Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-09 18:18:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

change base scripts to use run-time if's or @if ... &analyze

Browse source
This commit is contained in:
Vern Paxson 2023-05-19 13:26:27 -07:00
parent e749638380
commit 890010915a
30 changed files with 263 additions and 253 deletions
Download patch file Download diff file Expand all files Collapse all files

4
scripts/base/protocols/dhcp/main.zeek
View file

@ -134,7 +134,7 @@ event zeek_init() &priority=5
Analyzer::register_for_ports(Analyzer::ANALYZER_DHCP, ports);
}
@if ( Cluster::is_enabled() )
@if ( Cluster::is_enabled() ) &analyze
event zeek_init()
{
Broker::auto_publish(Cluster::manager_topic, DHCP::aggregate_msgs);
@ -180,7 +180,7 @@ global join_data: table[count] of Info = table()
@if ( ! Cluster::is_enabled() || Cluster::local_node_type() == Cluster::MANAGER )
@if ( ! Cluster::is_enabled() || Cluster::local_node_type() == Cluster::MANAGER ) &analyze
# We are handling this event at priority 1000 because we really want
# the DHCP::log_info global to be set correctly before a user might try
# to access it.

43
scripts/base/protocols/ftp/main.zeek
View file

@ -216,27 +216,30 @@ function ftp_message(c: connection)
delete s$data_channel;
}
const have_cluster = Cluster::is_enabled();
const should_publish =
Cluster::local_node_type() == Cluster::PROXY ||
Cluster::local_node_type() == Cluster::MANAGER;
event sync_add_expected_data(s: Info, chan: ExpectedDataChannel) &is_used
{
@if ( Cluster::local_node_type() == Cluster::PROXY ||
Cluster::local_node_type() == Cluster::MANAGER )
Broker::publish(Cluster::worker_topic, sync_add_expected_data, minimize_info(s), chan);
@else
ftp_data_expected[chan$resp_h, chan$resp_p] = s;
Analyzer::schedule_analyzer(chan$orig_h, chan$resp_h, chan$resp_p,
Analyzer::ANALYZER_FTP_DATA,
5mins);
@endif
if ( should_publish )
Broker::publish(Cluster::worker_topic, sync_add_expected_data, minimize_info(s), chan);
else
{
ftp_data_expected[chan$resp_h, chan$resp_p] = s;
Analyzer::schedule_analyzer(chan$orig_h, chan$resp_h, chan$resp_p,
Analyzer::ANALYZER_FTP_DATA,
5mins);
}
}
event sync_remove_expected_data(resp_h: addr, resp_p: port) &is_used
{
@if ( Cluster::local_node_type() == Cluster::PROXY ||
Cluster::local_node_type() == Cluster::MANAGER )
Broker::publish(Cluster::worker_topic, sync_remove_expected_data, resp_h, resp_p);
@else
delete ftp_data_expected[resp_h, resp_p];
@endif
if ( should_publish )
Broker::publish(Cluster::worker_topic, sync_remove_expected_data, resp_h, resp_p);
else
delete ftp_data_expected[resp_h, resp_p];
}
function add_expected_data_channel(s: Info, chan: ExpectedDataChannel)
@ -247,9 +250,8 @@ function add_expected_data_channel(s: Info, chan: ExpectedDataChannel)
Analyzer::schedule_analyzer(chan$orig_h, chan$resp_h, chan$resp_p,
Analyzer::ANALYZER_FTP_DATA,
5mins);
@if ( Cluster::is_enabled() )
Broker::publish(ftp_relay_topic(), sync_add_expected_data, minimize_info(s), chan);
@endif
if ( have_cluster )
Broker::publish(ftp_relay_topic(), sync_add_expected_data, minimize_info(s), chan);
}
event ftp_request(c: connection, command: string, arg: string) &priority=5
@ -464,9 +466,8 @@ hook finalize_ftp_data(c: connection)
if ( [c$id$resp_h, c$id$resp_p] in ftp_data_expected )
{
delete ftp_data_expected[c$id$resp_h, c$id$resp_p];
@if ( Cluster::is_enabled() )
Broker::publish(ftp_relay_topic(), sync_remove_expected_data, c$id$resp_h, c$id$resp_p);
@endif
if ( have_cluster )
Broker::publish(ftp_relay_topic(), sync_remove_expected_data, c$id$resp_h, c$id$resp_p);
}
}

50
scripts/base/protocols/irc/dcc-send.zeek
View file

@ -44,26 +44,29 @@ function dcc_relay_topic(): string &is_used
return rval;
}
const have_cluster = Cluster::is_enabled();
const should_publish =
Cluster::local_node_type() == Cluster::PROXY ||
Cluster::local_node_type() == Cluster::MANAGER;
event dcc_transfer_add(host: addr, p: port, info: Info) &is_used
{
@if ( Cluster::local_node_type() == Cluster::PROXY ||
Cluster::local_node_type() == Cluster::MANAGER )
Broker::publish(Cluster::worker_topic, dcc_transfer_add, host, p, info);
@else
dcc_expected_transfers[host, p] = info;
Analyzer::schedule_analyzer(0.0.0.0, host, p,
Analyzer::ANALYZER_IRC_DATA, 5 min);
@endif
if ( should_publish )
Broker::publish(Cluster::worker_topic, dcc_transfer_add, host, p, info);
else
{
dcc_expected_transfers[host, p] = info;
Analyzer::schedule_analyzer(0.0.0.0, host, p,
Analyzer::ANALYZER_IRC_DATA, 5 min);
}
}
event dcc_transfer_remove(host: addr, p: port) &is_used
{
@if ( Cluster::local_node_type() == Cluster::PROXY ||
Cluster::local_node_type() == Cluster::MANAGER )
Broker::publish(Cluster::worker_topic, dcc_transfer_remove, host, p);
@else
delete dcc_expected_transfers[host, p];
@endif
if ( should_publish )
Broker::publish(Cluster::worker_topic, dcc_transfer_remove, host, p);
else
delete dcc_expected_transfers[host, p];
}
function log_dcc(f: fa_file)
@ -89,10 +92,9 @@ function log_dcc(f: fa_file)
delete dcc_expected_transfers[cid$resp_h, cid$resp_p];
@if ( Cluster::is_enabled() )
Broker::publish(dcc_relay_topic(), dcc_transfer_remove,
cid$resp_h, cid$resp_p);
@endif
if ( have_cluster )
Broker::publish(dcc_relay_topic(), dcc_transfer_remove,
cid$resp_h, cid$resp_p);
return;
}
}
@ -117,9 +119,8 @@ event irc_dcc_message(c: connection, is_orig: bool,
Analyzer::schedule_analyzer(0.0.0.0, address, p, Analyzer::ANALYZER_IRC_DATA, 5 min);
dcc_expected_transfers[address, p] = c$irc;
@if ( Cluster::is_enabled() )
Broker::publish(dcc_relay_topic(), dcc_transfer_add, address, p, c$irc);
@endif
if ( have_cluster )
Broker::publish(dcc_relay_topic(), dcc_transfer_add, address, p, c$irc);
}
event scheduled_analyzer_applied(c: connection, a: Analyzer::Tag) &priority=10
@ -138,9 +139,8 @@ hook finalize_irc_data(c: connection)
{
delete dcc_expected_transfers[c$id$resp_h, c$id$resp_p];
@if ( Cluster::is_enabled() )
Broker::publish(dcc_relay_topic(), dcc_transfer_remove,
c$id$resp_h, c$id$resp_p);
@endif
if ( have_cluster )
Broker::publish(dcc_relay_topic(), dcc_transfer_remove,
c$id$resp_h, c$id$resp_p);
}
}