(), bro_analyzer()->Conn(),
BuildSMB2HeaderVal(h), BuildSMB2HeaderVal(h),

8
src/analyzer/protocol/smb/smb2-com-negotiate.pac
View file

@ -25,7 +25,7 @@ refine connection SMB_Conn += {
auto dialects = zeek::make_intrusive<zeek::VectorVal>(zeek::id::index_vec); auto dialects = zeek::make_intrusive<zeek::VectorVal>(zeek::id::index_vec);
for ( unsigned int i = 0; i < ${val.dialects}->size(); ++i ) for ( unsigned int i = 0; i < ${val.dialects}->size(); ++i )
dialects->Assign(i, val_mgr->Count((*${val.dialects})[i])); dialects->Assign(i, zeek::val_mgr->Count((*${val.dialects})[i]));
zeek::BifEvent::enqueue_smb2_negotiate_request(bro_analyzer(), bro_analyzer()->Conn(), zeek::BifEvent::enqueue_smb2_negotiate_request(bro_analyzer(), bro_analyzer()->Conn(),
BuildSMB2HeaderVal(h), BuildSMB2HeaderVal(h),
@ -41,12 +41,12 @@ refine connection SMB_Conn += {
{ {
auto nr = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::NegotiateResponse); auto nr = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::NegotiateResponse);
nr->Assign(0, val_mgr->Count(${val.dialect_revision})); nr->Assign(0, zeek::val_mgr->Count(${val.dialect_revision}));
nr->Assign(1, val_mgr->Count(${val.security_mode})); nr->Assign(1, zeek::val_mgr->Count(${val.security_mode}));
nr->Assign(2, BuildSMB2GUID(${val.server_guid})); nr->Assign(2, BuildSMB2GUID(${val.server_guid}));
nr->Assign(3, filetime2brotime(${val.system_time})); nr->Assign(3, filetime2brotime(${val.system_time}));
nr->Assign(4, filetime2brotime(${val.server_start_time})); nr->Assign(4, filetime2brotime(${val.server_start_time}));
nr->Assign(5, val_mgr->Count(${val.negotiate_context_count})); nr->Assign(5, zeek::val_mgr->Count(${val.negotiate_context_count}));
auto cv = zeek::make_intrusive<zeek::VectorVal>(zeek::BifType::Vector::SMB2::NegotiateContextValues); auto cv = zeek::make_intrusive<zeek::VectorVal>(zeek::BifType::Vector::SMB2::NegotiateContextValues);

8
src/analyzer/protocol/smb/smb2-com-session-setup.pac
View file

@ -5,7 +5,7 @@ refine connection SMB_Conn += {
if ( smb2_session_setup_request ) if ( smb2_session_setup_request )
{ {
auto req = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::SessionSetupRequest); auto req = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::SessionSetupRequest);
req->Assign(0, val_mgr->Count(${val.security_mode})); req->Assign(0, zeek::val_mgr->Count(${val.security_mode}));
zeek::BifEvent::enqueue_smb2_session_setup_request(bro_analyzer(), zeek::BifEvent::enqueue_smb2_session_setup_request(bro_analyzer(),
bro_analyzer()->Conn(), bro_analyzer()->Conn(),
@ -21,9 +21,9 @@ refine connection SMB_Conn += {
if ( smb2_session_setup_response ) if ( smb2_session_setup_response )
{ {
auto flags = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::SessionSetupFlags); auto flags = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::SessionSetupFlags);
flags->Assign(0, val_mgr->Bool(${val.flag_guest})); flags->Assign(0, zeek::val_mgr->Bool(${val.flag_guest}));
flags->Assign(1, val_mgr->Bool(${val.flag_anonymous})); flags->Assign(1, zeek::val_mgr->Bool(${val.flag_anonymous}));
flags->Assign(2, val_mgr->Bool(${val.flag_encrypt})); flags->Assign(2, zeek::val_mgr->Bool(${val.flag_encrypt}));
auto resp = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::SessionSetupResponse); auto resp = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::SessionSetupResponse);
resp->Assign(0, std::move(flags)); resp->Assign(0, std::move(flags));

12
src/analyzer/protocol/smb/smb2-com-set-info.pac
View file

@ -193,12 +193,12 @@ refine connection SMB_Conn += {
if ( smb2_file_fscontrol ) if ( smb2_file_fscontrol )
{ {
auto r = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::Fscontrol); auto r = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::Fscontrol);
r->Assign(0, val_mgr->Int(${val.free_space_start_filtering})); r->Assign(0, zeek::val_mgr->Int(${val.free_space_start_filtering}));
r->Assign(1, val_mgr->Int(${val.free_space_start_threshold})); r->Assign(1, zeek::val_mgr->Int(${val.free_space_start_threshold}));
r->Assign(2, val_mgr->Int(${val.free_space_stop_filtering})); r->Assign(2, zeek::val_mgr->Int(${val.free_space_stop_filtering}));
r->Assign(3, val_mgr->Count(${val.default_quota_threshold})); r->Assign(3, zeek::val_mgr->Count(${val.default_quota_threshold}));
r->Assign(4, val_mgr->Count(${val.default_quota_limit})); r->Assign(4, zeek::val_mgr->Count(${val.default_quota_limit}));
r->Assign(5, val_mgr->Count(${val.file_system_control_flags})); r->Assign(5, zeek::val_mgr->Count(${val.file_system_control_flags}));
zeek::BifEvent::enqueue_smb2_file_fscontrol(bro_analyzer(), zeek::BifEvent::enqueue_smb2_file_fscontrol(bro_analyzer(),
bro_analyzer()->Conn(), bro_analyzer()->Conn(),

6
src/analyzer/protocol/smb/smb2-com-transform-header.pac
View file

@ -7,9 +7,9 @@ refine connection SMB_Conn += {
auto r = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::Transform_header); auto r = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::Transform_header);
r->Assign(0, to_stringval(${hdr.signature})); r->Assign(0, to_stringval(${hdr.signature}));
r->Assign(1, to_stringval(${hdr.nonce})); r->Assign(1, to_stringval(${hdr.nonce}));
r->Assign(2, val_mgr->Count(${hdr.orig_msg_size})); r->Assign(2, zeek::val_mgr->Count(${hdr.orig_msg_size}));
r->Assign(3, val_mgr->Count(${hdr.flags})); r->Assign(3, zeek::val_mgr->Count(${hdr.flags}));
r->Assign(4, val_mgr->Count(${hdr.session_id})); r->Assign(4, zeek::val_mgr->Count(${hdr.session_id}));
zeek::BifEvent::enqueue_smb2_transform_header(bro_analyzer(), zeek::BifEvent::enqueue_smb2_transform_header(bro_analyzer(),
bro_analyzer()->Conn(), bro_analyzer()->Conn(),

2
src/analyzer/protocol/smb/smb2-com-tree-connect.pac
View file

@ -19,7 +19,7 @@ refine connection SMB_Conn += {
if ( smb2_tree_connect_response ) if ( smb2_tree_connect_response )
{ {
auto resp = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::TreeConnectResponse); auto resp = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::TreeConnectResponse);
resp->Assign(0, val_mgr->Count(${val.share_type})); resp->Assign(0, zeek::val_mgr->Count(${val.share_type}));
zeek::BifEvent::enqueue_smb2_tree_connect_response(bro_analyzer(), zeek::BifEvent::enqueue_smb2_tree_connect_response(bro_analyzer(),
bro_analyzer()->Conn(), bro_analyzer()->Conn(),

70
src/analyzer/protocol/smb/smb2-protocol.pac
View file

@ -12,15 +12,15 @@ zeek::RecordValPtr BuildSMB2ContextVal(SMB3_negotiate_context_value* ncv);
zeek::RecordValPtr BuildSMB2HeaderVal(SMB2_Header* hdr) zeek::RecordValPtr BuildSMB2HeaderVal(SMB2_Header* hdr)
{ {
auto r = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::Header); auto r = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::Header);
r->Assign(0, val_mgr->Count(${hdr.credit_charge})); r->Assign(0, zeek::val_mgr->Count(${hdr.credit_charge}));
r->Assign(1, val_mgr->Count(${hdr.status})); r->Assign(1, zeek::val_mgr->Count(${hdr.status}));
r->Assign(2, val_mgr->Count(${hdr.command})); r->Assign(2, zeek::val_mgr->Count(${hdr.command}));
r->Assign(3, val_mgr->Count(${hdr.credits})); r->Assign(3, zeek::val_mgr->Count(${hdr.credits}));
r->Assign(4, val_mgr->Count(${hdr.flags})); r->Assign(4, zeek::val_mgr->Count(${hdr.flags}));
r->Assign(5, val_mgr->Count(${hdr.message_id})); r->Assign(5, zeek::val_mgr->Count(${hdr.message_id}));
r->Assign(6, val_mgr->Count(${hdr.process_id})); r->Assign(6, zeek::val_mgr->Count(${hdr.process_id}));
r->Assign(7, val_mgr->Count(${hdr.tree_id})); r->Assign(7, zeek::val_mgr->Count(${hdr.tree_id}));
r->Assign(8, val_mgr->Count(${hdr.session_id})); r->Assign(8, zeek::val_mgr->Count(${hdr.session_id}));
r->Assign(9, to_stringval(${hdr.signature})); r->Assign(9, to_stringval(${hdr.signature}));
return r; return r;
} }
@ -28,29 +28,29 @@ zeek::RecordValPtr BuildSMB2HeaderVal(SMB2_Header* hdr)
zeek::RecordValPtr BuildSMB2GUID(SMB2_guid* file_id) zeek::RecordValPtr BuildSMB2GUID(SMB2_guid* file_id)
{ {
auto r = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::GUID); auto r = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::GUID);
r->Assign(0, val_mgr->Count(${file_id.persistent})); r->Assign(0, zeek::val_mgr->Count(${file_id.persistent}));
r->Assign(1, val_mgr->Count(${file_id._volatile})); r->Assign(1, zeek::val_mgr->Count(${file_id._volatile}));
return r; return r;
} }
zeek::RecordValPtr smb2_file_attrs_to_bro(SMB2_file_attributes* val) zeek::RecordValPtr smb2_file_attrs_to_bro(SMB2_file_attributes* val)
{ {
auto r = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::FileAttrs); auto r = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::FileAttrs);
r->Assign(0, val_mgr->Bool(${val.read_only})); r->Assign(0, zeek::val_mgr->Bool(${val.read_only}));
r->Assign(1, val_mgr->Bool(${val.hidden})); r->Assign(1, zeek::val_mgr->Bool(${val.hidden}));
r->Assign(2, val_mgr->Bool(${val.system})); r->Assign(2, zeek::val_mgr->Bool(${val.system}));
r->Assign(3, val_mgr->Bool(${val.directory})); r->Assign(3, zeek::val_mgr->Bool(${val.directory}));
r->Assign(4, val_mgr->Bool(${val.archive})); r->Assign(4, zeek::val_mgr->Bool(${val.archive}));
r->Assign(5, val_mgr->Bool(${val.normal})); r->Assign(5, zeek::val_mgr->Bool(${val.normal}));
r->Assign(6, val_mgr->Bool(${val.temporary})); r->Assign(6, zeek::val_mgr->Bool(${val.temporary}));
r->Assign(7, val_mgr->Bool(${val.sparse_file})); r->Assign(7, zeek::val_mgr->Bool(${val.sparse_file}));
r->Assign(8, val_mgr->Bool(${val.reparse_point})); r->Assign(8, zeek::val_mgr->Bool(${val.reparse_point}));
r->Assign(9, val_mgr->Bool(${val.compressed})); r->Assign(9, zeek::val_mgr->Bool(${val.compressed}));
r->Assign(10, val_mgr->Bool(${val.offline})); r->Assign(10, zeek::val_mgr->Bool(${val.offline}));
r->Assign(11, val_mgr->Bool(${val.not_content_indexed})); r->Assign(11, zeek::val_mgr->Bool(${val.not_content_indexed}));
r->Assign(12, val_mgr->Bool(${val.encrypted})); r->Assign(12, zeek::val_mgr->Bool(${val.encrypted}));
r->Assign(13, val_mgr->Bool(${val.integrity_stream})); r->Assign(13, zeek::val_mgr->Bool(${val.integrity_stream}));
r->Assign(14, val_mgr->Bool(${val.no_scrub_data})); r->Assign(14, zeek::val_mgr->Bool(${val.no_scrub_data}));
return r; return r;
} }
@ -58,22 +58,22 @@ zeek::RecordValPtr BuildSMB2ContextVal(SMB3_negotiate_context_value* ncv)
{ {
auto r = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::NegotiateContextValue); auto r = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::NegotiateContextValue);
r->Assign(0, val_mgr->Count(${ncv.context_type})); r->Assign(0, zeek::val_mgr->Count(${ncv.context_type}));
r->Assign(1, val_mgr->Count(${ncv.data_length})); r->Assign(1, zeek::val_mgr->Count(${ncv.data_length}));
switch ( ${ncv.context_type} ) { switch ( ${ncv.context_type} ) {
case SMB2_PREAUTH_INTEGRITY_CAPABILITIES: case SMB2_PREAUTH_INTEGRITY_CAPABILITIES:
{ {
auto rpreauth = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::PreAuthIntegrityCapabilities); auto rpreauth = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::PreAuthIntegrityCapabilities);
rpreauth->Assign(0, val_mgr->Count(${ncv.preauth_integrity_capabilities.hash_alg_count})); rpreauth->Assign(0, zeek::val_mgr->Count(${ncv.preauth_integrity_capabilities.hash_alg_count}));
rpreauth->Assign(1, val_mgr->Count(${ncv.preauth_integrity_capabilities.salt_length})); rpreauth->Assign(1, zeek::val_mgr->Count(${ncv.preauth_integrity_capabilities.salt_length}));
auto ha = zeek::make_intrusive<zeek::VectorVal>(zeek::id::index_vec); auto ha = zeek::make_intrusive<zeek::VectorVal>(zeek::id::index_vec);
for ( int i = 0; i < ${ncv.preauth_integrity_capabilities.hash_alg_count}; ++i ) for ( int i = 0; i < ${ncv.preauth_integrity_capabilities.hash_alg_count}; ++i )
{ {
const auto& vec = *${ncv.preauth_integrity_capabilities.hash_alg}; const auto& vec = *${ncv.preauth_integrity_capabilities.hash_alg};
ha->Assign(i, val_mgr->Count(vec[i])); ha->Assign(i, zeek::val_mgr->Count(vec[i]));
} }
rpreauth->Assign(2, std::move(ha)); rpreauth->Assign(2, std::move(ha));
@ -85,14 +85,14 @@ zeek::RecordValPtr BuildSMB2ContextVal(SMB3_negotiate_context_value* ncv)
case SMB2_ENCRYPTION_CAPABILITIES: case SMB2_ENCRYPTION_CAPABILITIES:
{ {
auto rencr = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::EncryptionCapabilities); auto rencr = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::EncryptionCapabilities);
rencr->Assign(0, val_mgr->Count(${ncv.encryption_capabilities.cipher_count})); rencr->Assign(0, zeek::val_mgr->Count(${ncv.encryption_capabilities.cipher_count}));
auto c = zeek::make_intrusive<zeek::VectorVal>(zeek::id::index_vec); auto c = zeek::make_intrusive<zeek::VectorVal>(zeek::id::index_vec);
for ( int i = 0; i < ${ncv.encryption_capabilities.cipher_count}; ++i ) for ( int i = 0; i < ${ncv.encryption_capabilities.cipher_count}; ++i )
{ {
const auto& vec = *${ncv.encryption_capabilities.ciphers}; const auto& vec = *${ncv.encryption_capabilities.ciphers};
c->Assign(i, val_mgr->Count(vec[i])); c->Assign(i, zeek::val_mgr->Count(vec[i]));
} }
rencr->Assign(1, std::move(c)); rencr->Assign(1, std::move(c));
@ -103,14 +103,14 @@ zeek::RecordValPtr BuildSMB2ContextVal(SMB3_negotiate_context_value* ncv)
case SMB2_COMPRESSION_CAPABILITIES: case SMB2_COMPRESSION_CAPABILITIES:
{ {
auto rcomp = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::CompressionCapabilities); auto rcomp = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::CompressionCapabilities);
rcomp->Assign(0, val_mgr->Count(${ncv.compression_capabilities.alg_count})); rcomp->Assign(0, zeek::val_mgr->Count(${ncv.compression_capabilities.alg_count}));
auto c = zeek::make_intrusive<zeek::VectorVal>(zeek::id::index_vec); auto c = zeek::make_intrusive<zeek::VectorVal>(zeek::id::index_vec);
for ( int i = 0; i < ${ncv.compression_capabilities.alg_count}; ++i ) for ( int i = 0; i < ${ncv.compression_capabilities.alg_count}; ++i )
{ {
const auto& vec = *${ncv.compression_capabilities.algs}; const auto& vec = *${ncv.compression_capabilities.algs};
c->Assign(i, val_mgr->Count(vec[i])); c->Assign(i, zeek::val_mgr->Count(vec[i]));
} }
rcomp->Assign(1, std::move(c)); rcomp->Assign(1, std::move(c));

12
src/analyzer/protocol/smtp/SMTP.cc
View file

@ -221,7 +221,7 @@ void SMTP_Analyzer::ProcessLine(int length, const char* line, bool orig)
{ {
EnqueueConnEvent(smtp_data, EnqueueConnEvent(smtp_data,
ConnVal(), ConnVal(),
val_mgr->Bool(orig), zeek::val_mgr->Bool(orig),
zeek::make_intrusive<zeek::StringVal>(data_len, line) zeek::make_intrusive<zeek::StringVal>(data_len, line)
); );
} }
@ -351,11 +351,11 @@ void SMTP_Analyzer::ProcessLine(int length, const char* line, bool orig)
EnqueueConnEvent(smtp_reply, EnqueueConnEvent(smtp_reply,
ConnVal(), ConnVal(),
val_mgr->Bool(orig), zeek::val_mgr->Bool(orig),
val_mgr->Count(reply_code), zeek::val_mgr->Count(reply_code),
zeek::make_intrusive<zeek::StringVal>(cmd), zeek::make_intrusive<zeek::StringVal>(cmd),
zeek::make_intrusive<zeek::StringVal>(end_of_line - line, line), zeek::make_intrusive<zeek::StringVal>(end_of_line - line, line),
val_mgr->Bool((pending_reply > 0)) zeek::val_mgr->Bool((pending_reply > 0))
); );
} }
} }
@ -860,7 +860,7 @@ void SMTP_Analyzer::RequestEvent(int cmd_len, const char* cmd,
EnqueueConnEvent(smtp_request, EnqueueConnEvent(smtp_request,
ConnVal(), ConnVal(),
val_mgr->Bool(orig_is_sender), zeek::val_mgr->Bool(orig_is_sender),
std::move(cmd_arg), std::move(cmd_arg),
zeek::make_intrusive<zeek::StringVal>(arg_len, arg) zeek::make_intrusive<zeek::StringVal>(arg_len, arg)
); );
@ -881,7 +881,7 @@ void SMTP_Analyzer::Unexpected(bool is_sender, const char* msg,
EnqueueConnEvent(smtp_unexpected, EnqueueConnEvent(smtp_unexpected,
ConnVal(), ConnVal(),
val_mgr->Bool(is_orig), zeek::val_mgr->Bool(is_orig),
zeek::make_intrusive<zeek::StringVal>(msg), zeek::make_intrusive<zeek::StringVal>(msg),
zeek::make_intrusive<zeek::StringVal>(detail_len, detail) zeek::make_intrusive<zeek::StringVal>(detail_len, detail)
); );

12
src/analyzer/protocol/snmp/snmp-analyzer.pac
View file

@ -47,7 +47,7 @@ zeek::ValPtr asn1_obj_to_val(const ASN1Encoding* obj)
zeek::RecordValPtr rval = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SNMP::ObjectValue); zeek::RecordValPtr rval = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SNMP::ObjectValue);
uint8 tag = obj->meta()->tag(); uint8 tag = obj->meta()->tag();
rval->Assign(0, val_mgr->Count(tag)); rval->Assign(0, zeek::val_mgr->Count(tag));
switch ( tag ) { switch ( tag ) {
case VARBIND_UNSPECIFIED_TAG: case VARBIND_UNSPECIFIED_TAG:
@ -93,7 +93,7 @@ zeek::ValPtr time_ticks_to_val(const TimeTicks* tt)
zeek::RecordValPtr build_hdr(const Header* header) zeek::RecordValPtr build_hdr(const Header* header)
{ {
auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SNMP::Header); auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SNMP::Header);
rv->Assign(0, val_mgr->Count(header->version())); rv->Assign(0, zeek::val_mgr->Count(header->version()));
switch ( header->version() ) { switch ( header->version() ) {
case SNMPV1_TAG: case SNMPV1_TAG:
@ -132,10 +132,10 @@ zeek::RecordValPtr build_hdrV3(const Header* header)
v3->Assign(0, asn1_integer_to_val(global_data->id(), zeek::TYPE_COUNT)); v3->Assign(0, asn1_integer_to_val(global_data->id(), zeek::TYPE_COUNT));
v3->Assign(1, asn1_integer_to_val(global_data->max_size(), zeek::TYPE_COUNT)); v3->Assign(1, asn1_integer_to_val(global_data->max_size(), zeek::TYPE_COUNT));
v3->Assign(2, val_mgr->Count(flags_byte)); v3->Assign(2, zeek::val_mgr->Count(flags_byte));
v3->Assign(3, val_mgr->Bool(flags_byte & 0x01)); v3->Assign(3, zeek::val_mgr->Bool(flags_byte & 0x01));
v3->Assign(4, val_mgr->Bool(flags_byte & 0x02)); v3->Assign(4, zeek::val_mgr->Bool(flags_byte & 0x02));
v3->Assign(5, val_mgr->Bool(flags_byte & 0x04)); v3->Assign(5, zeek::val_mgr->Bool(flags_byte & 0x04));
v3->Assign(6, asn1_integer_to_val(global_data->security_model(), zeek::TYPE_COUNT)); v3->Assign(6, asn1_integer_to_val(global_data->security_model(), zeek::TYPE_COUNT));
v3->Assign(7, asn1_octet_string_to_val(v3hdr->security_parameters())); v3->Assign(7, asn1_octet_string_to_val(v3hdr->security_parameters()));

10
src/analyzer/protocol/socks/socks-analyzer.pac
View file

@ -36,7 +36,7 @@ refine connection SOCKS_Conn += {
4, 4,
${request.command}, ${request.command},
std::move(sa), std::move(sa),
val_mgr->Port(${request.port}, TRANSPORT_TCP), zeek::val_mgr->Port(${request.port}, TRANSPORT_TCP),
array_to_string(${request.user})); array_to_string(${request.user}));
} }
@ -58,7 +58,7 @@ refine connection SOCKS_Conn += {
4, 4,
${reply.status}, ${reply.status},
std::move(sa), std::move(sa),
val_mgr->Port(${reply.port}, TRANSPORT_TCP)); zeek::val_mgr->Port(${reply.port}, TRANSPORT_TCP));
} }
bro_analyzer()->ProtocolConfirmation(); bro_analyzer()->ProtocolConfirmation();
@ -112,8 +112,8 @@ refine connection SOCKS_Conn += {
5, 5,
${request.command}, ${request.command},
std::move(sa), std::move(sa),
val_mgr->Port(${request.port}, TRANSPORT_TCP), zeek::val_mgr->Port(${request.port}, TRANSPORT_TCP),
val_mgr->EmptyString()); zeek::val_mgr->EmptyString());
static_cast<analyzer::socks::SOCKS_Analyzer*>(bro_analyzer())->EndpointDone(true); static_cast<analyzer::socks::SOCKS_Analyzer*>(bro_analyzer())->EndpointDone(true);
@ -152,7 +152,7 @@ refine connection SOCKS_Conn += {
5, 5,
${reply.reply}, ${reply.reply},
std::move(sa), std::move(sa),
val_mgr->Port(${reply.port}, TRANSPORT_TCP)); zeek::val_mgr->Port(${reply.port}, TRANSPORT_TCP));
bro_analyzer()->ProtocolConfirmation(); bro_analyzer()->ProtocolConfirmation();
static_cast<analyzer::socks::SOCKS_Analyzer*>(bro_analyzer())->EndpointDone(false); static_cast<analyzer::socks::SOCKS_Analyzer*>(bro_analyzer())->EndpointDone(false);

2
src/analyzer/protocol/ssh/ssh-analyzer.pac
View file

@ -101,7 +101,7 @@ refine flow SSH_Flow += {
} }
result->Assign(6, val_mgr->Bool(!${msg.is_orig})); result->Assign(6, zeek::val_mgr->Bool(!${msg.is_orig}));
zeek::BifEvent::enqueue_ssh_capabilities(connection()->bro_analyzer(), zeek::BifEvent::enqueue_ssh_capabilities(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), to_stringval(${msg.cookie}), connection()->bro_analyzer()->Conn(), to_stringval(${msg.cookie}),

4
src/analyzer/protocol/ssl/proc-client-hello.pac
View file

@ -27,7 +27,7 @@
for ( unsigned int i = 0; i < cipher_suites.size(); ++i ) for ( unsigned int i = 0; i < cipher_suites.size(); ++i )
{ {
auto ciph = val_mgr->Count(cipher_suites[i]); auto ciph = zeek::val_mgr->Count(cipher_suites[i]);
cipher_vec->Assign(i, ciph); cipher_vec->Assign(i, ciph);
} }
@ -37,7 +37,7 @@
{ {
for ( unsigned int i = 0; i < compression_methods->size(); ++i ) for ( unsigned int i = 0; i < compression_methods->size(); ++i )
{ {
auto comp = val_mgr->Count((*compression_methods)[i]); auto comp = zeek::val_mgr->Count((*compression_methods)[i]);
comp_vec->Assign(i, comp); comp_vec->Assign(i, comp);
} }
} }

42
src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
View file

@ -80,7 +80,7 @@ refine connection Handshake_Conn += {
if ( point_format_list ) if ( point_format_list )
{ {
for ( unsigned int i = 0; i < point_format_list->size(); ++i ) for ( unsigned int i = 0; i < point_format_list->size(); ++i )
points->Assign(i, val_mgr->Count((*point_format_list)[i])); points->Assign(i, zeek::val_mgr->Count((*point_format_list)[i]));
} }
zeek::BifEvent::enqueue_ssl_extension_ec_point_formats(bro_analyzer(), bro_analyzer()->Conn(), zeek::BifEvent::enqueue_ssl_extension_ec_point_formats(bro_analyzer(), bro_analyzer()->Conn(),
@ -99,7 +99,7 @@ refine connection Handshake_Conn += {
if ( list ) if ( list )
{ {
for ( unsigned int i = 0; i < list->size(); ++i ) for ( unsigned int i = 0; i < list->size(); ++i )
curves->Assign(i, val_mgr->Count((*list)[i])); curves->Assign(i, zeek::val_mgr->Count((*list)[i]));
} }
zeek::BifEvent::enqueue_ssl_extension_elliptic_curves(bro_analyzer(), bro_analyzer()->Conn(), zeek::BifEvent::enqueue_ssl_extension_elliptic_curves(bro_analyzer(), bro_analyzer()->Conn(),
@ -118,7 +118,7 @@ refine connection Handshake_Conn += {
if ( keyshare ) if ( keyshare )
{ {
for ( unsigned int i = 0; i < keyshare->size(); ++i ) for ( unsigned int i = 0; i < keyshare->size(); ++i )
nglist->Assign(i, val_mgr->Count((*keyshare)[i]->namedgroup())); nglist->Assign(i, zeek::val_mgr->Count((*keyshare)[i]->namedgroup()));
} }
zeek::BifEvent::enqueue_ssl_extension_key_share(bro_analyzer(), bro_analyzer()->Conn(), ${rec.is_orig}, std::move(nglist)); zeek::BifEvent::enqueue_ssl_extension_key_share(bro_analyzer(), bro_analyzer()->Conn(), ${rec.is_orig}, std::move(nglist));
@ -133,7 +133,7 @@ refine connection Handshake_Conn += {
auto nglist = zeek::make_intrusive<zeek::VectorVal>(zeek::id::index_vec); auto nglist = zeek::make_intrusive<zeek::VectorVal>(zeek::id::index_vec);
nglist->Assign(0u, val_mgr->Count(keyshare->namedgroup())); nglist->Assign(0u, zeek::val_mgr->Count(keyshare->namedgroup()));
zeek::BifEvent::enqueue_ssl_extension_key_share(bro_analyzer(), bro_analyzer()->Conn(), ${rec.is_orig}, std::move(nglist)); zeek::BifEvent::enqueue_ssl_extension_key_share(bro_analyzer(), bro_analyzer()->Conn(), ${rec.is_orig}, std::move(nglist));
return true; return true;
%} %}
@ -145,7 +145,7 @@ refine connection Handshake_Conn += {
auto nglist = zeek::make_intrusive<zeek::VectorVal>(zeek::id::index_vec); auto nglist = zeek::make_intrusive<zeek::VectorVal>(zeek::id::index_vec);
nglist->Assign(0u, val_mgr->Count(namedgroup)); nglist->Assign(0u, zeek::val_mgr->Count(namedgroup));
zeek::BifEvent::enqueue_ssl_extension_key_share(bro_analyzer(), bro_analyzer()->Conn(), ${rec.is_orig}, std::move(nglist)); zeek::BifEvent::enqueue_ssl_extension_key_share(bro_analyzer(), bro_analyzer()->Conn(), ${rec.is_orig}, std::move(nglist));
return true; return true;
%} %}
@ -162,8 +162,8 @@ refine connection Handshake_Conn += {
for ( unsigned int i = 0; i < supported_signature_algorithms->size(); ++i ) for ( unsigned int i = 0; i < supported_signature_algorithms->size(); ++i )
{ {
auto el = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SSL::SignatureAndHashAlgorithm); auto el = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SSL::SignatureAndHashAlgorithm);
el->Assign(0, val_mgr->Count((*supported_signature_algorithms)[i]->HashAlgorithm())); el->Assign(0, zeek::val_mgr->Count((*supported_signature_algorithms)[i]->HashAlgorithm()));
el->Assign(1, val_mgr->Count((*supported_signature_algorithms)[i]->SignatureAlgorithm())); el->Assign(1, zeek::val_mgr->Count((*supported_signature_algorithms)[i]->SignatureAlgorithm()));
slist->Assign(i, std::move(el)); slist->Assign(i, std::move(el));
} }
} }
@ -231,7 +231,7 @@ refine connection Handshake_Conn += {
if ( versions_list ) if ( versions_list )
{ {
for ( unsigned int i = 0; i < versions_list->size(); ++i ) for ( unsigned int i = 0; i < versions_list->size(); ++i )
versions->Assign(i, val_mgr->Count((*versions_list)[i])); versions->Assign(i, zeek::val_mgr->Count((*versions_list)[i]));
} }
zeek::BifEvent::enqueue_ssl_extension_supported_versions(bro_analyzer(), bro_analyzer()->Conn(), zeek::BifEvent::enqueue_ssl_extension_supported_versions(bro_analyzer(), bro_analyzer()->Conn(),
@ -246,7 +246,7 @@ refine connection Handshake_Conn += {
return true; return true;
auto versions = zeek::make_intrusive<zeek::VectorVal>(zeek::id::index_vec); auto versions = zeek::make_intrusive<zeek::VectorVal>(zeek::id::index_vec);
versions->Assign(0u, val_mgr->Count(version)); versions->Assign(0u, zeek::val_mgr->Count(version));
zeek::BifEvent::enqueue_ssl_extension_supported_versions(bro_analyzer(), bro_analyzer()->Conn(), zeek::BifEvent::enqueue_ssl_extension_supported_versions(bro_analyzer(), bro_analyzer()->Conn(),
${rec.is_orig}, std::move(versions)); ${rec.is_orig}, std::move(versions));
@ -264,7 +264,7 @@ refine connection Handshake_Conn += {
if ( mode_list ) if ( mode_list )
{ {
for ( unsigned int i = 0; i < mode_list->size(); ++i ) for ( unsigned int i = 0; i < mode_list->size(); ++i )
modes->Assign(i, val_mgr->Count((*mode_list)[i])); modes->Assign(i, zeek::val_mgr->Count((*mode_list)[i]));
} }
zeek::BifEvent::enqueue_ssl_extension_psk_key_exchange_modes(bro_analyzer(), bro_analyzer()->Conn(), zeek::BifEvent::enqueue_ssl_extension_psk_key_exchange_modes(bro_analyzer(), bro_analyzer()->Conn(),
@ -346,14 +346,14 @@ refine connection Handshake_Conn += {
if ( ${kex.signed_params.uses_signature_and_hashalgorithm} ) if ( ${kex.signed_params.uses_signature_and_hashalgorithm} )
{ {
ha->Assign(0, val_mgr->Count(${kex.signed_params.algorithm.HashAlgorithm})); ha->Assign(0, zeek::val_mgr->Count(${kex.signed_params.algorithm.HashAlgorithm}));
ha->Assign(1, val_mgr->Count(${kex.signed_params.algorithm.SignatureAlgorithm})); ha->Assign(1, zeek::val_mgr->Count(${kex.signed_params.algorithm.SignatureAlgorithm}));
} }
else else
{ {
// set to impossible value // set to impossible value
ha->Assign(0, val_mgr->Count(256)); ha->Assign(0, zeek::val_mgr->Count(256));
ha->Assign(1, val_mgr->Count(256)); ha->Assign(1, zeek::val_mgr->Count(256));
} }
zeek::BifEvent::enqueue_ssl_server_signature(bro_analyzer(), zeek::BifEvent::enqueue_ssl_server_signature(bro_analyzer(),
@ -415,8 +415,8 @@ refine connection Handshake_Conn += {
return true; return true;
auto ha = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SSL::SignatureAndHashAlgorithm); auto ha = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SSL::SignatureAndHashAlgorithm);
ha->Assign(0, val_mgr->Count(digitally_signed_algorithms->HashAlgorithm())); ha->Assign(0, zeek::val_mgr->Count(digitally_signed_algorithms->HashAlgorithm()));
ha->Assign(1, val_mgr->Count(digitally_signed_algorithms->SignatureAlgorithm())); ha->Assign(1, zeek::val_mgr->Count(digitally_signed_algorithms->SignatureAlgorithm()));
zeek::BifEvent::enqueue_ssl_extension_signed_certificate_timestamp(bro_analyzer(), zeek::BifEvent::enqueue_ssl_extension_signed_certificate_timestamp(bro_analyzer(),
bro_analyzer()->Conn(), ${rec.is_orig}, bro_analyzer()->Conn(), ${rec.is_orig},
@ -446,14 +446,14 @@ refine connection Handshake_Conn += {
if ( ${signed_params.uses_signature_and_hashalgorithm} ) if ( ${signed_params.uses_signature_and_hashalgorithm} )
{ {
ha->Assign(0, val_mgr->Count(${signed_params.algorithm.HashAlgorithm})); ha->Assign(0, zeek::val_mgr->Count(${signed_params.algorithm.HashAlgorithm}));
ha->Assign(1, val_mgr->Count(${signed_params.algorithm.SignatureAlgorithm})); ha->Assign(1, zeek::val_mgr->Count(${signed_params.algorithm.SignatureAlgorithm}));
} }
else else
{ {
// set to impossible value // set to impossible value
ha->Assign(0, val_mgr->Count(256)); ha->Assign(0, zeek::val_mgr->Count(256));
ha->Assign(1, val_mgr->Count(256)); ha->Assign(1, zeek::val_mgr->Count(256));
} }
zeek::BifEvent::enqueue_ssl_server_signature(bro_analyzer(), zeek::BifEvent::enqueue_ssl_server_signature(bro_analyzer(),
@ -500,7 +500,7 @@ refine connection Handshake_Conn += {
{ {
auto el = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SSL::PSKIdentity); auto el = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SSL::PSKIdentity);
el->Assign(0, zeek::make_intrusive<zeek::StringVal>(identity->identity().length(), (const char*) identity->identity().data())); el->Assign(0, zeek::make_intrusive<zeek::StringVal>(identity->identity().length(), (const char*) identity->identity().data()));
el->Assign(1, val_mgr->Count(identity->obfuscated_ticket_age())); el->Assign(1, zeek::val_mgr->Count(identity->obfuscated_ticket_age()));
slist->Assign(slist->Size(), std::move(el)); slist->Assign(slist->Size(), std::move(el));
} }
} }

8
src/analyzer/protocol/stepping-stone/SteppingStone.cc
View file

@ -135,9 +135,9 @@ void SteppingStoneEndpoint::Event(EventHandlerPtr f, int id1, int id2)
return; return;
if ( id2 >= 0 ) if ( id2 >= 0 )
endp->TCP()->EnqueueConnEvent(f, val_mgr->Int(id1), val_mgr->Int(id2)); endp->TCP()->EnqueueConnEvent(f, zeek::val_mgr->Int(id1), zeek::val_mgr->Int(id2));
else else
endp->TCP()->EnqueueConnEvent(f, val_mgr->Int(id1)); endp->TCP()->EnqueueConnEvent(f, zeek::val_mgr->Int(id1));
} }
void SteppingStoneEndpoint::CreateEndpEvent(bool is_orig) void SteppingStoneEndpoint::CreateEndpEvent(bool is_orig)
@ -147,8 +147,8 @@ void SteppingStoneEndpoint::CreateEndpEvent(bool is_orig)
endp->TCP()->EnqueueConnEvent(stp_create_endp, endp->TCP()->EnqueueConnEvent(stp_create_endp,
endp->TCP()->ConnVal(), endp->TCP()->ConnVal(),
val_mgr->Int(stp_id), zeek::val_mgr->Int(stp_id),
val_mgr->Bool(is_orig) zeek::val_mgr->Bool(is_orig)
); );
} }

80
src/analyzer/protocol/tcp/TCP.cc
View file

@ -110,14 +110,14 @@ static zeek::RecordVal* build_syn_packet_val(bool is_orig, const IP_Hdr* ip,
static auto SYN_packet = zeek::id::find_type<zeek::RecordType>("SYN_packet"); static auto SYN_packet = zeek::id::find_type<zeek::RecordType>("SYN_packet");
auto* v = new zeek::RecordVal(SYN_packet); auto* v = new zeek::RecordVal(SYN_packet);
v->Assign(0, val_mgr->Bool(is_orig)); v->Assign(0, zeek::val_mgr->Bool(is_orig));
v->Assign(1, val_mgr->Bool(int(ip->DF()))); v->Assign(1, zeek::val_mgr->Bool(int(ip->DF())));
v->Assign(2, val_mgr->Count((ip->TTL()))); v->Assign(2, zeek::val_mgr->Count((ip->TTL())));
v->Assign(3, val_mgr->Count((ip->TotalLen()))); v->Assign(3, zeek::val_mgr->Count((ip->TotalLen())));
v->Assign(4, val_mgr->Count(ntohs(tcp->th_win))); v->Assign(4, zeek::val_mgr->Count(ntohs(tcp->th_win)));
v->Assign(5, val_mgr->Int(winscale)); v->Assign(5, zeek::val_mgr->Int(winscale));
v->Assign(6, val_mgr->Count(MSS)); v->Assign(6, zeek::val_mgr->Count(MSS));
v->Assign(7, val_mgr->Bool(SACK)); v->Assign(7, zeek::val_mgr->Bool(SACK));
return v; return v;
} }
@ -788,11 +788,11 @@ void TCP_Analyzer::GeneratePacketEvent(
{ {
EnqueueConnEvent(tcp_packet, EnqueueConnEvent(tcp_packet,
ConnVal(), ConnVal(),
val_mgr->Bool(is_orig), zeek::val_mgr->Bool(is_orig),
zeek::make_intrusive<zeek::StringVal>(flags.AsString()), zeek::make_intrusive<zeek::StringVal>(flags.AsString()),
val_mgr->Count(rel_seq), zeek::val_mgr->Count(rel_seq),
val_mgr->Count(flags.ACK() ? rel_ack : 0), zeek::val_mgr->Count(flags.ACK() ? rel_ack : 0),
val_mgr->Count(len), zeek::val_mgr->Count(len),
// We need the min() here because Ethernet padding can lead to // We need the min() here because Ethernet padding can lead to
// caplen > len. // caplen > len.
zeek::make_intrusive<zeek::StringVal>(std::min(caplen, len), (const char*) data) zeek::make_intrusive<zeek::StringVal>(std::min(caplen, len), (const char*) data)
@ -1290,10 +1290,10 @@ void TCP_Analyzer::UpdateConnVal(zeek::RecordVal *conn_val)
zeek::RecordVal* orig_endp_val = conn_val->GetField("orig")->AsRecordVal(); zeek::RecordVal* orig_endp_val = conn_val->GetField("orig")->AsRecordVal();
zeek::RecordVal* resp_endp_val = conn_val->GetField("resp")->AsRecordVal(); zeek::RecordVal* resp_endp_val = conn_val->GetField("resp")->AsRecordVal();
orig_endp_val->Assign(0, val_mgr->Count(orig->Size())); orig_endp_val->Assign(0, zeek::val_mgr->Count(orig->Size()));
orig_endp_val->Assign(1, val_mgr->Count(int(orig->state))); orig_endp_val->Assign(1, zeek::val_mgr->Count(int(orig->state)));
resp_endp_val->Assign(0, val_mgr->Count(resp->Size())); resp_endp_val->Assign(0, zeek::val_mgr->Count(resp->Size()));
resp_endp_val->Assign(1, val_mgr->Count(int(resp->state))); resp_endp_val->Assign(1, zeek::val_mgr->Count(int(resp->state)));
// Call children's UpdateConnVal // Call children's UpdateConnVal
Analyzer::UpdateConnVal(conn_val); Analyzer::UpdateConnVal(conn_val);
@ -1348,9 +1348,9 @@ int TCP_Analyzer::ParseTCPOptions(const struct tcphdr* tcp, bool is_orig)
auto length = kind < 2 ? 1 : o[1]; auto length = kind < 2 ? 1 : o[1];
EnqueueConnEvent(tcp_option, EnqueueConnEvent(tcp_option,
ConnVal(), ConnVal(),
val_mgr->Bool(is_orig), zeek::val_mgr->Bool(is_orig),
val_mgr->Count(kind), zeek::val_mgr->Count(kind),
val_mgr->Count(length) zeek::val_mgr->Count(length)
); );
} }
@ -1374,8 +1374,8 @@ int TCP_Analyzer::ParseTCPOptions(const struct tcphdr* tcp, bool is_orig)
auto length = kind < 2 ? 1 : o[1]; auto length = kind < 2 ? 1 : o[1];
auto option_record = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::TCP::Option); auto option_record = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::TCP::Option);
option_list->Assign(option_list->Size(), option_record); option_list->Assign(option_list->Size(), option_record);
option_record->Assign(0, val_mgr->Count(kind)); option_record->Assign(0, zeek::val_mgr->Count(kind));
option_record->Assign(1, val_mgr->Count(length)); option_record->Assign(1, zeek::val_mgr->Count(length));
switch ( kind ) { switch ( kind ) {
case 2: case 2:
@ -1383,7 +1383,7 @@ int TCP_Analyzer::ParseTCPOptions(const struct tcphdr* tcp, bool is_orig)
if ( length == 4 ) if ( length == 4 )
{ {
auto mss = ntohs(*reinterpret_cast<const uint16_t*>(o + 2)); auto mss = ntohs(*reinterpret_cast<const uint16_t*>(o + 2));
option_record->Assign(3, val_mgr->Count(mss)); option_record->Assign(3, zeek::val_mgr->Count(mss));
} }
else else
{ {
@ -1397,7 +1397,7 @@ int TCP_Analyzer::ParseTCPOptions(const struct tcphdr* tcp, bool is_orig)
if ( length == 3 ) if ( length == 3 )
{ {
auto scale = o[2]; auto scale = o[2];
option_record->Assign(4, val_mgr->Count(scale)); option_record->Assign(4, zeek::val_mgr->Count(scale));
} }
else else
{ {
@ -1426,7 +1426,7 @@ int TCP_Analyzer::ParseTCPOptions(const struct tcphdr* tcp, bool is_orig)
auto sack = zeek::make_intrusive<zeek::VectorVal>(std::move(vt)); auto sack = zeek::make_intrusive<zeek::VectorVal>(std::move(vt));
for ( auto i = 0; i < num_pointers; ++i ) for ( auto i = 0; i < num_pointers; ++i )
sack->Assign(sack->Size(), val_mgr->Count(ntohl(p[i]))); sack->Assign(sack->Size(), zeek::val_mgr->Count(ntohl(p[i])));
option_record->Assign(5, sack); option_record->Assign(5, sack);
} }
@ -1443,8 +1443,8 @@ int TCP_Analyzer::ParseTCPOptions(const struct tcphdr* tcp, bool is_orig)
{ {
auto send = ntohl(*reinterpret_cast<const uint32_t*>(o + 2)); auto send = ntohl(*reinterpret_cast<const uint32_t*>(o + 2));
auto echo = ntohl(*reinterpret_cast<const uint32_t*>(o + 6)); auto echo = ntohl(*reinterpret_cast<const uint32_t*>(o + 6));
option_record->Assign(6, val_mgr->Count(send)); option_record->Assign(6, zeek::val_mgr->Count(send));
option_record->Assign(7, val_mgr->Count(echo)); option_record->Assign(7, zeek::val_mgr->Count(echo));
} }
else else
{ {
@ -1461,7 +1461,7 @@ int TCP_Analyzer::ParseTCPOptions(const struct tcphdr* tcp, bool is_orig)
EnqueueConnEvent(tcp_options, EnqueueConnEvent(tcp_options,
ConnVal(), ConnVal(),
val_mgr->Bool(is_orig), zeek::val_mgr->Bool(is_orig),
std::move(option_list) std::move(option_list)
); );
} }
@ -1783,7 +1783,7 @@ void TCP_Analyzer::EndpointEOF(TCP_Reassembler* endp)
if ( connection_EOF ) if ( connection_EOF )
EnqueueConnEvent(connection_EOF, EnqueueConnEvent(connection_EOF,
ConnVal(), ConnVal(),
val_mgr->Bool(endp->IsOrig()) zeek::val_mgr->Bool(endp->IsOrig())
); );
const analyzer_list& children(GetChildren()); const analyzer_list& children(GetChildren());
@ -2063,11 +2063,11 @@ bool TCPStats_Endpoint::DataSent(double /* t */, uint64_t seq, int len, int capl
if ( tcp_rexmit ) if ( tcp_rexmit )
endp->TCP()->EnqueueConnEvent(tcp_rexmit, endp->TCP()->EnqueueConnEvent(tcp_rexmit,
endp->TCP()->ConnVal(), endp->TCP()->ConnVal(),
val_mgr->Bool(endp->IsOrig()), zeek::val_mgr->Bool(endp->IsOrig()),
val_mgr->Count(seq), zeek::val_mgr->Count(seq),
val_mgr->Count(len), zeek::val_mgr->Count(len),
val_mgr->Count(data_in_flight), zeek::val_mgr->Count(data_in_flight),
val_mgr->Count(endp->peer->window) zeek::val_mgr->Count(endp->peer->window)
); );
} }
else else
@ -2081,13 +2081,13 @@ zeek::RecordVal* TCPStats_Endpoint::BuildStats()
static auto endpoint_stats = zeek::id::find_type<zeek::RecordType>("endpoint_stats"); static auto endpoint_stats = zeek::id::find_type<zeek::RecordType>("endpoint_stats");
auto* stats = new zeek::RecordVal(endpoint_stats); auto* stats = new zeek::RecordVal(endpoint_stats);
stats->Assign(0, val_mgr->Count(num_pkts)); stats->Assign(0, zeek::val_mgr->Count(num_pkts));
stats->Assign(1, val_mgr->Count(num_rxmit)); stats->Assign(1, zeek::val_mgr->Count(num_rxmit));
stats->Assign(2, val_mgr->Count(num_rxmit_bytes)); stats->Assign(2, zeek::val_mgr->Count(num_rxmit_bytes));
stats->Assign(3, val_mgr->Count(num_in_order)); stats->Assign(3, zeek::val_mgr->Count(num_in_order));
stats->Assign(4, val_mgr->Count(num_OO)); stats->Assign(4, zeek::val_mgr->Count(num_OO));
stats->Assign(5, val_mgr->Count(num_repl)); stats->Assign(5, zeek::val_mgr->Count(num_repl));
stats->Assign(6, val_mgr->Count(endian_type)); stats->Assign(6, zeek::val_mgr->Count(endian_type));
return stats; return stats;
} }

2
src/analyzer/protocol/tcp/TCP_Endpoint.cc
View file

@ -239,7 +239,7 @@ bool TCP_Endpoint::DataSent(double t, uint64_t seq, int len, int caplen,
if ( contents_file_write_failure ) if ( contents_file_write_failure )
tcp_analyzer->EnqueueConnEvent(contents_file_write_failure, tcp_analyzer->EnqueueConnEvent(contents_file_write_failure,
Conn()->ConnVal(), Conn()->ConnVal(),
val_mgr->Bool(IsOrig()), zeek::val_mgr->Bool(IsOrig()),
zeek::make_intrusive<zeek::StringVal>(buf) zeek::make_intrusive<zeek::StringVal>(buf)
); );
} }

16
src/analyzer/protocol/tcp/TCP_Reassembler.cc
View file

@ -43,7 +43,7 @@ TCP_Reassembler::TCP_Reassembler(analyzer::Analyzer* arg_dst_analyzer,
{ {
static auto tcp_content_delivery_ports_orig = zeek::id::find_val<zeek::TableVal>("tcp_content_delivery_ports_orig"); static auto tcp_content_delivery_ports_orig = zeek::id::find_val<zeek::TableVal>("tcp_content_delivery_ports_orig");
static auto tcp_content_delivery_ports_resp = zeek::id::find_val<zeek::TableVal>("tcp_content_delivery_ports_resp"); static auto tcp_content_delivery_ports_resp = zeek::id::find_val<zeek::TableVal>("tcp_content_delivery_ports_resp");
const auto& dst_port_val = val_mgr->Port(ntohs(tcp_analyzer->Conn()->RespPort()), const auto& dst_port_val = zeek::val_mgr->Port(ntohs(tcp_analyzer->Conn()->RespPort()),
TRANSPORT_TCP); TRANSPORT_TCP);
const auto& ports = IsOrig() ? const auto& ports = IsOrig() ?
tcp_content_delivery_ports_orig : tcp_content_delivery_ports_orig :
@ -148,9 +148,9 @@ void TCP_Reassembler::Gap(uint64_t seq, uint64_t len)
if ( report_gap(endp, endp->peer) ) if ( report_gap(endp, endp->peer) )
dst_analyzer->EnqueueConnEvent(content_gap, dst_analyzer->EnqueueConnEvent(content_gap,
dst_analyzer->ConnVal(), dst_analyzer->ConnVal(),
val_mgr->Bool(IsOrig()), zeek::val_mgr->Bool(IsOrig()),
val_mgr->Count(seq), zeek::val_mgr->Count(seq),
val_mgr->Count(len) zeek::val_mgr->Count(len)
); );
if ( type == Direct ) if ( type == Direct )
@ -358,7 +358,7 @@ void TCP_Reassembler::RecordBlock(const DataBlock& b, const BroFilePtr& f)
if ( contents_file_write_failure ) if ( contents_file_write_failure )
tcp_analyzer->EnqueueConnEvent(contents_file_write_failure, tcp_analyzer->EnqueueConnEvent(contents_file_write_failure,
Endpoint()->Conn()->ConnVal(), Endpoint()->Conn()->ConnVal(),
val_mgr->Bool(IsOrig()), zeek::val_mgr->Bool(IsOrig()),
zeek::make_intrusive<zeek::StringVal>("TCP reassembler content write failure") zeek::make_intrusive<zeek::StringVal>("TCP reassembler content write failure")
); );
} }
@ -373,7 +373,7 @@ void TCP_Reassembler::RecordGap(uint64_t start_seq, uint64_t upper_seq, const Br
if ( contents_file_write_failure ) if ( contents_file_write_failure )
tcp_analyzer->EnqueueConnEvent(contents_file_write_failure, tcp_analyzer->EnqueueConnEvent(contents_file_write_failure,
Endpoint()->Conn()->ConnVal(), Endpoint()->Conn()->ConnVal(),
val_mgr->Bool(IsOrig()), zeek::val_mgr->Bool(IsOrig()),
zeek::make_intrusive<zeek::StringVal>("TCP reassembler gap write failure") zeek::make_intrusive<zeek::StringVal>("TCP reassembler gap write failure")
); );
} }
@ -609,8 +609,8 @@ void TCP_Reassembler::DeliverBlock(uint64_t seq, int len, const u_char* data)
if ( deliver_tcp_contents ) if ( deliver_tcp_contents )
tcp_analyzer->EnqueueConnEvent(tcp_contents, tcp_analyzer->EnqueueConnEvent(tcp_contents,
tcp_analyzer->ConnVal(), tcp_analyzer->ConnVal(),
val_mgr->Bool(IsOrig()), zeek::val_mgr->Bool(IsOrig()),
val_mgr->Count(seq), zeek::val_mgr->Count(seq),
zeek::make_intrusive<zeek::StringVal>(len, (const char*) data) zeek::make_intrusive<zeek::StringVal>(len, (const char*) data)
); );

20
src/analyzer/protocol/tcp/functions.bif
View file

@ -20,18 +20,18 @@ function get_orig_seq%(cid: conn_id%): count
%{ %{
Connection* c = sessions->FindConnection(cid); Connection* c = sessions->FindConnection(cid);
if ( ! c ) if ( ! c )
return val_mgr->Count(0); return zeek::val_mgr->Count(0);
if ( c->ConnTransport() != TRANSPORT_TCP ) if ( c->ConnTransport() != TRANSPORT_TCP )
return val_mgr->Count(0); return zeek::val_mgr->Count(0);
analyzer::Analyzer* tc = c->FindAnalyzer("TCP"); analyzer::Analyzer* tc = c->FindAnalyzer("TCP");
if ( tc ) if ( tc )
return val_mgr->Count(static_cast<analyzer::tcp::TCP_Analyzer*>(tc)->OrigSeq()); return zeek::val_mgr->Count(static_cast<analyzer::tcp::TCP_Analyzer*>(tc)->OrigSeq());
else else
{ {
reporter->Error("connection does not have TCP analyzer"); reporter->Error("connection does not have TCP analyzer");
return val_mgr->Count(0); return zeek::val_mgr->Count(0);
} }
%} %}
@ -49,18 +49,18 @@ function get_resp_seq%(cid: conn_id%): count
%{ %{
Connection* c = sessions->FindConnection(cid); Connection* c = sessions->FindConnection(cid);
if ( ! c ) if ( ! c )
return val_mgr->Count(0); return zeek::val_mgr->Count(0);
if ( c->ConnTransport() != TRANSPORT_TCP ) if ( c->ConnTransport() != TRANSPORT_TCP )
return val_mgr->Count(0); return zeek::val_mgr->Count(0);
analyzer::Analyzer* tc = c->FindAnalyzer("TCP"); analyzer::Analyzer* tc = c->FindAnalyzer("TCP");
if ( tc ) if ( tc )
return val_mgr->Count(static_cast<analyzer::tcp::TCP_Analyzer*>(tc)->RespSeq()); return zeek::val_mgr->Count(static_cast<analyzer::tcp::TCP_Analyzer*>(tc)->RespSeq());
else else
{ {
reporter->Error("connection does not have TCP analyzer"); reporter->Error("connection does not have TCP analyzer");
return val_mgr->Count(0); return zeek::val_mgr->Count(0);
} }
%} %}
@ -99,10 +99,10 @@ function set_contents_file%(cid: conn_id, direction: count, f: file%): bool
%{ %{
Connection* c = sessions->FindConnection(cid); Connection* c = sessions->FindConnection(cid);
if ( ! c ) if ( ! c )
return val_mgr->False(); return zeek::val_mgr->False();
c->GetRootAnalyzer()->SetContentsFile(direction, {zeek::NewRef{}, f}); c->GetRootAnalyzer()->SetContentsFile(direction, {zeek::NewRef{}, f});
return val_mgr->True(); return zeek::val_mgr->True();
%} %}
## Returns the file handle of the contents file of a connection. ## Returns the file handle of the contents file of a connection.

6
src/analyzer/protocol/teredo/Teredo.cc
View file

@ -115,8 +115,8 @@ zeek::RecordValPtr TeredoEncapsulation::BuildVal(const IP_Hdr* inner) const
new zeek::BroString(auth + 4, id_len, true))); new zeek::BroString(auth + 4, id_len, true)));
teredo_auth->Assign(1, zeek::make_intrusive<zeek::StringVal>( teredo_auth->Assign(1, zeek::make_intrusive<zeek::StringVal>(
new zeek::BroString(auth + 4 + id_len, au_len, true))); new zeek::BroString(auth + 4 + id_len, au_len, true)));
teredo_auth->Assign(2, val_mgr->Count(nonce)); teredo_auth->Assign(2, zeek::val_mgr->Count(nonce));
teredo_auth->Assign(3, val_mgr->Count(conf)); teredo_auth->Assign(3, zeek::val_mgr->Count(conf));
teredo_hdr->Assign(0, std::move(teredo_auth)); teredo_hdr->Assign(0, std::move(teredo_auth));
} }
@ -125,7 +125,7 @@ zeek::RecordValPtr TeredoEncapsulation::BuildVal(const IP_Hdr* inner) const
auto teredo_origin = zeek::make_intrusive<zeek::RecordVal>(teredo_origin_type); auto teredo_origin = zeek::make_intrusive<zeek::RecordVal>(teredo_origin_type);
uint16_t port = ntohs(*((uint16_t*)(origin_indication + 2))) ^ 0xFFFF; uint16_t port = ntohs(*((uint16_t*)(origin_indication + 2))) ^ 0xFFFF;
uint32_t addr = ntohl(*((uint32_t*)(origin_indication + 4))) ^ 0xFFFFFFFF; uint32_t addr = ntohl(*((uint32_t*)(origin_indication + 4))) ^ 0xFFFFFFFF;
teredo_origin->Assign(0, val_mgr->Port(port, TRANSPORT_UDP)); teredo_origin->Assign(0, zeek::val_mgr->Port(port, TRANSPORT_UDP));
teredo_origin->Assign(1, zeek::make_intrusive<zeek::AddrVal>(htonl(addr))); teredo_origin->Assign(1, zeek::make_intrusive<zeek::AddrVal>(htonl(addr)));
teredo_hdr->Assign(1, std::move(teredo_origin)); teredo_hdr->Assign(1, std::move(teredo_origin));
} }

16
src/analyzer/protocol/udp/UDP.cc
View file

@ -138,8 +138,8 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
static auto udp_content_delivery_ports_orig = zeek::id::find_val<zeek::TableVal>("udp_content_delivery_ports_orig"); static auto udp_content_delivery_ports_orig = zeek::id::find_val<zeek::TableVal>("udp_content_delivery_ports_orig");
static auto udp_content_delivery_ports_resp = zeek::id::find_val<zeek::TableVal>("udp_content_delivery_ports_resp"); static auto udp_content_delivery_ports_resp = zeek::id::find_val<zeek::TableVal>("udp_content_delivery_ports_resp");
bool do_udp_contents = false; bool do_udp_contents = false;
const auto& sport_val = val_mgr->Port(ntohs(up->uh_sport), TRANSPORT_UDP); const auto& sport_val = zeek::val_mgr->Port(ntohs(up->uh_sport), TRANSPORT_UDP);
const auto& dport_val = val_mgr->Port(ntohs(up->uh_dport), TRANSPORT_UDP); const auto& dport_val = zeek::val_mgr->Port(ntohs(up->uh_dport), TRANSPORT_UDP);
if ( udp_content_ports->FindOrDefault(dport_val) || if ( udp_content_ports->FindOrDefault(dport_val) ||
udp_content_ports->FindOrDefault(sport_val) ) udp_content_ports->FindOrDefault(sport_val) )
@ -148,7 +148,7 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
{ {
uint16_t p = udp_content_delivery_ports_use_resp ? Conn()->RespPort() uint16_t p = udp_content_delivery_ports_use_resp ? Conn()->RespPort()
: up->uh_dport; : up->uh_dport;
const auto& port_val = val_mgr->Port(ntohs(p), TRANSPORT_UDP); const auto& port_val = zeek::val_mgr->Port(ntohs(p), TRANSPORT_UDP);
if ( is_orig ) if ( is_orig )
{ {
@ -169,7 +169,7 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
if ( do_udp_contents ) if ( do_udp_contents )
EnqueueConnEvent(udp_contents, EnqueueConnEvent(udp_contents,
ConnVal(), ConnVal(),
val_mgr->Bool(is_orig), zeek::val_mgr->Bool(is_orig),
zeek::make_intrusive<zeek::StringVal>(len, (const char*) data)); zeek::make_intrusive<zeek::StringVal>(len, (const char*) data));
} }
@ -230,14 +230,14 @@ void UDP_Analyzer::UpdateEndpointVal(zeek::RecordVal* endp, bool is_orig)
bro_int_t size = is_orig ? request_len : reply_len; bro_int_t size = is_orig ? request_len : reply_len;
if ( size < 0 ) if ( size < 0 )
{ {
endp->Assign(0, val_mgr->Count(0)); endp->Assign(0, zeek::val_mgr->Count(0));
endp->Assign(1, val_mgr->Count(int(UDP_INACTIVE))); endp->Assign(1, zeek::val_mgr->Count(int(UDP_INACTIVE)));
} }
else else
{ {
endp->Assign(0, val_mgr->Count(size)); endp->Assign(0, zeek::val_mgr->Count(size));
endp->Assign(1, val_mgr->Count(int(UDP_ACTIVE))); endp->Assign(1, zeek::val_mgr->Count(int(UDP_ACTIVE)));
} }
} }

2
src/analyzer/protocol/vxlan/VXLAN.cc
View file

@ -102,7 +102,7 @@ void VXLAN_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
if ( vxlan_packet ) if ( vxlan_packet )
Conn()->EnqueueEvent(vxlan_packet, nullptr, ConnVal(), Conn()->EnqueueEvent(vxlan_packet, nullptr, ConnVal(),
inner->ToPktHdrVal(), val_mgr->Count(vni)); inner->ToPktHdrVal(), zeek::val_mgr->Count(vni));
EncapsulatingConn ec(Conn(), BifEnum::Tunnel::VXLAN); EncapsulatingConn ec(Conn(), BifEnum::Tunnel::VXLAN);
sessions->DoNextInnerPacket(network_time, &pkt, inner, estack, ec); sessions->DoNextInnerPacket(network_time, &pkt, inner, estack, ec);

10
src/broker/Data.cc
View file

@ -85,23 +85,23 @@ struct val_converter {
result_type operator()(bool a) result_type operator()(bool a)
{ {
if ( type->Tag() == zeek::TYPE_BOOL ) if ( type->Tag() == zeek::TYPE_BOOL )
return val_mgr->Bool(a); return zeek::val_mgr->Bool(a);
return nullptr; return nullptr;
} }
result_type operator()(uint64_t a) result_type operator()(uint64_t a)
{ {
if ( type->Tag() == zeek::TYPE_COUNT ) if ( type->Tag() == zeek::TYPE_COUNT )
return val_mgr->Count(a); return zeek::val_mgr->Count(a);
if ( type->Tag() == zeek::TYPE_COUNTER ) if ( type->Tag() == zeek::TYPE_COUNTER )
return val_mgr->Count(a); return zeek::val_mgr->Count(a);
return nullptr; return nullptr;
} }
result_type operator()(int64_t a) result_type operator()(int64_t a)
{ {
if ( type->Tag() == zeek::TYPE_INT ) if ( type->Tag() == zeek::TYPE_INT )
return val_mgr->Int(a); return zeek::val_mgr->Int(a);
return nullptr; return nullptr;
} }
@ -156,7 +156,7 @@ struct val_converter {
result_type operator()(broker::port& a) result_type operator()(broker::port& a)
{ {
if ( type->Tag() == zeek::TYPE_PORT ) if ( type->Tag() == zeek::TYPE_PORT )
return val_mgr->Port(a.number(), bro_broker::to_bro_port_proto(a.type())); return zeek::val_mgr->Port(a.number(), bro_broker::to_bro_port_proto(a.type()));
return nullptr; return nullptr;
} }

4
src/broker/Manager.cc
View file

@ -1259,14 +1259,14 @@ void Manager::ProcessStatus(broker::status stat)
if ( ctx->network ) if ( ctx->network )
{ {
network_info->Assign(0, zeek::make_intrusive<zeek::StringVal>(ctx->network->address.data())); network_info->Assign(0, zeek::make_intrusive<zeek::StringVal>(ctx->network->address.data()));
network_info->Assign(1, val_mgr->Port(ctx->network->port, TRANSPORT_TCP)); network_info->Assign(1, zeek::val_mgr->Port(ctx->network->port, TRANSPORT_TCP));
} }
else else
{ {
// TODO: are there any status messages where the ctx->network // TODO: are there any status messages where the ctx->network
// is not set and actually could be? // is not set and actually could be?
network_info->Assign(0, zeek::make_intrusive<zeek::StringVal>("<unknown>")); network_info->Assign(0, zeek::make_intrusive<zeek::StringVal>("<unknown>"));
network_info->Assign(1, val_mgr->Port(0, TRANSPORT_TCP)); network_info->Assign(1, zeek::val_mgr->Port(0, TRANSPORT_TCP));
} }
endpoint_info->Assign(1, std::move(network_info)); endpoint_info->Assign(1, std::move(network_info));

16
src/broker/comm.bif
View file

@ -56,11 +56,11 @@ function Broker::__listen%(a: string, p: port%): port
if ( ! p->IsTCP() ) if ( ! p->IsTCP() )
{ {
zeek::emit_builtin_error("listen port must use tcp"); zeek::emit_builtin_error("listen port must use tcp");
return val_mgr->Port(0, TRANSPORT_UNKNOWN); return zeek::val_mgr->Port(0, TRANSPORT_UNKNOWN);
} }
auto rval = broker_mgr->Listen(a->Len() ? a->CheckString() : "", p->Port()); auto rval = broker_mgr->Listen(a->Len() ? a->CheckString() : "", p->Port());
return val_mgr->Port(rval, TRANSPORT_TCP); return zeek::val_mgr->Port(rval, TRANSPORT_TCP);
%} %}
function Broker::__peer%(a: string, p: port, retry: interval%): bool function Broker::__peer%(a: string, p: port, retry: interval%): bool
@ -70,11 +70,11 @@ function Broker::__peer%(a: string, p: port, retry: interval%): bool
if ( ! p->IsTCP() ) if ( ! p->IsTCP() )
{ {
zeek::emit_builtin_error("remote connection port must use tcp"); zeek::emit_builtin_error("remote connection port must use tcp");
return val_mgr->False(); return zeek::val_mgr->False();
} }
broker_mgr->Peer(a->CheckString(), p->Port(), retry); broker_mgr->Peer(a->CheckString(), p->Port(), retry);
return val_mgr->True(); return zeek::val_mgr->True();
%} %}
function Broker::__unpeer%(a: string, p: port%): bool function Broker::__unpeer%(a: string, p: port%): bool
@ -84,11 +84,11 @@ function Broker::__unpeer%(a: string, p: port%): bool
if ( ! p->IsTCP() ) if ( ! p->IsTCP() )
{ {
zeek::emit_builtin_error("remote connection port must use tcp"); zeek::emit_builtin_error("remote connection port must use tcp");
return val_mgr->False(); return zeek::val_mgr->False();
} }
broker_mgr->Unpeer(a->CheckString(), p->Port()); broker_mgr->Unpeer(a->CheckString(), p->Port());
return val_mgr->True(); return zeek::val_mgr->True();
%} %}
function Broker::__peers%(%): PeerInfos function Broker::__peers%(%): PeerInfos
@ -110,12 +110,12 @@ function Broker::__peers%(%): PeerInfos
if ( n ) if ( n )
{ {
network_info->Assign(0, zeek::make_intrusive<zeek::AddrVal>(IPAddr(n->address))); network_info->Assign(0, zeek::make_intrusive<zeek::AddrVal>(IPAddr(n->address)));
network_info->Assign(1, val_mgr->Port(n->port, TRANSPORT_TCP)); network_info->Assign(1, zeek::val_mgr->Port(n->port, TRANSPORT_TCP));
} }
else else
{ {
network_info->Assign(0, zeek::make_intrusive<zeek::AddrVal>("0.0.0.0")); network_info->Assign(0, zeek::make_intrusive<zeek::AddrVal>("0.0.0.0"));
network_info->Assign(1, val_mgr->Port(0, TRANSPORT_TCP)); network_info->Assign(1, zeek::val_mgr->Port(0, TRANSPORT_TCP));
} }
endpoint_info->Assign(0, zeek::make_intrusive<zeek::StringVal>(to_string(p.peer.node))); endpoint_info->Assign(0, zeek::make_intrusive<zeek::StringVal>(to_string(p.peer.node)));

68
src/broker/data.bif
View file

@ -49,7 +49,7 @@ function Broker::__opaque_clone_through_serialization%(d: any%): any
if ( ! x ) if ( ! x )
{ {
zeek::emit_builtin_error("cannot serialize object to clone"); zeek::emit_builtin_error("cannot serialize object to clone");
return val_mgr->False(); return zeek::val_mgr->False();
} }
return OpaqueVal::Unserialize(std::move(*x)); return OpaqueVal::Unserialize(std::move(*x));
@ -65,14 +65,14 @@ function Broker::__set_clear%(s: Broker::Data%): bool
auto& v = bro_broker::require_data_type<broker::set>(s->AsRecordVal(), auto& v = bro_broker::require_data_type<broker::set>(s->AsRecordVal(),
zeek::TYPE_TABLE, frame); zeek::TYPE_TABLE, frame);
v.clear(); v.clear();
return val_mgr->True(); return zeek::val_mgr->True();
%} %}
function Broker::__set_size%(s: Broker::Data%): count function Broker::__set_size%(s: Broker::Data%): count
%{ %{
auto& v = bro_broker::require_data_type<broker::set>(s->AsRecordVal(), auto& v = bro_broker::require_data_type<broker::set>(s->AsRecordVal(),
zeek::TYPE_TABLE, frame); zeek::TYPE_TABLE, frame);
return val_mgr->Count(static_cast<uint64_t>(v.size())); return zeek::val_mgr->Count(static_cast<uint64_t>(v.size()));
%} %}
function Broker::__set_contains%(s: Broker::Data, key: any%): bool function Broker::__set_contains%(s: Broker::Data, key: any%): bool
@ -84,10 +84,10 @@ function Broker::__set_contains%(s: Broker::Data, key: any%): bool
if ( ! k ) if ( ! k )
{ {
zeek::emit_builtin_error("invalid Broker data conversion for key argument"); zeek::emit_builtin_error("invalid Broker data conversion for key argument");
return val_mgr->False(); return zeek::val_mgr->False();
} }
return val_mgr->Bool(v.find(*k) != v.end()); return zeek::val_mgr->Bool(v.find(*k) != v.end());
%} %}
function Broker::__set_insert%(s: Broker::Data, key: any%): bool function Broker::__set_insert%(s: Broker::Data, key: any%): bool
@ -100,10 +100,10 @@ function Broker::__set_insert%(s: Broker::Data, key: any%): bool
if ( ! k ) if ( ! k )
{ {
zeek::emit_builtin_error("invalid Broker data conversion for key argument"); zeek::emit_builtin_error("invalid Broker data conversion for key argument");
return val_mgr->False(); return zeek::val_mgr->False();
} }
return val_mgr->Bool(v.insert(std::move(*k)).second); return zeek::val_mgr->Bool(v.insert(std::move(*k)).second);
%} %}
function Broker::__set_remove%(s: Broker::Data, key: any%): bool function Broker::__set_remove%(s: Broker::Data, key: any%): bool
@ -115,10 +115,10 @@ function Broker::__set_remove%(s: Broker::Data, key: any%): bool
if ( ! k ) if ( ! k )
{ {
zeek::emit_builtin_error("invalid Broker data conversion for key argument"); zeek::emit_builtin_error("invalid Broker data conversion for key argument");
return val_mgr->False(); return zeek::val_mgr->False();
} }
return val_mgr->Bool(v.erase(*k) > 0); return zeek::val_mgr->Bool(v.erase(*k) > 0);
%} %}
function Broker::__set_iterator%(s: Broker::Data%): opaque of Broker::SetIterator function Broker::__set_iterator%(s: Broker::Data%): opaque of Broker::SetIterator
@ -129,7 +129,7 @@ function Broker::__set_iterator%(s: Broker::Data%): opaque of Broker::SetIterato
function Broker::__set_iterator_last%(it: opaque of Broker::SetIterator%): bool function Broker::__set_iterator_last%(it: opaque of Broker::SetIterator%): bool
%{ %{
auto set_it = static_cast<bro_broker::SetIterator*>(it); auto set_it = static_cast<bro_broker::SetIterator*>(it);
return val_mgr->Bool(set_it->it == set_it->dat.end()); return zeek::val_mgr->Bool(set_it->it == set_it->dat.end());
%} %}
function Broker::__set_iterator_next%(it: opaque of Broker::SetIterator%): bool function Broker::__set_iterator_next%(it: opaque of Broker::SetIterator%): bool
@ -137,10 +137,10 @@ function Broker::__set_iterator_next%(it: opaque of Broker::SetIterator%): bool
auto set_it = static_cast<bro_broker::SetIterator*>(it); auto set_it = static_cast<bro_broker::SetIterator*>(it);
if ( set_it->it == set_it->dat.end() ) if ( set_it->it == set_it->dat.end() )
return val_mgr->False(); return zeek::val_mgr->False();
++set_it->it; ++set_it->it;
return val_mgr->Bool(set_it->it != set_it->dat.end()); return zeek::val_mgr->Bool(set_it->it != set_it->dat.end());
%} %}
function Broker::__set_iterator_value%(it: opaque of Broker::SetIterator%): Broker::Data function Broker::__set_iterator_value%(it: opaque of Broker::SetIterator%): Broker::Data
@ -168,14 +168,14 @@ function Broker::__table_clear%(t: Broker::Data%): bool
auto& v = bro_broker::require_data_type<broker::table>(t->AsRecordVal(), auto& v = bro_broker::require_data_type<broker::table>(t->AsRecordVal(),
zeek::TYPE_TABLE, frame); zeek::TYPE_TABLE, frame);
v.clear(); v.clear();
return val_mgr->True(); return zeek::val_mgr->True();
%} %}
function Broker::__table_size%(t: Broker::Data%): count function Broker::__table_size%(t: Broker::Data%): count
%{ %{
auto& v = bro_broker::require_data_type<broker::table>(t->AsRecordVal(), auto& v = bro_broker::require_data_type<broker::table>(t->AsRecordVal(),
zeek::TYPE_TABLE, frame); zeek::TYPE_TABLE, frame);
return val_mgr->Count(static_cast<uint64_t>(v.size())); return zeek::val_mgr->Count(static_cast<uint64_t>(v.size()));
%} %}
function Broker::__table_contains%(t: Broker::Data, key: any%): bool function Broker::__table_contains%(t: Broker::Data, key: any%): bool
@ -188,10 +188,10 @@ function Broker::__table_contains%(t: Broker::Data, key: any%): bool
if ( ! k ) if ( ! k )
{ {
zeek::emit_builtin_error("invalid Broker data conversion for key argument"); zeek::emit_builtin_error("invalid Broker data conversion for key argument");
return val_mgr->False(); return zeek::val_mgr->False();
} }
return val_mgr->Bool(v.find(*k) != v.end()); return zeek::val_mgr->Bool(v.find(*k) != v.end());
%} %}
function Broker::__table_insert%(t: Broker::Data, key: any, val: any%): Broker::Data function Broker::__table_insert%(t: Broker::Data, key: any, val: any%): Broker::Data
@ -283,7 +283,7 @@ function Broker::__table_iterator%(t: Broker::Data%): opaque of Broker::TableIte
function Broker::__table_iterator_last%(it: opaque of Broker::TableIterator%): bool function Broker::__table_iterator_last%(it: opaque of Broker::TableIterator%): bool
%{ %{
auto ti = static_cast<bro_broker::TableIterator*>(it); auto ti = static_cast<bro_broker::TableIterator*>(it);
return val_mgr->Bool(ti->it == ti->dat.end()); return zeek::val_mgr->Bool(ti->it == ti->dat.end());
%} %}
function Broker::__table_iterator_next%(it: opaque of Broker::TableIterator%): bool function Broker::__table_iterator_next%(it: opaque of Broker::TableIterator%): bool
@ -291,10 +291,10 @@ function Broker::__table_iterator_next%(it: opaque of Broker::TableIterator%): b
auto ti = static_cast<bro_broker::TableIterator*>(it); auto ti = static_cast<bro_broker::TableIterator*>(it);
if ( ti->it == ti->dat.end() ) if ( ti->it == ti->dat.end() )
return val_mgr->False(); return zeek::val_mgr->False();
++ti->it; ++ti->it;
return val_mgr->Bool(ti->it != ti->dat.end()); return zeek::val_mgr->Bool(ti->it != ti->dat.end());
%} %}
function Broker::__table_iterator_value%(it: opaque of Broker::TableIterator%): Broker::TableItem function Broker::__table_iterator_value%(it: opaque of Broker::TableIterator%): Broker::TableItem
@ -327,14 +327,14 @@ function Broker::__vector_clear%(v: Broker::Data%): bool
auto& vec = bro_broker::require_data_type<broker::vector>(v->AsRecordVal(), auto& vec = bro_broker::require_data_type<broker::vector>(v->AsRecordVal(),
zeek::TYPE_VECTOR, frame); zeek::TYPE_VECTOR, frame);
vec.clear(); vec.clear();
return val_mgr->True(); return zeek::val_mgr->True();
%} %}
function Broker::__vector_size%(v: Broker::Data%): count function Broker::__vector_size%(v: Broker::Data%): count
%{ %{
auto& vec = bro_broker::require_data_type<broker::vector>(v->AsRecordVal(), auto& vec = bro_broker::require_data_type<broker::vector>(v->AsRecordVal(),
zeek::TYPE_VECTOR, frame); zeek::TYPE_VECTOR, frame);
return val_mgr->Count(static_cast<uint64_t>(vec.size())); return zeek::val_mgr->Count(static_cast<uint64_t>(vec.size()));
%} %}
function Broker::__vector_insert%(v: Broker::Data, idx:count, d: any%): bool function Broker::__vector_insert%(v: Broker::Data, idx:count, d: any%): bool
@ -346,12 +346,12 @@ function Broker::__vector_insert%(v: Broker::Data, idx:count, d: any%): bool
if ( ! item ) if ( ! item )
{ {
zeek::emit_builtin_error("invalid Broker data conversion for item argument"); zeek::emit_builtin_error("invalid Broker data conversion for item argument");
return val_mgr->False(); return zeek::val_mgr->False();
} }
idx = min(idx, static_cast<uint64_t>(vec.size())); idx = min(idx, static_cast<uint64_t>(vec.size()));
vec.insert(vec.begin() + idx, std::move(*item)); vec.insert(vec.begin() + idx, std::move(*item));
return val_mgr->True(); return zeek::val_mgr->True();
%} %}
function Broker::__vector_replace%(v: Broker::Data, idx: count, d: any%): Broker::Data function Broker::__vector_replace%(v: Broker::Data, idx: count, d: any%): Broker::Data
@ -363,7 +363,7 @@ function Broker::__vector_replace%(v: Broker::Data, idx: count, d: any%): Broker
if ( ! item ) if ( ! item )
{ {
zeek::emit_builtin_error("invalid Broker data conversion for item argument"); zeek::emit_builtin_error("invalid Broker data conversion for item argument");
return val_mgr->False(); return zeek::val_mgr->False();
} }
if ( idx >= vec.size() ) if ( idx >= vec.size() )
@ -406,7 +406,7 @@ function Broker::__vector_iterator%(v: Broker::Data%): opaque of Broker::VectorI
function Broker::__vector_iterator_last%(it: opaque of Broker::VectorIterator%): bool function Broker::__vector_iterator_last%(it: opaque of Broker::VectorIterator%): bool
%{ %{
auto vi = static_cast<bro_broker::VectorIterator*>(it); auto vi = static_cast<bro_broker::VectorIterator*>(it);
return val_mgr->Bool(vi->it == vi->dat.end()); return zeek::val_mgr->Bool(vi->it == vi->dat.end());
%} %}
function Broker::__vector_iterator_next%(it: opaque of Broker::VectorIterator%): bool function Broker::__vector_iterator_next%(it: opaque of Broker::VectorIterator%): bool
@ -414,10 +414,10 @@ function Broker::__vector_iterator_next%(it: opaque of Broker::VectorIterator%):
auto vi = static_cast<bro_broker::VectorIterator*>(it); auto vi = static_cast<bro_broker::VectorIterator*>(it);
if ( vi->it == vi->dat.end() ) if ( vi->it == vi->dat.end() )
return val_mgr->False(); return zeek::val_mgr->False();
++vi->it; ++vi->it;
return val_mgr->Bool(vi->it != vi->dat.end()); return zeek::val_mgr->Bool(vi->it != vi->dat.end());
%} %}
function Broker::__vector_iterator_value%(it: opaque of Broker::VectorIterator%): Broker::Data function Broker::__vector_iterator_value%(it: opaque of Broker::VectorIterator%): Broker::Data
@ -444,7 +444,7 @@ function Broker::__record_size%(r: Broker::Data%): count
%{ %{
auto& v = bro_broker::require_data_type<broker::vector>(r->AsRecordVal(), auto& v = bro_broker::require_data_type<broker::vector>(r->AsRecordVal(),
zeek::TYPE_RECORD, frame); zeek::TYPE_RECORD, frame);
return val_mgr->Count(static_cast<uint64_t>(v.size())); return zeek::val_mgr->Count(static_cast<uint64_t>(v.size()));
%} %}
function Broker::__record_assign%(r: Broker::Data, idx: count, d: any%): bool function Broker::__record_assign%(r: Broker::Data, idx: count, d: any%): bool
@ -452,18 +452,18 @@ function Broker::__record_assign%(r: Broker::Data, idx: count, d: any%): bool
auto& v = bro_broker::require_data_type<broker::vector>(r->AsRecordVal(), auto& v = bro_broker::require_data_type<broker::vector>(r->AsRecordVal(),
zeek::TYPE_RECORD, frame); zeek::TYPE_RECORD, frame);
if ( idx >= v.size() ) if ( idx >= v.size() )
return val_mgr->False(); return zeek::val_mgr->False();
auto item = bro_broker::val_to_data(d); auto item = bro_broker::val_to_data(d);
if ( ! item ) if ( ! item )
{ {
zeek::emit_builtin_error("invalid Broker data conversion for item argument"); zeek::emit_builtin_error("invalid Broker data conversion for item argument");
return val_mgr->False(); return zeek::val_mgr->False();
} }
v[idx] = std::move(*item); v[idx] = std::move(*item);
return val_mgr->True(); return zeek::val_mgr->True();
%} %}
function Broker::__record_lookup%(r: Broker::Data, idx: count%): Broker::Data function Broker::__record_lookup%(r: Broker::Data, idx: count%): Broker::Data
@ -485,7 +485,7 @@ function Broker::__record_iterator%(r: Broker::Data%): opaque of Broker::RecordI
function Broker::__record_iterator_last%(it: opaque of Broker::RecordIterator%): bool function Broker::__record_iterator_last%(it: opaque of Broker::RecordIterator%): bool
%{ %{
auto ri = static_cast<bro_broker::RecordIterator*>(it); auto ri = static_cast<bro_broker::RecordIterator*>(it);
return val_mgr->Bool(ri->it == ri->dat.end()); return zeek::val_mgr->Bool(ri->it == ri->dat.end());
%} %}
function Broker::__record_iterator_next%(it: opaque of Broker::RecordIterator%): bool function Broker::__record_iterator_next%(it: opaque of Broker::RecordIterator%): bool
@ -493,10 +493,10 @@ function Broker::__record_iterator_next%(it: opaque of Broker::RecordIterator%):
auto ri = static_cast<bro_broker::RecordIterator*>(it); auto ri = static_cast<bro_broker::RecordIterator*>(it);
if ( ri->it == ri->dat.end() ) if ( ri->it == ri->dat.end() )
return val_mgr->False(); return zeek::val_mgr->False();
++ri->it; ++ri->it;
return val_mgr->Bool(ri->it != ri->dat.end()); return zeek::val_mgr->Bool(ri->it != ri->dat.end());
%} %}
function Broker::__record_iterator_value%(it: opaque of Broker::RecordIterator%): Broker::Data function Broker::__record_iterator_value%(it: opaque of Broker::RecordIterator%): Broker::Data

24
src/broker/messaging.bif
View file

@ -110,13 +110,13 @@ function Broker::publish%(topic: string, ...%): bool
args.push_back((*bif_args)[i].get()); args.push_back((*bif_args)[i].get());
auto rval = publish_event_args(args, topic->AsString(), frame); auto rval = publish_event_args(args, topic->AsString(), frame);
return val_mgr->Bool(rval); return zeek::val_mgr->Bool(rval);
%} %}
function Broker::__flush_logs%(%): count function Broker::__flush_logs%(%): count
%{ %{
auto rval = broker_mgr->FlushLogBuffers(); auto rval = broker_mgr->FlushLogBuffers();
return val_mgr->Count(static_cast<uint64_t>(rval)); return zeek::val_mgr->Count(static_cast<uint64_t>(rval));
%} %}
function Broker::__publish_id%(topic: string, id: string%): bool function Broker::__publish_id%(topic: string, id: string%): bool
@ -124,42 +124,42 @@ function Broker::__publish_id%(topic: string, id: string%): bool
bro_broker::Manager::ScriptScopeGuard ssg; bro_broker::Manager::ScriptScopeGuard ssg;
auto rval = broker_mgr->PublishIdentifier(topic->CheckString(), auto rval = broker_mgr->PublishIdentifier(topic->CheckString(),
id->CheckString()); id->CheckString());
return val_mgr->Bool(rval); return zeek::val_mgr->Bool(rval);
%} %}
function Broker::__auto_publish%(topic: string, ev: any%): bool function Broker::__auto_publish%(topic: string, ev: any%): bool
%{ %{
bro_broker::Manager::ScriptScopeGuard ssg; bro_broker::Manager::ScriptScopeGuard ssg;
auto rval = broker_mgr->AutoPublishEvent(topic->CheckString(), ev); auto rval = broker_mgr->AutoPublishEvent(topic->CheckString(), ev);
return val_mgr->Bool(rval); return zeek::val_mgr->Bool(rval);
%} %}
function Broker::__auto_unpublish%(topic: string, ev: any%): bool function Broker::__auto_unpublish%(topic: string, ev: any%): bool
%{ %{
bro_broker::Manager::ScriptScopeGuard ssg; bro_broker::Manager::ScriptScopeGuard ssg;
auto rval = broker_mgr->AutoUnpublishEvent(topic->CheckString(), ev); auto rval = broker_mgr->AutoUnpublishEvent(topic->CheckString(), ev);
return val_mgr->Bool(rval); return zeek::val_mgr->Bool(rval);
%} %}
function Broker::__subscribe%(topic_prefix: string%): bool function Broker::__subscribe%(topic_prefix: string%): bool
%{ %{
bro_broker::Manager::ScriptScopeGuard ssg; bro_broker::Manager::ScriptScopeGuard ssg;
auto rval = broker_mgr->Subscribe(topic_prefix->CheckString()); auto rval = broker_mgr->Subscribe(topic_prefix->CheckString());
return val_mgr->Bool(rval); return zeek::val_mgr->Bool(rval);
%} %}
function Broker::__forward%(topic_prefix: string%): bool function Broker::__forward%(topic_prefix: string%): bool
%{ %{
bro_broker::Manager::ScriptScopeGuard ssg; bro_broker::Manager::ScriptScopeGuard ssg;
auto rval = broker_mgr->Forward(topic_prefix->CheckString()); auto rval = broker_mgr->Forward(topic_prefix->CheckString());
return val_mgr->Bool(rval); return zeek::val_mgr->Bool(rval);
%} %}
function Broker::__unsubscribe%(topic_prefix: string%): bool function Broker::__unsubscribe%(topic_prefix: string%): bool
%{ %{
bro_broker::Manager::ScriptScopeGuard ssg; bro_broker::Manager::ScriptScopeGuard ssg;
auto rval = broker_mgr->Unsubscribe(topic_prefix->CheckString()); auto rval = broker_mgr->Unsubscribe(topic_prefix->CheckString());
return val_mgr->Bool(rval); return zeek::val_mgr->Bool(rval);
%} %}
module Cluster; module Cluster;
@ -191,7 +191,7 @@ function Cluster::publish_rr%(pool: Pool, key: string, ...%): bool
auto topic = topic_func->Invoke(&vl); auto topic = topic_func->Invoke(&vl);
if ( ! topic->AsString()->Len() ) if ( ! topic->AsString()->Len() )
return val_mgr->False(); return zeek::val_mgr->False();
const auto& bif_args = @ARGS@; const auto& bif_args = @ARGS@;
val_list args(bif_args->size() - 2); val_list args(bif_args->size() - 2);
@ -200,7 +200,7 @@ function Cluster::publish_rr%(pool: Pool, key: string, ...%): bool
args.push_back((*bif_args)[i].get()); args.push_back((*bif_args)[i].get());
auto rval = publish_event_args(args, topic->AsString(), frame); auto rval = publish_event_args(args, topic->AsString(), frame);
return val_mgr->Bool(rval); return zeek::val_mgr->Bool(rval);
%} %}
@ -228,7 +228,7 @@ function Cluster::publish_hrw%(pool: Pool, key: any, ...%): bool
auto topic = topic_func->Invoke(&vl); auto topic = topic_func->Invoke(&vl);
if ( ! topic->AsString()->Len() ) if ( ! topic->AsString()->Len() )
return val_mgr->False(); return zeek::val_mgr->False();
const auto& bif_args = @ARGS@; const auto& bif_args = @ARGS@;
val_list args(bif_args->size() - 2); val_list args(bif_args->size() - 2);
@ -237,5 +237,5 @@ function Cluster::publish_hrw%(pool: Pool, key: any, ...%): bool
args.push_back((*bif_args)[i].get()); args.push_back((*bif_args)[i].get());
auto rval = publish_event_args(args, topic->AsString(), frame); auto rval = publish_event_args(args, topic->AsString(), frame);
return val_mgr->Bool(rval); return zeek::val_mgr->Bool(rval);
%} %}

102
src/broker/store.bif
View file

@ -91,11 +91,11 @@ function Broker::__is_closed%(h: opaque of Broker::Store%): bool
if ( ! h ) if ( ! h )
{ {
zeek::emit_builtin_error("invalid Broker store handle"); zeek::emit_builtin_error("invalid Broker store handle");
return val_mgr->False(); return zeek::val_mgr->False();
} }
auto handle = static_cast<bro_broker::StoreHandleVal*>(h); auto handle = static_cast<bro_broker::StoreHandleVal*>(h);
return val_mgr->Bool(broker_mgr->LookupStore(handle->store.name())); return zeek::val_mgr->Bool(broker_mgr->LookupStore(handle->store.name()));
%} %}
function Broker::__close%(h: opaque of Broker::Store%): bool function Broker::__close%(h: opaque of Broker::Store%): bool
@ -105,11 +105,11 @@ function Broker::__close%(h: opaque of Broker::Store%): bool
if ( ! h ) if ( ! h )
{ {
zeek::emit_builtin_error("invalid Broker store handle"); zeek::emit_builtin_error("invalid Broker store handle");
return val_mgr->False(); return zeek::val_mgr->False();
} }
auto handle = static_cast<bro_broker::StoreHandleVal*>(h); auto handle = static_cast<bro_broker::StoreHandleVal*>(h);
return val_mgr->Bool(broker_mgr->CloseStore(handle->store.name())); return zeek::val_mgr->Bool(broker_mgr->CloseStore(handle->store.name()));
%} %}
function Broker::__store_name%(h: opaque of Broker::Store%): string function Broker::__store_name%(h: opaque of Broker::Store%): string
@ -117,7 +117,7 @@ function Broker::__store_name%(h: opaque of Broker::Store%): string
if ( ! h ) if ( ! h )
{ {
zeek::emit_builtin_error("invalid Broker store handle"); zeek::emit_builtin_error("invalid Broker store handle");
return val_mgr->EmptyString(); return zeek::val_mgr->EmptyString();
} }
auto handle = static_cast<bro_broker::StoreHandleVal*>(h); auto handle = static_cast<bro_broker::StoreHandleVal*>(h);
@ -130,7 +130,7 @@ function Broker::__exists%(h: opaque of Broker::Store,
if ( ! h ) if ( ! h )
{ {
zeek::emit_builtin_error("invalid Broker store handle"); zeek::emit_builtin_error("invalid Broker store handle");
return val_mgr->False(); return zeek::val_mgr->False();
} }
auto handle = static_cast<bro_broker::StoreHandleVal*>(h); auto handle = static_cast<bro_broker::StoreHandleVal*>(h);
@ -175,7 +175,7 @@ function Broker::__get%(h: opaque of Broker::Store,
if ( ! h ) if ( ! h )
{ {
zeek::emit_builtin_error("invalid Broker store handle"); zeek::emit_builtin_error("invalid Broker store handle");
return val_mgr->False(); return zeek::val_mgr->False();
} }
auto handle = static_cast<bro_broker::StoreHandleVal*>(h); auto handle = static_cast<bro_broker::StoreHandleVal*>(h);
@ -220,7 +220,7 @@ function Broker::__put_unique%(h: opaque of Broker::Store,
if ( ! h ) if ( ! h )
{ {
zeek::emit_builtin_error("invalid Broker store handle"); zeek::emit_builtin_error("invalid Broker store handle");
return val_mgr->False(); return zeek::val_mgr->False();
} }
auto handle = static_cast<bro_broker::StoreHandleVal*>(h); auto handle = static_cast<bro_broker::StoreHandleVal*>(h);
@ -274,7 +274,7 @@ function Broker::__get_index_from_value%(h: opaque of Broker::Store,
if ( ! h ) if ( ! h )
{ {
zeek::emit_builtin_error("invalid Broker store handle"); zeek::emit_builtin_error("invalid Broker store handle");
return val_mgr->False(); return zeek::val_mgr->False();
} }
auto handle = static_cast<bro_broker::StoreHandleVal*>(h); auto handle = static_cast<bro_broker::StoreHandleVal*>(h);
@ -327,7 +327,7 @@ function Broker::__keys%(h: opaque of Broker::Store%): Broker::QueryResult
if ( ! h ) if ( ! h )
{ {
zeek::emit_builtin_error("invalid Broker store handle"); zeek::emit_builtin_error("invalid Broker store handle");
return val_mgr->False(); return zeek::val_mgr->False();
} }
auto handle = static_cast<bro_broker::StoreHandleVal*>(h); auto handle = static_cast<bro_broker::StoreHandleVal*>(h);
@ -365,7 +365,7 @@ function Broker::__put%(h: opaque of Broker::Store,
if ( ! h ) if ( ! h )
{ {
zeek::emit_builtin_error("invalid Broker store handle"); zeek::emit_builtin_error("invalid Broker store handle");
return val_mgr->False(); return zeek::val_mgr->False();
} }
auto handle = static_cast<bro_broker::StoreHandleVal*>(h); auto handle = static_cast<bro_broker::StoreHandleVal*>(h);
@ -375,17 +375,17 @@ function Broker::__put%(h: opaque of Broker::Store,
if ( ! key ) if ( ! key )
{ {
zeek::emit_builtin_error("invalid Broker data conversion for key argument"); zeek::emit_builtin_error("invalid Broker data conversion for key argument");
return val_mgr->False(); return zeek::val_mgr->False();
} }
if ( ! val ) if ( ! val )
{ {
zeek::emit_builtin_error("invalid Broker data conversion for value argument"); zeek::emit_builtin_error("invalid Broker data conversion for value argument");
return val_mgr->False(); return zeek::val_mgr->False();
} }
handle->store.put(std::move(*key), std::move(*val), prepare_expiry(e)); handle->store.put(std::move(*key), std::move(*val), prepare_expiry(e));
return val_mgr->True(); return zeek::val_mgr->True();
%} %}
function Broker::__erase%(h: opaque of Broker::Store, k: any%): bool function Broker::__erase%(h: opaque of Broker::Store, k: any%): bool
@ -393,7 +393,7 @@ function Broker::__erase%(h: opaque of Broker::Store, k: any%): bool
if ( ! h ) if ( ! h )
{ {
zeek::emit_builtin_error("invalid Broker store handle"); zeek::emit_builtin_error("invalid Broker store handle");
return val_mgr->False(); return zeek::val_mgr->False();
} }
auto handle = static_cast<bro_broker::StoreHandleVal*>(h); auto handle = static_cast<bro_broker::StoreHandleVal*>(h);
@ -402,11 +402,11 @@ function Broker::__erase%(h: opaque of Broker::Store, k: any%): bool
if ( ! key ) if ( ! key )
{ {
zeek::emit_builtin_error("invalid Broker data conversion for key argument"); zeek::emit_builtin_error("invalid Broker data conversion for key argument");
return val_mgr->False(); return zeek::val_mgr->False();
} }
handle->store.erase(std::move(*key)); handle->store.erase(std::move(*key));
return val_mgr->True(); return zeek::val_mgr->True();
%} %}
function Broker::__increment%(h: opaque of Broker::Store, k: any, a: any, function Broker::__increment%(h: opaque of Broker::Store, k: any, a: any,
@ -415,7 +415,7 @@ function Broker::__increment%(h: opaque of Broker::Store, k: any, a: any,
if ( ! h ) if ( ! h )
{ {
zeek::emit_builtin_error("invalid Broker store handle"); zeek::emit_builtin_error("invalid Broker store handle");
return val_mgr->False(); return zeek::val_mgr->False();
} }
auto handle = static_cast<bro_broker::StoreHandleVal*>(h); auto handle = static_cast<bro_broker::StoreHandleVal*>(h);
@ -425,18 +425,18 @@ function Broker::__increment%(h: opaque of Broker::Store, k: any, a: any,
if ( ! key ) if ( ! key )
{ {
zeek::emit_builtin_error("invalid Broker data conversion for key argument"); zeek::emit_builtin_error("invalid Broker data conversion for key argument");
return val_mgr->False(); return zeek::val_mgr->False();
} }
if ( ! amount ) if ( ! amount )
{ {
zeek::emit_builtin_error("invalid Broker data conversion for amount argument"); zeek::emit_builtin_error("invalid Broker data conversion for amount argument");
return val_mgr->False(); return zeek::val_mgr->False();
} }
handle->store.increment(std::move(*key), std::move(*amount), handle->store.increment(std::move(*key), std::move(*amount),
prepare_expiry(e)); prepare_expiry(e));
return val_mgr->True(); return zeek::val_mgr->True();
%} %}
function Broker::__decrement%(h: opaque of Broker::Store, k: any, a: any, function Broker::__decrement%(h: opaque of Broker::Store, k: any, a: any,
@ -445,7 +445,7 @@ function Broker::__decrement%(h: opaque of Broker::Store, k: any, a: any,
if ( ! h ) if ( ! h )
{ {
zeek::emit_builtin_error("invalid Broker store handle"); zeek::emit_builtin_error("invalid Broker store handle");
return val_mgr->False(); return zeek::val_mgr->False();
} }
auto handle = static_cast<bro_broker::StoreHandleVal*>(h); auto handle = static_cast<bro_broker::StoreHandleVal*>(h);
@ -455,17 +455,17 @@ function Broker::__decrement%(h: opaque of Broker::Store, k: any, a: any,
if ( ! key ) if ( ! key )
{ {
zeek::emit_builtin_error("invalid Broker data conversion for key argument"); zeek::emit_builtin_error("invalid Broker data conversion for key argument");
return val_mgr->False(); return zeek::val_mgr->False();
} }
if ( ! amount ) if ( ! amount )
{ {
zeek::emit_builtin_error("invalid Broker data conversion for amount argument"); zeek::emit_builtin_error("invalid Broker data conversion for amount argument");
return val_mgr->False(); return zeek::val_mgr->False();
} }
handle->store.decrement(std::move(*key), std::move(*amount), prepare_expiry(e)); handle->store.decrement(std::move(*key), std::move(*amount), prepare_expiry(e));
return val_mgr->True(); return zeek::val_mgr->True();
%} %}
function Broker::__append%(h: opaque of Broker::Store, k: any, s: any, function Broker::__append%(h: opaque of Broker::Store, k: any, s: any,
@ -474,7 +474,7 @@ function Broker::__append%(h: opaque of Broker::Store, k: any, s: any,
if ( ! h ) if ( ! h )
{ {
zeek::emit_builtin_error("invalid Broker store handle"); zeek::emit_builtin_error("invalid Broker store handle");
return val_mgr->False(); return zeek::val_mgr->False();
} }
auto handle = static_cast<bro_broker::StoreHandleVal*>(h); auto handle = static_cast<bro_broker::StoreHandleVal*>(h);
@ -484,17 +484,17 @@ function Broker::__append%(h: opaque of Broker::Store, k: any, s: any,
if ( ! key ) if ( ! key )
{ {
zeek::emit_builtin_error("invalid Broker data conversion for key argument"); zeek::emit_builtin_error("invalid Broker data conversion for key argument");
return val_mgr->False(); return zeek::val_mgr->False();
} }
if ( ! str ) if ( ! str )
{ {
zeek::emit_builtin_error("invalid Broker data conversion for str argument"); zeek::emit_builtin_error("invalid Broker data conversion for str argument");
return val_mgr->False(); return zeek::val_mgr->False();
} }
handle->store.append(std::move(*key), std::move(*str), prepare_expiry(e)); handle->store.append(std::move(*key), std::move(*str), prepare_expiry(e));
return val_mgr->True(); return zeek::val_mgr->True();
%} %}
function Broker::__insert_into_set%(h: opaque of Broker::Store, k: any, i: any, function Broker::__insert_into_set%(h: opaque of Broker::Store, k: any, i: any,
@ -503,7 +503,7 @@ function Broker::__insert_into_set%(h: opaque of Broker::Store, k: any, i: any,
if ( ! h ) if ( ! h )
{ {
zeek::emit_builtin_error("invalid Broker store handle"); zeek::emit_builtin_error("invalid Broker store handle");
return val_mgr->False(); return zeek::val_mgr->False();
} }
auto handle = static_cast<bro_broker::StoreHandleVal*>(h); auto handle = static_cast<bro_broker::StoreHandleVal*>(h);
@ -513,18 +513,18 @@ function Broker::__insert_into_set%(h: opaque of Broker::Store, k: any, i: any,
if ( ! key ) if ( ! key )
{ {
zeek::emit_builtin_error("invalid Broker data conversion for key argument"); zeek::emit_builtin_error("invalid Broker data conversion for key argument");
return val_mgr->False(); return zeek::val_mgr->False();
} }
if ( ! idx ) if ( ! idx )
{ {
zeek::emit_builtin_error("invalid Broker data conversion for index argument"); zeek::emit_builtin_error("invalid Broker data conversion for index argument");
return val_mgr->False(); return zeek::val_mgr->False();
} }
handle->store.insert_into(std::move(*key), std::move(*idx), handle->store.insert_into(std::move(*key), std::move(*idx),
prepare_expiry(e)); prepare_expiry(e));
return val_mgr->True(); return zeek::val_mgr->True();
%} %}
function Broker::__insert_into_table%(h: opaque of Broker::Store, k: any, function Broker::__insert_into_table%(h: opaque of Broker::Store, k: any,
@ -533,7 +533,7 @@ function Broker::__insert_into_table%(h: opaque of Broker::Store, k: any,
if ( ! h ) if ( ! h )
{ {
zeek::emit_builtin_error("invalid Broker store handle"); zeek::emit_builtin_error("invalid Broker store handle");
return val_mgr->False(); return zeek::val_mgr->False();
} }
auto handle = static_cast<bro_broker::StoreHandleVal*>(h); auto handle = static_cast<bro_broker::StoreHandleVal*>(h);
@ -544,24 +544,24 @@ function Broker::__insert_into_table%(h: opaque of Broker::Store, k: any,
if ( ! key ) if ( ! key )
{ {
zeek::emit_builtin_error("invalid Broker data conversion for key argument"); zeek::emit_builtin_error("invalid Broker data conversion for key argument");
return val_mgr->False(); return zeek::val_mgr->False();
} }
if ( ! idx ) if ( ! idx )
{ {
zeek::emit_builtin_error("invalid Broker data conversion for index argument"); zeek::emit_builtin_error("invalid Broker data conversion for index argument");
return val_mgr->False(); return zeek::val_mgr->False();
} }
if ( ! val ) if ( ! val )
{ {
zeek::emit_builtin_error("invalid Broker data conversion for value argument"); zeek::emit_builtin_error("invalid Broker data conversion for value argument");
return val_mgr->False(); return zeek::val_mgr->False();
} }
handle->store.insert_into(std::move(*key), std::move(*idx), handle->store.insert_into(std::move(*key), std::move(*idx),
std::move(*val), prepare_expiry(e)); std::move(*val), prepare_expiry(e));
return val_mgr->True(); return zeek::val_mgr->True();
%} %}
function Broker::__remove_from%(h: opaque of Broker::Store, k: any, i: any, function Broker::__remove_from%(h: opaque of Broker::Store, k: any, i: any,
@ -570,7 +570,7 @@ function Broker::__remove_from%(h: opaque of Broker::Store, k: any, i: any,
if ( ! h ) if ( ! h )
{ {
zeek::emit_builtin_error("invalid Broker store handle"); zeek::emit_builtin_error("invalid Broker store handle");
return val_mgr->False(); return zeek::val_mgr->False();
} }
auto handle = static_cast<bro_broker::StoreHandleVal*>(h); auto handle = static_cast<bro_broker::StoreHandleVal*>(h);
@ -580,18 +580,18 @@ function Broker::__remove_from%(h: opaque of Broker::Store, k: any, i: any,
if ( ! key ) if ( ! key )
{ {
zeek::emit_builtin_error("invalid Broker data conversion for key argument"); zeek::emit_builtin_error("invalid Broker data conversion for key argument");
return val_mgr->False(); return zeek::val_mgr->False();
} }
if ( ! idx ) if ( ! idx )
{ {
zeek::emit_builtin_error("invalid Broker data conversion for index argument"); zeek::emit_builtin_error("invalid Broker data conversion for index argument");
return val_mgr->False(); return zeek::val_mgr->False();
} }
handle->store.remove_from(std::move(*key), std::move(*idx), handle->store.remove_from(std::move(*key), std::move(*idx),
prepare_expiry(e)); prepare_expiry(e));
return val_mgr->True(); return zeek::val_mgr->True();
%} %}
function Broker::__push%(h: opaque of Broker::Store, k: any, v: any, function Broker::__push%(h: opaque of Broker::Store, k: any, v: any,
@ -600,7 +600,7 @@ function Broker::__push%(h: opaque of Broker::Store, k: any, v: any,
if ( ! h ) if ( ! h )
{ {
zeek::emit_builtin_error("invalid Broker store handle"); zeek::emit_builtin_error("invalid Broker store handle");
return val_mgr->False(); return zeek::val_mgr->False();
} }
auto handle = static_cast<bro_broker::StoreHandleVal*>(h); auto handle = static_cast<bro_broker::StoreHandleVal*>(h);
@ -610,17 +610,17 @@ function Broker::__push%(h: opaque of Broker::Store, k: any, v: any,
if ( ! key ) if ( ! key )
{ {
zeek::emit_builtin_error("invalid Broker data conversion for key argument"); zeek::emit_builtin_error("invalid Broker data conversion for key argument");
return val_mgr->False(); return zeek::val_mgr->False();
} }
if ( ! val ) if ( ! val )
{ {
zeek::emit_builtin_error("invalid Broker data conversion for value argument"); zeek::emit_builtin_error("invalid Broker data conversion for value argument");
return val_mgr->False(); return zeek::val_mgr->False();
} }
handle->store.push(std::move(*key), std::move(*val), prepare_expiry(e)); handle->store.push(std::move(*key), std::move(*val), prepare_expiry(e));
return val_mgr->True(); return zeek::val_mgr->True();
%} %}
function Broker::__pop%(h: opaque of Broker::Store, k: any, e: interval%): bool function Broker::__pop%(h: opaque of Broker::Store, k: any, e: interval%): bool
@ -628,7 +628,7 @@ function Broker::__pop%(h: opaque of Broker::Store, k: any, e: interval%): bool
if ( ! h ) if ( ! h )
{ {
zeek::emit_builtin_error("invalid Broker store handle"); zeek::emit_builtin_error("invalid Broker store handle");
return val_mgr->False(); return zeek::val_mgr->False();
} }
auto handle = static_cast<bro_broker::StoreHandleVal*>(h); auto handle = static_cast<bro_broker::StoreHandleVal*>(h);
@ -637,11 +637,11 @@ function Broker::__pop%(h: opaque of Broker::Store, k: any, e: interval%): bool
if ( ! key ) if ( ! key )
{ {
zeek::emit_builtin_error("invalid Broker data conversion for key argument"); zeek::emit_builtin_error("invalid Broker data conversion for key argument");
return val_mgr->False(); return zeek::val_mgr->False();
} }
handle->store.pop(std::move(*key), prepare_expiry(e)); handle->store.pop(std::move(*key), prepare_expiry(e));
return val_mgr->True(); return zeek::val_mgr->True();
%} %}
function Broker::__clear%(h: opaque of Broker::Store%): bool function Broker::__clear%(h: opaque of Broker::Store%): bool
@ -649,11 +649,11 @@ function Broker::__clear%(h: opaque of Broker::Store%): bool
if ( ! h ) if ( ! h )
{ {
zeek::emit_builtin_error("invalid Broker store handle"); zeek::emit_builtin_error("invalid Broker store handle");
return val_mgr->False(); return zeek::val_mgr->False();
} }
auto handle = static_cast<bro_broker::StoreHandleVal*>(h); auto handle = static_cast<bro_broker::StoreHandleVal*>(h);
handle->store.clear(); handle->store.clear();
return val_mgr->True(); return zeek::val_mgr->True();
%} %}

Some files were not shown because too many files have changed in this diff Show more