Cleanup/improve PList usage and Event API

Majority of PLists are now created as automatic/stack objects,
rather than on heap and initialized either with the known-capacity
reserved upfront or directly from an initializer_list (so there's no
wasted slack in the memory that gets allocated for lists containing
a fixed/known number of elements).

Added versions of the ConnectionEvent/QueueEvent methods that take
a val_list by value.

Added a move ctor/assign-operator to PLists to allow passing them
around without having to copy the underlying array of pointers.
Jon Siwek 2019-04-11 19:02:13 -07:00
parent 78dcbcc71a
commit 8bc65f09ec
92 changed files with 1585 additions and 1679 deletions


@ -415,10 +415,10 @@ void log_anonymization_mapping(ipaddr32_t input, ipaddr32_t output)
{ {
if ( anonymization_mapping ) if ( anonymization_mapping )
{ {
val_list* vl = new val_list; mgr.QueueEvent(anonymization_mapping, {
vl->append(new AddrVal(input)); new AddrVal(input),
vl->append(new AddrVal(output)); new AddrVal(output)
mgr.QueueEvent(anonymization_mapping, vl); });
} }
} }


@ -141,7 +141,7 @@ Attributes::~Attributes()
void Attributes::AddAttr(Attr* attr) void Attributes::AddAttr(Attr* attr)
{ {
if ( ! attrs ) if ( ! attrs )
attrs = new attr_list; attrs = new attr_list(1);
if ( ! attr->RedundantAttrOkay() ) if ( ! attr->RedundantAttrOkay() )
// We overwrite old attributes by deleting them first. // We overwrite old attributes by deleting them first.


@ -13,10 +13,6 @@ class ID;
declare(PList,ID); declare(PList,ID);
typedef PList(ID) id_list; typedef PList(ID) id_list;
class HashKey;
declare(PList,HashKey);
typedef PList(HashKey) hash_key_list;
class Val; class Val;
declare(PList,Val); declare(PList,Val);
typedef PList(Val) val_list; typedef PList(Val) val_list;
@ -29,28 +25,12 @@ class BroType;
declare(PList,BroType); declare(PList,BroType);
typedef PList(BroType) type_list; typedef PList(BroType) type_list;
class TypeDecl;
declare(PList,TypeDecl);
typedef PList(TypeDecl) type_decl_list;
class Case;
declare(PList,Case);
typedef PList(Case) case_list;
class Attr; class Attr;
declare(PList,Attr); declare(PList,Attr);
typedef PList(Attr) attr_list; typedef PList(Attr) attr_list;
class Scope;
declare(PList,Scope);
typedef PList(Scope) scope_list;
class Timer; class Timer;
declare(PList,Timer); declare(PList,Timer);
typedef PList(Timer) timer_list; typedef PList(Timer) timer_list;
class DNS_Mgr_Request;
declare(PList,DNS_Mgr_Request);
typedef PList(DNS_Mgr_Request) DNS_mgr_request_list;
#endif #endif


@ -325,12 +325,11 @@ void Connection::HistoryThresholdEvent(EventHandlerPtr e, bool is_orig,
// and at this stage it's not a *multiple* instance. // and at this stage it's not a *multiple* instance.
return; return;
val_list* vl = new val_list; ConnectionEvent(e, 0, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(is_orig)); val_mgr->GetBool(is_orig),
vl->append(val_mgr->GetCount(threshold)); val_mgr->GetCount(threshold)
});
ConnectionEvent(e, 0, vl);
} }
void Connection::DeleteTimer(double /* t */) void Connection::DeleteTimer(double /* t */)
@ -390,9 +389,7 @@ void Connection::EnableStatusUpdateTimer()
void Connection::StatusUpdateTimer(double t) void Connection::StatusUpdateTimer(double t)
{ {
val_list* vl = new val_list(1); ConnectionEvent(connection_status_update, 0, { BuildConnVal() });
vl->append(BuildConnVal());
ConnectionEvent(connection_status_update, 0, vl);
ADD_TIMER(&Connection::StatusUpdateTimer, ADD_TIMER(&Connection::StatusUpdateTimer,
network_time + connection_status_update_interval, 0, network_time + connection_status_update_interval, 0,
TIMER_CONN_STATUS_UPDATE); TIMER_CONN_STATUS_UPDATE);
@ -630,23 +627,23 @@ int Connection::VersionFoundEvent(const IPAddr& addr, const char* s, int len,
{ {
if ( software_parse_error ) if ( software_parse_error )
{ {
val_list* vl = new val_list; ConnectionEvent(software_parse_error, analyzer, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(new AddrVal(addr)); new AddrVal(addr),
vl->append(new StringVal(len, s)); new StringVal(len, s),
ConnectionEvent(software_parse_error, analyzer, vl); });
} }
return 0; return 0;
} }
if ( software_version_found ) if ( software_version_found )
{ {
val_list* vl = new val_list; ConnectionEvent(software_version_found, 0, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(new AddrVal(addr)); new AddrVal(addr),
vl->append(val); val,
vl->append(new StringVal(len, s)); new StringVal(len, s),
ConnectionEvent(software_version_found, 0, vl); });
} }
else else
Unref(val); Unref(val);
@ -669,11 +666,11 @@ int Connection::UnparsedVersionFoundEvent(const IPAddr& addr,
if ( software_unparsed_version_found ) if ( software_unparsed_version_found )
{ {
val_list* vl = new val_list; ConnectionEvent(software_unparsed_version_found, analyzer, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(new AddrVal(addr)); new AddrVal(addr),
vl->append(new StringVal(len, full)); new StringVal(len, full),
ConnectionEvent(software_unparsed_version_found, analyzer, vl); });
} }
return 1; return 1;
@ -684,12 +681,11 @@ void Connection::Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, const ch
if ( ! f ) if ( ! f )
return; return;
val_list* vl = new val_list(2);
if ( name ) if ( name )
vl->append(new StringVal(name)); ConnectionEvent(f, analyzer, {new StringVal(name), BuildConnVal()});
vl->append(BuildConnVal()); else
ConnectionEvent(f, analyzer, {BuildConnVal()});
ConnectionEvent(f, analyzer, vl);
} }
void Connection::Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, Val* v1, Val* v2) void Connection::Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, Val* v1, Val* v2)
@ -701,33 +697,35 @@ void Connection::Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, Val* v1,
return; return;
} }
val_list* vl = new val_list(3);
vl->append(BuildConnVal());
vl->append(v1);
if ( v2 ) if ( v2 )
vl->append(v2); ConnectionEvent(f, analyzer, {BuildConnVal(), v1, v2});
else
ConnectionEvent(f, analyzer, vl); ConnectionEvent(f, analyzer, {BuildConnVal(), v1});
} }
void Connection::ConnectionEvent(EventHandlerPtr f, analyzer::Analyzer* a, val_list* vl) void Connection::ConnectionEvent(EventHandlerPtr f, analyzer::Analyzer* a, val_list vl)
{ {
if ( ! f ) if ( ! f )
{ {
// This may actually happen if there is no local handler // This may actually happen if there is no local handler
// and a previously existing remote handler went away. // and a previously existing remote handler went away.
loop_over_list(*vl, i) loop_over_list(vl, i)
Unref((*vl)[i]); Unref(vl[i]);
delete vl;
return; return;
} }
// "this" is passed as a cookie for the event // "this" is passed as a cookie for the event
mgr.QueueEvent(f, vl, SOURCE_LOCAL, mgr.QueueEvent(f, std::move(vl), SOURCE_LOCAL,
a ? a->GetID() : 0, GetTimerMgr(), this); a ? a->GetID() : 0, GetTimerMgr(), this);
} }
void Connection::ConnectionEvent(EventHandlerPtr f, analyzer::Analyzer* a, val_list* vl)
{
ConnectionEvent(f, a, std::move(*vl));
delete vl;
}
void Connection::Weird(const char* name, const char* addl) void Connection::Weird(const char* name, const char* addl)
{ {
weird = 1; weird = 1;
@ -1055,12 +1053,12 @@ void Connection::CheckFlowLabel(bool is_orig, uint32 flow_label)
if ( connection_flow_label_changed && if ( connection_flow_label_changed &&
(is_orig ? saw_first_orig_packet : saw_first_resp_packet) ) (is_orig ? saw_first_orig_packet : saw_first_resp_packet) )
{ {
val_list* vl = new val_list(4); ConnectionEvent(connection_flow_label_changed, 0, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(is_orig)); val_mgr->GetBool(is_orig),
vl->append(val_mgr->GetCount(my_flow_label)); val_mgr->GetCount(my_flow_label),
vl->append(val_mgr->GetCount(flow_label)); val_mgr->GetCount(flow_label),
ConnectionEvent(connection_flow_label_changed, 0, vl); });
} }
my_flow_label = flow_label; my_flow_label = flow_label;
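Review bot: The compatibility overload `Connection::ConnectionEvent(f, a, val_list* vl)` dereferences `vl` unconditionally in `std::move(*vl)`, so a null list is read before `f` is even checked. The same pattern appears in the pointer-taking `Event` constructor, `EventMgr::QueueEvent(h, val_list* vl, ...)`, the `ScheduleTimer` constructor, `EventExpr::Eval` (on the result of `eval_list`) and `PersistenceSerializer::GotEvent`. Whether any caller can pass null is not visible on this page; if one can, each wrapper needs a null check ahead of the dereference (for example `if ( ! vl ) return;` in `ConnectionEvent`), and otherwise a comment stating the non-null precondition would do.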


@ -176,8 +176,11 @@ public:
void Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, const char* name = 0); void Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, const char* name = 0);
void Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, Val* v1, Val* v2 = 0); void Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, Val* v1, Val* v2 = 0);
void ConnectionEvent(EventHandlerPtr f, analyzer::Analyzer* analyzer, void ConnectionEvent(EventHandlerPtr f, analyzer::Analyzer* analyzer,
val_list* vl); val_list* vl);
void ConnectionEvent(EventHandlerPtr f, analyzer::Analyzer* analyzer,
val_list vl);
void Weird(const char* name, const char* addl = ""); void Weird(const char* name, const char* addl = "");
bool DidWeird() const { return weird != 0; } bool DidWeird() const { return weird != 0; }
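Review bot: The two `ConnectionEvent` declarations differ in what they take over from the caller, and neither carries a comment saying so. Going by the definitions in this commit, the by-value overload consumes the list's `Val` references (it calls `Unref` on each element when `f` is unset, otherwise moves the list into `mgr.QueueEvent`), and the pointer overload does the same and then runs `delete vl`. I would add a comment on each, e.g. `// Takes ownership of the Val references held in vl.` and `// As above, and also deletes vl; vl must be heap-allocated.`, and do the same for `EventMgr::QueueEvent` and the two `Event` constructors.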


@ -111,9 +111,6 @@ private:
PDict(CacheEntry) states; PDict(CacheEntry) states;
}; };
declare(PList,DFA_State);
typedef PList(DFA_State) DFA_state_list;
class DFA_Machine : public BroObj { class DFA_Machine : public BroObj {
public: public:
DFA_Machine(NFA_Machine* n, EquivClass* ec); DFA_Machine(NFA_Machine* n, EquivClass* ec);


@ -699,25 +699,27 @@ int DNS_Mgr::Save()
return 1; return 1;
} }
void DNS_Mgr::Event(EventHandlerPtr e, DNS_Mapping* dm)
{
if ( ! e )
return;
mgr.QueueEvent(e, {BuildMappingVal(dm)});
}
void DNS_Mgr::Event(EventHandlerPtr e, DNS_Mapping* dm, ListVal* l1, ListVal* l2) void DNS_Mgr::Event(EventHandlerPtr e, DNS_Mapping* dm, ListVal* l1, ListVal* l2)
{ {
if ( ! e ) if ( ! e )
return; return;
val_list* vl = new val_list; Unref(l1);
vl->append(BuildMappingVal(dm)); Unref(l2);
if ( l1 ) mgr.QueueEvent(e, {
{ BuildMappingVal(dm),
vl->append(l1->ConvertToSet()); l1->ConvertToSet(),
if ( l2 ) l2->ConvertToSet(),
vl->append(l2->ConvertToSet()); });
Unref(l1);
Unref(l2);
}
mgr.QueueEvent(e, vl);
} }
void DNS_Mgr::Event(EventHandlerPtr e, DNS_Mapping* old_dm, DNS_Mapping* new_dm) void DNS_Mgr::Event(EventHandlerPtr e, DNS_Mapping* old_dm, DNS_Mapping* new_dm)
@ -725,10 +727,10 @@ void DNS_Mgr::Event(EventHandlerPtr e, DNS_Mapping* old_dm, DNS_Mapping* new_dm)
if ( ! e ) if ( ! e )
return; return;
val_list* vl = new val_list; mgr.QueueEvent(e, {
vl->append(BuildMappingVal(old_dm)); BuildMappingVal(old_dm),
vl->append(BuildMappingVal(new_dm)); BuildMappingVal(new_dm),
mgr.QueueEvent(e, vl); });
} }
Val* DNS_Mgr::BuildMappingVal(DNS_Mapping* dm) Val* DNS_Mgr::BuildMappingVal(DNS_Mapping* dm)
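Review bot: In the four-argument `DNS_Mgr::Event`, as rendered here, `Unref(l1)` and `Unref(l2)` now run before `l1->ConvertToSet()` and `l2->ConvertToSet()`, so if the caller handed over its only reference the lists are read after they have been released; the previous code converted first and released afterwards. Making `Unref(l1); Unref(l2);` the last two statements, after the `mgr.QueueEvent(e, { ... });` call, restores that order. The old `if ( l1 )` / `if ( l2 )` guards are gone as well, so both pointers must now be non-null; the split into two overloads suggests that is intended, but a comment or check would make it explicit. The early `return` when `e` is unset still leaves `l1` and `l2` unreleased, as it did before, which matters if callers rely on this function to drop them.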


@ -9,7 +9,7 @@
#include <utility> #include <utility>
#include "util.h" #include "util.h"
#include "BroList.h" #include "List.h"
#include "Dict.h" #include "Dict.h"
#include "EventHandler.h" #include "EventHandler.h"
#include "iosource/IOSource.h" #include "iosource/IOSource.h"
@ -23,6 +23,9 @@ class EventHandler;
class RecordType; class RecordType;
class DNS_Mgr_Request; class DNS_Mgr_Request;
declare(PList,DNS_Mgr_Request);
typedef PList(DNS_Mgr_Request) DNS_mgr_request_list;
struct nb_dns_info; struct nb_dns_info;
struct nb_dns_result; struct nb_dns_result;
@ -96,8 +99,8 @@ protected:
friend class LookupCallback; friend class LookupCallback;
friend class DNS_Mgr_Request; friend class DNS_Mgr_Request;
void Event(EventHandlerPtr e, DNS_Mapping* dm, void Event(EventHandlerPtr e, DNS_Mapping* dm);
ListVal* l1 = 0, ListVal* l2 = 0); void Event(EventHandlerPtr e, DNS_Mapping* dm, ListVal* l1, ListVal* l2);
void Event(EventHandlerPtr e, DNS_Mapping* old_dm, DNS_Mapping* new_dm); void Event(EventHandlerPtr e, DNS_Mapping* old_dm, DNS_Mapping* new_dm);
Val* BuildMappingVal(DNS_Mapping* dm); Val* BuildMappingVal(DNS_Mapping* dm);


@ -33,12 +33,11 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
if ( check_ip ) if ( check_ip )
{ {
val_list* args = new val_list; val_list args{ip->BuildPktHdrVal()};
args->append(ip->BuildPktHdrVal());
try try
{ {
discard_packet = check_ip->Call(args)->AsBool(); discard_packet = check_ip->Call(&args)->AsBool();
} }
catch ( InterpreterException& e ) catch ( InterpreterException& e )
@ -46,8 +45,6 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
discard_packet = false; discard_packet = false;
} }
delete args;
if ( discard_packet ) if ( discard_packet )
return discard_packet; return discard_packet;
} }
@ -88,21 +85,20 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
const struct tcphdr* tp = (const struct tcphdr*) data; const struct tcphdr* tp = (const struct tcphdr*) data;
int th_len = tp->th_off * 4; int th_len = tp->th_off * 4;
val_list* args = new val_list; val_list args{
args->append(ip->BuildPktHdrVal()); ip->BuildPktHdrVal(),
args->append(BuildData(data, th_len, len, caplen)); BuildData(data, th_len, len, caplen),
};
try try
{ {
discard_packet = check_tcp->Call(args)->AsBool(); discard_packet = check_tcp->Call(&args)->AsBool();
} }
catch ( InterpreterException& e ) catch ( InterpreterException& e )
{ {
discard_packet = false; discard_packet = false;
} }
delete args;
} }
} }
@ -113,21 +109,20 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
const struct udphdr* up = (const struct udphdr*) data; const struct udphdr* up = (const struct udphdr*) data;
int uh_len = sizeof (struct udphdr); int uh_len = sizeof (struct udphdr);
val_list* args = new val_list; val_list args{
args->append(ip->BuildPktHdrVal()); ip->BuildPktHdrVal(),
args->append(BuildData(data, uh_len, len, caplen)); BuildData(data, uh_len, len, caplen),
};
try try
{ {
discard_packet = check_udp->Call(args)->AsBool(); discard_packet = check_udp->Call(&args)->AsBool();
} }
catch ( InterpreterException& e ) catch ( InterpreterException& e )
{ {
discard_packet = false; discard_packet = false;
} }
delete args;
} }
} }
@ -137,20 +132,17 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
{ {
const struct icmp* ih = (const struct icmp*) data; const struct icmp* ih = (const struct icmp*) data;
val_list* args = new val_list; val_list args{ip->BuildPktHdrVal()};
args->append(ip->BuildPktHdrVal());
try try
{ {
discard_packet = check_icmp->Call(args)->AsBool(); discard_packet = check_icmp->Call(&args)->AsBool();
} }
catch ( InterpreterException& e ) catch ( InterpreterException& e )
{ {
discard_packet = false; discard_packet = false;
} }
delete args;
} }
} }
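Review bot: Each of the four rewritten call sites dereferences the result of `Call(&args)` directly, e.g. `check_ip->Call(&args)->AsBool()`, so a null return is not handled and the returned value is never released. Whether `Call` can return null, or returns a reference the caller owns, is not visible on this page; if either holds, keep the result in a local first: `Val* r = check_ip->Call(&args); discard_packet = r && r->AsBool(); Unref(r);`. The pattern predates this commit, but the lines are being rewritten here and the function presumably runs for every packet the discarder inspects. `NextPacket` begins and ends outside the hunks shown.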


@ -13,28 +13,27 @@ EventMgr mgr;
uint64 num_events_queued = 0; uint64 num_events_queued = 0;
uint64 num_events_dispatched = 0; uint64 num_events_dispatched = 0;
Event::Event(EventHandlerPtr arg_handler, val_list arg_args,
SourceID arg_src, analyzer::ID arg_aid, TimerMgr* arg_mgr,
BroObj* arg_obj)
: handler(arg_handler),
args(std::move(arg_args)),
src(arg_src),
aid(arg_aid),
mgr(arg_mgr ? arg_mgr : timer_mgr),
obj(arg_obj),
next_event(nullptr)
{
if ( obj )
Ref(obj);
}
Event::Event(EventHandlerPtr arg_handler, val_list* arg_args, Event::Event(EventHandlerPtr arg_handler, val_list* arg_args,
SourceID arg_src, analyzer::ID arg_aid, TimerMgr* arg_mgr, SourceID arg_src, analyzer::ID arg_aid, TimerMgr* arg_mgr,
BroObj* arg_obj) BroObj* arg_obj)
: Event(arg_handler, std::move(*arg_args), arg_src, arg_aid, arg_mgr, arg_obj)
{ {
handler = arg_handler; delete arg_args;
args = arg_args;
src = arg_src;
mgr = arg_mgr ? arg_mgr : timer_mgr; // default is global
aid = arg_aid;
obj = arg_obj;
if ( obj )
Ref(obj);
next_event = 0;
}
Event::~Event()
{
// We don't Unref() the individual arguments by using delete_vals()
// here, because Func::Call already did that.
delete args;
} }
void Event::Describe(ODesc* d) const void Event::Describe(ODesc* d) const
@ -49,7 +48,7 @@ void Event::Describe(ODesc* d) const
if ( ! d->IsBinary() ) if ( ! d->IsBinary() )
d->Add("("); d->Add("(");
describe_vals(args, d); describe_vals(&args, d);
if ( ! d->IsBinary() ) if ( ! d->IsBinary() )
d->Add("("); d->Add("(");
} }
@ -62,7 +61,7 @@ void Event::Dispatch(bool no_remote)
if ( event_serializer ) if ( event_serializer )
{ {
SerialInfo info(event_serializer); SerialInfo info(event_serializer);
event_serializer->Serialize(&info, handler->Name(), args); event_serializer->Serialize(&info, handler->Name(), &args);
} }
if ( handler->ErrorHandler() ) if ( handler->ErrorHandler() )
@ -70,7 +69,7 @@ void Event::Dispatch(bool no_remote)
try try
{ {
handler->Call(args, no_remote); handler->Call(&args, no_remote);
} }
catch ( InterpreterException& e ) catch ( InterpreterException& e )
@ -129,7 +128,7 @@ void EventMgr::QueueEvent(Event* event)
void EventMgr::Drain() void EventMgr::Drain()
{ {
if ( event_queue_flush_point ) if ( event_queue_flush_point )
QueueEvent(event_queue_flush_point, new val_list()); QueueEvent(event_queue_flush_point, val_list{});
SegmentProfiler(segment_logger, "draining-events"); SegmentProfiler(segment_logger, "draining-events");
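Review bot: `Event::Describe` emits `d->Add("(")` both before and after `describe_vals(&args, d)`, so the argument list is opened twice and never closed; the second call looks like it should be `d->Add(")");`. The line is context rather than a change made by this commit, but the hunk already touches the function, so it is a cheap place to fix it. `Describe` starts above the hunk.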


@ -11,12 +11,17 @@
class EventMgr; class EventMgr;
// We don't Unref() the individual arguments by using delete_vals()
// in a dtor because Func::Call already does that.
class Event : public BroObj { class Event : public BroObj {
public: public:
Event(EventHandlerPtr handler, val_list args,
SourceID src = SOURCE_LOCAL, analyzer::ID aid = 0,
TimerMgr* mgr = 0, BroObj* obj = 0);
Event(EventHandlerPtr handler, val_list* args, Event(EventHandlerPtr handler, val_list* args,
SourceID src = SOURCE_LOCAL, analyzer::ID aid = 0, SourceID src = SOURCE_LOCAL, analyzer::ID aid = 0,
TimerMgr* mgr = 0, BroObj* obj = 0); TimerMgr* mgr = 0, BroObj* obj = 0);
~Event() override;
void SetNext(Event* n) { next_event = n; } void SetNext(Event* n) { next_event = n; }
Event* NextEvent() const { return next_event; } Event* NextEvent() const { return next_event; }
@ -25,7 +30,7 @@ public:
analyzer::ID Analyzer() const { return aid; } analyzer::ID Analyzer() const { return aid; }
TimerMgr* Mgr() const { return mgr; } TimerMgr* Mgr() const { return mgr; }
EventHandlerPtr Handler() const { return handler; } EventHandlerPtr Handler() const { return handler; }
val_list* Args() const { return args; } const val_list* Args() const { return &args; }
void Describe(ODesc* d) const override; void Describe(ODesc* d) const override;
@ -37,7 +42,7 @@ protected:
void Dispatch(bool no_remote = false); void Dispatch(bool no_remote = false);
EventHandlerPtr handler; EventHandlerPtr handler;
val_list* args; val_list args;
SourceID src; SourceID src;
analyzer::ID aid; analyzer::ID aid;
TimerMgr* mgr; TimerMgr* mgr;
@ -53,14 +58,25 @@ public:
EventMgr(); EventMgr();
~EventMgr() override; ~EventMgr() override;
void QueueEvent(const EventHandlerPtr &h, val_list* vl, void QueueEvent(const EventHandlerPtr &h, val_list vl,
SourceID src = SOURCE_LOCAL, analyzer::ID aid = 0, SourceID src = SOURCE_LOCAL, analyzer::ID aid = 0,
TimerMgr* mgr = 0, BroObj* obj = 0) TimerMgr* mgr = 0, BroObj* obj = 0)
{ {
if ( h ) if ( h )
QueueEvent(new Event(h, vl, src, aid, mgr, obj)); QueueEvent(new Event(h, std::move(vl), src, aid, mgr, obj));
else else
delete_vals(vl); {
loop_over_list(vl, i)
Unref(vl[i]);
}
}
void QueueEvent(const EventHandlerPtr &h, val_list* vl,
SourceID src = SOURCE_LOCAL, analyzer::ID aid = 0,
TimerMgr* mgr = 0, BroObj* obj = 0)
{
QueueEvent(h, std::move(*vl), src, aid, mgr, obj);
delete vl;
} }
void Dispatch(Event* event, bool no_remote = false) void Dispatch(Event* event, bool no_remote = false)


@ -172,11 +172,10 @@ void EventHandler::NewEvent(val_list* vl)
vargs->Assign(i, rec); vargs->Assign(i, rec);
} }
val_list* mvl = new val_list(2); Event* ev = new Event(new_event, {
mvl->append(new StringVal(name)); new StringVal(name),
mvl->append(vargs); vargs,
});
Event* ev = new Event(new_event, mvl);
mgr.Dispatch(ev); mgr.Dispatch(ev);
} }


@ -73,7 +73,7 @@ EventRegistry::string_list* EventRegistry::UsedHandlers()
EventRegistry::string_list* EventRegistry::AllHandlers() EventRegistry::string_list* EventRegistry::AllHandlers()
{ {
string_list* names = new string_list; string_list* names = new string_list(handlers.Length());
IterCookie* c = handlers.InitForIteration(); IterCookie* c = handlers.InitForIteration();


@ -2565,7 +2565,7 @@ bool AssignExpr::TypeCheck(attr_list* attrs)
if ( attrs ) if ( attrs )
{ {
attr_copy = new attr_list; attr_copy = new attr_list(attrs->length());
loop_over_list(*attrs, i) loop_over_list(*attrs, i)
attr_copy->append((*attrs)[i]); attr_copy->append((*attrs)[i]);
} }
@ -2634,7 +2634,7 @@ bool AssignExpr::TypeCheck(attr_list* attrs)
if ( sce->Attrs() ) if ( sce->Attrs() )
{ {
attr_list* a = sce->Attrs()->Attrs(); attr_list* a = sce->Attrs()->Attrs();
attrs = new attr_list; attrs = new attr_list(a->length());
loop_over_list(*a, i) loop_over_list(*a, i)
attrs->append((*a)[i]); attrs->append((*a)[i]);
} }
@ -3467,9 +3467,9 @@ RecordConstructorExpr::RecordConstructorExpr(ListExpr* constructor_list)
// Spin through the list, which should be comprised only of // Spin through the list, which should be comprised only of
// record-field-assign expressions, and build up a // record-field-assign expressions, and build up a
// record type to associate with this constructor. // record type to associate with this constructor.
type_decl_list* record_types = new type_decl_list;
const expr_list& exprs = constructor_list->Exprs(); const expr_list& exprs = constructor_list->Exprs();
type_decl_list* record_types = new type_decl_list(exprs.length());
loop_over_list(exprs, i) loop_over_list(exprs, i)
{ {
Expr* e = exprs[i]; Expr* e = exprs[i];
@ -4469,11 +4469,12 @@ bool FlattenExpr::DoUnserialize(UnserialInfo* info)
ScheduleTimer::ScheduleTimer(EventHandlerPtr arg_event, val_list* arg_args, ScheduleTimer::ScheduleTimer(EventHandlerPtr arg_event, val_list* arg_args,
double t, TimerMgr* arg_tmgr) double t, TimerMgr* arg_tmgr)
: Timer(t, TIMER_SCHEDULE) : Timer(t, TIMER_SCHEDULE),
event(arg_event),
args(std::move(*arg_args)),
tmgr(arg_tmgr)
{ {
event = arg_event; delete arg_args;
args = arg_args;
tmgr = arg_tmgr;
} }
ScheduleTimer::~ScheduleTimer() ScheduleTimer::~ScheduleTimer()
@ -4482,7 +4483,7 @@ ScheduleTimer::~ScheduleTimer()
void ScheduleTimer::Dispatch(double /* t */, int /* is_expire */) void ScheduleTimer::Dispatch(double /* t */, int /* is_expire */)
{ {
mgr.QueueEvent(event, args, SOURCE_LOCAL, 0, tmgr); mgr.QueueEvent(event, std::move(args), SOURCE_LOCAL, 0, tmgr);
} }
ScheduleExpr::ScheduleExpr(Expr* arg_when, EventExpr* arg_event) ScheduleExpr::ScheduleExpr(Expr* arg_when, EventExpr* arg_event)
@ -4998,7 +4999,8 @@ Val* EventExpr::Eval(Frame* f) const
return 0; return 0;
val_list* v = eval_list(f, args); val_list* v = eval_list(f, args);
mgr.QueueEvent(handler, v); mgr.QueueEvent(handler, std::move(*v));
delete v;
return 0; return 0;
} }
@ -5128,7 +5130,7 @@ BroType* ListExpr::InitType() const
if ( exprs[0]->IsRecordElement(0) ) if ( exprs[0]->IsRecordElement(0) )
{ {
type_decl_list* types = new type_decl_list; type_decl_list* types = new type_decl_list(exprs.length());
loop_over_list(exprs, i) loop_over_list(exprs, i)
{ {
TypeDecl* td = new TypeDecl(0, 0); TypeDecl* td = new TypeDecl(0, 0);


@ -937,7 +937,7 @@ public:
protected: protected:
EventHandlerPtr event; EventHandlerPtr event;
val_list* args; val_list args;
TimerMgr* tmgr; TimerMgr* tmgr;
}; };


@ -65,10 +65,8 @@ void RotateTimer::Dispatch(double t, int is_expire)
{ {
if ( raise ) if ( raise )
{ {
val_list* vl = new val_list;
Ref(file); Ref(file);
vl->append(new Val(file)); mgr.QueueEvent(rotate_interval, {new Val(file)});
mgr.QueueEvent(rotate_interval, vl);
} }
file->InstallRotateTimer(); file->InstallRotateTimer();
@ -641,19 +639,15 @@ void BroFile::CloseCachedFiles()
// Send final rotate events (immediately). // Send final rotate events (immediately).
if ( f->rotate_interval ) if ( f->rotate_interval )
{ {
val_list* vl = new val_list;
Ref(f); Ref(f);
vl->append(new Val(f)); Event* event = new Event(::rotate_interval, {new Val(f)});
Event* event = new Event(::rotate_interval, vl);
mgr.Dispatch(event, true); mgr.Dispatch(event, true);
} }
if ( f->rotate_size ) if ( f->rotate_size )
{ {
val_list* vl = new val_list;
Ref(f); Ref(f);
vl->append(new Val(f)); Event* event = new ::Event(::rotate_size, {new Val(f)});
Event* event = new ::Event(::rotate_size, vl);
mgr.Dispatch(event, true); mgr.Dispatch(event, true);
} }
@ -801,9 +795,7 @@ int BroFile::Write(const char* data, int len)
if ( rotate_size && current_size < rotate_size && current_size + len >= rotate_size ) if ( rotate_size && current_size < rotate_size && current_size + len >= rotate_size )
{ {
val_list* vl = new val_list; mgr.QueueEvent(::rotate_size, {new Val(this)});
vl->append(new Val(this));
mgr.QueueEvent(::rotate_size, vl);
} }
// This does not work if we seek around. But none of the logs does that // This does not work if we seek around. But none of the logs does that
@ -818,10 +810,8 @@ void BroFile::RaiseOpenEvent()
if ( ! ::file_opened ) if ( ! ::file_opened )
return; return;
val_list* vl = new val_list;
Ref(this); Ref(this);
vl->append(new Val(this)); Event* event = new ::Event(::file_opened, {new Val(this)});
Event* event = new ::Event(::file_opened, vl);
mgr.Dispatch(event, true); mgr.Dispatch(event, true);
} }
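Review bot: `BroFile::Write` queues `{new Val(this)}` without the `Ref(this)` that every other site in this section takes before wrapping a file in a `Val` (`RotateTimer::Dispatch`, `CloseCachedFiles`, `RaiseOpenEvent`). If the `Val` drops a reference on the file when it is destroyed, which the other sites suggest but this page does not show, each rotate_size event raised from `Write` leaves the file's count one short and the object can be freed while still in use. Adding `Ref(this);` ahead of `mgr.QueueEvent(::rotate_size, {new Val(this)});` would make the four sites agree. The omission is inherited from the old code, and `Write` continues outside the hunk.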


@ -258,8 +258,7 @@ void ID::MakeDeprecated()
if ( IsDeprecated() ) if ( IsDeprecated() )
return; return;
attr_list* attr = new attr_list; attr_list* attr = new attr_list{new Attr(ATTR_DEPRECATED)};
attr->append(new Attr(ATTR_DEPRECATED));
AddAttrs(new Attributes(attr, Type(), false)); AddAttrs(new Attributes(attr, Type(), false));
} }
@ -305,8 +304,7 @@ void ID::SetOption()
// option implied redefinable // option implied redefinable
if ( ! IsRedefinable() ) if ( ! IsRedefinable() )
{ {
attr_list* attr = new attr_list; attr_list* attr = new attr_list{new Attr(ATTR_REDEF)};
attr->append(new Attr(ATTR_REDEF));
AddAttrs(new Attributes(attr, Type(), false)); AddAttrs(new Attributes(attr, Type(), false));
} }
} }


@ -12,11 +12,13 @@
BaseList::BaseList(int size) BaseList::BaseList(int size)
{ {
num_entries = 0; num_entries = 0;
max_entries = 0;
entry = 0;
if ( size <= 0 ) if ( size <= 0 )
{
max_entries = 0;
entry = 0;
return; return;
}
max_entries = size; max_entries = size;
@ -24,7 +26,7 @@ BaseList::BaseList(int size)
} }
BaseList::BaseList(BaseList& b) BaseList::BaseList(const BaseList& b)
{ {
max_entries = b.max_entries; max_entries = b.max_entries;
num_entries = b.num_entries; num_entries = b.num_entries;
@ -38,18 +40,34 @@ BaseList::BaseList(BaseList& b)
entry[i] = b.entry[i]; entry[i] = b.entry[i];
} }
BaseList::BaseList(BaseList&& b)
{
entry = b.entry;
num_entries = b.num_entries;
max_entries = b.max_entries;
b.entry = 0;
b.num_entries = b.max_entries = 0;
}
BaseList::BaseList(const ent* arr, int n)
{
num_entries = max_entries = n;
entry = (ent*) safe_malloc(max_entries * sizeof(ent));
memcpy(entry, arr, n * sizeof(ent));
}
void BaseList::sort(list_cmp_func cmp_func) void BaseList::sort(list_cmp_func cmp_func)
{ {
qsort(entry, num_entries, sizeof(ent), cmp_func); qsort(entry, num_entries, sizeof(ent), cmp_func);
} }
void BaseList::operator=(BaseList& b) BaseList& BaseList::operator=(const BaseList& b)
{ {
if ( this == &b ) if ( this == &b )
return; // i.e., this already equals itself return *this;
if ( entry ) free(entry);
free(entry);
max_entries = b.max_entries; max_entries = b.max_entries;
num_entries = b.num_entries; num_entries = b.num_entries;
@ -61,6 +79,23 @@ void BaseList::operator=(BaseList& b)
for ( int i = 0; i < num_entries; ++i ) for ( int i = 0; i < num_entries; ++i )
entry[i] = b.entry[i]; entry[i] = b.entry[i];
return *this;
}
BaseList& BaseList::operator=(BaseList&& b)
{
if ( this == &b )
return *this;
free(entry);
entry = b.entry;
num_entries = b.num_entries;
max_entries = b.max_entries;
b.entry = 0;
b.num_entries = b.max_entries = 0;
return *this;
} }
void BaseList::insert(ent a) void BaseList::insert(ent a)
@ -145,12 +180,8 @@ ent BaseList::get()
void BaseList::clear() void BaseList::clear()
{ {
if ( entry ) free(entry);
{ entry = 0;
free(entry);
entry = 0;
}
num_entries = max_entries = 0; num_entries = max_entries = 0;
} }


@ -20,6 +20,8 @@
// Entries must be either a pointer to the data or nonzero data with // Entries must be either a pointer to the data or nonzero data with
// sizeof(data) <= sizeof(void*). // sizeof(data) <= sizeof(void*).
#include <initializer_list>
#include <utility>
#include <stdarg.h> #include <stdarg.h>
#include "util.h" #include "util.h"
@ -28,8 +30,6 @@ typedef int (*list_cmp_func)(const void* v1, const void* v2);
class BaseList { class BaseList {
public: public:
~BaseList() { clear(); }
void clear(); // remove all entries void clear(); // remove all entries
int length() const { return num_entries; } int length() const { return num_entries; }
int max() const { return max_entries; } int max() const { return max_entries; }
@ -41,8 +41,14 @@ public:
{ return padded_sizeof(*this) + pad_size(max_entries * sizeof(ent)); } { return padded_sizeof(*this) + pad_size(max_entries * sizeof(ent)); }
protected: protected:
~BaseList() { free(entry); }
explicit BaseList(int = 0); explicit BaseList(int = 0);
BaseList(BaseList&); BaseList(const BaseList&);
BaseList(BaseList&&);
BaseList(const ent* arr, int n);
BaseList& operator=(const BaseList&);
BaseList& operator=(BaseList&&);
void insert(ent); // add at head of list void insert(ent); // add at head of list
@ -75,7 +81,29 @@ protected:
return entry[i]; return entry[i];
} }
void operator=(BaseList&); // This could essentially be an std::vector if we wanted. Some
// reasons to maybe not refactor to use std::vector ?
//
// - Harder to use a custom growth factor. Also, the growth
// factor would be implementation-specific, taking some control over
// performance out of our hands.
//
// - It won't ever take advantage of realloc's occasional ability to
// grow in-place.
//
// - Combine above point this with lack of control of growth
// factor means the common choice of 2x growth factor causes
// a growth pattern that crawls forward in memory with no possible
// re-use of previous chunks (the new capacity is always larger than
// all previously allocated chunks combined). This point and
// whether 2x is empirically an issue still seems debated (at least
// GCC seems to stand by 2x as empirically better).
//
// - Sketchy shrinking behavior: standard says that requests to
// shrink are non-binding (it's expected implementations heed, but
// still not great to have no guarantee). Also, it would not take
// advantage of realloc's ability to contract in-place, it would
// allocate-and-copy.
ent* entry; ent* entry;
int max_entries; int max_entries;
@ -103,10 +131,13 @@ struct List(type) : BaseList \
explicit List(type)(type ...); \ explicit List(type)(type ...); \
List(type)() : BaseList(0) {} \ List(type)() : BaseList(0) {} \
explicit List(type)(int sz) : BaseList(sz) {} \ explicit List(type)(int sz) : BaseList(sz) {} \
List(type)(List(type)& l) : BaseList((BaseList&)l) {} \ List(type)(const List(type)& l) : BaseList(l) {} \
List(type)(List(type)&& l) : BaseList(std::move(l)) {} \
\ \
void operator=(List(type)& l) \ List(type)& operator=(const List(type)& l) \
{ BaseList::operator=((BaseList&)l); } \ { return (List(type)&) BaseList::operator=(l); } \
List(type)& operator=(List(type)&& l) \
{ return (List(type)&) BaseList::operator=(std::move(l)); } \
void insert(type a) { BaseList::insert(ent(a)); } \ void insert(type a) { BaseList::insert(ent(a)); } \
void sortedinsert(type a, list_cmp_func cmp_func) \ void sortedinsert(type a, list_cmp_func cmp_func) \
{ BaseList::sortedinsert(ent(a), cmp_func); } \ { BaseList::sortedinsert(ent(a), cmp_func); } \
@ -144,10 +175,14 @@ struct PList(type) : BaseList \
explicit PList(type)(type* ...); \ explicit PList(type)(type* ...); \
PList(type)() : BaseList(0) {} \ PList(type)() : BaseList(0) {} \
explicit PList(type)(int sz) : BaseList(sz) {} \ explicit PList(type)(int sz) : BaseList(sz) {} \
PList(type)(PList(type)& l) : BaseList((BaseList&)l) {} \ PList(type)(const PList(type)& l) : BaseList(l) {} \
PList(type)(PList(type)&& l) : BaseList(std::move(l)) {} \
PList(type)(std::initializer_list<type*> il) : BaseList((const ent*)il.begin(), il.size()) {} \
\ \
void operator=(PList(type)& l) \ PList(type)& operator=(const PList(type)& l) \
{ BaseList::operator=((BaseList&)l); } \ { return (PList(type)&) BaseList::operator=(l); } \
PList(type)& operator=(PList(type)&& l) \
{ return (PList(type)&) BaseList::operator=(std::move(l)); } \
void insert(type* a) { BaseList::insert(ent(a)); } \ void insert(type* a) { BaseList::insert(ent(a)); } \
void sortedinsert(type* a, list_cmp_func cmp_func) \ void sortedinsert(type* a, list_cmp_func cmp_func) \
{ BaseList::sortedinsert(ent(a), cmp_func); } \ { BaseList::sortedinsert(ent(a), cmp_func); } \


@ -201,7 +201,8 @@ void PersistenceSerializer::RaiseFinishedSendState()
void PersistenceSerializer::GotEvent(const char* name, double time, void PersistenceSerializer::GotEvent(const char* name, double time,
EventHandlerPtr event, val_list* args) EventHandlerPtr event, val_list* args)
{ {
mgr.QueueEvent(event, args); mgr.QueueEvent(event, std::move(*args));
delete args;
} }
void PersistenceSerializer::GotFunctionCall(const char* name, double time, void PersistenceSerializer::GotFunctionCall(const char* name, double time,
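Review bot: `GotEvent` now dereferences `args` unconditionally in `std::move(*args)` and then frees it, but nothing in the function records that it consumes the list it is handed. I would add a comment above the call such as `// Takes ownership of args: contents are moved into the event queue, the list object is freed here.`. If any caller can pass a null list (not visible in this hunk), a guard like `if ( ! args ) return;` is also needed before the dereference. `EventPlayer::GotEvent` uses the same move-then-delete pattern and would benefit from the same comment.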


@ -229,9 +229,6 @@ protected:
Specific_RE_Matcher* re_exact; Specific_RE_Matcher* re_exact;
}; };
declare(PList, RE_Matcher);
typedef PList(RE_Matcher) re_matcher_list;
extern RE_Matcher* RE_Matcher_conjunction(const RE_Matcher* re1, const RE_Matcher* re2); extern RE_Matcher* RE_Matcher_conjunction(const RE_Matcher* re1, const RE_Matcher* re2);
extern RE_Matcher* RE_Matcher_disjunction(const RE_Matcher* re1, const RE_Matcher* re2); extern RE_Matcher* RE_Matcher_disjunction(const RE_Matcher* re1, const RE_Matcher* re2);


@ -1435,7 +1435,9 @@ void RemoteSerializer::Process()
break; break;
BufferedEvent* be = events[0]; BufferedEvent* be = events[0];
::Event* event = new ::Event(be->handler, be->args, be->src); ::Event* event = new ::Event(be->handler, std::move(*be->args), be->src);
delete be->args;
be->args = nullptr;
Peer* old_current_peer = current_peer; Peer* old_current_peer = current_peer;
// Prevent the source peer from getting the event back. // Prevent the source peer from getting the event back.
@ -2260,14 +2262,14 @@ bool RemoteSerializer::ProcessPongMsg()
ping_args* args = (ping_args*) current_args->data; ping_args* args = (ping_args*) current_args->data;
val_list* vl = new val_list; mgr.QueueEvent(remote_pong, {
vl->append(current_peer->val->Ref()); current_peer->val->Ref(),
vl->append(val_mgr->GetCount((unsigned int) ntohl(args->seq))); val_mgr->GetCount((unsigned int) ntohl(args->seq)),
vl->append(new Val(current_time(true) - ntohd(args->time1), new Val(current_time(true) - ntohd(args->time1),
TYPE_INTERVAL)); TYPE_INTERVAL),
vl->append(new Val(ntohd(args->time2), TYPE_INTERVAL)); new Val(ntohd(args->time2), TYPE_INTERVAL),
vl->append(new Val(ntohd(args->time3), TYPE_INTERVAL)); new Val(ntohd(args->time3), TYPE_INTERVAL)
mgr.QueueEvent(remote_pong, vl); });
return true; return true;
} }
@ -3006,20 +3008,20 @@ void RemoteSerializer::Log(LogLevel level, const char* msg, Peer* peer,
{ {
if ( peer ) if ( peer )
{ {
val_list* vl = new val_list(); mgr.QueueEvent(remote_log_peer, {
vl->append(peer->val->Ref()); peer->val->Ref(),
vl->append(val_mgr->GetCount(level)); val_mgr->GetCount(level),
vl->append(val_mgr->GetCount(src)); val_mgr->GetCount(src),
vl->append(new StringVal(msg)); new StringVal(msg)
mgr.QueueEvent(remote_log_peer, vl); });
} }
else else
{ {
val_list* vl = new val_list(); mgr.QueueEvent(remote_log, {
vl->append(val_mgr->GetCount(level)); val_mgr->GetCount(level),
vl->append(val_mgr->GetCount(src)); val_mgr->GetCount(src),
vl->append(new StringVal(msg)); new StringVal(msg)
mgr.QueueEvent(remote_log, vl); });
} }
#ifdef DEBUG #ifdef DEBUG
@ -3041,27 +3043,27 @@ void RemoteSerializer::Log(LogLevel level, const char* msg, Peer* peer,
void RemoteSerializer::RaiseEvent(EventHandlerPtr event, Peer* peer, void RemoteSerializer::RaiseEvent(EventHandlerPtr event, Peer* peer,
const char* arg) const char* arg)
{ {
val_list* vl = new val_list; val_list vl(1 + (bool)arg);
if ( peer ) if ( peer )
{ {
Ref(peer->val); Ref(peer->val);
vl->append(peer->val); vl.append(peer->val);
} }
else else
{ {
Val* v = mgr.GetLocalPeerVal(); Val* v = mgr.GetLocalPeerVal();
v->Ref(); v->Ref();
vl->append(v); vl.append(v);
} }
if ( arg ) if ( arg )
vl->append(new StringVal(arg)); vl.append(new StringVal(arg));
// If we only have remote sources, the network time // If we only have remote sources, the network time
// will not increase as long as no peers are connected. // will not increase as long as no peers are connected.
// Therefore, we send these events immediately. // Therefore, we send these events immediately.
mgr.Dispatch(new Event(event, vl, PEER_LOCAL)); mgr.Dispatch(new Event(event, std::move(vl), PEER_LOCAL));
} }
void RemoteSerializer::LogStats() void RemoteSerializer::LogStats()


@ -216,36 +216,30 @@ void Reporter::Syslog(const char* fmt, ...)
void Reporter::WeirdHelper(EventHandlerPtr event, Val* conn_val, file_analysis::File* f, const char* addl, const char* fmt_name, ...) void Reporter::WeirdHelper(EventHandlerPtr event, Val* conn_val, file_analysis::File* f, const char* addl, const char* fmt_name, ...)
{ {
val_list* vl = new val_list(1); val_list vl(2);
if ( conn_val ) if ( conn_val )
vl->append(conn_val); vl.append(conn_val);
else if ( f ) else if ( f )
vl->append(f->GetVal()->Ref()); vl.append(f->GetVal()->Ref());
if ( addl ) if ( addl )
vl->append(new StringVal(addl)); vl.append(new StringVal(addl));
va_list ap; va_list ap;
va_start(ap, fmt_name); va_start(ap, fmt_name);
DoLog("weird", event, 0, 0, vl, false, false, 0, fmt_name, ap); DoLog("weird", event, 0, 0, &vl, false, false, 0, fmt_name, ap);
va_end(ap); va_end(ap);
delete vl;
} }
void Reporter::WeirdFlowHelper(const IPAddr& orig, const IPAddr& resp, const char* fmt_name, ...) void Reporter::WeirdFlowHelper(const IPAddr& orig, const IPAddr& resp, const char* fmt_name, ...)
{ {
val_list* vl = new val_list(2); val_list vl{new AddrVal(orig), new AddrVal(resp)};
vl->append(new AddrVal(orig));
vl->append(new AddrVal(resp));
va_list ap; va_list ap;
va_start(ap, fmt_name); va_start(ap, fmt_name);
DoLog("weird", flow_weird, 0, 0, vl, false, false, 0, fmt_name, ap); DoLog("weird", flow_weird, 0, 0, &vl, false, false, 0, fmt_name, ap);
va_end(ap); va_end(ap);
delete vl;
} }
void Reporter::UpdateWeirdStats(const char* name) void Reporter::UpdateWeirdStats(const char* name)
@ -489,29 +483,32 @@ void Reporter::DoLog(const char* prefix, EventHandlerPtr event, FILE* out,
if ( raise_event && event && via_events && ! in_error_handler ) if ( raise_event && event && via_events && ! in_error_handler )
{ {
val_list* vl = new val_list; auto vl_size = 1 + (bool)time + (bool)location + (bool)conn +
(addl ? addl->length() : 0);
val_list vl(vl_size);
if ( time ) if ( time )
vl->append(new Val((bro_start_network_time != 0.0) ? network_time : 0, TYPE_TIME)); vl.append(new Val((bro_start_network_time != 0.0) ? network_time : 0, TYPE_TIME));
vl->append(new StringVal(buffer)); vl.append(new StringVal(buffer));
if ( location ) if ( location )
vl->append(new StringVal(loc_str.c_str())); vl.append(new StringVal(loc_str.c_str()));
if ( conn ) if ( conn )
vl->append(conn->BuildConnVal()); vl.append(conn->BuildConnVal());
if ( addl ) if ( addl )
{ {
loop_over_list(*addl, i) loop_over_list(*addl, i)
vl->append((*addl)[i]); vl.append((*addl)[i]);
} }
if ( conn ) if ( conn )
conn->ConnectionEvent(event, 0, vl); conn->ConnectionEvent(event, 0, std::move(vl));
else else
mgr.QueueEvent(event, vl); mgr.QueueEvent(event, std::move(vl));
} }
else else
{ {
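Review bot: In `WeirdHelper` and `WeirdFlowHelper` the stack-allocated `vl` goes out of scope still holding references (`f->GetVal()->Ref()`, `new StringVal(addl)`, `new AddrVal(orig)`) that nothing in these functions releases, so their lifetime depends entirely on `DoLog`. The removed code had the same shape (`delete vl` freed only the list object), so this is presumably intended, but both call sites deserve a comment such as `// DoLog() takes over the references stored in vl; only the container lives on the stack.`. The `DoLog` hunk shows the elements being appended to the event's list when the event is raised; the `else` branch for the non-event case continues outside the hunk, so the release on that path should be confirmed there.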


@ -17,16 +17,11 @@ void RuleActionEvent::DoAction(const Rule* parent, RuleEndpointState* state,
{ {
if ( signature_match ) if ( signature_match )
{ {
val_list* vl = new val_list; mgr.QueueEvent(signature_match, {
vl->append(rule_matcher->BuildRuleStateValue(parent, state)); rule_matcher->BuildRuleStateValue(parent, state),
vl->append(new StringVal(msg)); new StringVal(msg),
data ? new StringVal(len, (const char*)data) : val_mgr->GetEmptyString(),
if ( data ) });
vl->append(new StringVal(len, (const char*)data));
else
vl->append(val_mgr->GetEmptyString());
mgr.QueueEvent(signature_match, vl);
} }
} }


@ -162,7 +162,7 @@ bool RuleConditionEval::DoMatch(Rule* rule, RuleEndpointState* state,
return id->ID_Val()->AsBool(); return id->ID_Val()->AsBool();
// Call function with a signature_state value as argument. // Call function with a signature_state value as argument.
val_list args; val_list args(2);
args.append(rule_matcher->BuildRuleStateValue(rule, state)); args.append(rule_matcher->BuildRuleStateValue(rule, state));
if ( data ) if ( data )


@ -7,6 +7,9 @@
#include "Scope.h" #include "Scope.h"
#include "Reporter.h" #include "Reporter.h"
declare(PList,Scope);
typedef PList(Scope) scope_list;
static scope_list scopes; static scope_list scopes;
static Scope* top_scope; static Scope* top_scope;


@ -365,7 +365,7 @@ bool Serializer::UnserializeCall(UnserialInfo* info)
d.SetIncludeStats(true); d.SetIncludeStats(true);
d.SetShort(); d.SetShort();
val_list* args = new val_list; val_list* args = new val_list(len);
for ( int i = 0; i < len; ++i ) for ( int i = 0; i < len; ++i )
{ {
Val* v = Val::Unserialize(info); Val* v = Val::Unserialize(info);
@ -996,7 +996,8 @@ void EventPlayer::GotEvent(const char* name, double time,
{ {
ne_time = time; ne_time = time;
ne_handler = event; ne_handler = event;
ne_args = args; ne_args = std::move(*args);
delete args;
} }
void EventPlayer::GotFunctionCall(const char* name, double time, void EventPlayer::GotFunctionCall(const char* name, double time,
@ -1054,7 +1055,7 @@ void EventPlayer::Process()
if ( ! (io && ne_time) ) if ( ! (io && ne_time) )
return; return;
Event* event = new Event(ne_handler, ne_args); Event* event = new Event(ne_handler, std::move(ne_args));
mgr.Dispatch(event); mgr.Dispatch(event);
ne_time = 0; ne_time = 0;
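Review bot: `new val_list(len)` in `UnserializeCall` reserves capacity from a count that appears to come from the serialized input (its read is outside the hunk), before any of the `len` values has been parsed. Previously the list only grew as each `Val::Unserialize` call succeeded, so a corrupt or hostile stream could not cause a large up-front allocation; with the reserve, a negative or very large `len` reaches the `(int sz)` constructor unchecked. I would validate first, e.g. `if ( len < 0 ) return false;` (or the function's existing error path), and clamp the reserved capacity to a project-chosen upper bound rather than trusting the encoded count. The same applies to `new id_list(len)` in `Case::DoUnserialize`, `ForStmt::DoUnserialize` and `InitStmt::DoUnserialize`, where `UNSERIALIZE(&len)` immediately precedes the allocation.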


@ -353,7 +353,7 @@ protected:
// Next event waiting to be dispatched. // Next event waiting to be dispatched.
double ne_time; double ne_time;
EventHandlerPtr ne_handler; EventHandlerPtr ne_handler;
val_list* ne_args; val_list ne_args;
}; };


@ -171,11 +171,7 @@ void NetSessions::NextPacket(double t, const Packet* pkt)
SegmentProfiler(segment_logger, "dispatching-packet"); SegmentProfiler(segment_logger, "dispatching-packet");
if ( raw_packet ) if ( raw_packet )
{ mgr.QueueEvent(raw_packet, {pkt->BuildPktHdrVal()});
val_list* vl = new val_list();
vl->append(pkt->BuildPktHdrVal());
mgr.QueueEvent(raw_packet, vl);
}
if ( pkt_profiler ) if ( pkt_profiler )
pkt_profiler->ProfilePkt(t, pkt->cap_len); pkt_profiler->ProfilePkt(t, pkt->cap_len);
@ -415,11 +411,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
{ {
dump_this_packet = 1; dump_this_packet = 1;
if ( esp_packet ) if ( esp_packet )
{ mgr.QueueEvent(esp_packet, {ip_hdr->BuildPktHdrVal()});
val_list* vl = new val_list();
vl->append(ip_hdr->BuildPktHdrVal());
mgr.QueueEvent(esp_packet, vl);
}
// Can't do more since upper-layer payloads are going to be encrypted. // Can't do more since upper-layer payloads are going to be encrypted.
return; return;
@ -439,11 +431,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
} }
if ( mobile_ipv6_message ) if ( mobile_ipv6_message )
{ mgr.QueueEvent(mobile_ipv6_message, {ip_hdr->BuildPktHdrVal()});
val_list* vl = new val_list();
vl->append(ip_hdr->BuildPktHdrVal());
mgr.QueueEvent(mobile_ipv6_message, vl);
}
if ( ip_hdr->NextProto() != IPPROTO_NONE ) if ( ip_hdr->NextProto() != IPPROTO_NONE )
Weird("mobility_piggyback", pkt, encapsulation); Weird("mobility_piggyback", pkt, encapsulation);
@ -1329,10 +1317,10 @@ Connection* NetSessions::NewConn(HashKey* k, double t, const ConnID* id,
if ( external ) if ( external )
{ {
val_list* vl = new val_list(2); conn->ConnectionEvent(connection_external, 0, {
vl->append(conn->BuildConnVal()); conn->BuildConnVal(),
vl->append(new StringVal(conn->GetTimerMgr()->GetTag().c_str())); new StringVal(conn->GetTimerMgr()->GetTag().c_str()),
conn->ConnectionEvent(connection_external, 0, vl); });
} }
} }


@ -192,12 +192,12 @@ bool StateAccess::CheckOld(const char* op, ID* id, Val* index,
else else
arg3 = new StringVal("<none>"); arg3 = new StringVal("<none>");
val_list* args = new val_list; mgr.QueueEvent(remote_state_inconsistency, {
args->append(new StringVal(op)); new StringVal(op),
args->append(arg1); arg1,
args->append(arg2); arg2,
args->append(arg3); arg3,
mgr.QueueEvent(remote_state_inconsistency, args); });
return false; return false;
} }
@ -219,12 +219,12 @@ bool StateAccess::CheckOldSet(const char* op, ID* id, Val* index,
Val* arg2 = new StringVal(should ? "set" : "not set"); Val* arg2 = new StringVal(should ? "set" : "not set");
Val* arg3 = new StringVal(is ? "set" : "not set"); Val* arg3 = new StringVal(is ? "set" : "not set");
val_list* args = new val_list; mgr.QueueEvent(remote_state_inconsistency, {
args->append(new StringVal(op)); new StringVal(op),
args->append(arg1); arg1,
args->append(arg2); arg2,
args->append(arg3); arg3,
mgr.QueueEvent(remote_state_inconsistency, args); });
return false; return false;
} }
@ -514,12 +514,12 @@ void StateAccess::Replay()
d.SetShort(); d.SetShort();
op1.val->Describe(&d); op1.val->Describe(&d);
val_list* args = new val_list; mgr.QueueEvent(remote_state_inconsistency, {
args->append(new StringVal("read")); new StringVal("read"),
args->append(new StringVal(fmt("%s[%s]", target.id->Name(), d.Description()))); new StringVal(fmt("%s[%s]", target.id->Name(), d.Description())),
args->append(new StringVal("existent")); new StringVal("existent"),
args->append(new StringVal("not existent")); new StringVal("not existent"),
mgr.QueueEvent(remote_state_inconsistency, args); });
} }
} }
} }
@ -536,10 +536,10 @@ void StateAccess::Replay()
if ( remote_state_access_performed ) if ( remote_state_access_performed )
{ {
val_list* vl = new val_list; mgr.QueueEvent(remote_state_access_performed, {
vl->append(new StringVal(target.id->Name())); new StringVal(target.id->Name()),
vl->append(target.id->ID_Val()->Ref()); target.id->ID_Val()->Ref(),
mgr.QueueEvent(remote_state_access_performed, vl); });
} }
} }
@ -943,8 +943,7 @@ void NotifierRegistry::Register(ID* id, NotifierRegistry::Notifier* notifier)
} }
else else
{ {
attr_list* a = new attr_list; attr_list* a = new attr_list{attr};
a->append(attr);
id->SetAttrs(new Attributes(a, id->Type(), false)); id->SetAttrs(new Attributes(a, id->Type(), false));
} }


@ -310,11 +310,11 @@ void ProfileLogger::Log()
// (and for consistency we dispatch it *now*) // (and for consistency we dispatch it *now*)
if ( profiling_update ) if ( profiling_update )
{ {
val_list* vl = new val_list;
Ref(file); Ref(file);
vl->append(new Val(file)); mgr.Dispatch(new Event(profiling_update, {
vl->append(val_mgr->GetBool(expensive)); new Val(file),
mgr.Dispatch(new Event(profiling_update, vl)); val_mgr->GetBool(expensive),
}));
} }
} }
@ -369,12 +369,11 @@ void SampleLogger::SegmentProfile(const char* /* name */,
const Location* /* loc */, const Location* /* loc */,
double dtime, int dmem) double dtime, int dmem)
{ {
val_list* vl = new val_list(2); mgr.QueueEvent(load_sample, {
vl->append(load_samples->Ref()); load_samples->Ref(),
vl->append(new IntervalVal(dtime, Seconds)); new IntervalVal(dtime, Seconds),
vl->append(val_mgr->GetInt(dmem)); val_mgr->GetInt(dmem)
});
mgr.QueueEvent(load_sample, vl);
} }
void SegmentProfiler::Init() void SegmentProfiler::Init()


@ -292,13 +292,14 @@ Val* PrintStmt::DoExec(val_list* vals, stmt_flow_type& /* flow */) const
if ( print_hook ) if ( print_hook )
{ {
val_list* vl = new val_list(2);
::Ref(f); ::Ref(f);
vl->append(new Val(f));
vl->append(new StringVal(d.Len(), d.Description()));
// Note, this doesn't do remote printing. // Note, this doesn't do remote printing.
mgr.Dispatch(new Event(print_hook, vl), true); mgr.Dispatch(
new Event(
print_hook,
{new Val(f), new StringVal(d.Len(), d.Description())}),
true);
} }
if ( remote_serializer ) if ( remote_serializer )
@ -704,7 +705,7 @@ bool Case::DoUnserialize(UnserialInfo* info)
if ( ! UNSERIALIZE(&len) ) if ( ! UNSERIALIZE(&len) )
return false; return false;
type_cases = new id_list; type_cases = new id_list(len);
while ( len-- ) while ( len-- )
{ {
@ -1198,7 +1199,10 @@ Val* EventStmt::Exec(Frame* f, stmt_flow_type& flow) const
val_list* args = eval_list(f, event_expr->Args()); val_list* args = eval_list(f, event_expr->Args());
if ( args ) if ( args )
mgr.QueueEvent(event_expr->Handler(), args); {
mgr.QueueEvent(event_expr->Handler(), std::move(*args));
delete args;
}
flow = FLOW_NEXT; flow = FLOW_NEXT;
@ -1633,7 +1637,7 @@ bool ForStmt::DoUnserialize(UnserialInfo* info)
if ( ! UNSERIALIZE(&len) ) if ( ! UNSERIALIZE(&len) )
return false; return false;
loop_vars = new id_list; loop_vars = new id_list(len);
while ( len-- ) while ( len-- )
{ {
@ -2149,7 +2153,7 @@ bool InitStmt::DoUnserialize(UnserialInfo* info)
if ( ! UNSERIALIZE(&len) ) if ( ! UNSERIALIZE(&len) )
return false; return false;
inits = new id_list; inits = new id_list(len);
while ( len-- ) while ( len-- )
{ {


@ -213,6 +213,9 @@ protected:
Stmt* s; Stmt* s;
}; };
declare(PList,Case);
typedef PList(Case) case_list;
class SwitchStmt : public ExprStmt { class SwitchStmt : public ExprStmt {
public: public:
SwitchStmt(Expr* index, case_list* cases); SwitchStmt(Expr* index, case_list* cases);


@ -2266,7 +2266,7 @@ BroType* merge_types(const BroType* t1, const BroType* t2)
if ( rt1->NumFields() != rt2->NumFields() ) if ( rt1->NumFields() != rt2->NumFields() )
return 0; return 0;
type_decl_list* tdl3 = new type_decl_list; type_decl_list* tdl3 = new type_decl_list(rt1->NumFields());
for ( int i = 0; i < rt1->NumFields(); ++i ) for ( int i = 0; i < rt1->NumFields(); ++i )
{ {


@ -460,6 +460,9 @@ public:
const char* id; const char* id;
}; };
declare(PList,TypeDecl);
typedef PList(TypeDecl) type_decl_list;
class RecordType : public BroType { class RecordType : public BroType {
public: public:
explicit RecordType(type_decl_list* types); explicit RecordType(type_decl_list* types);


@ -1861,29 +1861,30 @@ Val* TableVal::Default(Val* index)
return def_attr->AttrExpr()->IsConst() ? def_val->Ref() : def_val->Clone(); return def_attr->AttrExpr()->IsConst() ? def_val->Ref() : def_val->Clone();
const Func* f = def_val->AsFunc(); const Func* f = def_val->AsFunc();
val_list* vl = new val_list(); val_list vl;
if ( index->Type()->Tag() == TYPE_LIST ) if ( index->Type()->Tag() == TYPE_LIST )
{ {
const val_list* vl0 = index->AsListVal()->Vals(); const val_list* vl0 = index->AsListVal()->Vals();
vl = val_list(vl0->length());
loop_over_list(*vl0, i) loop_over_list(*vl0, i)
vl->append((*vl0)[i]->Ref()); vl.append((*vl0)[i]->Ref());
} }
else else
vl->append(index->Ref()); {
vl = val_list{index->Ref()};
}
Val* result = 0; Val* result = 0;
try try
{ {
result = f->Call(vl); result = f->Call(&vl);
} }
catch ( InterpreterException& e ) catch ( InterpreterException& e )
{ /* Already reported. */ } { /* Already reported. */ }
delete vl;
if ( ! result ) if ( ! result )
{ {
Error("no value returned from &default function"); Error("no value returned from &default function");
@ -2423,21 +2424,6 @@ double TableVal::CallExpireFunc(Val* idx)
return 0; return 0;
} }
val_list* vl = new val_list;
vl->append(Ref());
// Flatten lists of a single element.
if ( idx->Type()->Tag() == TYPE_LIST &&
idx->AsListVal()->Length() == 1 )
{
Val* old = idx;
idx = idx->AsListVal()->Index(0);
idx->Ref();
Unref(old);
}
vl->append(idx);
double secs = 0; double secs = 0;
try try
@ -2447,19 +2433,31 @@ double TableVal::CallExpireFunc(Val* idx)
if ( ! vf ) if ( ! vf )
{ {
// Will have been reported already. // Will have been reported already.
delete_vals(vl); Unref(idx);
return 0; return 0;
} }
if ( vf->Type()->Tag() != TYPE_FUNC ) if ( vf->Type()->Tag() != TYPE_FUNC )
{ {
Unref(vf);
delete_vals(vl);
vf->Error("not a function"); vf->Error("not a function");
Unref(vf);
Unref(idx);
return 0; return 0;
} }
Val* vs = vf->AsFunc()->Call(vl);
// Flatten lists of a single element.
if ( idx->Type()->Tag() == TYPE_LIST &&
idx->AsListVal()->Length() == 1 )
{
Val* old = idx;
idx = idx->AsListVal()->Index(0);
idx->Ref();
Unref(old);
}
val_list vl{Ref(), idx};
Val* vs = vf->AsFunc()->Call(&vl);
if ( vs ) if ( vs )
{ {
@ -2468,7 +2466,6 @@ double TableVal::CallExpireFunc(Val* idx)
} }
Unref(vf); Unref(vf);
delete vl;
} }
catch ( InterpreterException& e ) catch ( InterpreterException& e )
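Review bot: `CallExpireFunc` owns the reference on `idx` (both early returns inside the `try` now call `Unref(idx)`), but no release of `idx` is visible for the case where an `InterpreterException` is thrown before `val_list vl{Ref(), idx}` is built, assuming the code that obtains `vf` can throw. The `catch` body lies outside the hunk, so this may already be handled there; if it is not, one reference leaks on every failing expiry call. A comment at the top of the function, e.g. `// Takes ownership of idx: every exit path must Unref() it or pass it on to Call().`, would make the contract checkable. The early `return 0` just above the hunk should be checked against it as well.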


@ -325,8 +325,7 @@ static void transfer_arg_defaults(RecordType* args, RecordType* recv)
if ( ! recv_i->attrs ) if ( ! recv_i->attrs )
{ {
attr_list* a = new attr_list(); attr_list* a = new attr_list{def};
a->append(def);
recv_i->attrs = new Attributes(a, recv_i->type, true); recv_i->attrs = new Attributes(a, recv_i->type, true);
} }


@ -665,11 +665,11 @@ void Analyzer::ProtocolConfirmation(Tag arg_tag)
EnumVal* tval = arg_tag ? arg_tag.AsEnumVal() : tag.AsEnumVal(); EnumVal* tval = arg_tag ? arg_tag.AsEnumVal() : tag.AsEnumVal();
Ref(tval); Ref(tval);
val_list* vl = new val_list; mgr.QueueEvent(protocol_confirmation, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(tval); tval,
vl->append(val_mgr->GetCount(id)); val_mgr->GetCount(id),
mgr.QueueEvent(protocol_confirmation, vl); });
protocol_confirmed = true; protocol_confirmed = true;
} }
@ -692,12 +692,12 @@ void Analyzer::ProtocolViolation(const char* reason, const char* data, int len)
EnumVal* tval = tag.AsEnumVal(); EnumVal* tval = tag.AsEnumVal();
Ref(tval); Ref(tval);
val_list* vl = new val_list; mgr.QueueEvent(protocol_violation, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(tval); tval,
vl->append(val_mgr->GetCount(id)); val_mgr->GetCount(id),
vl->append(r); r,
mgr.QueueEvent(protocol_violation, vl); });
} }
void Analyzer::AddTimer(analyzer_timer_func timer, double t, void Analyzer::AddTimer(analyzer_timer_func timer, double t,
@ -782,6 +782,11 @@ void Analyzer::ConnectionEvent(EventHandlerPtr f, val_list* vl)
conn->ConnectionEvent(f, this, vl); conn->ConnectionEvent(f, this, vl);
} }
void Analyzer::ConnectionEvent(EventHandlerPtr f, val_list vl)
{
conn->ConnectionEvent(f, this, std::move(vl));
}
void Analyzer::Weird(const char* name, const char* addl) void Analyzer::Weird(const char* name, const char* addl)
{ {
conn->Weird(name, addl); conn->Weird(name, addl);


@ -541,6 +541,12 @@ public:
*/ */
void ConnectionEvent(EventHandlerPtr f, val_list* vl); void ConnectionEvent(EventHandlerPtr f, val_list* vl);
/**
* Convenience function that forwards directly to
* Connection::ConnectionEvent().
*/
void ConnectionEvent(EventHandlerPtr f, val_list vl);
/** /**
* Convenience function that forwards directly to the corresponding * Convenience function that forwards directly to the corresponding
* Connection::Weird(). * Connection::Weird().
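Review bot: The doc comment on the new `ConnectionEvent(EventHandlerPtr f, val_list vl)` overload only says that it forwards to `Connection::ConnectionEvent()` and does not say how it differs from the `val_list*` overload declared just before it. Since the implementation moves `vl` into `Connection::ConnectionEvent()`, the comment should state that the list is taken by value and consumed, e.g. `* @param vl Event arguments, passed by value; the list is moved into the connection's event, so the caller has no list to free.`. It would also help to note on the `val_list*` overload that it remains for callers that already hold a heap-allocated list.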


@ -190,13 +190,13 @@ void ARP_Analyzer::BadARP(const struct arp_pkthdr* hdr, const char* msg)
if ( ! bad_arp ) if ( ! bad_arp )
return; return;
val_list* vl = new val_list; mgr.QueueEvent(bad_arp, {
vl->append(ConstructAddrVal(ar_spa(hdr))); ConstructAddrVal(ar_spa(hdr)),
vl->append(EthAddrToStr((const u_char*) ar_sha(hdr))); EthAddrToStr((const u_char*) ar_sha(hdr)),
vl->append(ConstructAddrVal(ar_tpa(hdr))); ConstructAddrVal(ar_tpa(hdr)),
vl->append(EthAddrToStr((const u_char*) ar_tha(hdr))); EthAddrToStr((const u_char*) ar_tha(hdr)),
vl->append(new StringVal(msg)); new StringVal(msg),
mgr.QueueEvent(bad_arp, vl); });
} }
void ARP_Analyzer::Corrupted(const char* msg) void ARP_Analyzer::Corrupted(const char* msg)
@ -212,18 +212,14 @@ void ARP_Analyzer::RREvent(EventHandlerPtr e,
if ( ! e ) if ( ! e )
return; return;
// init the val_list mgr.QueueEvent(e, {
val_list* vl = new val_list; EthAddrToStr(src),
EthAddrToStr(dst),
// prepare the event arguments ConstructAddrVal(spa),
vl->append(EthAddrToStr(src)); EthAddrToStr((const u_char*) sha),
vl->append(EthAddrToStr(dst)); ConstructAddrVal(tpa),
vl->append(ConstructAddrVal(spa)); EthAddrToStr((const u_char*) tha),
vl->append(EthAddrToStr((const u_char*) sha)); });
vl->append(ConstructAddrVal(tpa));
vl->append(EthAddrToStr((const u_char*) tha));
mgr.QueueEvent(e, vl);
} }
AddrVal* ARP_Analyzer::ConstructAddrVal(const void* addr) AddrVal* ARP_Analyzer::ConstructAddrVal(const void* addr)


@ -246,13 +246,12 @@ void BackDoorEndpoint::RloginSignatureFound(int len)
rlogin_checking_done = 1; rlogin_checking_done = 1;
val_list* vl = new val_list; endp->TCP()->ConnectionEvent(rlogin_signature_found, {
vl->append(endp->TCP()->BuildConnVal()); endp->TCP()->BuildConnVal(),
vl->append(val_mgr->GetBool(endp->IsOrig())); val_mgr->GetBool(endp->IsOrig()),
vl->append(val_mgr->GetCount(rlogin_num_null)); val_mgr->GetCount(rlogin_num_null),
vl->append(val_mgr->GetCount(len)); val_mgr->GetCount(len),
});
endp->TCP()->ConnectionEvent(rlogin_signature_found, vl);
} }
void BackDoorEndpoint::CheckForTelnet(uint64 /* seq */, int len, const u_char* data) void BackDoorEndpoint::CheckForTelnet(uint64 /* seq */, int len, const u_char* data)
@ -338,12 +337,11 @@ void BackDoorEndpoint::CheckForTelnet(uint64 /* seq */, int len, const u_char* d
void BackDoorEndpoint::TelnetSignatureFound(int len) void BackDoorEndpoint::TelnetSignatureFound(int len)
{ {
val_list* vl = new val_list; endp->TCP()->ConnectionEvent(telnet_signature_found, {
vl->append(endp->TCP()->BuildConnVal()); endp->TCP()->BuildConnVal(),
vl->append(val_mgr->GetBool(endp->IsOrig())); val_mgr->GetBool(endp->IsOrig()),
vl->append(val_mgr->GetCount(len)); val_mgr->GetCount(len),
});
endp->TCP()->ConnectionEvent(telnet_signature_found, vl);
} }
void BackDoorEndpoint::CheckForSSH(uint64 seq, int len, const u_char* data) void BackDoorEndpoint::CheckForSSH(uint64 seq, int len, const u_char* data)
@ -643,13 +641,12 @@ void BackDoorEndpoint::CheckForHTTPProxy(uint64 /* seq */, int len,
void BackDoorEndpoint::SignatureFound(EventHandlerPtr e, int do_orig) void BackDoorEndpoint::SignatureFound(EventHandlerPtr e, int do_orig)
{ {
val_list* vl = new val_list;
vl->append(endp->TCP()->BuildConnVal());
if ( do_orig ) if ( do_orig )
vl->append(val_mgr->GetBool(endp->IsOrig())); endp->TCP()->ConnectionEvent(e,
{endp->TCP()->BuildConnVal(), val_mgr->GetBool(endp->IsOrig())});
endp->TCP()->ConnectionEvent(e, vl); else
endp->TCP()->ConnectionEvent(e, {endp->TCP()->BuildConnVal()});
} }
@ -776,20 +773,16 @@ void BackDoor_Analyzer::StatTimer(double t, int is_expire)
void BackDoor_Analyzer::StatEvent() void BackDoor_Analyzer::StatEvent()
{ {
val_list* vl = new val_list; TCP()->ConnectionEvent(backdoor_stats, {
vl->append(TCP()->BuildConnVal()); TCP()->BuildConnVal(),
vl->append(orig_endp->BuildStats()); orig_endp->BuildStats(),
vl->append(resp_endp->BuildStats()); resp_endp->BuildStats(),
});
TCP()->ConnectionEvent(backdoor_stats, vl);
} }
void BackDoor_Analyzer::RemoveEvent() void BackDoor_Analyzer::RemoveEvent()
{ {
val_list* vl = new val_list; TCP()->ConnectionEvent(backdoor_remove_conn, {TCP()->BuildConnVal()});
vl->append(TCP()->BuildConnVal());
TCP()->ConnectionEvent(backdoor_remove_conn, vl);
} }
BackDoorTimer::BackDoorTimer(double t, BackDoor_Analyzer* a) BackDoorTimer::BackDoorTimer(double t, BackDoor_Analyzer* a)


@ -120,10 +120,10 @@ void BitTorrent_Analyzer::DeliverWeird(const char* msg, bool orig)
{ {
if ( bittorrent_peer_weird ) if ( bittorrent_peer_weird )
{ {
val_list* vl = new val_list; ConnectionEvent(bittorrent_peer_weird, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(orig)); val_mgr->GetBool(orig),
vl->append(new StringVal(msg)); new StringVal(msg),
ConnectionEvent(bittorrent_peer_weird, vl); });
} }
} }


@ -247,11 +247,11 @@ void BitTorrentTracker_Analyzer::DeliverWeird(const char* msg, bool orig)
{ {
if ( bt_tracker_weird ) if ( bt_tracker_weird )
{ {
val_list* vl = new val_list; ConnectionEvent(bt_tracker_weird, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(orig)); val_mgr->GetBool(orig),
vl->append(new StringVal(msg)); new StringVal(msg),
ConnectionEvent(bt_tracker_weird, vl); });
} }
} }
@ -346,19 +346,16 @@ void BitTorrentTracker_Analyzer::RequestGet(char* uri)
void BitTorrentTracker_Analyzer::EmitRequest(void) void BitTorrentTracker_Analyzer::EmitRequest(void)
{ {
val_list* vl;
ProtocolConfirmation(); ProtocolConfirmation();
vl = new val_list; ConnectionEvent(bt_tracker_request, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(req_val_uri); req_val_uri,
vl->append(req_val_headers); req_val_headers,
});
req_val_uri = 0; req_val_uri = 0;
req_val_headers = 0; req_val_headers = 0;
ConnectionEvent(bt_tracker_request, vl);
} }
bool BitTorrentTracker_Analyzer::ParseResponse(char* line) bool BitTorrentTracker_Analyzer::ParseResponse(char* line)
@ -404,11 +401,11 @@ bool BitTorrentTracker_Analyzer::ParseResponse(char* line)
{ {
if ( res_status != 200 ) if ( res_status != 200 )
{ {
val_list* vl = new val_list; ConnectionEvent(bt_tracker_response_not_ok, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetCount(res_status)); val_mgr->GetCount(res_status),
vl->append(res_val_headers); res_val_headers,
ConnectionEvent(bt_tracker_response_not_ok, vl); });
res_val_headers = 0; res_val_headers = 0;
res_buf_pos = res_buf + res_buf_len; res_buf_pos = res_buf + res_buf_len;
res_state = BTT_RES_DONE; res_state = BTT_RES_DONE;
@ -790,16 +787,15 @@ void BitTorrentTracker_Analyzer::EmitResponse(void)
{ {
ProtocolConfirmation(); ProtocolConfirmation();
val_list* vl = new val_list; ConnectionEvent(bt_tracker_response, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetCount(res_status)); val_mgr->GetCount(res_status),
vl->append(res_val_headers); res_val_headers,
vl->append(res_val_peers); res_val_peers,
vl->append(res_val_benc); res_val_benc,
});
res_val_headers = 0; res_val_headers = 0;
res_val_peers = 0; res_val_peers = 0;
res_val_benc = 0; res_val_benc = 0;
ConnectionEvent(bt_tracker_response, vl);
} }


@ -47,11 +47,11 @@ void ConnSize_Analyzer::ThresholdEvent(EventHandlerPtr f, uint64 threshold, bool
if ( ! f ) if ( ! f )
return; return;
val_list* vl = new val_list; ConnectionEvent(f, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetCount(threshold)); val_mgr->GetCount(threshold),
vl->append(val_mgr->GetBool(is_orig)); val_mgr->GetBool(is_orig),
ConnectionEvent(f, vl); });
} }
void ConnSize_Analyzer::CheckSizes(bool is_orig) void ConnSize_Analyzer::CheckSizes(bool is_orig)


@ -46,13 +46,12 @@ int DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query)
if ( dns_message ) if ( dns_message )
{ {
val_list* vl = new val_list(); analyzer->ConnectionEvent(dns_message, {
vl->append(analyzer->BuildConnVal()); analyzer->BuildConnVal(),
vl->append(val_mgr->GetBool(is_query)); val_mgr->GetBool(is_query),
vl->append(msg.BuildHdrVal()); msg.BuildHdrVal(),
vl->append(val_mgr->GetCount(len)); val_mgr->GetCount(len),
});
analyzer->ConnectionEvent(dns_message, vl);
} }
// There is a great deal of non-DNS traffic that runs on port 53. // There is a great deal of non-DNS traffic that runs on port 53.
@ -133,11 +132,10 @@ int DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query)
int DNS_Interpreter::EndMessage(DNS_MsgInfo* msg) int DNS_Interpreter::EndMessage(DNS_MsgInfo* msg)
{ {
val_list* vl = new val_list; analyzer->ConnectionEvent(dns_end, {
analyzer->BuildConnVal(),
vl->append(analyzer->BuildConnVal()); msg->BuildHdrVal(),
vl->append(msg->BuildHdrVal()); });
analyzer->ConnectionEvent(dns_end, vl);
return 1; return 1;
} }
@ -336,11 +334,11 @@ int DNS_Interpreter::ParseAnswer(DNS_MsgInfo* msg,
if ( dns_unknown_reply && ! msg->skip_event ) if ( dns_unknown_reply && ! msg->skip_event )
{ {
val_list* vl = new val_list; analyzer->ConnectionEvent(dns_unknown_reply, {
vl->append(analyzer->BuildConnVal()); analyzer->BuildConnVal(),
vl->append(msg->BuildHdrVal()); msg->BuildHdrVal(),
vl->append(msg->BuildAnswerVal()); msg->BuildAnswerVal(),
analyzer->ConnectionEvent(dns_unknown_reply, vl); });
} }
analyzer->Weird("DNS_RR_unknown_type", fmt("%d", msg->atype)); analyzer->Weird("DNS_RR_unknown_type", fmt("%d", msg->atype));
@ -551,14 +549,12 @@ int DNS_Interpreter::ParseRR_Name(DNS_MsgInfo* msg,
if ( reply_event && ! msg->skip_event ) if ( reply_event && ! msg->skip_event )
{ {
val_list* vl = new val_list; analyzer->ConnectionEvent(reply_event, {
analyzer->BuildConnVal(),
vl->append(analyzer->BuildConnVal()); msg->BuildHdrVal(),
vl->append(msg->BuildHdrVal()); msg->BuildAnswerVal(),
vl->append(msg->BuildAnswerVal()); new StringVal(new BroString(name, name_end - name, 1)),
vl->append(new StringVal(new BroString(name, name_end - name, 1))); });
analyzer->ConnectionEvent(reply_event, vl);
} }
return 1; return 1;
@ -598,14 +594,7 @@ int DNS_Interpreter::ParseRR_SOA(DNS_MsgInfo* msg,
if ( dns_SOA_reply && ! msg->skip_event ) if ( dns_SOA_reply && ! msg->skip_event )
{ {
val_list* vl = new val_list;
vl->append(analyzer->BuildConnVal());
vl->append(msg->BuildHdrVal());
vl->append(msg->BuildAnswerVal());
RecordVal* r = new RecordVal(dns_soa); RecordVal* r = new RecordVal(dns_soa);
r->Assign(0, new StringVal(new BroString(mname, mname_end - mname, 1))); r->Assign(0, new StringVal(new BroString(mname, mname_end - mname, 1)));
r->Assign(1, new StringVal(new BroString(rname, rname_end - rname, 1))); r->Assign(1, new StringVal(new BroString(rname, rname_end - rname, 1)));
r->Assign(2, val_mgr->GetCount(serial)); r->Assign(2, val_mgr->GetCount(serial));
@ -614,9 +603,12 @@ int DNS_Interpreter::ParseRR_SOA(DNS_MsgInfo* msg,
r->Assign(5, new IntervalVal(double(expire), Seconds)); r->Assign(5, new IntervalVal(double(expire), Seconds));
r->Assign(6, new IntervalVal(double(minimum), Seconds)); r->Assign(6, new IntervalVal(double(minimum), Seconds));
vl->append(r); analyzer->ConnectionEvent(dns_SOA_reply, {
analyzer->BuildConnVal(),
analyzer->ConnectionEvent(dns_SOA_reply, vl); msg->BuildHdrVal(),
msg->BuildAnswerVal(),
r
});
} }
return 1; return 1;
@ -642,15 +634,13 @@ int DNS_Interpreter::ParseRR_MX(DNS_MsgInfo* msg,
if ( dns_MX_reply && ! msg->skip_event ) if ( dns_MX_reply && ! msg->skip_event )
{ {
val_list* vl = new val_list; analyzer->ConnectionEvent(dns_MX_reply, {
analyzer->BuildConnVal(),
vl->append(analyzer->BuildConnVal()); msg->BuildHdrVal(),
vl->append(msg->BuildHdrVal()); msg->BuildAnswerVal(),
vl->append(msg->BuildAnswerVal()); new StringVal(new BroString(name, name_end - name, 1)),
vl->append(new StringVal(new BroString(name, name_end - name, 1))); val_mgr->GetCount(preference),
vl->append(val_mgr->GetCount(preference)); });
analyzer->ConnectionEvent(dns_MX_reply, vl);
} }
return 1; return 1;
@ -687,16 +677,15 @@ int DNS_Interpreter::ParseRR_SRV(DNS_MsgInfo* msg,
if ( dns_SRV_reply && ! msg->skip_event ) if ( dns_SRV_reply && ! msg->skip_event )
{ {
val_list* vl = new val_list; analyzer->ConnectionEvent(dns_SRV_reply, {
vl->append(analyzer->BuildConnVal()); analyzer->BuildConnVal(),
vl->append(msg->BuildHdrVal()); msg->BuildHdrVal(),
vl->append(msg->BuildAnswerVal()); msg->BuildAnswerVal(),
vl->append(new StringVal(new BroString(name, name_end - name, 1))); new StringVal(new BroString(name, name_end - name, 1)),
vl->append(val_mgr->GetCount(priority)); val_mgr->GetCount(priority),
vl->append(val_mgr->GetCount(weight)); val_mgr->GetCount(weight),
vl->append(val_mgr->GetCount(port)); val_mgr->GetCount(port),
});
analyzer->ConnectionEvent(dns_SRV_reply, vl);
} }
return 1; return 1;
@ -711,12 +700,11 @@ int DNS_Interpreter::ParseRR_EDNS(DNS_MsgInfo* msg,
if ( dns_EDNS_addl && ! msg->skip_event ) if ( dns_EDNS_addl && ! msg->skip_event )
{ {
val_list* vl = new val_list; analyzer->ConnectionEvent(dns_EDNS_addl, {
analyzer->BuildConnVal(),
vl->append(analyzer->BuildConnVal()); msg->BuildHdrVal(),
vl->append(msg->BuildHdrVal()); msg->BuildEDNS_Val(),
vl->append(msg->BuildEDNS_Val()); });
analyzer->ConnectionEvent(dns_EDNS_addl, vl);
} }
// Currently EDNS supports the movement of type:data pairs // Currently EDNS supports the movement of type:data pairs
@ -789,13 +777,11 @@ int DNS_Interpreter::ParseRR_TSIG(DNS_MsgInfo* msg,
msg->tsig->orig_id = orig_id; msg->tsig->orig_id = orig_id;
msg->tsig->rr_error = rr_error; msg->tsig->rr_error = rr_error;
val_list* vl = new val_list; analyzer->ConnectionEvent(dns_TSIG_addl, {
analyzer->BuildConnVal(),
vl->append(analyzer->BuildConnVal()); msg->BuildHdrVal(),
vl->append(msg->BuildHdrVal()); msg->BuildTSIG_Val(),
vl->append(msg->BuildTSIG_Val()); });
analyzer->ConnectionEvent(dns_TSIG_addl, vl);
return 1; return 1;
} }
@ -889,14 +875,12 @@ int DNS_Interpreter::ParseRR_RRSIG(DNS_MsgInfo* msg,
rrsig.signer_name = new BroString(name, name_end - name, 1); rrsig.signer_name = new BroString(name, name_end - name, 1);
rrsig.signature = sign; rrsig.signature = sign;
val_list* vl = new val_list; analyzer->ConnectionEvent(dns_RRSIG, {
analyzer->BuildConnVal(),
vl->append(analyzer->BuildConnVal()); msg->BuildHdrVal(),
vl->append(msg->BuildHdrVal()); msg->BuildAnswerVal(),
vl->append(msg->BuildAnswerVal()); msg->BuildRRSIG_Val(&rrsig),
vl->append(msg->BuildRRSIG_Val(&rrsig)); });
analyzer->ConnectionEvent(dns_RRSIG, vl);
return 1; return 1;
} }
@ -983,14 +967,12 @@ int DNS_Interpreter::ParseRR_DNSKEY(DNS_MsgInfo* msg,
dnskey.dprotocol = dprotocol; dnskey.dprotocol = dprotocol;
dnskey.public_key = key; dnskey.public_key = key;
val_list* vl = new val_list; analyzer->ConnectionEvent(dns_DNSKEY, {
analyzer->BuildConnVal(),
vl->append(analyzer->BuildConnVal()); msg->BuildHdrVal(),
vl->append(msg->BuildHdrVal()); msg->BuildAnswerVal(),
vl->append(msg->BuildAnswerVal()); msg->BuildDNSKEY_Val(&dnskey),
vl->append(msg->BuildDNSKEY_Val(&dnskey)); });
analyzer->ConnectionEvent(dns_DNSKEY, vl);
return 1; return 1;
} }
@ -1035,15 +1017,13 @@ int DNS_Interpreter::ParseRR_NSEC(DNS_MsgInfo* msg,
typebitmaps_len = typebitmaps_len - (2 + bmlen); typebitmaps_len = typebitmaps_len - (2 + bmlen);
} }
val_list* vl = new val_list; analyzer->ConnectionEvent(dns_NSEC, {
analyzer->BuildConnVal(),
vl->append(analyzer->BuildConnVal()); msg->BuildHdrVal(),
vl->append(msg->BuildHdrVal()); msg->BuildAnswerVal(),
vl->append(msg->BuildAnswerVal()); new StringVal(new BroString(name, name_end - name, 1)),
vl->append(new StringVal(new BroString(name, name_end - name, 1))); char_strings,
vl->append(char_strings); });
analyzer->ConnectionEvent(dns_NSEC, vl);
return 1; return 1;
} }
@ -1121,14 +1101,12 @@ int DNS_Interpreter::ParseRR_NSEC3(DNS_MsgInfo* msg,
nsec3.nsec_hash = hash_val; nsec3.nsec_hash = hash_val;
nsec3.bitmaps = char_strings; nsec3.bitmaps = char_strings;
val_list* vl = new val_list; analyzer->ConnectionEvent(dns_NSEC3, {
analyzer->BuildConnVal(),
vl->append(analyzer->BuildConnVal()); msg->BuildHdrVal(),
vl->append(msg->BuildHdrVal()); msg->BuildAnswerVal(),
vl->append(msg->BuildAnswerVal()); msg->BuildNSEC3_Val(&nsec3),
vl->append(msg->BuildNSEC3_Val(&nsec3)); });
analyzer->ConnectionEvent(dns_NSEC3, vl);
return 1; return 1;
} }
@ -1178,14 +1156,12 @@ int DNS_Interpreter::ParseRR_DS(DNS_MsgInfo* msg,
ds.digest_type = ds_dtype; ds.digest_type = ds_dtype;
ds.digest_val = ds_digest; ds.digest_val = ds_digest;
val_list* vl = new val_list; analyzer->ConnectionEvent(dns_DS, {
analyzer->BuildConnVal(),
vl->append(analyzer->BuildConnVal()); msg->BuildHdrVal(),
vl->append(msg->BuildHdrVal()); msg->BuildAnswerVal(),
vl->append(msg->BuildAnswerVal()); msg->BuildDS_Val(&ds),
vl->append(msg->BuildDS_Val(&ds)); });
analyzer->ConnectionEvent(dns_DS, vl);
return 1; return 1;
} }
@ -1203,14 +1179,12 @@ int DNS_Interpreter::ParseRR_A(DNS_MsgInfo* msg,
if ( dns_A_reply && ! msg->skip_event ) if ( dns_A_reply && ! msg->skip_event )
{ {
val_list* vl = new val_list; analyzer->ConnectionEvent(dns_A_reply, {
analyzer->BuildConnVal(),
vl->append(analyzer->BuildConnVal()); msg->BuildHdrVal(),
vl->append(msg->BuildHdrVal()); msg->BuildAnswerVal(),
vl->append(msg->BuildAnswerVal()); new AddrVal(htonl(addr)),
vl->append(new AddrVal(htonl(addr))); });
analyzer->ConnectionEvent(dns_A_reply, vl);
} }
return 1; return 1;
@ -1242,13 +1216,12 @@ int DNS_Interpreter::ParseRR_AAAA(DNS_MsgInfo* msg,
event = dns_A6_reply; event = dns_A6_reply;
if ( event && ! msg->skip_event ) if ( event && ! msg->skip_event )
{ {
val_list* vl = new val_list; analyzer->ConnectionEvent(event, {
analyzer->BuildConnVal(),
vl->append(analyzer->BuildConnVal()); msg->BuildHdrVal(),
vl->append(msg->BuildHdrVal()); msg->BuildAnswerVal(),
vl->append(msg->BuildAnswerVal()); new AddrVal(addr),
vl->append(new AddrVal(addr)); });
analyzer->ConnectionEvent(event, vl);
} }
return 1; return 1;
@ -1317,14 +1290,12 @@ int DNS_Interpreter::ParseRR_TXT(DNS_MsgInfo* msg,
while ( (char_string = extract_char_string(analyzer, data, len, rdlength)) ) while ( (char_string = extract_char_string(analyzer, data, len, rdlength)) )
char_strings->Assign(char_strings->Size(), char_string); char_strings->Assign(char_strings->Size(), char_string);
val_list* vl = new val_list; analyzer->ConnectionEvent(dns_TXT_reply, {
analyzer->BuildConnVal(),
vl->append(analyzer->BuildConnVal()); msg->BuildHdrVal(),
vl->append(msg->BuildHdrVal()); msg->BuildAnswerVal(),
vl->append(msg->BuildAnswerVal()); char_strings,
vl->append(char_strings); });
analyzer->ConnectionEvent(dns_TXT_reply, vl);
return rdlength == 0; return rdlength == 0;
} }
@ -1359,16 +1330,14 @@ int DNS_Interpreter::ParseRR_CAA(DNS_MsgInfo* msg,
data += value->Len(); data += value->Len();
rdlength -= value->Len(); rdlength -= value->Len();
val_list* vl = new val_list; analyzer->ConnectionEvent(dns_CAA_reply, {
analyzer->BuildConnVal(),
vl->append(analyzer->BuildConnVal()); msg->BuildHdrVal(),
vl->append(msg->BuildHdrVal()); msg->BuildAnswerVal(),
vl->append(msg->BuildAnswerVal()); val_mgr->GetCount(flags),
vl->append(val_mgr->GetCount(flags)); new StringVal(tag),
vl->append(new StringVal(tag)); new StringVal(value),
vl->append(new StringVal(value)); });
analyzer->ConnectionEvent(dns_CAA_reply, vl);
return rdlength == 0; return rdlength == 0;
} }
@ -1382,14 +1351,13 @@ void DNS_Interpreter::SendReplyOrRejectEvent(DNS_MsgInfo* msg,
RR_Type qtype = RR_Type(ExtractShort(data, len)); RR_Type qtype = RR_Type(ExtractShort(data, len));
int qclass = ExtractShort(data, len); int qclass = ExtractShort(data, len);
val_list* vl = new val_list; analyzer->ConnectionEvent(event, {
vl->append(analyzer->BuildConnVal()); analyzer->BuildConnVal(),
vl->append(msg->BuildHdrVal()); msg->BuildHdrVal(),
vl->append(new StringVal(question_name)); new StringVal(question_name),
vl->append(val_mgr->GetCount(qtype)); val_mgr->GetCount(qtype),
vl->append(val_mgr->GetCount(qclass)); val_mgr->GetCount(qclass),
});
analyzer->ConnectionEvent(event, vl);
} }
@ -1737,10 +1705,10 @@ void DNS_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
{ {
if ( ! interp->ParseMessage(data, len, 1) && non_dns_request ) if ( ! interp->ParseMessage(data, len, 1) && non_dns_request )
{ {
val_list* vl = new val_list; ConnectionEvent(non_dns_request, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(new StringVal(len, (const char*) data)); new StringVal(len, (const char*) data),
ConnectionEvent(non_dns_request, vl); });
} }
} }
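Review bot: EndMessage (the hunk at -133) calls `analyzer->ConnectionEvent(dns_end, {...})` with no handler check, so `analyzer->BuildConnVal()` and `msg->BuildHdrVal()` are evaluated on every call even when nothing handles `dns_end`. Other call sites in this file test the handler first (`if ( dns_message )`, `if ( dns_MX_reply && ! msg->skip_event )`). Since this code runs on untrusted traffic at packet rate, I would wrap the call in `if ( dns_end )`. The TSIG, RRSIG, DNSKEY, NSEC, NSEC3, DS, TXT and CAA hunks also show no guard, but those functions start outside their hunks, so a check may exist above the visible lines.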


@ -77,10 +77,11 @@ void File_Analyzer::Identify()
&matches); &matches);
string match = matches.empty() ? "<unknown>" string match = matches.empty() ? "<unknown>"
: *(matches.begin()->second.begin()); : *(matches.begin()->second.begin());
val_list* vl = new val_list;
vl->append(BuildConnVal()); ConnectionEvent(file_transferred, {
vl->append(new StringVal(buffer_len, buffer)); BuildConnVal(),
vl->append(new StringVal("<unknown>")); new StringVal(buffer_len, buffer),
vl->append(new StringVal(match)); new StringVal("<unknown>"),
ConnectionEvent(file_transferred, vl); new StringVal(match),
});
} }


@ -66,14 +66,15 @@ void Finger_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig
else else
host = at + 1; host = at + 1;
val_list* vl = new val_list;
vl->append(BuildConnVal());
vl->append(val_mgr->GetBool(long_cnt));
vl->append(new StringVal(at - line, line));
vl->append(new StringVal(end_of_line - host, host));
if ( finger_request ) if ( finger_request )
ConnectionEvent(finger_request, vl); {
ConnectionEvent(finger_request, {
BuildConnVal(),
val_mgr->GetBool(long_cnt),
new StringVal(at - line, line),
new StringVal(end_of_line - host, host),
});
}
Conn()->Match(Rule::FINGER, (const u_char *) line, Conn()->Match(Rule::FINGER, (const u_char *) line,
end_of_line - line, true, true, 1, true); end_of_line - line, true, true, 1, true);
@ -86,10 +87,9 @@ void Finger_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig
if ( ! finger_reply ) if ( ! finger_reply )
return; return;
val_list* vl = new val_list; ConnectionEvent(finger_reply, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(new StringVal(end_of_line - line, line)); new StringVal(end_of_line - line, line),
});
ConnectionEvent(finger_reply, vl);
} }
} }


@ -73,8 +73,7 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
// Could emit "ftp empty request/reply" weird, but maybe not worth it. // Could emit "ftp empty request/reply" weird, but maybe not worth it.
return; return;
val_list* vl = new val_list; val_list vl;
vl->append(BuildConnVal());
EventHandlerPtr f; EventHandlerPtr f;
if ( orig ) if ( orig )
@ -95,8 +94,11 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
else else
cmd_str = (new StringVal(cmd_len, cmd))->ToUpper(); cmd_str = (new StringVal(cmd_len, cmd))->ToUpper();
vl->append(cmd_str); vl = val_list{
vl->append(new StringVal(end_of_line - line, line)); BuildConnVal(),
cmd_str,
new StringVal(end_of_line - line, line),
};
f = ftp_request; f = ftp_request;
ProtocolConfirmation(); ProtocolConfirmation();
@ -171,14 +173,17 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
} }
} }
vl->append(val_mgr->GetCount(reply_code)); vl = val_list{
vl->append(new StringVal(end_of_line - line, line)); BuildConnVal(),
vl->append(val_mgr->GetBool(cont_resp)); val_mgr->GetCount(reply_code),
new StringVal(end_of_line - line, line),
val_mgr->GetBool(cont_resp),
};
f = ftp_reply; f = ftp_reply;
} }
ConnectionEvent(f, vl); ConnectionEvent(f, std::move(vl));
ForwardStream(length, data, orig); ForwardStream(length, data, orig);
} }


@ -58,16 +58,10 @@ void Gnutella_Analyzer::Done()
if ( ! sent_establish && (gnutella_establish || gnutella_not_establish) ) if ( ! sent_establish && (gnutella_establish || gnutella_not_establish) )
{ {
val_list* vl = new val_list;
vl->append(BuildConnVal());
if ( Established() && gnutella_establish ) if ( Established() && gnutella_establish )
ConnectionEvent(gnutella_establish, vl); ConnectionEvent(gnutella_establish, {BuildConnVal()});
else if ( ! Established () && gnutella_not_establish ) else if ( ! Established () && gnutella_not_establish )
ConnectionEvent(gnutella_not_establish, vl); ConnectionEvent(gnutella_not_establish, {BuildConnVal()});
else
delete_vals(vl);
} }
if ( gnutella_partial_binary_msg ) if ( gnutella_partial_binary_msg )
@ -78,14 +72,12 @@ void Gnutella_Analyzer::Done()
{ {
if ( ! p->msg_sent && p->msg_pos ) if ( ! p->msg_sent && p->msg_pos )
{ {
val_list* vl = new val_list; ConnectionEvent(gnutella_partial_binary_msg, {
BuildConnVal(),
vl->append(BuildConnVal()); new StringVal(p->msg),
vl->append(new StringVal(p->msg)); val_mgr->GetBool((i == 0)),
vl->append(val_mgr->GetBool((i == 0))); val_mgr->GetCount(p->msg_pos),
vl->append(val_mgr->GetCount(p->msg_pos)); });
ConnectionEvent(gnutella_partial_binary_msg, vl);
} }
else if ( ! p->msg_sent && p->payload_left ) else if ( ! p->msg_sent && p->payload_left )
@ -129,10 +121,7 @@ int Gnutella_Analyzer::IsHTTP(string header)
if ( gnutella_http_notify ) if ( gnutella_http_notify )
{ {
val_list* vl = new val_list; ConnectionEvent(gnutella_http_notify, {BuildConnVal()});
vl->append(BuildConnVal());
ConnectionEvent(gnutella_http_notify, vl);
} }
analyzer::Analyzer* a = analyzer_mgr->InstantiateAnalyzer("HTTP", Conn()); analyzer::Analyzer* a = analyzer_mgr->InstantiateAnalyzer("HTTP", Conn());
@ -192,13 +181,11 @@ void Gnutella_Analyzer::DeliverLines(int len, const u_char* data, bool orig)
{ {
if ( gnutella_text_msg ) if ( gnutella_text_msg )
{ {
val_list* vl = new val_list; ConnectionEvent(gnutella_text_msg, {
BuildConnVal(),
vl->append(BuildConnVal()); val_mgr->GetBool(orig),
vl->append(val_mgr->GetBool(orig)); new StringVal(ms->headers.data()),
vl->append(new StringVal(ms->headers.data())); });
ConnectionEvent(gnutella_text_msg, vl);
} }
ms->headers = ""; ms->headers = "";
@ -206,12 +193,9 @@ void Gnutella_Analyzer::DeliverLines(int len, const u_char* data, bool orig)
if ( Established () && gnutella_establish ) if ( Established () && gnutella_establish )
{ {
val_list* vl = new val_list;
sent_establish = 1; sent_establish = 1;
vl->append(BuildConnVal());
ConnectionEvent(gnutella_establish, vl); ConnectionEvent(gnutella_establish, {BuildConnVal()});
} }
} }
} }
@ -237,21 +221,18 @@ void Gnutella_Analyzer::SendEvents(GnutellaMsgState* p, bool is_orig)
if ( gnutella_binary_msg ) if ( gnutella_binary_msg )
{ {
val_list* vl = new val_list; ConnectionEvent(gnutella_binary_msg, {
BuildConnVal(),
vl->append(BuildConnVal()); val_mgr->GetBool(is_orig),
vl->append(val_mgr->GetBool(is_orig)); val_mgr->GetCount(p->msg_type),
vl->append(val_mgr->GetCount(p->msg_type)); val_mgr->GetCount(p->msg_ttl),
vl->append(val_mgr->GetCount(p->msg_ttl)); val_mgr->GetCount(p->msg_hops),
vl->append(val_mgr->GetCount(p->msg_hops)); val_mgr->GetCount(p->msg_len),
vl->append(val_mgr->GetCount(p->msg_len)); new StringVal(p->payload),
vl->append(new StringVal(p->payload)); val_mgr->GetCount(p->payload_len),
vl->append(val_mgr->GetCount(p->payload_len)); val_mgr->GetBool((p->payload_len < min(p->msg_len, (unsigned int)GNUTELLA_MAX_PAYLOAD))),
vl->append(val_mgr->GetBool( val_mgr->GetBool((p->payload_left == 0)),
(p->payload_len < min(p->msg_len, (unsigned int)GNUTELLA_MAX_PAYLOAD)))); });
vl->append(val_mgr->GetBool((p->payload_left == 0)));
ConnectionEvent(gnutella_binary_msg, vl);
} }
} }
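Review bot: In the `gnutella_binary_msg` and `gnutella_partial_binary_msg` lists, `new StringVal(p->payload)` and `new StringVal(p->msg)` pass buffers whose lengths are tracked separately (`p->payload_len`, `p->msg_pos`) to what looks like the C-string constructor. If these are raw byte buffers (their declarations are outside this page), the value handed to scripts would be cut at the first zero byte, and an unterminated buffer would be read past its filled part. The length-taking form used elsewhere in this commit, e.g. `new StringVal(p->payload_len, p->payload)`, would carry the length explicitly. The argument types would need checking against the struct before changing it.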


@ -646,11 +646,11 @@ void HTTP_Message::Done(const int interrupted, const char* detail)
if ( http_message_done ) if ( http_message_done )
{ {
val_list* vl = new val_list; GetAnalyzer()->ConnectionEvent(http_message_done, {
vl->append(analyzer->BuildConnVal()); analyzer->BuildConnVal(),
vl->append(val_mgr->GetBool(is_orig)); val_mgr->GetBool(is_orig),
vl->append(BuildMessageStat(interrupted, detail)); BuildMessageStat(interrupted, detail),
GetAnalyzer()->ConnectionEvent(http_message_done, vl); });
} }
MyHTTP_Analyzer()->HTTP_MessageDone(is_orig, this); MyHTTP_Analyzer()->HTTP_MessageDone(is_orig, this);
@ -679,10 +679,10 @@ void HTTP_Message::BeginEntity(mime::MIME_Entity* entity)
if ( http_begin_entity ) if ( http_begin_entity )
{ {
val_list* vl = new val_list(); analyzer->ConnectionEvent(http_begin_entity, {
vl->append(analyzer->BuildConnVal()); analyzer->BuildConnVal(),
vl->append(val_mgr->GetBool(is_orig)); val_mgr->GetBool(is_orig),
analyzer->ConnectionEvent(http_begin_entity, vl); });
} }
} }
@ -696,10 +696,10 @@ void HTTP_Message::EndEntity(mime::MIME_Entity* entity)
if ( http_end_entity ) if ( http_end_entity )
{ {
val_list* vl = new val_list(); analyzer->ConnectionEvent(http_end_entity, {
vl->append(analyzer->BuildConnVal()); analyzer->BuildConnVal(),
vl->append(val_mgr->GetBool(is_orig)); val_mgr->GetBool(is_orig),
analyzer->ConnectionEvent(http_end_entity, vl); });
} }
current_entity = (HTTP_Entity*) entity->Parent(); current_entity = (HTTP_Entity*) entity->Parent();
@ -737,11 +737,11 @@ void HTTP_Message::SubmitAllHeaders(mime::MIME_HeaderList& hlist)
{ {
if ( http_all_headers ) if ( http_all_headers )
{ {
val_list* vl = new val_list(); analyzer->ConnectionEvent(http_all_headers, {
vl->append(analyzer->BuildConnVal()); analyzer->BuildConnVal(),
vl->append(val_mgr->GetBool(is_orig)); val_mgr->GetBool(is_orig),
vl->append(BuildHeaderTable(hlist)); BuildHeaderTable(hlist),
analyzer->ConnectionEvent(http_all_headers, vl); });
} }
if ( http_content_type ) if ( http_content_type )
@ -751,12 +751,12 @@ void HTTP_Message::SubmitAllHeaders(mime::MIME_HeaderList& hlist)
ty->Ref(); ty->Ref();
subty->Ref(); subty->Ref();
val_list* vl = new val_list(); analyzer->ConnectionEvent(http_content_type, {
vl->append(analyzer->BuildConnVal()); analyzer->BuildConnVal(),
vl->append(val_mgr->GetBool(is_orig)); val_mgr->GetBool(is_orig),
vl->append(ty); ty,
vl->append(subty); subty,
analyzer->ConnectionEvent(http_content_type, vl); });
} }
} }
@ -1182,12 +1182,8 @@ void HTTP_Analyzer::GenStats()
r->Assign(2, new Val(request_version, TYPE_DOUBLE)); r->Assign(2, new Val(request_version, TYPE_DOUBLE));
r->Assign(3, new Val(reply_version, TYPE_DOUBLE)); r->Assign(3, new Val(reply_version, TYPE_DOUBLE));
val_list* vl = new val_list;
vl->append(BuildConnVal());
vl->append(r);
// DEBUG_MSG("%.6f http_stats\n", network_time); // DEBUG_MSG("%.6f http_stats\n", network_time);
ConnectionEvent(http_stats, vl); ConnectionEvent(http_stats, {BuildConnVal(), r});
} }
} }
@ -1384,13 +1380,12 @@ void HTTP_Analyzer::HTTP_Event(const char* category, StringVal* detail)
{ {
if ( http_event ) if ( http_event )
{ {
val_list* vl = new val_list();
vl->append(BuildConnVal());
vl->append(new StringVal(category));
vl->append(detail);
// DEBUG_MSG("%.6f http_event\n", network_time); // DEBUG_MSG("%.6f http_event\n", network_time);
ConnectionEvent(http_event, vl); ConnectionEvent(http_event, {
BuildConnVal(),
new StringVal(category),
detail,
});
} }
else else
delete detail; delete detail;
@ -1426,17 +1421,16 @@ void HTTP_Analyzer::HTTP_Request()
if ( http_request ) if ( http_request )
{ {
val_list* vl = new val_list;
vl->append(BuildConnVal());
Ref(request_method); Ref(request_method);
vl->append(request_method);
vl->append(TruncateURI(request_URI->AsStringVal()));
vl->append(TruncateURI(unescaped_URI->AsStringVal()));
vl->append(new StringVal(fmt("%.1f", request_version)));
// DEBUG_MSG("%.6f http_request\n", network_time); // DEBUG_MSG("%.6f http_request\n", network_time);
ConnectionEvent(http_request, vl); ConnectionEvent(http_request, {
BuildConnVal(),
request_method,
TruncateURI(request_URI->AsStringVal()),
TruncateURI(unescaped_URI->AsStringVal()),
new StringVal(fmt("%.1f", request_version)),
});
} }
} }
@ -1444,15 +1438,14 @@ void HTTP_Analyzer::HTTP_Reply()
{ {
if ( http_reply ) if ( http_reply )
{ {
val_list* vl = new val_list; ConnectionEvent(http_reply, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(new StringVal(fmt("%.1f", reply_version))); new StringVal(fmt("%.1f", reply_version)),
vl->append(val_mgr->GetCount(reply_code)); val_mgr->GetCount(reply_code),
if ( reply_reason_phrase ) reply_reason_phrase ?
vl->append(reply_reason_phrase->Ref()); reply_reason_phrase->Ref() :
else new StringVal("<empty>"),
vl->append(new StringVal("<empty>")); });
ConnectionEvent(http_reply, vl);
} }
else else
{ {
@ -1524,10 +1517,10 @@ void HTTP_Analyzer::ReplyMade(const int interrupted, const char* msg)
if ( http_connection_upgrade ) if ( http_connection_upgrade )
{ {
val_list* vl = new val_list(); ConnectionEvent(http_connection_upgrade, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(new StringVal(upgrade_protocol)); new StringVal(upgrade_protocol),
ConnectionEvent(http_connection_upgrade, vl); });
} }
} }
@ -1697,14 +1690,15 @@ void HTTP_Analyzer::HTTP_Header(int is_orig, mime::MIME_Header* h)
Conn()->Match(rule, (const u_char*) hd_value.data, hd_value.length, Conn()->Match(rule, (const u_char*) hd_value.data, hd_value.length,
is_orig, false, true, false); is_orig, false, true, false);
val_list* vl = new val_list();
vl->append(BuildConnVal());
vl->append(val_mgr->GetBool(is_orig));
vl->append(mime::new_string_val(h->get_name())->ToUpper());
vl->append(mime::new_string_val(h->get_value()));
if ( DEBUG_http ) if ( DEBUG_http )
DEBUG_MSG("%.6f http_header\n", network_time); DEBUG_MSG("%.6f http_header\n", network_time);
ConnectionEvent(http_header, vl);
ConnectionEvent(http_header, {
BuildConnVal(),
val_mgr->GetBool(is_orig),
mime::new_string_val(h->get_name())->ToUpper(),
mime::new_string_val(h->get_value()),
});
} }
} }
@ -1833,12 +1827,12 @@ void HTTP_Analyzer::HTTP_EntityData(int is_orig, BroString* entity_data)
{ {
if ( http_entity_data ) if ( http_entity_data )
{ {
val_list* vl = new val_list(); ConnectionEvent(http_entity_data, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(is_orig)); val_mgr->GetBool(is_orig),
vl->append(val_mgr->GetCount(entity_data->Len())); val_mgr->GetCount(entity_data->Len()),
vl->append(new StringVal(entity_data)); new StringVal(entity_data),
ConnectionEvent(http_entity_data, vl); });
} }
else else
delete entity_data; delete entity_data;
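Review bot: In HTTP_Event the no-handler branch still does `delete detail;` on a `StringVal*`, while the rest of this section treats Vals as reference-counted (`Ref(request_method)`, `ty->Ref()`, `reply_reason_phrase->Ref()`). If a caller ever passes a value that holds more than one reference, a direct delete would leave the other holders with a dangling pointer. `Unref(detail);` would release only this function's reference. The callers are outside the page, so whether any of them shares the value is not visible here.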


@ -199,20 +199,21 @@ void ICMP_Analyzer::ICMP_Sent(const struct icmp* icmpp, int len, int caplen,
{ {
if ( icmp_sent ) if ( icmp_sent )
{ {
val_list* vl = new val_list; ConnectionEvent(icmp_sent, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(BuildICMPVal(icmpp, len, icmpv6, ip_hdr)); BuildICMPVal(icmpp, len, icmpv6, ip_hdr),
ConnectionEvent(icmp_sent, vl); });
} }
if ( icmp_sent_payload ) if ( icmp_sent_payload )
{ {
val_list* vl = new val_list;
vl->append(BuildConnVal());
vl->append(BuildICMPVal(icmpp, len, icmpv6, ip_hdr));
BroString* payload = new BroString(data, min(len, caplen), 0); BroString* payload = new BroString(data, min(len, caplen), 0);
vl->append(new StringVal(payload));
ConnectionEvent(icmp_sent_payload, vl); ConnectionEvent(icmp_sent_payload, {
BuildConnVal(),
BuildICMPVal(icmpp, len, icmpv6, ip_hdr),
new StringVal(payload),
});
} }
} }
@ -511,14 +512,13 @@ void ICMP_Analyzer::Echo(double t, const struct icmp* icmpp, int len,
BroString* payload = new BroString(data, caplen, 0); BroString* payload = new BroString(data, caplen, 0);
val_list* vl = new val_list; ConnectionEvent(f, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(BuildICMPVal(icmpp, len, ip_hdr->NextProto() != IPPROTO_ICMP, ip_hdr)); BuildICMPVal(icmpp, len, ip_hdr->NextProto() != IPPROTO_ICMP, ip_hdr),
vl->append(val_mgr->GetCount(iid)); val_mgr->GetCount(iid),
vl->append(val_mgr->GetCount(iseq)); val_mgr->GetCount(iseq),
vl->append(new StringVal(payload)); new StringVal(payload),
});
ConnectionEvent(f, vl);
} }
@ -534,24 +534,23 @@ void ICMP_Analyzer::RouterAdvert(double t, const struct icmp* icmpp, int len,
if ( caplen >= (int)sizeof(reachable) + (int)sizeof(retrans) ) if ( caplen >= (int)sizeof(reachable) + (int)sizeof(retrans) )
memcpy(&retrans, data + sizeof(reachable), sizeof(retrans)); memcpy(&retrans, data + sizeof(reachable), sizeof(retrans));
val_list* vl = new val_list;
vl->append(BuildConnVal());
vl->append(BuildICMPVal(icmpp, len, 1, ip_hdr));
vl->append(val_mgr->GetCount(icmpp->icmp_num_addrs)); // Cur Hop Limit
vl->append(val_mgr->GetBool(icmpp->icmp_wpa & 0x80)); // Managed
vl->append(val_mgr->GetBool(icmpp->icmp_wpa & 0x40)); // Other
vl->append(val_mgr->GetBool(icmpp->icmp_wpa & 0x20)); // Home Agent
vl->append(val_mgr->GetCount((icmpp->icmp_wpa & 0x18)>>3)); // Pref
vl->append(val_mgr->GetBool(icmpp->icmp_wpa & 0x04)); // Proxy
vl->append(val_mgr->GetCount(icmpp->icmp_wpa & 0x02)); // Reserved
vl->append(new IntervalVal((double)ntohs(icmpp->icmp_lifetime), Seconds));
vl->append(new IntervalVal((double)ntohl(reachable), Milliseconds));
vl->append(new IntervalVal((double)ntohl(retrans), Milliseconds));
int opt_offset = sizeof(reachable) + sizeof(retrans); int opt_offset = sizeof(reachable) + sizeof(retrans);
vl->append(BuildNDOptionsVal(caplen - opt_offset, data + opt_offset));
ConnectionEvent(f, vl); ConnectionEvent(f, {
BuildConnVal(),
BuildICMPVal(icmpp, len, 1, ip_hdr),
val_mgr->GetCount(icmpp->icmp_num_addrs), // Cur Hop Limit
val_mgr->GetBool(icmpp->icmp_wpa & 0x80), // Managed
val_mgr->GetBool(icmpp->icmp_wpa & 0x40), // Other
val_mgr->GetBool(icmpp->icmp_wpa & 0x20), // Home Agent
val_mgr->GetCount((icmpp->icmp_wpa & 0x18)>>3), // Pref
val_mgr->GetBool(icmpp->icmp_wpa & 0x04), // Proxy
val_mgr->GetCount(icmpp->icmp_wpa & 0x02), // Reserved
new IntervalVal((double)ntohs(icmpp->icmp_lifetime), Seconds),
new IntervalVal((double)ntohl(reachable), Milliseconds),
new IntervalVal((double)ntohl(retrans), Milliseconds),
BuildNDOptionsVal(caplen - opt_offset, data + opt_offset),
});
} }
@ -564,18 +563,17 @@ void ICMP_Analyzer::NeighborAdvert(double t, const struct icmp* icmpp, int len,
if ( caplen >= (int)sizeof(in6_addr) ) if ( caplen >= (int)sizeof(in6_addr) )
tgtaddr = IPAddr(*((const in6_addr*)data)); tgtaddr = IPAddr(*((const in6_addr*)data));
val_list* vl = new val_list;
vl->append(BuildConnVal());
vl->append(BuildICMPVal(icmpp, len, 1, ip_hdr));
vl->append(val_mgr->GetBool(icmpp->icmp_num_addrs & 0x80)); // Router
vl->append(val_mgr->GetBool(icmpp->icmp_num_addrs & 0x40)); // Solicited
vl->append(val_mgr->GetBool(icmpp->icmp_num_addrs & 0x20)); // Override
vl->append(new AddrVal(tgtaddr));
int opt_offset = sizeof(in6_addr); int opt_offset = sizeof(in6_addr);
vl->append(BuildNDOptionsVal(caplen - opt_offset, data + opt_offset));
ConnectionEvent(f, vl); ConnectionEvent(f, {
BuildConnVal(),
BuildICMPVal(icmpp, len, 1, ip_hdr),
val_mgr->GetBool(icmpp->icmp_num_addrs & 0x80), // Router
val_mgr->GetBool(icmpp->icmp_num_addrs & 0x40), // Solicited
val_mgr->GetBool(icmpp->icmp_num_addrs & 0x20), // Override
new AddrVal(tgtaddr),
BuildNDOptionsVal(caplen - opt_offset, data + opt_offset),
});
} }
@ -588,15 +586,14 @@ void ICMP_Analyzer::NeighborSolicit(double t, const struct icmp* icmpp, int len,
if ( caplen >= (int)sizeof(in6_addr) ) if ( caplen >= (int)sizeof(in6_addr) )
tgtaddr = IPAddr(*((const in6_addr*)data)); tgtaddr = IPAddr(*((const in6_addr*)data));
val_list* vl = new val_list;
vl->append(BuildConnVal());
vl->append(BuildICMPVal(icmpp, len, 1, ip_hdr));
vl->append(new AddrVal(tgtaddr));
int opt_offset = sizeof(in6_addr); int opt_offset = sizeof(in6_addr);
vl->append(BuildNDOptionsVal(caplen - opt_offset, data + opt_offset));
ConnectionEvent(f, vl); ConnectionEvent(f, {
BuildConnVal(),
BuildICMPVal(icmpp, len, 1, ip_hdr),
new AddrVal(tgtaddr),
BuildNDOptionsVal(caplen - opt_offset, data + opt_offset),
});
} }
@ -612,16 +609,15 @@ void ICMP_Analyzer::Redirect(double t, const struct icmp* icmpp, int len,
if ( caplen >= 2 * (int)sizeof(in6_addr) ) if ( caplen >= 2 * (int)sizeof(in6_addr) )
dstaddr = IPAddr(*((const in6_addr*)(data + sizeof(in6_addr)))); dstaddr = IPAddr(*((const in6_addr*)(data + sizeof(in6_addr))));
val_list* vl = new val_list;
vl->append(BuildConnVal());
vl->append(BuildICMPVal(icmpp, len, 1, ip_hdr));
vl->append(new AddrVal(tgtaddr));
vl->append(new AddrVal(dstaddr));
int opt_offset = 2 * sizeof(in6_addr); int opt_offset = 2 * sizeof(in6_addr);
vl->append(BuildNDOptionsVal(caplen - opt_offset, data + opt_offset));
ConnectionEvent(f, vl); ConnectionEvent(f, {
BuildConnVal(),
BuildICMPVal(icmpp, len, 1, ip_hdr),
new AddrVal(tgtaddr),
new AddrVal(dstaddr),
BuildNDOptionsVal(caplen - opt_offset, data + opt_offset),
});
} }
@ -630,12 +626,11 @@ void ICMP_Analyzer::RouterSolicit(double t, const struct icmp* icmpp, int len,
{ {
EventHandlerPtr f = icmp_router_solicitation; EventHandlerPtr f = icmp_router_solicitation;
val_list* vl = new val_list; ConnectionEvent(f, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(BuildICMPVal(icmpp, len, 1, ip_hdr)); BuildICMPVal(icmpp, len, 1, ip_hdr),
vl->append(BuildNDOptionsVal(caplen, data)); BuildNDOptionsVal(caplen, data),
});
ConnectionEvent(f, vl);
} }
@ -657,12 +652,12 @@ void ICMP_Analyzer::Context4(double t, const struct icmp* icmpp,
if ( f ) if ( f )
{ {
val_list* vl = new val_list; ConnectionEvent(f, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(BuildICMPVal(icmpp, len, 0, ip_hdr)); BuildICMPVal(icmpp, len, 0, ip_hdr),
vl->append(val_mgr->GetCount(icmpp->icmp_code)); val_mgr->GetCount(icmpp->icmp_code),
vl->append(ExtractICMP4Context(caplen, data)); ExtractICMP4Context(caplen, data),
ConnectionEvent(f, vl); });
} }
} }
@ -697,12 +692,12 @@ void ICMP_Analyzer::Context6(double t, const struct icmp* icmpp,
if ( f ) if ( f )
{ {
val_list* vl = new val_list; ConnectionEvent(f, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(BuildICMPVal(icmpp, len, 1, ip_hdr)); BuildICMPVal(icmpp, len, 1, ip_hdr),
vl->append(val_mgr->GetCount(icmpp->icmp_code)); val_mgr->GetCount(icmpp->icmp_code),
vl->append(ExtractICMP6Context(caplen, data)); ExtractICMP6Context(caplen, data),
ConnectionEvent(f, vl); });
} }
} }


@ -83,12 +83,11 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
Weird("ident_request_addendum", s.CheckString()); Weird("ident_request_addendum", s.CheckString());
} }
val_list* vl = new val_list; ConnectionEvent(ident_request, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetPort(local_port, TRANSPORT_TCP)); val_mgr->GetPort(local_port, TRANSPORT_TCP),
vl->append(val_mgr->GetPort(remote_port, TRANSPORT_TCP)); val_mgr->GetPort(remote_port, TRANSPORT_TCP),
});
ConnectionEvent(ident_request, vl);
did_deliver = 1; did_deliver = 1;
} }
@ -144,13 +143,12 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
if ( is_error ) if ( is_error )
{ {
val_list* vl = new val_list; ConnectionEvent(ident_error, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetPort(local_port, TRANSPORT_TCP)); val_mgr->GetPort(local_port, TRANSPORT_TCP),
vl->append(val_mgr->GetPort(remote_port, TRANSPORT_TCP)); val_mgr->GetPort(remote_port, TRANSPORT_TCP),
vl->append(new StringVal(end_of_line - line, line)); new StringVal(end_of_line - line, line),
});
ConnectionEvent(ident_error, vl);
} }
else else
@ -178,14 +176,13 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
line = skip_whitespace(colon + 1, end_of_line); line = skip_whitespace(colon + 1, end_of_line);
val_list* vl = new val_list; ConnectionEvent(ident_reply, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetPort(local_port, TRANSPORT_TCP)); val_mgr->GetPort(local_port, TRANSPORT_TCP),
vl->append(val_mgr->GetPort(remote_port, TRANSPORT_TCP)); val_mgr->GetPort(remote_port, TRANSPORT_TCP),
vl->append(new StringVal(end_of_line - line, line)); new StringVal(end_of_line - line, line),
vl->append(new StringVal(sys_type_s)); new StringVal(sys_type_s),
});
ConnectionEvent(ident_reply, vl);
} }
} }
} }


@ -241,20 +241,16 @@ void InterConn_Analyzer::StatTimer(double t, int is_expire)
void InterConn_Analyzer::StatEvent() void InterConn_Analyzer::StatEvent()
{ {
val_list* vl = new val_list; Conn()->ConnectionEvent(interconn_stats, this, {
vl->append(Conn()->BuildConnVal()); Conn()->BuildConnVal(),
vl->append(orig_endp->BuildStats()); orig_endp->BuildStats(),
vl->append(resp_endp->BuildStats()); resp_endp->BuildStats(),
});
Conn()->ConnectionEvent(interconn_stats, this, vl);
} }
void InterConn_Analyzer::RemoveEvent() void InterConn_Analyzer::RemoveEvent()
{ {
val_list* vl = new val_list; Conn()->ConnectionEvent(interconn_remove_conn, this, {Conn()->BuildConnVal()});
vl->append(Conn()->BuildConnVal());
Conn()->ConnectionEvent(interconn_remove_conn, this, vl);
} }
InterConnTimer::InterConnTimer(double t, InterConn_Analyzer* a) InterConnTimer::InterConnTimer(double t, InterConn_Analyzer* a)
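Review bot: StatEvent and RemoveEvent, both fully visible in this section, build their argument values inside the braced list before anything checks that `interconn_stats` or `interconn_remove_conn` has a handler, so every call constructs the connection value (and, in StatEvent, both endpoint stats) even when no script consumes the event. A one-line guard at the top of each, `if ( ! interconn_stats ) return;` and `if ( ! interconn_remove_conn ) return;`, would match the `if ( f )` and `if ( login_terminal )` checks used at other call sites in this commit and would not depend on ConnectionEvent releasing values it never uses. The same applies to `Login_Analyzer::LineEvent`, whose whole body is the ConnectionEvent call; `if ( ! f ) return;` would do there, unless its callers already check.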


@ -233,14 +233,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
// else ### // else ###
} }
val_list* vl = new val_list; ConnectionEvent(irc_network_info, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(orig)); val_mgr->GetBool(orig),
vl->append(val_mgr->GetInt(users)); val_mgr->GetInt(users),
vl->append(val_mgr->GetInt(services)); val_mgr->GetInt(services),
vl->append(val_mgr->GetInt(servers)); val_mgr->GetInt(servers),
});
ConnectionEvent(irc_network_info, vl);
} }
break; break;
@ -271,13 +270,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( parts.size() > 0 && parts[0][0] == ':' ) if ( parts.size() > 0 && parts[0][0] == ':' )
parts[0] = parts[0].substr(1); parts[0] = parts[0].substr(1);
val_list* vl = new val_list;
vl->append(BuildConnVal());
vl->append(val_mgr->GetBool(orig));
vl->append(new StringVal(type.c_str()));
vl->append(new StringVal(channel.c_str()));
TableVal* set = new TableVal(string_set); TableVal* set = new TableVal(string_set);
for ( unsigned int i = 0; i < parts.size(); ++i ) for ( unsigned int i = 0; i < parts.size(); ++i )
{ {
if ( parts[i][0] == '@' ) if ( parts[i][0] == '@' )
@ -286,9 +280,14 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
set->Assign(idx, 0); set->Assign(idx, 0);
Unref(idx); Unref(idx);
} }
vl->append(set);
ConnectionEvent(irc_names_info, vl); ConnectionEvent(irc_names_info, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(type.c_str()),
new StringVal(channel.c_str()),
set,
});
} }
break; break;
@ -316,14 +315,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
// else ### // else ###
} }
val_list* vl = new val_list; ConnectionEvent(irc_server_info, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(orig)); val_mgr->GetBool(orig),
vl->append(val_mgr->GetInt(users)); val_mgr->GetInt(users),
vl->append(val_mgr->GetInt(services)); val_mgr->GetInt(services),
vl->append(val_mgr->GetInt(servers)); val_mgr->GetInt(servers),
});
ConnectionEvent(irc_server_info, vl);
} }
break; break;
@ -339,12 +337,11 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( parts[i] == ":channels" ) if ( parts[i] == ":channels" )
channels = atoi(parts[i - 1].c_str()); channels = atoi(parts[i - 1].c_str());
val_list* vl = new val_list; ConnectionEvent(irc_channel_info, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(orig)); val_mgr->GetBool(orig),
vl->append(val_mgr->GetInt(channels)); val_mgr->GetInt(channels),
});
ConnectionEvent(irc_channel_info, vl);
} }
break; break;
@ -372,12 +369,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
break; break;
} }
val_list* vl = new val_list; ConnectionEvent(irc_global_users, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(orig)); val_mgr->GetBool(orig),
vl->append(new StringVal(eop - prefix, prefix)); new StringVal(eop - prefix, prefix),
vl->append(new StringVal(++msg)); new StringVal(++msg),
ConnectionEvent(irc_global_users, vl); });
break; break;
} }
@ -397,12 +394,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
return; return;
} }
val_list* vl = new val_list; val_list vl(6);
vl->append(BuildConnVal()); vl.append(BuildConnVal());
vl->append(val_mgr->GetBool(orig)); vl.append(val_mgr->GetBool(orig));
vl->append(new StringVal(parts[0].c_str())); vl.append(new StringVal(parts[0].c_str()));
vl->append(new StringVal(parts[1].c_str())); vl.append(new StringVal(parts[1].c_str()));
vl->append(new StringVal(parts[2].c_str())); vl.append(new StringVal(parts[2].c_str()));
parts.erase(parts.begin(), parts.begin() + 4); parts.erase(parts.begin(), parts.begin() + 4);
@ -413,9 +410,9 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( real_name[0] == ':' ) if ( real_name[0] == ':' )
real_name = real_name.substr(1); real_name = real_name.substr(1);
vl->append(new StringVal(real_name.c_str())); vl.append(new StringVal(real_name.c_str()));
ConnectionEvent(irc_whois_user_line, vl); ConnectionEvent(irc_whois_user_line, std::move(vl));
} }
break; break;
@ -436,12 +433,11 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
return; return;
} }
val_list* vl = new val_list; ConnectionEvent(irc_whois_operator_line, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(orig)); val_mgr->GetBool(orig),
vl->append(new StringVal(parts[0].c_str())); new StringVal(parts[0].c_str()),
});
ConnectionEvent(irc_whois_operator_line, vl);
} }
break; break;
@ -467,11 +463,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( parts.size() > 0 && parts[0][0] == ':' ) if ( parts.size() > 0 && parts[0][0] == ':' )
parts[0] = parts[0].substr(1); parts[0] = parts[0].substr(1);
val_list* vl = new val_list;
vl->append(BuildConnVal());
vl->append(val_mgr->GetBool(orig));
vl->append(new StringVal(nick.c_str()));
TableVal* set = new TableVal(string_set); TableVal* set = new TableVal(string_set);
for ( unsigned int i = 0; i < parts.size(); ++i ) for ( unsigned int i = 0; i < parts.size(); ++i )
{ {
Val* idx = new StringVal(parts[i].c_str()); Val* idx = new StringVal(parts[i].c_str());
@ -479,9 +472,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
Unref(idx); Unref(idx);
} }
vl->append(set); ConnectionEvent(irc_whois_channel_line, {
BuildConnVal(),
ConnectionEvent(irc_whois_channel_line, vl); val_mgr->GetBool(orig),
new StringVal(nick.c_str()),
set,
});
} }
break; break;
@ -502,19 +498,17 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( pos < params.size() ) if ( pos < params.size() )
{ {
string topic = params.substr(pos + 1); string topic = params.substr(pos + 1);
val_list* vl = new val_list;
vl->append(BuildConnVal());
vl->append(val_mgr->GetBool(orig));
vl->append(new StringVal(parts[1].c_str()));
const char* t = topic.c_str(); const char* t = topic.c_str();
if ( *t == ':' ) if ( *t == ':' )
++t; ++t;
vl->append(new StringVal(t)); ConnectionEvent(irc_channel_topic, {
BuildConnVal(),
ConnectionEvent(irc_channel_topic, vl); val_mgr->GetBool(orig),
new StringVal(parts[1].c_str()),
new StringVal(t),
});
} }
else else
{ {
@ -537,24 +531,25 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
return; return;
} }
val_list* vl = new val_list;
vl->append(BuildConnVal());
vl->append(val_mgr->GetBool(orig));
vl->append(new StringVal(parts[0].c_str()));
vl->append(new StringVal(parts[1].c_str()));
if ( parts[2][0] == '~' ) if ( parts[2][0] == '~' )
parts[2] = parts[2].substr(1); parts[2] = parts[2].substr(1);
vl->append(new StringVal(parts[2].c_str()));
vl->append(new StringVal(parts[3].c_str()));
vl->append(new StringVal(parts[4].c_str()));
vl->append(new StringVal(parts[5].c_str()));
vl->append(new StringVal(parts[6].c_str()));
if ( parts[7][0] == ':' ) if ( parts[7][0] == ':' )
parts[7] = parts[7].substr(1); parts[7] = parts[7].substr(1);
vl->append(val_mgr->GetInt(atoi(parts[7].c_str())));
vl->append(new StringVal(parts[8].c_str()));
ConnectionEvent(irc_who_line, vl); ConnectionEvent(irc_who_line, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(parts[0].c_str()),
new StringVal(parts[1].c_str()),
new StringVal(parts[2].c_str()),
new StringVal(parts[3].c_str()),
new StringVal(parts[4].c_str()),
new StringVal(parts[5].c_str()),
new StringVal(parts[6].c_str()),
val_mgr->GetInt(atoi(parts[7].c_str())),
new StringVal(parts[8].c_str()),
});
} }
break; break;
@ -565,10 +560,10 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
case 436: case 436:
if ( irc_invalid_nick ) if ( irc_invalid_nick )
{ {
val_list* vl = new val_list; ConnectionEvent(irc_invalid_nick, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(orig)); val_mgr->GetBool(orig),
ConnectionEvent(irc_invalid_nick, vl); });
} }
break; break;
@ -577,11 +572,11 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
case 491: // user is not operator case 491: // user is not operator
if ( irc_oper_response ) if ( irc_oper_response )
{ {
val_list* vl = new val_list; ConnectionEvent(irc_oper_response, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(orig)); val_mgr->GetBool(orig),
vl->append(val_mgr->GetBool(code == 381)); val_mgr->GetBool(code == 381),
ConnectionEvent(irc_oper_response, vl); });
} }
break; break;
@ -592,14 +587,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
// All other server replies. // All other server replies.
default: default:
val_list* vl = new val_list; ConnectionEvent(irc_reply, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(orig)); val_mgr->GetBool(orig),
vl->append(new StringVal(prefix.c_str())); new StringVal(prefix.c_str()),
vl->append(val_mgr->GetCount(code)); val_mgr->GetCount(code),
vl->append(new StringVal(params.c_str())); new StringVal(params.c_str()),
});
ConnectionEvent(irc_reply, vl);
break; break;
} }
return; return;
@ -662,33 +656,31 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
raw_ip = (10 * raw_ip) + atoi(s.c_str()); raw_ip = (10 * raw_ip) + atoi(s.c_str());
} }
val_list* vl = new val_list;
vl->append(BuildConnVal());
vl->append(val_mgr->GetBool(orig));
vl->append(new StringVal(prefix.c_str()));
vl->append(new StringVal(target.c_str()));
vl->append(new StringVal(parts[1].c_str()));
vl->append(new StringVal(parts[2].c_str()));
vl->append(new AddrVal(htonl(raw_ip)));
vl->append(val_mgr->GetCount(atoi(parts[4].c_str())));
if ( parts.size() >= 6 )
vl->append(val_mgr->GetCount(atoi(parts[5].c_str())));
else
vl->append(val_mgr->GetCount(0));
ConnectionEvent(irc_dcc_message, vl); ConnectionEvent(irc_dcc_message, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(prefix.c_str()),
new StringVal(target.c_str()),
new StringVal(parts[1].c_str()),
new StringVal(parts[2].c_str()),
new AddrVal(htonl(raw_ip)),
val_mgr->GetCount(atoi(parts[4].c_str())),
parts.size() >= 6 ?
val_mgr->GetCount(atoi(parts[5].c_str())) :
val_mgr->GetCount(0),
});
} }
else else
{ {
val_list* vl = new val_list; ConnectionEvent(irc_privmsg_message, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(orig)); val_mgr->GetBool(orig),
vl->append(new StringVal(prefix.c_str())); new StringVal(prefix.c_str()),
vl->append(new StringVal(target.c_str())); new StringVal(target.c_str()),
vl->append(new StringVal(message.c_str())); new StringVal(message.c_str()),
});
ConnectionEvent(irc_privmsg_message, vl);
} }
} }
@ -707,14 +699,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( message[0] == ':' ) if ( message[0] == ':' )
message = message.substr(1); message = message.substr(1);
val_list* vl = new val_list; ConnectionEvent(irc_notice_message, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(orig)); val_mgr->GetBool(orig),
vl->append(new StringVal(prefix.c_str())); new StringVal(prefix.c_str()),
vl->append(new StringVal(target.c_str())); new StringVal(target.c_str()),
vl->append(new StringVal(message.c_str())); new StringVal(message.c_str()),
});
ConnectionEvent(irc_notice_message, vl);
} }
else if ( irc_squery_message && command == "SQUERY" ) else if ( irc_squery_message && command == "SQUERY" )
@ -732,35 +723,34 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( message[0] == ':' ) if ( message[0] == ':' )
message = message.substr(1); message = message.substr(1);
val_list* vl = new val_list; ConnectionEvent(irc_squery_message, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(orig)); val_mgr->GetBool(orig),
vl->append(new StringVal(prefix.c_str())); new StringVal(prefix.c_str()),
vl->append(new StringVal(target.c_str())); new StringVal(target.c_str()),
vl->append(new StringVal(message.c_str())); new StringVal(message.c_str()),
});
ConnectionEvent(irc_squery_message, vl);
} }
else if ( irc_user_message && command == "USER" ) else if ( irc_user_message && command == "USER" )
{ {
// extract username and real name // extract username and real name
vector<string> parts = SplitWords(params, ' '); vector<string> parts = SplitWords(params, ' ');
val_list* vl = new val_list; val_list vl(6);
vl->append(BuildConnVal()); vl.append(BuildConnVal());
vl->append(val_mgr->GetBool(orig)); vl.append(val_mgr->GetBool(orig));
if ( parts.size() > 0 ) if ( parts.size() > 0 )
vl->append(new StringVal(parts[0].c_str())); vl.append(new StringVal(parts[0].c_str()));
else vl->append(val_mgr->GetEmptyString()); else vl.append(val_mgr->GetEmptyString());
if ( parts.size() > 1 ) if ( parts.size() > 1 )
vl->append(new StringVal(parts[1].c_str())); vl.append(new StringVal(parts[1].c_str()));
else vl->append(val_mgr->GetEmptyString()); else vl.append(val_mgr->GetEmptyString());
if ( parts.size() > 2 ) if ( parts.size() > 2 )
vl->append(new StringVal(parts[2].c_str())); vl.append(new StringVal(parts[2].c_str()));
else vl->append(val_mgr->GetEmptyString()); else vl.append(val_mgr->GetEmptyString());
string realname; string realname;
for ( unsigned int i = 3; i < parts.size(); i++ ) for ( unsigned int i = 3; i < parts.size(); i++ )
@ -771,9 +761,9 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
} }
const char* name = realname.c_str(); const char* name = realname.c_str();
vl->append(new StringVal(*name == ':' ? name + 1 : name)); vl.append(new StringVal(*name == ':' ? name + 1 : name));
ConnectionEvent(irc_user_message, vl); ConnectionEvent(irc_user_message, std::move(vl));
} }
else if ( irc_oper_message && command == "OPER" ) else if ( irc_oper_message && command == "OPER" )
@ -782,13 +772,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
vector<string> parts = SplitWords(params, ' '); vector<string> parts = SplitWords(params, ' ');
if ( parts.size() == 2 ) if ( parts.size() == 2 )
{ {
val_list* vl = new val_list; ConnectionEvent(irc_oper_message, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(orig)); val_mgr->GetBool(orig),
vl->append(new StringVal(parts[0].c_str())); new StringVal(parts[0].c_str()),
vl->append(new StringVal(parts[1].c_str())); new StringVal(parts[1].c_str()),
});
ConnectionEvent(irc_oper_message, vl);
} }
else else
@ -805,12 +794,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
return; return;
} }
val_list* vl = new val_list; val_list vl(6);
vl->append(BuildConnVal()); vl.append(BuildConnVal());
vl->append(val_mgr->GetBool(orig)); vl.append(val_mgr->GetBool(orig));
vl->append(new StringVal(prefix.c_str())); vl.append(new StringVal(prefix.c_str()));
vl->append(new StringVal(parts[0].c_str())); vl.append(new StringVal(parts[0].c_str()));
vl->append(new StringVal(parts[1].c_str())); vl.append(new StringVal(parts[1].c_str()));
if ( parts.size() > 2 ) if ( parts.size() > 2 )
{ {
string comment = parts[2]; string comment = parts[2];
@ -820,12 +809,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( comment[0] == ':' ) if ( comment[0] == ':' )
comment = comment.substr(1); comment = comment.substr(1);
vl->append(new StringVal(comment.c_str())); vl.append(new StringVal(comment.c_str()));
} }
else else
vl->append(val_mgr->GetEmptyString()); vl.append(val_mgr->GetEmptyString());
ConnectionEvent(irc_kick_message, vl); ConnectionEvent(irc_kick_message, std::move(vl));
} }
else if ( irc_join_message && command == "JOIN" ) else if ( irc_join_message && command == "JOIN" )
@ -849,11 +838,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
nickname = prefix.substr(0, pos); nickname = prefix.substr(0, pos);
} }
val_list* vl = new val_list;
vl->append(BuildConnVal());
vl->append(val_mgr->GetBool(orig));
TableVal* list = new TableVal(irc_join_list); TableVal* list = new TableVal(irc_join_list);
vector<string> channels = SplitWords(parts[0], ','); vector<string> channels = SplitWords(parts[0], ',');
vector<string> passwords; vector<string> passwords;
@ -876,9 +862,11 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
Unref(info); Unref(info);
} }
vl->append(list); ConnectionEvent(irc_join_message, {
BuildConnVal(),
ConnectionEvent(irc_join_message, vl); val_mgr->GetBool(orig),
list,
});
} }
else if ( irc_join_message && command == "NJOIN" ) else if ( irc_join_message && command == "NJOIN" )
@ -895,12 +883,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
parts[1] = parts[1].substr(1); parts[1] = parts[1].substr(1);
vector<string> users = SplitWords(parts[1], ','); vector<string> users = SplitWords(parts[1], ',');
val_list* vl = new val_list;
vl->append(BuildConnVal());
vl->append(val_mgr->GetBool(orig));
TableVal* list = new TableVal(irc_join_list); TableVal* list = new TableVal(irc_join_list);
string empty_string = ""; string empty_string = "";
for ( unsigned int i = 0; i < users.size(); ++i ) for ( unsigned int i = 0; i < users.size(); ++i )
@ -939,9 +923,11 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
Unref(info); Unref(info);
} }
vl->append(list); ConnectionEvent(irc_join_message, {
BuildConnVal(),
ConnectionEvent(irc_join_message, vl); val_mgr->GetBool(orig),
list,
});
} }
else if ( irc_part_message && command == "PART" ) else if ( irc_part_message && command == "PART" )
@ -977,14 +963,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
Unref(idx); Unref(idx);
} }
val_list* vl = new val_list; ConnectionEvent(irc_part_message, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(orig)); val_mgr->GetBool(orig),
vl->append(new StringVal(nick.c_str())); new StringVal(nick.c_str()),
vl->append(set); set,
vl->append(new StringVal(message.c_str())); new StringVal(message.c_str()),
});
ConnectionEvent(irc_part_message, vl);
} }
else if ( irc_quit_message && command == "QUIT" ) else if ( irc_quit_message && command == "QUIT" )
@ -1001,13 +986,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
nickname = prefix.substr(0, pos); nickname = prefix.substr(0, pos);
} }
val_list* vl = new val_list; ConnectionEvent(irc_quit_message, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(orig)); val_mgr->GetBool(orig),
vl->append(new StringVal(nickname.c_str())); new StringVal(nickname.c_str()),
vl->append(new StringVal(message.c_str())); new StringVal(message.c_str()),
});
ConnectionEvent(irc_quit_message, vl);
} }
else if ( irc_nick_message && command == "NICK" ) else if ( irc_nick_message && command == "NICK" )
@ -1016,13 +1000,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( nick[0] == ':' ) if ( nick[0] == ':' )
nick = nick.substr(1); nick = nick.substr(1);
val_list* vl = new val_list; ConnectionEvent(irc_nick_message, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(orig)); val_mgr->GetBool(orig),
vl->append(new StringVal(prefix.c_str())); new StringVal(prefix.c_str()),
vl->append(new StringVal(nick.c_str())); new StringVal(nick.c_str())
});
ConnectionEvent(irc_nick_message, vl);
} }
else if ( irc_who_message && command == "WHO" ) else if ( irc_who_message && command == "WHO" )
@ -1042,16 +1025,14 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( parts.size() > 0 && parts[0].size() > 0 && parts[0][0] == ':' ) if ( parts.size() > 0 && parts[0].size() > 0 && parts[0][0] == ':' )
parts[0] = parts[0].substr(1); parts[0] = parts[0].substr(1);
val_list* vl = new val_list; ConnectionEvent(irc_who_message, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(orig)); val_mgr->GetBool(orig),
if ( parts.size() > 0 ) parts.size() > 0 ?
vl->append(new StringVal(parts[0].c_str())); new StringVal(parts[0].c_str()) :
else val_mgr->GetEmptyString(),
vl->append(val_mgr->GetEmptyString()); val_mgr->GetBool(oper),
vl->append(val_mgr->GetBool(oper)); });
ConnectionEvent(irc_who_message, vl);
} }
else if ( irc_whois_message && command == "WHOIS" ) else if ( irc_whois_message && command == "WHOIS" )
@ -1074,26 +1055,25 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
else else
users = parts[0]; users = parts[0];
val_list* vl = new val_list; ConnectionEvent(irc_whois_message, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(orig)); val_mgr->GetBool(orig),
vl->append(new StringVal(server.c_str())); new StringVal(server.c_str()),
vl->append(new StringVal(users.c_str())); new StringVal(users.c_str()),
});
ConnectionEvent(irc_whois_message, vl);
} }
else if ( irc_error_message && command == "ERROR" ) else if ( irc_error_message && command == "ERROR" )
{ {
val_list* vl = new val_list;
vl->append(BuildConnVal());
vl->append(val_mgr->GetBool(orig));
vl->append(new StringVal(prefix.c_str()));
if ( params[0] == ':' ) if ( params[0] == ':' )
params = params.substr(1); params = params.substr(1);
vl->append(new StringVal(params.c_str()));
ConnectionEvent(irc_error_message, vl); ConnectionEvent(irc_error_message, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(prefix.c_str()),
new StringVal(params.c_str()),
});
} }
else if ( irc_invite_message && command == "INVITE" ) else if ( irc_invite_message && command == "INVITE" )
@ -1104,14 +1084,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( parts[1].size() > 0 && parts[1][0] == ':' ) if ( parts[1].size() > 0 && parts[1][0] == ':' )
parts[1] = parts[1].substr(1); parts[1] = parts[1].substr(1);
val_list* vl = new val_list; ConnectionEvent(irc_invite_message, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(orig)); val_mgr->GetBool(orig),
vl->append(new StringVal(prefix.c_str())); new StringVal(prefix.c_str()),
vl->append(new StringVal(parts[0].c_str())); new StringVal(parts[0].c_str()),
vl->append(new StringVal(parts[1].c_str())); new StringVal(parts[1].c_str()),
});
ConnectionEvent(irc_invite_message, vl);
} }
else else
Weird("irc_invalid_invite_message_format"); Weird("irc_invalid_invite_message_format");
@ -1121,13 +1100,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
{ {
if ( params.size() > 0 ) if ( params.size() > 0 )
{ {
val_list* vl = new val_list; ConnectionEvent(irc_mode_message, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(orig)); val_mgr->GetBool(orig),
vl->append(new StringVal(prefix.c_str())); new StringVal(prefix.c_str()),
vl->append(new StringVal(params.c_str())); new StringVal(params.c_str()),
});
ConnectionEvent(irc_mode_message, vl);
} }
else else
@ -1136,11 +1114,11 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
else if ( irc_password_message && command == "PASS" ) else if ( irc_password_message && command == "PASS" )
{ {
val_list* vl = new val_list; ConnectionEvent(irc_password_message, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(orig)); val_mgr->GetBool(orig),
vl->append(new StringVal(params.c_str())); new StringVal(params.c_str()),
ConnectionEvent(irc_password_message, vl); });
} }
else if ( irc_squit_message && command == "SQUIT" ) else if ( irc_squit_message && command == "SQUIT" )
@ -1158,14 +1136,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
message = message.substr(1); message = message.substr(1);
} }
val_list* vl = new val_list; ConnectionEvent(irc_squit_message, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(orig)); val_mgr->GetBool(orig),
vl->append(new StringVal(prefix.c_str())); new StringVal(prefix.c_str()),
vl->append(new StringVal(server.c_str())); new StringVal(server.c_str()),
vl->append(new StringVal(message.c_str())); new StringVal(message.c_str()),
});
ConnectionEvent(irc_squit_message, vl);
} }
@ -1173,14 +1150,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
{ {
if ( irc_request ) if ( irc_request )
{ {
val_list* vl = new val_list; ConnectionEvent(irc_request, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(orig)); val_mgr->GetBool(orig),
vl->append(new StringVal(prefix.c_str())); new StringVal(prefix.c_str()),
vl->append(new StringVal(command.c_str())); new StringVal(command.c_str()),
vl->append(new StringVal(params.c_str())); new StringVal(params.c_str()),
});
ConnectionEvent(irc_request, vl);
} }
} }
@ -1188,14 +1164,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
{ {
if ( irc_message ) if ( irc_message )
{ {
val_list* vl = new val_list; ConnectionEvent(irc_message, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(orig)); val_mgr->GetBool(orig),
vl->append(new StringVal(prefix.c_str())); new StringVal(prefix.c_str()),
vl->append(new StringVal(command.c_str())); new StringVal(command.c_str()),
vl->append(new StringVal(params.c_str())); new StringVal(params.c_str()),
});
ConnectionEvent(irc_message, vl);
} }
} }
@ -1224,10 +1199,7 @@ void IRC_Analyzer::StartTLS()
if ( ssl ) if ( ssl )
AddChildAnalyzer(ssl); AddChildAnalyzer(ssl);
val_list* vl = new val_list; ConnectionEvent(irc_starttls, {BuildConnVal()});
vl->append(BuildConnVal());
ConnectionEvent(irc_starttls, vl);
} }
vector<string> IRC_Analyzer::SplitWords(const string input, const char split) vector<string> IRC_Analyzer::SplitWords(const string input, const char split)
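Review bot: The `irc_dcc_message` list still passes `atoi(parts[4].c_str())` and `atoi(parts[5].c_str())` straight into `val_mgr->GetCount(...)`, and `irc_who_line` does the same with `atoi(parts[7].c_str())` into `GetInt`. These strings are taken from the IRC stream; `atoi` reports no error, its behaviour is undefined when the number does not fit an `int`, and a negative result presumably turns into a very large count. Parse each number into a local before the braced list with a checked conversion, e.g. `errno = 0; char* end; unsigned long v = strtoul(parts[4].c_str(), &end, 10);`, rejecting a leading `-`, an empty parse and `ERANGE`, and raise a `Weird(...)` (name of the project's choosing) instead of queuing the event. DeliverStream starts and ends outside these hunks, so any earlier validation of `parts` is not visible here.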


@ -289,9 +289,7 @@ void Login_Analyzer::AuthenticationDialog(bool orig, char* line)
{ {
if ( authentication_skipped ) if ( authentication_skipped )
{ {
val_list* vl = new val_list; ConnectionEvent(authentication_skipped, {BuildConnVal()});
vl->append(BuildConnVal());
ConnectionEvent(authentication_skipped, vl);
} }
state = LOGIN_STATE_SKIP; state = LOGIN_STATE_SKIP;
@ -334,32 +332,26 @@ void Login_Analyzer::SetEnv(bool orig, char* name, char* val)
else if ( login_terminal && streq(name, "TERM") ) else if ( login_terminal && streq(name, "TERM") )
{ {
val_list* vl = new val_list; ConnectionEvent(login_terminal, {
BuildConnVal(),
vl->append(BuildConnVal()); new StringVal(val),
vl->append(new StringVal(val)); });
ConnectionEvent(login_terminal, vl);
} }
else if ( login_display && streq(name, "DISPLAY") ) else if ( login_display && streq(name, "DISPLAY") )
{ {
val_list* vl = new val_list; ConnectionEvent(login_display, {
BuildConnVal(),
vl->append(BuildConnVal()); new StringVal(val),
vl->append(new StringVal(val)); });
ConnectionEvent(login_display, vl);
} }
else if ( login_prompt && streq(name, "TTYPROMPT") ) else if ( login_prompt && streq(name, "TTYPROMPT") )
{ {
val_list* vl = new val_list; ConnectionEvent(login_prompt, {
BuildConnVal(),
vl->append(BuildConnVal()); new StringVal(val),
vl->append(new StringVal(val)); });
ConnectionEvent(login_prompt, vl);
} }
} }
@ -433,15 +425,13 @@ void Login_Analyzer::LoginEvent(EventHandlerPtr f, const char* line,
Val* password = HaveTypeahead() ? Val* password = HaveTypeahead() ?
PopUserTextVal() : new StringVal("<none>"); PopUserTextVal() : new StringVal("<none>");
val_list* vl = new val_list; ConnectionEvent(f, {
BuildConnVal(),
vl->append(BuildConnVal()); username->Ref(),
vl->append(username->Ref()); client_name ? client_name->Ref() : val_mgr->GetEmptyString(),
vl->append(client_name ? client_name->Ref() : val_mgr->GetEmptyString()); password,
vl->append(password); new StringVal(line),
vl->append(new StringVal(line)); });
ConnectionEvent(f, vl);
} }
const char* Login_Analyzer::GetUsername(const char* line) const const char* Login_Analyzer::GetUsername(const char* line) const
@ -454,12 +444,10 @@ const char* Login_Analyzer::GetUsername(const char* line) const
void Login_Analyzer::LineEvent(EventHandlerPtr f, const char* line) void Login_Analyzer::LineEvent(EventHandlerPtr f, const char* line)
{ {
val_list* vl = new val_list; ConnectionEvent(f, {
BuildConnVal(),
vl->append(BuildConnVal()); new StringVal(line),
vl->append(new StringVal(line)); });
ConnectionEvent(f, vl);
} }
@ -469,12 +457,11 @@ void Login_Analyzer::Confused(const char* msg, const char* line)
if ( login_confused ) if ( login_confused )
{ {
val_list* vl = new val_list; ConnectionEvent(login_confused, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(new StringVal(msg)); new StringVal(msg),
vl->append(new StringVal(line)); new StringVal(line),
});
ConnectionEvent(login_confused, vl);
} }
if ( login_confused_text ) if ( login_confused_text )
@ -496,10 +483,10 @@ void Login_Analyzer::ConfusionText(const char* line)
{ {
if ( login_confused_text ) if ( login_confused_text )
{ {
val_list* vl = new val_list; ConnectionEvent(login_confused_text, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(new StringVal(line)); new StringVal(line),
ConnectionEvent(login_confused_text, vl); });
} }
} }


@ -461,11 +461,10 @@ void NVT_Analyzer::SetTerminal(const u_char* terminal, int len)
{ {
if ( login_terminal ) if ( login_terminal )
{ {
val_list* vl = new val_list; ConnectionEvent(login_terminal, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(new StringVal(new BroString(terminal, len, 0))); new StringVal(new BroString(terminal, len, 0)),
});
ConnectionEvent(login_terminal, vl);
} }
} }


@ -156,31 +156,38 @@ void Rsh_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{ {
Login_Analyzer::DeliverStream(len, data, orig); Login_Analyzer::DeliverStream(len, data, orig);
if ( orig )
{
if ( ! rsh_request )
return;
}
else
{
if ( ! rsh_reply )
return;
}
val_list vl(4 + orig);
const char* line = (const char*) data; const char* line = (const char*) data;
val_list* vl = new val_list;
line = skip_whitespace(line); line = skip_whitespace(line);
vl->append(BuildConnVal()); vl.append(BuildConnVal());
vl->append(client_name ? client_name->Ref() : new StringVal("<none>")); vl.append(client_name ? client_name->Ref() : new StringVal("<none>"));
vl->append(username ? username->Ref() : new StringVal("<none>")); vl.append(username ? username->Ref() : new StringVal("<none>"));
vl->append(new StringVal(line)); vl.append(new StringVal(line));
if ( orig && rsh_request ) if ( orig )
{ {
if ( contents_orig->RshSaveState() == RSH_SERVER_USER_NAME ) if ( contents_orig->RshSaveState() == RSH_SERVER_USER_NAME )
// First input // First input
vl->append(val_mgr->GetTrue()); vl.append(val_mgr->GetTrue());
else else
vl->append(val_mgr->GetFalse()); vl.append(val_mgr->GetFalse());
ConnectionEvent(rsh_request, vl); ConnectionEvent(rsh_request, std::move(vl));
} }
else if ( rsh_reply )
ConnectionEvent(rsh_reply, vl);
else else
delete_vals(vl); ConnectionEvent(rsh_reply, std::move(vl));
} }
void Rsh_Analyzer::ClientUserName(const char* s) void Rsh_Analyzer::ClientUserName(const char* s)
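Review bot: `vl.append(new StringVal(line));` in `Rsh_Analyzer::DeliverStream` takes the string length from a terminating NUL and never consults `len`, and `skip_whitespace(line)` walks the same buffer. The event payload is therefore bounded only if `data` is NUL-terminated, and the hunk does not show where that guarantee comes from. If the caller provides it, a comment at the cast such as `// relies on data being NUL-terminated by the caller; len is not consulted` would make the assumption reviewable. Separately, `val_list vl(4 + orig);` deserves a short comment saying that the fifth slot is the first-input flag appended only for requests.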


@ -244,11 +244,9 @@ void Rlogin_Analyzer::TerminalType(const char* s)
{ {
if ( login_terminal ) if ( login_terminal )
{ {
val_list* vl = new val_list; ConnectionEvent(login_terminal, {
BuildConnVal(),
vl->append(BuildConnVal()); new StringVal(s),
vl->append(new StringVal(s)); });
ConnectionEvent(login_terminal, vl);
} }
} }


@ -1358,11 +1358,11 @@ void MIME_Mail::Done()
hash_final(md5_hash, digest); hash_final(md5_hash, digest);
md5_hash = nullptr; md5_hash = nullptr;
val_list* vl = new val_list; analyzer->ConnectionEvent(mime_content_hash, {
vl->append(analyzer->BuildConnVal()); analyzer->BuildConnVal(),
vl->append(val_mgr->GetCount(content_hash_length)); val_mgr->GetCount(content_hash_length),
vl->append(new StringVal(new BroString(1, digest, 16))); new StringVal(new BroString(1, digest, 16)),
analyzer->ConnectionEvent(mime_content_hash, vl); });
} }
MIME_Message::Done(); MIME_Message::Done();
@ -1386,11 +1386,7 @@ void MIME_Mail::BeginEntity(MIME_Entity* /* entity */)
cur_entity_id.clear(); cur_entity_id.clear();
if ( mime_begin_entity ) if ( mime_begin_entity )
{ analyzer->ConnectionEvent(mime_begin_entity, {analyzer->BuildConnVal()});
val_list* vl = new val_list;
vl->append(analyzer->BuildConnVal());
analyzer->ConnectionEvent(mime_begin_entity, vl);
}
buffer_start = data_start = 0; buffer_start = data_start = 0;
ASSERT(entity_content.size() == 0); ASSERT(entity_content.size() == 0);
@ -1402,12 +1398,12 @@ void MIME_Mail::EndEntity(MIME_Entity* /* entity */)
{ {
BroString* s = concatenate(entity_content); BroString* s = concatenate(entity_content);
val_list* vl = new val_list();
vl->append(analyzer->BuildConnVal());
vl->append(val_mgr->GetCount(s->Len()));
vl->append(new StringVal(s));
analyzer->ConnectionEvent(mime_entity_data, vl); analyzer->ConnectionEvent(mime_entity_data, {
analyzer->BuildConnVal(),
val_mgr->GetCount(s->Len()),
new StringVal(s),
});
if ( ! mime_all_data ) if ( ! mime_all_data )
delete_strings(entity_content); delete_strings(entity_content);
@ -1416,11 +1412,7 @@ void MIME_Mail::EndEntity(MIME_Entity* /* entity */)
} }
if ( mime_end_entity ) if ( mime_end_entity )
{ analyzer->ConnectionEvent(mime_end_entity, {analyzer->BuildConnVal()});
val_list* vl = new val_list;
vl->append(analyzer->BuildConnVal());
analyzer->ConnectionEvent(mime_end_entity, vl);
}
file_mgr->EndOfFile(analyzer->GetAnalyzerTag(), analyzer->Conn()); file_mgr->EndOfFile(analyzer->GetAnalyzerTag(), analyzer->Conn());
cur_entity_id.clear(); cur_entity_id.clear();
@ -1430,10 +1422,10 @@ void MIME_Mail::SubmitHeader(MIME_Header* h)
{ {
if ( mime_one_header ) if ( mime_one_header )
{ {
val_list* vl = new val_list(); analyzer->ConnectionEvent(mime_one_header, {
vl->append(analyzer->BuildConnVal()); analyzer->BuildConnVal(),
vl->append(BuildHeaderVal(h)); BuildHeaderVal(h),
analyzer->ConnectionEvent(mime_one_header, vl); });
} }
} }
@ -1441,10 +1433,10 @@ void MIME_Mail::SubmitAllHeaders(MIME_HeaderList& hlist)
{ {
if ( mime_all_headers ) if ( mime_all_headers )
{ {
val_list* vl = new val_list(); analyzer->ConnectionEvent(mime_all_headers, {
vl->append(analyzer->BuildConnVal()); analyzer->BuildConnVal(),
vl->append(BuildHeaderTable(hlist)); BuildHeaderTable(hlist),
analyzer->ConnectionEvent(mime_all_headers, vl); });
} }
} }
@ -1478,11 +1470,11 @@ void MIME_Mail::SubmitData(int len, const char* buf)
const char* data = (char*) data_buffer->Bytes() + data_start; const char* data = (char*) data_buffer->Bytes() + data_start;
int data_len = (buf + len) - data; int data_len = (buf + len) - data;
val_list* vl = new val_list(); analyzer->ConnectionEvent(mime_segment_data, {
vl->append(analyzer->BuildConnVal()); analyzer->BuildConnVal(),
vl->append(val_mgr->GetCount(data_len)); val_mgr->GetCount(data_len),
vl->append(new StringVal(data_len, data)); new StringVal(data_len, data),
analyzer->ConnectionEvent(mime_segment_data, vl); });
} }
cur_entity_id = file_mgr->DataIn(reinterpret_cast<const u_char*>(buf), len, cur_entity_id = file_mgr->DataIn(reinterpret_cast<const u_char*>(buf), len,
@ -1525,12 +1517,11 @@ void MIME_Mail::SubmitAllData()
BroString* s = concatenate(all_content); BroString* s = concatenate(all_content);
delete_strings(all_content); delete_strings(all_content);
val_list* vl = new val_list(); analyzer->ConnectionEvent(mime_all_data, {
vl->append(analyzer->BuildConnVal()); analyzer->BuildConnVal(),
vl->append(val_mgr->GetCount(s->Len())); val_mgr->GetCount(s->Len()),
vl->append(new StringVal(s)); new StringVal(s),
});
analyzer->ConnectionEvent(mime_all_data, vl);
} }
} }
@ -1555,10 +1546,10 @@ void MIME_Mail::SubmitEvent(int event_type, const char* detail)
if ( mime_event ) if ( mime_event )
{ {
val_list* vl = new val_list(); analyzer->ConnectionEvent(mime_event, {
vl->append(analyzer->BuildConnVal()); analyzer->BuildConnVal(),
vl->append(new StringVal(category)); new StringVal(category),
vl->append(new StringVal(detail)); new StringVal(detail),
analyzer->ConnectionEvent(mime_event, vl); });
} }
} }


@ -61,21 +61,27 @@ void NCP_Session::DeliverFrame(const binpac::NCP::ncp_frame* frame)
EventHandlerPtr f = frame->is_orig() ? ncp_request : ncp_reply; EventHandlerPtr f = frame->is_orig() ? ncp_request : ncp_reply;
if ( f ) if ( f )
{ {
val_list* vl = new val_list;
vl->append(analyzer->BuildConnVal());
vl->append(val_mgr->GetCount(frame->frame_type()));
vl->append(val_mgr->GetCount(frame->body_length()));
if ( frame->is_orig() ) if ( frame->is_orig() )
vl->append(val_mgr->GetCount(req_func)); {
analyzer->ConnectionEvent(f, {
analyzer->BuildConnVal(),
val_mgr->GetCount(frame->frame_type()),
val_mgr->GetCount(frame->body_length()),
val_mgr->GetCount(req_func),
});
}
else else
{ {
vl->append(val_mgr->GetCount(req_frame_type)); analyzer->ConnectionEvent(f, {
vl->append(val_mgr->GetCount(req_func)); analyzer->BuildConnVal(),
vl->append(val_mgr->GetCount(frame->reply()->completion_code())); val_mgr->GetCount(frame->frame_type()),
val_mgr->GetCount(frame->body_length()),
val_mgr->GetCount(req_frame_type),
val_mgr->GetCount(req_func),
val_mgr->GetCount(frame->reply()->completion_code()),
});
} }
analyzer->ConnectionEvent(f, vl);
} }
} }
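Review bot: The two branches in `NCP_Session::DeliverFrame` now repeat the first three list elements (`BuildConnVal()`, `frame_type()`, `body_length()`), so a later change to the common event prefix has to be made twice and can silently diverge between `ncp_request` and `ncp_reply`. A stack list with reserved capacity, as the commit uses in `Rsh_Analyzer::DeliverStream`, keeps the shared prefix in one place. The function begins outside the hunk.
```cpp
	if ( f )
		{
		val_list vl(frame->is_orig() ? 4 : 6);
		vl.append(analyzer->BuildConnVal());
		vl.append(val_mgr->GetCount(frame->frame_type()));
		vl.append(val_mgr->GetCount(frame->body_length()));

		if ( frame->is_orig() )
			vl.append(val_mgr->GetCount(req_func));
		else
			{
			vl.append(val_mgr->GetCount(req_frame_type));
			vl.append(val_mgr->GetCount(req_func));
			vl.append(val_mgr->GetCount(frame->reply()->completion_code()));
			}

		analyzer->ConnectionEvent(f, std::move(vl));
		}
```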


@ -58,12 +58,12 @@ int NetbiosSSN_Interpreter::ParseMessage(unsigned int type, unsigned int flags,
{ {
if ( netbios_session_message ) if ( netbios_session_message )
{ {
val_list* vl = new val_list; analyzer->ConnectionEvent(netbios_session_message, {
vl->append(analyzer->BuildConnVal()); analyzer->BuildConnVal(),
vl->append(val_mgr->GetBool(is_query)); val_mgr->GetBool(is_query),
vl->append(val_mgr->GetCount(type)); val_mgr->GetCount(type),
vl->append(val_mgr->GetCount(len)); val_mgr->GetCount(len),
analyzer->ConnectionEvent(netbios_session_message, vl); });
} }
switch ( type ) { switch ( type ) {
@ -328,13 +328,19 @@ void NetbiosSSN_Interpreter::Event(EventHandlerPtr event, const u_char* data,
if ( ! event ) if ( ! event )
return; return;
val_list* vl = new val_list;
vl->append(analyzer->BuildConnVal());
if ( is_orig >= 0 ) if ( is_orig >= 0 )
vl->append(val_mgr->GetBool(is_orig)); {
vl->append(new StringVal(new BroString(data, len, 0))); analyzer->ConnectionEvent(event, {
analyzer->BuildConnVal(),
analyzer->ConnectionEvent(event, vl); val_mgr->GetBool(is_orig),
new StringVal(new BroString(data, len, 0)),
});
}
else
analyzer->ConnectionEvent(event, {
analyzer->BuildConnVal(),
new StringVal(new BroString(data, len, 0)),
});
} }
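Review bot: In `NetbiosSSN_Interpreter::Event` the `if ( is_orig >= 0 )` branch is braced but the `else` carries a multi-line `ConnectionEvent` call without braces, which is easy to misread when another statement is added later. Bracing the `else` the same way keeps the two branches parallel. Both branches also repeat `new StringVal(new BroString(data, len, 0))`, so a comment noting that the lists differ only by the optional `is_orig` element would help the next reader. The function begins outside the hunk.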


@ -78,12 +78,11 @@ void NTP_Analyzer::Message(const u_char* data, int len)
msg->Assign(9, new Val(LongFloat(ntp_data->rec), TYPE_TIME)); msg->Assign(9, new Val(LongFloat(ntp_data->rec), TYPE_TIME));
msg->Assign(10, new Val(LongFloat(ntp_data->xmt), TYPE_TIME)); msg->Assign(10, new Val(LongFloat(ntp_data->xmt), TYPE_TIME));
val_list* vl = new val_list; ConnectionEvent(ntp_message, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(msg); msg,
vl->append(new StringVal(new BroString(data, len, 0))); new StringVal(new BroString(data, len, 0)),
});
ConnectionEvent(ntp_message, vl);
} }
double NTP_Analyzer::ShortFloat(struct s_fixedpt fp) double NTP_Analyzer::ShortFloat(struct s_fixedpt fp)


@ -833,10 +833,7 @@ void POP3_Analyzer::StartTLS()
if ( ssl ) if ( ssl )
AddChildAnalyzer(ssl); AddChildAnalyzer(ssl);
val_list* vl = new val_list; ConnectionEvent(pop3_starttls, {BuildConnVal()});
vl->append(BuildConnVal());
ConnectionEvent(pop3_starttls, vl);
} }
void POP3_Analyzer::AuthSuccessfull() void POP3_Analyzer::AuthSuccessfull()
@ -926,14 +923,14 @@ void POP3_Analyzer::POP3Event(EventHandlerPtr event, bool is_orig,
if ( ! event ) if ( ! event )
return; return;
val_list* vl = new val_list; val_list vl(2 + (bool)arg1 + (bool)arg2);
vl->append(BuildConnVal()); vl.append(BuildConnVal());
vl->append(val_mgr->GetBool(is_orig)); vl.append(val_mgr->GetBool(is_orig));
if ( arg1 ) if ( arg1 )
vl->append(new StringVal(arg1)); vl.append(new StringVal(arg1));
if ( arg2 ) if ( arg2 )
vl->append(new StringVal(arg2)); vl.append(new StringVal(arg2));
ConnectionEvent(event, vl); ConnectionEvent(event, std::move(vl));
} }
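Review bot: `val_list vl(2 + (bool)arg1 + (bool)arg2);` in `POP3_Analyzer::POP3Event` sizes the list with C-style pointer-to-bool casts, which hides that the count has to track the two `if ( argN )` appends below it. Writing it as `val_list vl(2 + (arg1 != nullptr) + (arg2 != nullptr));` states the intent without a cast. Note also that when `arg1` is null and `arg2` is not, `arg2` lands in the third position of the event; whether any caller does that is not visible here. The function's signature starts outside the hunk.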


@ -93,9 +93,9 @@ int MOUNT_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status
if ( mount_reply_status ) if ( mount_reply_status )
{ {
val_list* vl = event_common_vl(c, rpc_status, mount_status, auto vl = event_common_vl(c, rpc_status, mount_status,
start_time, last_time, reply_len); start_time, last_time, reply_len, 0);
analyzer->ConnectionEvent(mount_reply_status, vl); analyzer->ConnectionEvent(mount_reply_status, std::move(vl));
} }
if ( ! rpc_success ) if ( ! rpc_success )
@ -162,34 +162,34 @@ int MOUNT_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status
// optional and all are set to 0 ... // optional and all are set to 0 ...
if ( event ) if ( event )
{ {
val_list* vl = event_common_vl(c, rpc_status, mount_status,
start_time, last_time, reply_len);
Val *request = c->TakeRequestVal(); Val *request = c->TakeRequestVal();
auto vl = event_common_vl(c, rpc_status, mount_status,
start_time, last_time, reply_len, (bool)request + (bool)reply);
if ( request ) if ( request )
vl->append(request); vl.append(request);
if ( reply ) if ( reply )
vl->append(reply); vl.append(reply);
analyzer->ConnectionEvent(event, vl); analyzer->ConnectionEvent(event, std::move(vl));
} }
else else
Unref(reply); Unref(reply);
return 1; return 1;
} }
val_list* MOUNT_Interp::event_common_vl(RPC_CallInfo *c, val_list MOUNT_Interp::event_common_vl(RPC_CallInfo *c,
BifEnum::rpc_status rpc_status, BifEnum::rpc_status rpc_status,
BifEnum::MOUNT3::status_t mount_status, BifEnum::MOUNT3::status_t mount_status,
double rep_start_time, double rep_start_time,
double rep_last_time, int reply_len) double rep_last_time, int reply_len, int extra_elements)
{ {
// Returns a new val_list that already has a conn_val, and mount3_info. // Returns a new val_list that already has a conn_val, and mount3_info.
// These are the first parameters for each mount_* event ... // These are the first parameters for each mount_* event ...
val_list *vl = new val_list; val_list vl(2 + extra_elements);
vl->append(analyzer->BuildConnVal()); vl.append(analyzer->BuildConnVal());
VectorVal* auxgids = new VectorVal(internal_type("index_vec")->AsVectorType()); VectorVal* auxgids = new VectorVal(internal_type("index_vec")->AsVectorType());
for (size_t i = 0; i < c->AuxGIDs().size(); ++i) for (size_t i = 0; i < c->AuxGIDs().size(); ++i)
@ -212,7 +212,7 @@ val_list* MOUNT_Interp::event_common_vl(RPC_CallInfo *c,
info->Assign(11, new StringVal(c->MachineName())); info->Assign(11, new StringVal(c->MachineName()));
info->Assign(12, auxgids); info->Assign(12, auxgids);
vl->append(info); vl.append(info);
return vl; return vl;
} }
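Review bot: In `MOUNT_Interp::RPC_BuildReply`, `c->TakeRequestVal()` now runs before `event_common_vl(c, ...)` so that `(bool)request + (bool)reply` can size the list, which reverses the previous order of the two calls on `c`. The part of `event_common_vl` that fills the info record lies outside the hunk, so it is worth confirming that it never reads the request value from `c`. A comment such as `// request is taken first only so the list can be sized; event_common_vl() does not use it` would record the intent. The same reordering appears in `NFS_Interp::RPC_BuildReply`, and both functions begin outside their hunks.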


@ -22,10 +22,10 @@ protected:
// Returns a new val_list that already has a conn_val, rpc_status and // Returns a new val_list that already has a conn_val, rpc_status and
// mount_status. These are the first parameters for each mount_* event // mount_status. These are the first parameters for each mount_* event
// ... // ...
val_list* event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status, val_list event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status,
BifEnum::MOUNT3::status_t mount_status, BifEnum::MOUNT3::status_t mount_status,
double rep_start_time, double rep_last_time, double rep_start_time, double rep_last_time,
int reply_len); int reply_len, int extra_elements);
// These methods parse the appropriate MOUNTv3 "type" out of buf. If // These methods parse the appropriate MOUNTv3 "type" out of buf. If
// there are any errors (i.e., buffer to short, etc), buf will be set // there are any errors (i.e., buffer to short, etc), buf will be set
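Review bot: The comment above `event_common_vl` does not describe the new `extra_elements` parameter. It also still lists `rpc_status and mount_status` as list contents, while the comment on the definition says the list holds a conn_val and mount3_info. Judging from `val_list vl(2 + extra_elements)` in the definition, the parameter looks like a capacity hint only, so a line such as `// extra_elements: number of vals the caller will append afterwards; only used to reserve capacity.` would fit. The `NFS_Interp::event_common_vl` declaration needs the same update.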


@ -147,9 +147,9 @@ int NFS_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status,
if ( nfs_reply_status ) if ( nfs_reply_status )
{ {
val_list* vl = event_common_vl(c, rpc_status, nfs_status, auto vl = event_common_vl(c, rpc_status, nfs_status,
start_time, last_time, reply_len); start_time, last_time, reply_len, 0);
analyzer->ConnectionEvent(nfs_reply_status, vl); analyzer->ConnectionEvent(nfs_reply_status, std::move(vl));
} }
if ( ! rpc_success ) if ( ! rpc_success )
@ -274,18 +274,18 @@ int NFS_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status,
// optional and all are set to 0 ... // optional and all are set to 0 ...
if ( event ) if ( event )
{ {
val_list* vl = event_common_vl(c, rpc_status, nfs_status,
start_time, last_time, reply_len);
Val *request = c->TakeRequestVal(); Val *request = c->TakeRequestVal();
auto vl = event_common_vl(c, rpc_status, nfs_status,
start_time, last_time, reply_len, (bool)request + (bool)reply);
if ( request ) if ( request )
vl->append(request); vl.append(request);
if ( reply ) if ( reply )
vl->append(reply); vl.append(reply);
analyzer->ConnectionEvent(event, vl); analyzer->ConnectionEvent(event, std::move(vl));
} }
else else
Unref(reply); Unref(reply);
@ -317,15 +317,15 @@ StringVal* NFS_Interp::nfs3_file_data(const u_char*& buf, int& n, uint64_t offse
return 0; return 0;
} }
val_list* NFS_Interp::event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status, val_list NFS_Interp::event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status,
BifEnum::NFS3::status_t nfs_status, BifEnum::NFS3::status_t nfs_status,
double rep_start_time, double rep_start_time,
double rep_last_time, int reply_len) double rep_last_time, int reply_len, int extra_elements)
{ {
// Returns a new val_list that already has a conn_val, and nfs3_info. // Returns a new val_list that already has a conn_val, and nfs3_info.
// These are the first parameters for each nfs_* event ... // These are the first parameters for each nfs_* event ...
val_list *vl = new val_list; val_list vl(2 + extra_elements);
vl->append(analyzer->BuildConnVal()); vl.append(analyzer->BuildConnVal());
VectorVal* auxgids = new VectorVal(internal_type("index_vec")->AsVectorType()); VectorVal* auxgids = new VectorVal(internal_type("index_vec")->AsVectorType());
for ( size_t i = 0; i < c->AuxGIDs().size(); ++i ) for ( size_t i = 0; i < c->AuxGIDs().size(); ++i )
@ -346,7 +346,7 @@ val_list* NFS_Interp::event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_s
info->Assign(11, new StringVal(c->MachineName())); info->Assign(11, new StringVal(c->MachineName()));
info->Assign(12, auxgids); info->Assign(12, auxgids);
vl->append(info); vl.append(info);
return vl; return vl;
} }


@ -22,10 +22,10 @@ protected:
// Returns a new val_list that already has a conn_val, rpc_status and // Returns a new val_list that already has a conn_val, rpc_status and
// nfs_status. These are the first parameters for each nfs_* event // nfs_status. These are the first parameters for each nfs_* event
// ... // ...
val_list* event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status, val_list event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status,
BifEnum::NFS3::status_t nfs_status, BifEnum::NFS3::status_t nfs_status,
double rep_start_time, double rep_last_time, double rep_start_time, double rep_last_time,
int reply_len); int reply_len, int extra_elements);
// These methods parse the appropriate NFSv3 "type" out of buf. If // These methods parse the appropriate NFSv3 "type" out of buf. If
// there are any errors (i.e., buffer to short, etc), buf will be set // there are any errors (i.e., buffer to short, etc), buf will be set


@ -261,10 +261,10 @@ uint32 PortmapperInterp::CheckPort(uint32 port)
{ {
if ( pm_bad_port ) if ( pm_bad_port )
{ {
val_list* vl = new val_list; analyzer->ConnectionEvent(pm_bad_port, {
vl->append(analyzer->BuildConnVal()); analyzer->BuildConnVal(),
vl->append(val_mgr->GetCount(port)); val_mgr->GetCount(port),
analyzer->ConnectionEvent(pm_bad_port, vl); });
} }
port = 0; port = 0;
@ -282,25 +282,25 @@ void PortmapperInterp::Event(EventHandlerPtr f, Val* request, BifEnum::rpc_statu
return; return;
} }
val_list* vl = new val_list; val_list vl;
vl->append(analyzer->BuildConnVal()); vl.append(analyzer->BuildConnVal());
if ( status == BifEnum::RPC_SUCCESS ) if ( status == BifEnum::RPC_SUCCESS )
{ {
if ( request ) if ( request )
vl->append(request); vl.append(request);
if ( reply ) if ( reply )
vl->append(reply); vl.append(reply);
} }
else else
{ {
vl->append(BifType::Enum::rpc_status->GetVal(status)); vl.append(BifType::Enum::rpc_status->GetVal(status));
if ( request ) if ( request )
vl->append(request); vl.append(request);
} }
analyzer->ConnectionEvent(f, vl); analyzer->ConnectionEvent(f, std::move(vl));
} }
Portmapper_Analyzer::Portmapper_Analyzer(Connection* conn) Portmapper_Analyzer::Portmapper_Analyzer(Connection* conn)
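Review bot: `val_list vl;` in `PortmapperInterp::Event` is default-constructed, while the other stack lists in this commit reserve their capacity up front. Both branches append at most three values (the conn val plus request and reply, or the conn val plus status and request), so `val_list vl(3);` would match the rest of the change. The function begins outside the hunk, so the early-return path above it is not reviewed here.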


@ -330,16 +330,16 @@ void RPC_Interpreter::Event_RPC_Dialogue(RPC_CallInfo* c, BifEnum::rpc_status st
{ {
if ( rpc_dialogue ) if ( rpc_dialogue )
{ {
val_list* vl = new val_list; analyzer->ConnectionEvent(rpc_dialogue, {
vl->append(analyzer->BuildConnVal()); analyzer->BuildConnVal(),
vl->append(val_mgr->GetCount(c->Program())); val_mgr->GetCount(c->Program()),
vl->append(val_mgr->GetCount(c->Version())); val_mgr->GetCount(c->Version()),
vl->append(val_mgr->GetCount(c->Proc())); val_mgr->GetCount(c->Proc()),
vl->append(BifType::Enum::rpc_status->GetVal(status)); BifType::Enum::rpc_status->GetVal(status),
vl->append(new Val(c->StartTime(), TYPE_TIME)); new Val(c->StartTime(), TYPE_TIME),
vl->append(val_mgr->GetCount(c->CallLen())); val_mgr->GetCount(c->CallLen()),
vl->append(val_mgr->GetCount(reply_len)); val_mgr->GetCount(reply_len),
analyzer->ConnectionEvent(rpc_dialogue, vl); });
} }
} }
@ -347,14 +347,14 @@ void RPC_Interpreter::Event_RPC_Call(RPC_CallInfo* c)
{ {
if ( rpc_call ) if ( rpc_call )
{ {
val_list* vl = new val_list; analyzer->ConnectionEvent(rpc_call, {
vl->append(analyzer->BuildConnVal()); analyzer->BuildConnVal(),
vl->append(val_mgr->GetCount(c->XID())); val_mgr->GetCount(c->XID()),
vl->append(val_mgr->GetCount(c->Program())); val_mgr->GetCount(c->Program()),
vl->append(val_mgr->GetCount(c->Version())); val_mgr->GetCount(c->Version()),
vl->append(val_mgr->GetCount(c->Proc())); val_mgr->GetCount(c->Proc()),
vl->append(val_mgr->GetCount(c->CallLen())); val_mgr->GetCount(c->CallLen()),
analyzer->ConnectionEvent(rpc_call, vl); });
} }
} }
@ -362,12 +362,12 @@ void RPC_Interpreter::Event_RPC_Reply(uint32_t xid, BifEnum::rpc_status status,
{ {
if ( rpc_reply ) if ( rpc_reply )
{ {
val_list* vl = new val_list; analyzer->ConnectionEvent(rpc_reply, {
vl->append(analyzer->BuildConnVal()); analyzer->BuildConnVal(),
vl->append(val_mgr->GetCount(xid)); val_mgr->GetCount(xid),
vl->append(BifType::Enum::rpc_status->GetVal(status)); BifType::Enum::rpc_status->GetVal(status),
vl->append(val_mgr->GetCount(reply_len)); val_mgr->GetCount(reply_len),
analyzer->ConnectionEvent(rpc_reply, vl); });
} }
} }


@ -220,11 +220,11 @@ void SMTP_Analyzer::ProcessLine(int length, const char* line, bool orig)
if ( smtp_data && ! skip_data ) if ( smtp_data && ! skip_data )
{ {
val_list* vl = new val_list; ConnectionEvent(smtp_data, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(orig)); val_mgr->GetBool(orig),
vl->append(new StringVal(data_len, line)); new StringVal(data_len, line),
ConnectionEvent(smtp_data, vl); });
} }
} }
@ -350,15 +350,14 @@ void SMTP_Analyzer::ProcessLine(int length, const char* line, bool orig)
break; break;
} }
val_list* vl = new val_list; ConnectionEvent(smtp_reply, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(orig)); val_mgr->GetBool(orig),
vl->append(val_mgr->GetCount(reply_code)); val_mgr->GetCount(reply_code),
vl->append(new StringVal(cmd)); new StringVal(cmd),
vl->append(new StringVal(end_of_line - line, line)); new StringVal(end_of_line - line, line),
vl->append(val_mgr->GetBool((pending_reply > 0))); val_mgr->GetBool((pending_reply > 0)),
});
ConnectionEvent(smtp_reply, vl);
} }
} }
@ -411,10 +410,7 @@ void SMTP_Analyzer::StartTLS()
if ( ssl ) if ( ssl )
AddChildAnalyzer(ssl); AddChildAnalyzer(ssl);
val_list* vl = new val_list; ConnectionEvent(smtp_starttls, {BuildConnVal()});
vl->append(BuildConnVal());
ConnectionEvent(smtp_starttls, vl);
} }
@ -856,14 +852,12 @@ void SMTP_Analyzer::RequestEvent(int cmd_len, const char* cmd,
int arg_len, const char* arg) int arg_len, const char* arg)
{ {
ProtocolConfirmation(); ProtocolConfirmation();
val_list* vl = new val_list; ConnectionEvent(smtp_request, {
BuildConnVal(),
vl->append(BuildConnVal()); val_mgr->GetBool(orig_is_sender),
vl->append(val_mgr->GetBool(orig_is_sender)); (new StringVal(cmd_len, cmd))->ToUpper(),
vl->append((new StringVal(cmd_len, cmd))->ToUpper()); new StringVal(arg_len, arg),
vl->append(new StringVal(arg_len, arg)); });
ConnectionEvent(smtp_request, vl);
} }
void SMTP_Analyzer::Unexpected(const int is_sender, const char* msg, void SMTP_Analyzer::Unexpected(const int is_sender, const char* msg,
@ -874,17 +868,16 @@ void SMTP_Analyzer::Unexpected(const int is_sender, const char* msg,
if ( smtp_unexpected ) if ( smtp_unexpected )
{ {
val_list* vl = new val_list;
int is_orig = is_sender; int is_orig = is_sender;
if ( ! orig_is_sender ) if ( ! orig_is_sender )
is_orig = ! is_orig; is_orig = ! is_orig;
vl->append(BuildConnVal()); ConnectionEvent(smtp_unexpected, {
vl->append(val_mgr->GetBool(is_orig)); BuildConnVal(),
vl->append(new StringVal(msg)); val_mgr->GetBool(is_orig),
vl->append(new StringVal(detail_len, detail)); new StringVal(msg),
new StringVal(detail_len, detail),
ConnectionEvent(smtp_unexpected, vl); });
} }
} }


@ -139,25 +139,20 @@ void SteppingStoneEndpoint::Event(EventHandlerPtr f, int id1, int id2)
if ( ! f ) if ( ! f )
return; return;
val_list* vl = new val_list;
vl->append(val_mgr->GetInt(id1));
if ( id2 >= 0 ) if ( id2 >= 0 )
vl->append(val_mgr->GetInt(id2)); endp->TCP()->ConnectionEvent(f, {val_mgr->GetInt(id1), val_mgr->GetInt(id2)});
else
endp->TCP()->ConnectionEvent(f, {val_mgr->GetInt(id1)});
endp->TCP()->ConnectionEvent(f, vl);
} }
void SteppingStoneEndpoint::CreateEndpEvent(int is_orig) void SteppingStoneEndpoint::CreateEndpEvent(int is_orig)
{ {
val_list* vl = new val_list; endp->TCP()->ConnectionEvent(stp_create_endp, {
endp->TCP()->BuildConnVal(),
vl->append(endp->TCP()->BuildConnVal()); val_mgr->GetInt(stp_id),
vl->append(val_mgr->GetInt(stp_id)); val_mgr->GetBool(is_orig),
vl->append(val_mgr->GetBool(is_orig)); });
endp->TCP()->ConnectionEvent(stp_create_endp, vl);
} }
SteppingStone_Analyzer::SteppingStone_Analyzer(Connection* c) SteppingStone_Analyzer::SteppingStone_Analyzer(Connection* c)
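Review bot: `SteppingStoneEndpoint::CreateEndpEvent` builds its three values without checking `stp_create_endp`, whereas `Event` just above it returns early on `! f`. Whether `ConnectionEvent` releases the values when no handler is registered is not visible in this hunk, and `BuildConnVal()` runs either way. A guard such as `if ( ! stp_create_endp ) return;` at the top would make the two methods consistent. `TCPStats_Analyzer::Done` passes `conn_stats` in the same unguarded way.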


@ -299,11 +299,11 @@ static void passive_fingerprint(TCP_Analyzer* tcp, bool is_orig,
if ( OS_val ) if ( OS_val )
{ // found new OS version { // found new OS version
val_list* vl = new val_list; tcp->ConnectionEvent(OS_version_found, {
vl->append(tcp->BuildConnVal()); tcp->BuildConnVal(),
vl->append(src_addr_val->Ref()); src_addr_val->Ref(),
vl->append(OS_val); OS_val,
tcp->ConnectionEvent(OS_version_found, vl); });
} }
} }
@ -965,20 +965,17 @@ void TCP_Analyzer::GeneratePacketEvent(
const u_char* data, int len, int caplen, const u_char* data, int len, int caplen,
int is_orig, TCP_Flags flags) int is_orig, TCP_Flags flags)
{ {
val_list* vl = new val_list(); ConnectionEvent(tcp_packet, {
BuildConnVal(),
vl->append(BuildConnVal()); val_mgr->GetBool(is_orig),
vl->append(val_mgr->GetBool(is_orig)); new StringVal(flags.AsString()),
vl->append(new StringVal(flags.AsString())); val_mgr->GetCount(rel_seq),
vl->append(val_mgr->GetCount(rel_seq)); val_mgr->GetCount(flags.ACK() ? rel_ack : 0),
vl->append(val_mgr->GetCount(flags.ACK() ? rel_ack : 0)); val_mgr->GetCount(len),
vl->append(val_mgr->GetCount(len)); // We need the min() here because Ethernet padding can lead to
// caplen > len.
// We need the min() here because Ethernet padding can lead to new StringVal(min(caplen, len), (const char*) data),
// caplen > len. });
vl->append(new StringVal(min(caplen, len), (const char*) data));
ConnectionEvent(tcp_packet, vl);
} }
int TCP_Analyzer::DeliverData(double t, const u_char* data, int len, int caplen, int TCP_Analyzer::DeliverData(double t, const u_char* data, int len, int caplen,
@ -1283,10 +1280,10 @@ void TCP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
if ( connection_SYN_packet ) if ( connection_SYN_packet )
{ {
val_list* vl = new val_list; ConnectionEvent(connection_SYN_packet, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(SYN_vals->Ref()); SYN_vals->Ref(),
ConnectionEvent(connection_SYN_packet, vl); });
} }
passive_fingerprint(this, is_orig, ip, tp, tcp_hdr_len); passive_fingerprint(this, is_orig, ip, tp, tcp_hdr_len);
@ -1503,14 +1500,12 @@ int TCP_Analyzer::TCPOptionEvent(unsigned int opt,
{ {
if ( tcp_option ) if ( tcp_option )
{ {
val_list* vl = new val_list(); analyzer->ConnectionEvent(tcp_option, {
analyzer->BuildConnVal(),
vl->append(analyzer->BuildConnVal()); val_mgr->GetBool(is_orig),
vl->append(val_mgr->GetBool(is_orig)); val_mgr->GetCount(opt),
vl->append(val_mgr->GetCount(opt)); val_mgr->GetCount(optlen),
vl->append(val_mgr->GetCount(optlen)); });
analyzer->ConnectionEvent(tcp_option, vl);
} }
return 0; return 0;
@ -1826,10 +1821,10 @@ void TCP_Analyzer::EndpointEOF(TCP_Reassembler* endp)
{ {
if ( connection_EOF ) if ( connection_EOF )
{ {
val_list* vl = new val_list(); ConnectionEvent(connection_EOF, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(endp->IsOrig())); val_mgr->GetBool(endp->IsOrig()),
ConnectionEvent(connection_EOF, vl); });
} }
const analyzer_list& children(GetChildren()); const analyzer_list& children(GetChildren());
@ -2108,15 +2103,14 @@ int TCPStats_Endpoint::DataSent(double /* t */, uint64 seq, int len, int caplen,
if ( tcp_rexmit ) if ( tcp_rexmit )
{ {
val_list* vl = new val_list(); endp->TCP()->ConnectionEvent(tcp_rexmit, {
vl->append(endp->TCP()->BuildConnVal()); endp->TCP()->BuildConnVal(),
vl->append(val_mgr->GetBool(endp->IsOrig())); val_mgr->GetBool(endp->IsOrig()),
vl->append(val_mgr->GetCount(seq)); val_mgr->GetCount(seq),
vl->append(val_mgr->GetCount(len)); val_mgr->GetCount(len),
vl->append(val_mgr->GetCount(data_in_flight)); val_mgr->GetCount(data_in_flight),
vl->append(val_mgr->GetCount(endp->peer->window)); val_mgr->GetCount(endp->peer->window),
});
endp->TCP()->ConnectionEvent(tcp_rexmit, vl);
} }
} }
else else
@ -2164,11 +2158,11 @@ void TCPStats_Analyzer::Done()
{ {
TCP_ApplicationAnalyzer::Done(); TCP_ApplicationAnalyzer::Done();
val_list* vl = new val_list; ConnectionEvent(conn_stats, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(orig_stats->BuildStats()); orig_stats->BuildStats(),
vl->append(resp_stats->BuildStats()); resp_stats->BuildStats(),
ConnectionEvent(conn_stats, vl); });
} }
void TCPStats_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, uint64 seq, const IP_Hdr* ip, int caplen) void TCPStats_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, uint64 seq, const IP_Hdr* ip, int caplen)


@ -237,11 +237,11 @@ int TCP_Endpoint::DataSent(double t, uint64 seq, int len, int caplen,
if ( contents_file_write_failure ) if ( contents_file_write_failure )
{ {
val_list* vl = new val_list(); tcp_analyzer->ConnectionEvent(contents_file_write_failure, {
vl->append(Conn()->BuildConnVal()); Conn()->BuildConnVal(),
vl->append(val_mgr->GetBool(IsOrig())); val_mgr->GetBool(IsOrig()),
vl->append(new StringVal(buf)); new StringVal(buf),
tcp_analyzer->ConnectionEvent(contents_file_write_failure, vl); });
} }
} }
} }


@ -136,12 +136,12 @@ void TCP_Reassembler::Gap(uint64 seq, uint64 len)
if ( report_gap(endp, endp->peer) ) if ( report_gap(endp, endp->peer) )
{ {
val_list* vl = new val_list; dst_analyzer->ConnectionEvent(content_gap, {
vl->append(dst_analyzer->BuildConnVal()); dst_analyzer->BuildConnVal(),
vl->append(val_mgr->GetBool(IsOrig())); val_mgr->GetBool(IsOrig()),
vl->append(val_mgr->GetCount(seq)); val_mgr->GetCount(seq),
vl->append(val_mgr->GetCount(len)); val_mgr->GetCount(len),
dst_analyzer->ConnectionEvent(content_gap, vl); });
} }
if ( type == Direct ) if ( type == Direct )
@ -335,11 +335,11 @@ void TCP_Reassembler::RecordBlock(DataBlock* b, BroFile* f)
if ( contents_file_write_failure ) if ( contents_file_write_failure )
{ {
val_list* vl = new val_list(); tcp_analyzer->ConnectionEvent(contents_file_write_failure, {
vl->append(Endpoint()->Conn()->BuildConnVal()); Endpoint()->Conn()->BuildConnVal(),
vl->append(val_mgr->GetBool(IsOrig())); val_mgr->GetBool(IsOrig()),
vl->append(new StringVal("TCP reassembler content write failure")); new StringVal("TCP reassembler content write failure"),
tcp_analyzer->ConnectionEvent(contents_file_write_failure, vl); });
} }
} }
@ -352,11 +352,11 @@ void TCP_Reassembler::RecordGap(uint64 start_seq, uint64 upper_seq, BroFile* f)
if ( contents_file_write_failure ) if ( contents_file_write_failure )
{ {
val_list* vl = new val_list(); tcp_analyzer->ConnectionEvent(contents_file_write_failure, {
vl->append(Endpoint()->Conn()->BuildConnVal()); Endpoint()->Conn()->BuildConnVal(),
vl->append(val_mgr->GetBool(IsOrig())); val_mgr->GetBool(IsOrig()),
vl->append(new StringVal("TCP reassembler gap write failure")); new StringVal("TCP reassembler gap write failure"),
tcp_analyzer->ConnectionEvent(contents_file_write_failure, vl); });
} }
} }
@ -425,12 +425,12 @@ void TCP_Reassembler::Overlap(const u_char* b1, const u_char* b2, uint64 n)
BroString* b1_s = new BroString((const u_char*) b1, n, 0); BroString* b1_s = new BroString((const u_char*) b1, n, 0);
BroString* b2_s = new BroString((const u_char*) b2, n, 0); BroString* b2_s = new BroString((const u_char*) b2, n, 0);
val_list* vl = new val_list(3); tcp_analyzer->ConnectionEvent(rexmit_inconsistency, {
vl->append(tcp_analyzer->BuildConnVal()); tcp_analyzer->BuildConnVal(),
vl->append(new StringVal(b1_s)); new StringVal(b1_s),
vl->append(new StringVal(b2_s)); new StringVal(b2_s),
vl->append(new StringVal(flags.AsString())); new StringVal(flags.AsString()),
tcp_analyzer->ConnectionEvent(rexmit_inconsistency, vl); });
} }
} }
@ -596,13 +596,12 @@ void TCP_Reassembler::DeliverBlock(uint64 seq, int len, const u_char* data)
if ( deliver_tcp_contents ) if ( deliver_tcp_contents )
{ {
val_list* vl = new val_list(); tcp_analyzer->ConnectionEvent(tcp_contents, {
vl->append(tcp_analyzer->BuildConnVal()); tcp_analyzer->BuildConnVal(),
vl->append(val_mgr->GetBool(IsOrig())); val_mgr->GetBool(IsOrig()),
vl->append(val_mgr->GetCount(seq)); val_mgr->GetCount(seq),
vl->append(new StringVal(len, (const char*) data)); new StringVal(len, (const char*) data),
});
tcp_analyzer->ConnectionEvent(tcp_contents, vl);
} }
// Q. Can we say this because it is already checked in DataSent()? // Q. Can we say this because it is already checked in DataSent()?


@ -157,11 +157,11 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
if ( do_udp_contents ) if ( do_udp_contents )
{ {
val_list* vl = new val_list; ConnectionEvent(udp_contents, {
vl->append(BuildConnVal()); BuildConnVal(),
vl->append(val_mgr->GetBool(is_orig)); val_mgr->GetBool(is_orig),
vl->append(new StringVal(len, (const char*) data)); new StringVal(len, (const char*) data),
ConnectionEvent(udp_contents, vl); });
} }
Unref(port_val); Unref(port_val);


@ -540,9 +540,11 @@ bool Manager::PublishLogWrite(EnumVal* stream, EnumVal* writer, string path, int
std::string serial_data(data, len); std::string serial_data(data, len);
free(data); free(data);
val_list vl(2); val_list vl{
vl.append(stream->Ref()); stream->Ref(),
vl.append(new StringVal(path)); new StringVal(path),
};
Val* v = log_topic_func->Call(&vl); Val* v = log_topic_func->Call(&vl);
if ( ! v ) if ( ! v )
@ -993,7 +995,7 @@ void Manager::ProcessEvent(const broker::topic& topic, broker::bro::Event ev)
return; return;
} }
auto vl = new val_list; val_list vl(args.size());
for ( auto i = 0u; i < args.size(); ++i ) for ( auto i = 0u; i < args.size(); ++i )
{ {
@ -1002,7 +1004,7 @@ void Manager::ProcessEvent(const broker::topic& topic, broker::bro::Event ev)
auto val = data_to_val(std::move(args[i]), expected_type); auto val = data_to_val(std::move(args[i]), expected_type);
if ( val ) if ( val )
vl->append(val); vl.append(val);
else else
{ {
reporter->Warning("failed to convert remote event '%s' arg #%d," reporter->Warning("failed to convert remote event '%s' arg #%d,"
@ -1013,10 +1015,13 @@ void Manager::ProcessEvent(const broker::topic& topic, broker::bro::Event ev)
} }
} }
if ( static_cast<size_t>(vl->length()) == args.size() ) if ( static_cast<size_t>(vl.length()) == args.size() )
mgr.QueueEvent(handler, vl, SOURCE_BROKER); mgr.QueueEvent(handler, std::move(vl), SOURCE_BROKER);
else else
delete_vals(vl); {
loop_over_list(vl, i)
Unref(vl[i]);
}
} }
bool bro_broker::Manager::ProcessLogCreate(broker::bro::LogCreate lc) bool bro_broker::Manager::ProcessLogCreate(broker::bro::LogCreate lc)
@ -1270,11 +1275,7 @@ void Manager::ProcessStatus(broker::status stat)
auto str = stat.message(); auto str = stat.message();
auto msg = new StringVal(str ? *str : ""); auto msg = new StringVal(str ? *str : "");
auto vl = new val_list; mgr.QueueEvent(event, {endpoint_info, msg});
vl->append(endpoint_info);
vl->append(msg);
mgr.QueueEvent(event, vl);
} }
void Manager::ProcessError(broker::error err) void Manager::ProcessError(broker::error err)
@ -1351,10 +1352,10 @@ void Manager::ProcessError(broker::error err)
msg = fmt("[%s] %s", caf::to_string(err.category()).c_str(), caf::to_string(err.context()).c_str()); msg = fmt("[%s] %s", caf::to_string(err.category()).c_str(), caf::to_string(err.context()).c_str());
} }
auto vl = new val_list; mgr.QueueEvent(Broker::error, {
vl->append(BifType::Enum::Broker::ErrorCode->GetVal(ec)); BifType::Enum::Broker::ErrorCode->GetVal(ec),
vl->append(new StringVal(msg)); new StringVal(msg),
mgr.QueueEvent(Broker::error, vl); });
} }
void Manager::ProcessStoreResponse(StoreHandleVal* s, broker::store::response response) void Manager::ProcessStoreResponse(StoreHandleVal* s, broker::store::response response)
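Review bot: The failure branch at the end of ProcessEvent now open-codes `loop_over_list(vl, i) Unref(vl[i]);` where the pointer version called delete_vals, and nothing explains why the list has to be emptied by hand. These arguments are converted from a remote peer's message, so the path where not every argument converts is the one malformed input will exercise, and it deserves a comment such as `// not all args converted: vl is not handed to the event queue, so release what was appended`. The same loop is repeated in the input manager's SendEvent in this commit; a small helper taking a `val_list&` would keep the two in step. ProcessEvent starts before this hunk.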


@ -183,9 +183,7 @@ function Cluster::publish_rr%(pool: Pool, key: string, ...%): bool
if ( ! topic_func ) if ( ! topic_func )
topic_func = global_scope()->Lookup("Cluster::rr_topic")->ID_Val()->AsFunc(); topic_func = global_scope()->Lookup("Cluster::rr_topic")->ID_Val()->AsFunc();
val_list vl(2); val_list vl{pool->Ref(), key->Ref()};
vl.append(pool->Ref());
vl.append(key->Ref());
auto topic = topic_func->Call(&vl); auto topic = topic_func->Call(&vl);
if ( ! topic->AsString()->Len() ) if ( ! topic->AsString()->Len() )
@ -226,9 +224,7 @@ function Cluster::publish_hrw%(pool: Pool, key: any, ...%): bool
if ( ! topic_func ) if ( ! topic_func )
topic_func = global_scope()->Lookup("Cluster::hrw_topic")->ID_Val()->AsFunc(); topic_func = global_scope()->Lookup("Cluster::hrw_topic")->ID_Val()->AsFunc();
val_list vl(2); val_list vl{pool->Ref(), key->Ref()};
vl.append(pool->Ref());
vl.append(key->Ref());
auto topic = topic_func->Call(&vl); auto topic = topic_func->Call(&vl);
if ( ! topic->AsString()->Len() ) if ( ! topic->AsString()->Len() )
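Review bot: `topic` is dereferenced straight after `topic_func->Call(&vl)` in both Cluster::publish_rr and Cluster::publish_hrw, with no check that the call produced a value. PublishLogWrite in the broker manager tests the result of the same kind of call with `if ( ! v )`, which suggests Call can return null, so these two BIFs should guard before `topic->AsString()`, for example `if ( ! topic ) return val_mgr->GetBool(0);`. The commit only changes how `vl` is built, so the gap predates it. Both function bodies continue outside the hunks shown.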


@ -154,11 +154,11 @@ void File::RaiseFileOverNewConnection(Connection* conn, bool is_orig)
{ {
if ( conn && FileEventAvailable(file_over_new_connection) ) if ( conn && FileEventAvailable(file_over_new_connection) )
{ {
val_list* vl = new val_list(); FileEvent(file_over_new_connection, {
vl->append(val->Ref()); val->Ref(),
vl->append(conn->BuildConnVal()); conn->BuildConnVal(),
vl->append(val_mgr->GetBool(is_orig)); val_mgr->GetBool(is_orig),
FileEvent(file_over_new_connection, vl); });
} }
} }
@ -303,13 +303,11 @@ bool File::SetMime(const string& mime_type)
if ( ! FileEventAvailable(file_sniff) ) if ( ! FileEventAvailable(file_sniff) )
return false; return false;
val_list* vl = new val_list();
vl->append(val->Ref());
RecordVal* meta = new RecordVal(fa_metadata_type); RecordVal* meta = new RecordVal(fa_metadata_type);
vl->append(meta);
meta->Assign(meta_mime_type_idx, new StringVal(mime_type)); meta->Assign(meta_mime_type_idx, new StringVal(mime_type));
meta->Assign(meta_inferred_idx, val_mgr->GetBool(0)); meta->Assign(meta_inferred_idx, val_mgr->GetBool(0));
FileEvent(file_sniff, vl);
FileEvent(file_sniff, {val->Ref(), meta});
return true; return true;
} }
@ -338,10 +336,7 @@ void File::InferMetadata()
len = min(len, LookupFieldDefaultCount(bof_buffer_size_idx)); len = min(len, LookupFieldDefaultCount(bof_buffer_size_idx));
file_mgr->DetectMIME(data, len, &matches); file_mgr->DetectMIME(data, len, &matches);
val_list* vl = new val_list();
vl->append(val->Ref());
RecordVal* meta = new RecordVal(fa_metadata_type); RecordVal* meta = new RecordVal(fa_metadata_type);
vl->append(meta);
if ( ! matches.empty() ) if ( ! matches.empty() )
{ {
@ -351,7 +346,7 @@ void File::InferMetadata()
file_analysis::GenMIMEMatchesVal(matches)); file_analysis::GenMIMEMatchesVal(matches));
} }
FileEvent(file_sniff, vl); FileEvent(file_sniff, {val->Ref(), meta});
return; return;
} }
@ -463,11 +458,11 @@ void File::DeliverChunk(const u_char* data, uint64 len, uint64 offset)
if ( FileEventAvailable(file_reassembly_overflow) ) if ( FileEventAvailable(file_reassembly_overflow) )
{ {
val_list* vl = new val_list(); FileEvent(file_reassembly_overflow, {
vl->append(val->Ref()); val->Ref(),
vl->append(val_mgr->GetCount(current_offset)); val_mgr->GetCount(current_offset),
vl->append(val_mgr->GetCount(gap_bytes)); val_mgr->GetCount(gap_bytes),
FileEvent(file_reassembly_overflow, vl); });
} }
} }
@ -608,11 +603,11 @@ void File::Gap(uint64 offset, uint64 len)
if ( FileEventAvailable(file_gap) ) if ( FileEventAvailable(file_gap) )
{ {
val_list* vl = new val_list(); FileEvent(file_gap, {
vl->append(val->Ref()); val->Ref(),
vl->append(val_mgr->GetCount(offset)); val_mgr->GetCount(offset),
vl->append(val_mgr->GetCount(len)); val_mgr->GetCount(len),
FileEvent(file_gap, vl); });
} }
analyzers.DrainModifications(); analyzers.DrainModifications();
@ -631,14 +626,18 @@ void File::FileEvent(EventHandlerPtr h)
if ( ! FileEventAvailable(h) ) if ( ! FileEventAvailable(h) )
return; return;
val_list* vl = new val_list(); FileEvent(h, {val->Ref()});
vl->append(val->Ref());
FileEvent(h, vl);
} }
void File::FileEvent(EventHandlerPtr h, val_list* vl) void File::FileEvent(EventHandlerPtr h, val_list* vl)
{ {
mgr.QueueEvent(h, vl); FileEvent(h, std::move(*vl));
delete vl;
}
void File::FileEvent(EventHandlerPtr h, val_list vl)
{
mgr.QueueEvent(h, std::move(vl));
if ( h == file_new || h == file_over_new_connection || if ( h == file_new || h == file_over_new_connection ||
h == file_sniff || h == file_sniff ||


@ -172,6 +172,12 @@ public:
*/ */
void FileEvent(EventHandlerPtr h, val_list* vl); void FileEvent(EventHandlerPtr h, val_list* vl);
/**
* Raises an event related to the file's life-cycle.
* @param h pointer to an event handler.
* @param vl list of argument values to pass to event call.
*/
void FileEvent(EventHandlerPtr h, val_list vl);
/** /**
* Sets the MIME type for a file to a specific value. * Sets the MIME type for a file to a specific value.
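Review bot: The comment on the new `FileEvent(EventHandlerPtr h, val_list vl)` overload is word-for-word the one on the pointer overload, so the header does not tell a caller how the two differ in ownership. In File.cc the pointer overload now moves out of `*vl` and deletes the list, while the by-value overload moves its argument into `mgr.QueueEvent`; in both cases the caller gives up the references it put in the list. I would add a line to each, for example `@param vl list of argument values; the references it holds are consumed by the call` here and `the list is consumed and deleted by the call` on the pointer overload.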


@ -443,12 +443,11 @@ string Manager::GetFileID(analyzer::Tag tag, Connection* c, bool is_orig)
EnumVal* tagval = tag.AsEnumVal(); EnumVal* tagval = tag.AsEnumVal();
Ref(tagval); Ref(tagval);
val_list* vl = new val_list(); mgr.QueueEvent(get_file_handle, {
vl->append(tagval); tagval,
vl->append(c->BuildConnVal()); c->BuildConnVal(),
vl->append(val_mgr->GetBool(is_orig)); val_mgr->GetBool(is_orig),
});
mgr.QueueEvent(get_file_handle, vl);
mgr.Drain(); // need file handle immediately so we don't have to buffer data mgr.Drain(); // need file handle immediately so we don't have to buffer data
return current_file_id; return current_file_id;
} }


@ -41,12 +41,11 @@ bool DataEvent::DeliverChunk(const u_char* data, uint64 len, uint64 offset)
{ {
if ( ! chunk_event ) return true; if ( ! chunk_event ) return true;
val_list* args = new val_list; mgr.QueueEvent(chunk_event, {
args->append(GetFile()->GetVal()->Ref()); GetFile()->GetVal()->Ref(),
args->append(new StringVal(new BroString(data, len, 0))); new StringVal(new BroString(data, len, 0)),
args->append(val_mgr->GetCount(offset)); val_mgr->GetCount(offset),
});
mgr.QueueEvent(chunk_event, args);
return true; return true;
} }
@ -55,11 +54,10 @@ bool DataEvent::DeliverStream(const u_char* data, uint64 len)
{ {
if ( ! stream_event ) return true; if ( ! stream_event ) return true;
val_list* args = new val_list; mgr.QueueEvent(stream_event, {
args->append(GetFile()->GetVal()->Ref()); GetFile()->GetVal()->Ref(),
args->append(new StringVal(new BroString(data, len, 0))); new StringVal(new BroString(data, len, 0)),
});
mgr.QueueEvent(stream_event, args);
return true; return true;
} }


@ -53,9 +53,6 @@ void Entropy::Finalize()
if ( ! fed ) if ( ! fed )
return; return;
val_list* vl = new val_list();
vl->append(GetFile()->GetVal()->Ref());
double montepi, scc, ent, mean, chisq; double montepi, scc, ent, mean, chisq;
montepi = scc = ent = mean = chisq = 0.0; montepi = scc = ent = mean = chisq = 0.0;
entropy->Get(&ent, &chisq, &mean, &montepi, &scc); entropy->Get(&ent, &chisq, &mean, &montepi, &scc);
@ -67,6 +64,8 @@ void Entropy::Finalize()
ent_result->Assign(3, new Val(montepi, TYPE_DOUBLE)); ent_result->Assign(3, new Val(montepi, TYPE_DOUBLE));
ent_result->Assign(4, new Val(scc, TYPE_DOUBLE)); ent_result->Assign(4, new Val(scc, TYPE_DOUBLE));
vl->append(ent_result); mgr.QueueEvent(file_entropy, {
mgr.QueueEvent(file_entropy, vl); GetFile()->GetVal()->Ref(),
ent_result,
});
} }


@ -90,12 +90,12 @@ bool Extract::DeliverStream(const u_char* data, uint64 len)
if ( limit_exceeded && file_extraction_limit ) if ( limit_exceeded && file_extraction_limit )
{ {
File* f = GetFile(); File* f = GetFile();
val_list* vl = new val_list(); f->FileEvent(file_extraction_limit, {
vl->append(f->GetVal()->Ref()); f->GetVal()->Ref(),
vl->append(Args()->Ref()); Args()->Ref(),
vl->append(val_mgr->GetCount(limit)); val_mgr->GetCount(limit),
vl->append(val_mgr->GetCount(len)); val_mgr->GetCount(len),
f->FileEvent(file_extraction_limit, vl); });
// Limit may have been modified by a BIF, re-check it. // Limit may have been modified by a BIF, re-check it.
limit_exceeded = check_limit_exceeded(limit, depth, len, &towrite); limit_exceeded = check_limit_exceeded(limit, depth, len, &towrite);


@ -48,10 +48,9 @@ void Hash::Finalize()
if ( ! hash->IsValid() || ! fed ) if ( ! hash->IsValid() || ! fed )
return; return;
val_list* vl = new val_list(); mgr.QueueEvent(file_hash, {
vl->append(GetFile()->GetVal()->Ref()); GetFile()->GetVal()->Ref(),
vl->append(new StringVal(kind)); new StringVal(kind),
vl->append(hash->Get()); hash->Get(),
});
mgr.QueueEvent(file_hash, vl);
} }


@ -81,10 +81,11 @@ refine flow Flow += {
ids_event->Assign(11, to_port(${ev.dst_p}, ${ev.protocol})); ids_event->Assign(11, to_port(${ev.dst_p}, ${ev.protocol}));
ids_event->Assign(17, val_mgr->GetCount(${ev.packet_action})); ids_event->Assign(17, val_mgr->GetCount(${ev.packet_action}));
val_list* vl = new val_list(); mgr.QueueEvent(::unified2_event, {
vl->append(connection()->bro_analyzer()->GetFile()->GetVal()->Ref()); connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
vl->append(ids_event); ids_event,
mgr.QueueEvent(::unified2_event, vl, SOURCE_LOCAL); },
SOURCE_LOCAL);
} }
return true; return true;
%} %}
@ -112,10 +113,11 @@ refine flow Flow += {
ids_event->Assign(15, val_mgr->GetCount(${ev.mpls_label})); ids_event->Assign(15, val_mgr->GetCount(${ev.mpls_label}));
ids_event->Assign(16, val_mgr->GetCount(${ev.vlan_id})); ids_event->Assign(16, val_mgr->GetCount(${ev.vlan_id}));
val_list* vl = new val_list(); mgr.QueueEvent(::unified2_event, {
vl->append(connection()->bro_analyzer()->GetFile()->GetVal()->Ref()); connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
vl->append(ids_event); ids_event,
mgr.QueueEvent(::unified2_event, vl, SOURCE_LOCAL); },
SOURCE_LOCAL);
} }
return true; return true;
@ -133,10 +135,11 @@ refine flow Flow += {
packet->Assign(4, val_mgr->GetCount(${pkt.link_type})); packet->Assign(4, val_mgr->GetCount(${pkt.link_type}));
packet->Assign(5, bytestring_to_val(${pkt.packet_data})); packet->Assign(5, bytestring_to_val(${pkt.packet_data}));
val_list* vl = new val_list(); mgr.QueueEvent(::unified2_packet, {
vl->append(connection()->bro_analyzer()->GetFile()->GetVal()->Ref()); connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
vl->append(packet); packet,
mgr.QueueEvent(::unified2_packet, vl, SOURCE_LOCAL); },
SOURCE_LOCAL);
} }
return true; return true;


@ -417,10 +417,6 @@ void file_analysis::OCSP::ParseRequest(OCSP_REQUEST* req)
char buf[OCSP_STRING_BUF_SIZE]; // we need a buffer for some of the openssl functions char buf[OCSP_STRING_BUF_SIZE]; // we need a buffer for some of the openssl functions
memset(buf, 0, sizeof(buf)); memset(buf, 0, sizeof(buf));
// build up our response as we go along...
val_list* vl = new val_list();
vl->append(GetFile()->GetVal()->Ref());
uint64 version = 0; uint64 version = 0;
#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER) #if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER)
@ -431,23 +427,24 @@ void file_analysis::OCSP::ParseRequest(OCSP_REQUEST* req)
// TODO: try to parse out general name ? // TODO: try to parse out general name ?
#endif #endif
vl->append(val_mgr->GetCount(version)); mgr.QueueEvent(ocsp_request, {
GetFile()->GetVal()->Ref(),
val_mgr->GetCount(version),
});
BIO *bio = BIO_new(BIO_s_mem()); BIO *bio = BIO_new(BIO_s_mem());
mgr.QueueEvent(ocsp_request, vl);
int req_count = OCSP_request_onereq_count(req); int req_count = OCSP_request_onereq_count(req);
for ( int i=0; i<req_count; i++ ) for ( int i=0; i<req_count; i++ )
{ {
val_list* rvl = new val_list(); val_list rvl(5);
rvl->append(GetFile()->GetVal()->Ref()); rvl.append(GetFile()->GetVal()->Ref());
OCSP_ONEREQ *one_req = OCSP_request_onereq_get0(req, i); OCSP_ONEREQ *one_req = OCSP_request_onereq_get0(req, i);
OCSP_CERTID *cert_id = OCSP_onereq_get0_id(one_req); OCSP_CERTID *cert_id = OCSP_onereq_get0_id(one_req);
ocsp_add_cert_id(cert_id, rvl, bio); ocsp_add_cert_id(cert_id, &rvl, bio);
mgr.QueueEvent(ocsp_request_certificate, rvl); mgr.QueueEvent(ocsp_request_certificate, std::move(rvl));
} }
BIO_free(bio); BIO_free(bio);
@ -470,14 +467,13 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val)
char buf[OCSP_STRING_BUF_SIZE]; char buf[OCSP_STRING_BUF_SIZE];
memset(buf, 0, sizeof(buf)); memset(buf, 0, sizeof(buf));
val_list* vl = new val_list();
vl->append(GetFile()->GetVal()->Ref());
const char *status_str = OCSP_response_status_str(OCSP_response_status(resp)); const char *status_str = OCSP_response_status_str(OCSP_response_status(resp));
StringVal* status_val = new StringVal(strlen(status_str), status_str); StringVal* status_val = new StringVal(strlen(status_str), status_str);
vl->append(status_val->Ref());
mgr.QueueEvent(ocsp_response_status, vl); mgr.QueueEvent(ocsp_response_status, {
vl = nullptr; GetFile()->GetVal()->Ref(),
status_val->Ref(),
});
//if (!resp_bytes) //if (!resp_bytes)
// { // {
@ -490,6 +486,8 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val)
//int len = BIO_read(bio, buf, sizeof(buf)); //int len = BIO_read(bio, buf, sizeof(buf));
//BIO_reset(bio); //BIO_reset(bio);
val_list vl(8);
// get the basic response // get the basic response
basic_resp = OCSP_response_get1_basic(resp); basic_resp = OCSP_response_get1_basic(resp);
if ( !basic_resp ) if ( !basic_resp )
@ -501,28 +499,27 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val)
goto clean_up; goto clean_up;
#endif #endif
vl = new val_list(); vl.append(GetFile()->GetVal()->Ref());
vl->append(GetFile()->GetVal()->Ref()); vl.append(resp_val->Ref());
vl->append(resp_val->Ref()); vl.append(status_val);
vl->append(status_val);
#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER) #if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER)
vl->append(val_mgr->GetCount((uint64)ASN1_INTEGER_get(resp_data->version))); vl.append(val_mgr->GetCount((uint64)ASN1_INTEGER_get(resp_data->version)));
#else #else
vl->append(parse_basic_resp_data_version(basic_resp)); vl.append(parse_basic_resp_data_version(basic_resp));
#endif #endif
// responderID // responderID
if ( OCSP_RESPID_bio(basic_resp, bio) ) if ( OCSP_RESPID_bio(basic_resp, bio) )
{ {
len = BIO_read(bio, buf, sizeof(buf)); len = BIO_read(bio, buf, sizeof(buf));
vl->append(new StringVal(len, buf)); vl.append(new StringVal(len, buf));
BIO_reset(bio); BIO_reset(bio);
} }
else else
{ {
reporter->Weird("OpenSSL failed to get OCSP responder id"); reporter->Weird("OpenSSL failed to get OCSP responder id");
vl->append(val_mgr->GetEmptyString()); vl.append(val_mgr->GetEmptyString());
} }
// producedAt // producedAt
@ -532,7 +529,7 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val)
produced_at = OCSP_resp_get0_produced_at(basic_resp); produced_at = OCSP_resp_get0_produced_at(basic_resp);
#endif #endif
vl->append(new Val(GetTimeFromAsn1(produced_at, GetFile(), reporter), TYPE_TIME)); vl.append(new Val(GetTimeFromAsn1(produced_at, GetFile(), reporter), TYPE_TIME));
// responses // responses
@ -545,8 +542,8 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val)
if ( !single_resp ) if ( !single_resp )
continue; continue;
val_list* rvl = new val_list(); val_list rvl(10);
rvl->append(GetFile()->GetVal()->Ref()); rvl.append(GetFile()->GetVal()->Ref());
// cert id // cert id
const OCSP_CERTID* cert_id = nullptr; const OCSP_CERTID* cert_id = nullptr;
@ -557,7 +554,7 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val)
cert_id = OCSP_SINGLERESP_get0_id(single_resp); cert_id = OCSP_SINGLERESP_get0_id(single_resp);
#endif #endif
ocsp_add_cert_id(cert_id, rvl, bio); ocsp_add_cert_id(cert_id, &rvl, bio);
BIO_reset(bio); BIO_reset(bio);
// certStatus // certStatus
@ -574,38 +571,38 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val)
reporter->Weird("OpenSSL failed to find status of OCSP response"); reporter->Weird("OpenSSL failed to find status of OCSP response");
const char* cert_status_str = OCSP_cert_status_str(status); const char* cert_status_str = OCSP_cert_status_str(status);
rvl->append(new StringVal(strlen(cert_status_str), cert_status_str)); rvl.append(new StringVal(strlen(cert_status_str), cert_status_str));
// revocation time and reason if revoked // revocation time and reason if revoked
if ( status == V_OCSP_CERTSTATUS_REVOKED ) if ( status == V_OCSP_CERTSTATUS_REVOKED )
{ {
rvl->append(new Val(GetTimeFromAsn1(revoke_time, GetFile(), reporter), TYPE_TIME)); rvl.append(new Val(GetTimeFromAsn1(revoke_time, GetFile(), reporter), TYPE_TIME));
if ( reason != OCSP_REVOKED_STATUS_NOSTATUS ) if ( reason != OCSP_REVOKED_STATUS_NOSTATUS )
{ {
const char* revoke_reason = OCSP_crl_reason_str(reason); const char* revoke_reason = OCSP_crl_reason_str(reason);
rvl->append(new StringVal(strlen(revoke_reason), revoke_reason)); rvl.append(new StringVal(strlen(revoke_reason), revoke_reason));
} }
else else
rvl->append(new StringVal(0, "")); rvl.append(new StringVal(0, ""));
} }
else else
{ {
rvl->append(new Val(0.0, TYPE_TIME)); rvl.append(new Val(0.0, TYPE_TIME));
rvl->append(new StringVal(0, "")); rvl.append(new StringVal(0, ""));
} }
if ( this_update ) if ( this_update )
rvl->append(new Val(GetTimeFromAsn1(this_update, GetFile(), reporter), TYPE_TIME)); rvl.append(new Val(GetTimeFromAsn1(this_update, GetFile(), reporter), TYPE_TIME));
else else
rvl->append(new Val(0.0, TYPE_TIME)); rvl.append(new Val(0.0, TYPE_TIME));
if ( next_update ) if ( next_update )
rvl->append(new Val(GetTimeFromAsn1(next_update, GetFile(), reporter), TYPE_TIME)); rvl.append(new Val(GetTimeFromAsn1(next_update, GetFile(), reporter), TYPE_TIME));
else else
rvl->append(new Val(0.0, TYPE_TIME)); rvl.append(new Val(0.0, TYPE_TIME));
mgr.QueueEvent(ocsp_response_certificate, rvl); mgr.QueueEvent(ocsp_response_certificate, std::move(rvl));
num_ext = OCSP_SINGLERESP_get_ext_count(single_resp); num_ext = OCSP_SINGLERESP_get_ext_count(single_resp);
for ( int k = 0; k < num_ext; ++k ) for ( int k = 0; k < num_ext; ++k )
@ -621,10 +618,10 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val)
#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER) #if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER)
i2a_ASN1_OBJECT(bio, basic_resp->signatureAlgorithm->algorithm); i2a_ASN1_OBJECT(bio, basic_resp->signatureAlgorithm->algorithm);
len = BIO_read(bio, buf, sizeof(buf)); len = BIO_read(bio, buf, sizeof(buf));
vl->append(new StringVal(len, buf)); vl.append(new StringVal(len, buf));
BIO_reset(bio); BIO_reset(bio);
#else #else
vl->append(parse_basic_resp_sig_alg(basic_resp, bio, buf, sizeof(buf))); vl.append(parse_basic_resp_sig_alg(basic_resp, bio, buf, sizeof(buf)));
#endif #endif
//i2a_ASN1_OBJECT(bio, basic_resp->signature); //i2a_ASN1_OBJECT(bio, basic_resp->signature);
@ -633,7 +630,7 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val)
//BIO_reset(bio); //BIO_reset(bio);
certs_vector = new VectorVal(internal_type("x509_opaque_vector")->AsVectorType()); certs_vector = new VectorVal(internal_type("x509_opaque_vector")->AsVectorType());
vl->append(certs_vector); vl.append(certs_vector);
#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER) #if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER)
certs = basic_resp->certs; certs = basic_resp->certs;
@ -654,7 +651,8 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val)
reporter->Weird("OpenSSL returned null certificate"); reporter->Weird("OpenSSL returned null certificate");
} }
} }
mgr.QueueEvent(ocsp_response_bytes, vl);
mgr.QueueEvent(ocsp_response_bytes, std::move(vl));
// ok, now that we are done with the actual certificate - let's parse extensions :) // ok, now that we are done with the actual certificate - let's parse extensions :)
num_ext = OCSP_BASICRESP_get_ext_count(basic_resp); num_ext = OCSP_BASICRESP_get_ext_count(basic_resp);
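Review bot: The result of `BIO_read` goes unchecked into `new StringVal(len, buf)` in ParseResponse, at the responderID read and again at the signature-algorithm read in the pre-1.1.0/LibreSSL branch. BIO_read returns zero or a negative value when nothing could be read, and this data is parsed from a response seen on the wire, so the length should be validated before use: `vl.append(len > 0 ? new StringVal(len, buf) : val_mgr->GetEmptyString());`. The commit only changes `vl->` to `vl.` on these lines, so the gap predates it. ParseResponse begins and ends outside the hunks shown.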


@ -57,11 +57,11 @@ bool file_analysis::X509::EndOfFile()
RecordVal* cert_record = ParseCertificate(cert_val, GetFile()); RecordVal* cert_record = ParseCertificate(cert_val, GetFile());
// and send the record on to scriptland // and send the record on to scriptland
val_list* vl = new val_list(); mgr.QueueEvent(x509_certificate, {
vl->append(GetFile()->GetVal()->Ref()); GetFile()->GetVal()->Ref(),
vl->append(cert_val->Ref()); cert_val->Ref(),
vl->append(cert_record->Ref()); // we Ref it here, because we want to keep a copy around for now... cert_record->Ref(), // we Ref it here, because we want to keep a copy around for now...
mgr.QueueEvent(x509_certificate, vl); });
// after parsing the certificate - parse the extensions... // after parsing the certificate - parse the extensions...
@ -227,11 +227,10 @@ void file_analysis::X509::ParseBasicConstraints(X509_EXTENSION* ex)
if ( constr->pathlen ) if ( constr->pathlen )
pBasicConstraint->Assign(1, val_mgr->GetCount((int32_t) ASN1_INTEGER_get(constr->pathlen))); pBasicConstraint->Assign(1, val_mgr->GetCount((int32_t) ASN1_INTEGER_get(constr->pathlen)));
val_list* vl = new val_list(); mgr.QueueEvent(x509_ext_basic_constraints, {
vl->append(GetFile()->GetVal()->Ref()); GetFile()->GetVal()->Ref(),
vl->append(pBasicConstraint); pBasicConstraint,
});
mgr.QueueEvent(x509_ext_basic_constraints, vl);
BASIC_CONSTRAINTS_free(constr); BASIC_CONSTRAINTS_free(constr);
} }
@ -367,10 +366,10 @@ void file_analysis::X509::ParseSAN(X509_EXTENSION* ext)
sanExt->Assign(4, val_mgr->GetBool(otherfields)); sanExt->Assign(4, val_mgr->GetBool(otherfields));
val_list* vl = new val_list(); mgr.QueueEvent(x509_ext_subject_alternative_name, {
vl->append(GetFile()->GetVal()->Ref()); GetFile()->GetVal()->Ref(),
vl->append(sanExt); sanExt,
mgr.QueueEvent(x509_ext_subject_alternative_name, vl); });
GENERAL_NAMES_free(altname); GENERAL_NAMES_free(altname);
} }
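Review bot: In ParseBasicConstraints the value of `ASN1_INTEGER_get(constr->pathlen)` is cast to `int32_t` and passed to `val_mgr->GetCount` without a sign check. ASN1_INTEGER_get returns -1 on error and can return a negative number for a negative encoded integer, so if GetCount takes an unsigned 64-bit value (as its other uses in this commit suggest) a crafted certificate would surface to scripts as a very large path length. Checking first keeps the field unset for bad input: `long pl = ASN1_INTEGER_get(constr->pathlen);` then `if ( pl >= 0 ) pBasicConstraint->Assign(1, val_mgr->GetCount(pl));`. This line is context in the hunk and is not changed by the commit; the function starts outside the hunk.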


@ -277,13 +277,18 @@ void file_analysis::X509Common::ParseExtension(X509_EXTENSION* ex, EventHandlerP
// parsed. And if we have it, we send the specialized event on top of the // parsed. And if we have it, we send the specialized event on top of the
// generic event that we just had. I know, that is... kind of not nice, // generic event that we just had. I know, that is... kind of not nice,
// but I am not sure if there is a better way to do it... // but I am not sure if there is a better way to do it...
val_list* vl = new val_list();
vl->append(GetFile()->GetVal()->Ref());
vl->append(pX509Ext);
if ( h == ocsp_extension )
vl->append(val_mgr->GetBool(global ? 1 : 0));
mgr.QueueEvent(h, vl); if ( h == ocsp_extension )
mgr.QueueEvent(h, {
GetFile()->GetVal()->Ref(),
pX509Ext,
val_mgr->GetBool(global ? 1 : 0),
});
else
mgr.QueueEvent(h, {
GetFile()->GetVal()->Ref(),
pX509Ext,
});
// let individual analyzers parse more. // let individual analyzers parse more.
ParseExtensionsSpecific(ex, global, ext_asn, oid); ParseExtensionsSpecific(ex, global, ext_asn, oid);


@ -1865,11 +1865,12 @@ bool Manager::SendEvent(ReaderFrontend* reader, const string& name, const int nu
bool convert_error = false; bool convert_error = false;
val_list* vl = new val_list; val_list vl(num_vals);
for ( int j = 0; j < num_vals; j++) for ( int j = 0; j < num_vals; j++)
{ {
Val* v = ValueToVal(i, vals[j], convert_error); Val* v = ValueToVal(i, vals[j], convert_error);
vl->append(v); vl.append(v);
if ( v && ! convert_error && ! same_type(type->FieldType(j), v->Type()) ) if ( v && ! convert_error && ! same_type(type->FieldType(j), v->Type()) )
{ {
convert_error = true; convert_error = true;
@ -1881,18 +1882,20 @@ bool Manager::SendEvent(ReaderFrontend* reader, const string& name, const int nu
if ( convert_error ) if ( convert_error )
{ {
delete_vals(vl); loop_over_list(vl, i)
Unref(vl[i]);
return false; return false;
} }
else else
mgr.QueueEvent(handler, vl, SOURCE_LOCAL); mgr.QueueEvent(handler, std::move(vl), SOURCE_LOCAL);
return true; return true;
} }
void Manager::SendEvent(EventHandlerPtr ev, const int numvals, ...) const void Manager::SendEvent(EventHandlerPtr ev, const int numvals, ...) const
{ {
val_list* vl = new val_list; val_list vl(numvals);
#ifdef DEBUG #ifdef DEBUG
DBG_LOG(DBG_INPUT, "SendEvent with %d vals", DBG_LOG(DBG_INPUT, "SendEvent with %d vals",
@ -1902,16 +1905,16 @@ void Manager::SendEvent(EventHandlerPtr ev, const int numvals, ...) const
va_list lP; va_list lP;
va_start(lP, numvals); va_start(lP, numvals);
for ( int i = 0; i < numvals; i++ ) for ( int i = 0; i < numvals; i++ )
vl->append( va_arg(lP, Val*) ); vl.append( va_arg(lP, Val*) );
va_end(lP); va_end(lP);
mgr.QueueEvent(ev, vl, SOURCE_LOCAL); mgr.QueueEvent(ev, std::move(vl), SOURCE_LOCAL);
} }
void Manager::SendEvent(EventHandlerPtr ev, list<Val*> events) const void Manager::SendEvent(EventHandlerPtr ev, list<Val*> events) const
{ {
val_list* vl = new val_list; val_list vl(events.size());
#ifdef DEBUG #ifdef DEBUG
DBG_LOG(DBG_INPUT, "SendEvent with %" PRIuPTR " vals (list)", DBG_LOG(DBG_INPUT, "SendEvent with %" PRIuPTR " vals (list)",
@ -1919,11 +1922,9 @@ void Manager::SendEvent(EventHandlerPtr ev, list<Val*> events) const
#endif #endif
for ( list<Val*>::iterator i = events.begin(); i != events.end(); i++ ) for ( list<Val*>::iterator i = events.begin(); i != events.end(); i++ )
{ vl.append( *i );
vl->append( *i );
}
mgr.QueueEvent(ev, vl, SOURCE_LOCAL); mgr.QueueEvent(ev, std::move(vl), SOURCE_LOCAL);
} }
// Convert a bro list value to a bro record value. // Convert a bro list value to a bro record value.
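Review bot: In the `convert_error` branch of the first SendEvent, `loop_over_list(vl, i)` reuses the name `i`, which this function already uses for the stream passed to `ValueToVal(i, vals[j], convert_error)`. The macro appears to declare its own index (the broker manager uses it the same way with no prior declaration in scope), so this compiles only because the new `i` shadows the outer one inside the block; a distinct name avoids the trap for the next edit: `loop_over_list(vl, k) Unref(vl[k]);`. The list can also hold null entries here, because `v` is appended before the `v &&` test, so the loop relies on Unref accepting a null pointer and a short comment saying so would help. The function starts outside the hunk.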


@ -715,11 +715,7 @@ bool Manager::Write(EnumVal* id, RecordVal* columns)
// Raise the log event. // Raise the log event.
if ( stream->event ) if ( stream->event )
{ mgr.QueueEvent(stream->event, {columns->Ref()}, SOURCE_LOCAL);
val_list* vl = new val_list(1);
vl->append(columns->Ref());
mgr.QueueEvent(stream->event, vl, SOURCE_LOCAL);
}
// Send to each of our filters. // Send to each of our filters.
for ( list<Filter*>::iterator i = stream->filters.begin(); for ( list<Filter*>::iterator i = stream->filters.begin();
@ -732,8 +728,7 @@ bool Manager::Write(EnumVal* id, RecordVal* columns)
{ {
// See whether the predicates indicates that we want // See whether the predicates indicates that we want
// to log this record. // to log this record.
val_list vl(1); val_list vl{columns->Ref()};
vl.append(columns->Ref());
int result = 1; int result = 1;
@ -750,17 +745,12 @@ bool Manager::Write(EnumVal* id, RecordVal* columns)
if ( filter->path_func ) if ( filter->path_func )
{ {
val_list vl(3);
vl.append(id->Ref());
Val* path_arg; Val* path_arg;
if ( filter->path_val ) if ( filter->path_val )
path_arg = filter->path_val->Ref(); path_arg = filter->path_val->Ref();
else else
path_arg = val_mgr->GetEmptyString(); path_arg = val_mgr->GetEmptyString();
vl.append(path_arg);
Val* rec_arg; Val* rec_arg;
BroType* rt = filter->path_func->FType()->Args()->FieldType("rec"); BroType* rt = filter->path_func->FType()->Args()->FieldType("rec");
@ -770,7 +760,11 @@ bool Manager::Write(EnumVal* id, RecordVal* columns)
// Can be TYPE_ANY here. // Can be TYPE_ANY here.
rec_arg = columns->Ref(); rec_arg = columns->Ref();
vl.append(rec_arg); val_list vl{
id->Ref(),
path_arg,
rec_arg,
};
Val* v = 0; Val* v = 0;
@ -1087,8 +1081,7 @@ threading::Value** Manager::RecordToFilterVals(Stream* stream, Filter* filter,
RecordVal* ext_rec = nullptr; RecordVal* ext_rec = nullptr;
if ( filter->num_ext_fields > 0 ) if ( filter->num_ext_fields > 0 )
{ {
val_list vl(1); val_list vl{filter->path_val->Ref()};
vl.append(filter->path_val->Ref());
Val* res = filter->ext_func->Call(&vl); Val* res = filter->ext_func->Call(&vl);
if ( res ) if ( res )
ext_rec = res->AsRecordVal(); ext_rec = res->AsRecordVal();
@ -1593,8 +1586,7 @@ bool Manager::FinishedRotation(WriterFrontend* writer, const char* new_name, con
assert(func); assert(func);
// Call the postprocessor function. // Call the postprocessor function.
val_list vl(1); val_list vl{info};
vl.append(info);
int result = 0; int result = 0;
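Review bot: In the RecordToFilterVals hunk, `val_list vl{filter->path_val->Ref()};` dereferences `filter->path_val` without a null check, while the path_func hunk of Manager::Write in the same file guards that pointer with `if ( filter->path_val )` and falls back to `val_mgr->GetEmptyString()`. The unconditional dereference predates this commit, but the rewritten line is a natural place to make the two call sites agree. Whether `path_val` can still be unset when `num_ext_fields > 0` is not visible from the hunk. If it can, one form is `val_list vl{filter->path_val ? filter->path_val->Ref() : val_mgr->GetEmptyString()};`. RecordToFilterVals starts and ends outside the hunk.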


@ -284,12 +284,11 @@ void done_with_network()
if ( net_done ) if ( net_done )
{ {
val_list* args = new val_list;
args->append(new Val(timer_mgr->Time(), TYPE_TIME));
mgr.Drain(); mgr.Drain();
// Don't propagate this event to remote clients. // Don't propagate this event to remote clients.
mgr.Dispatch(new Event(net_done, args), true); mgr.Dispatch(new Event(net_done,
{new Val(timer_mgr->Time(), TYPE_TIME)}),
true);
} }
// Save state before expiring the remaining events/timers. // Save state before expiring the remaining events/timers.
@ -341,7 +340,7 @@ void terminate_bro()
EventHandlerPtr bro_done = internal_handler("bro_done"); EventHandlerPtr bro_done = internal_handler("bro_done");
if ( bro_done ) if ( bro_done )
mgr.QueueEvent(bro_done, new val_list); mgr.QueueEvent(bro_done, val_list{});
timer_mgr->Expire(); timer_mgr->Expire();
mgr.Drain(); mgr.Drain();
@ -1137,8 +1136,9 @@ int main(int argc, char** argv)
net_update_time(current_time()); net_update_time(current_time());
EventHandlerPtr bro_init = internal_handler("bro_init"); EventHandlerPtr bro_init = internal_handler("bro_init");
if ( bro_init ) //### this should be a function
mgr.QueueEvent(bro_init, new val_list); if ( bro_init )
mgr.QueueEvent(bro_init, val_list{});
EventRegistry::string_list* dead_handlers = EventRegistry::string_list* dead_handlers =
event_registry->UnusedHandlers(); event_registry->UnusedHandlers();
@ -1190,10 +1190,10 @@ int main(int argc, char** argv)
if ( i->skipped ) if ( i->skipped )
continue; continue;
val_list* vl = new val_list; mgr.QueueEvent(bro_script_loaded, {
vl->append(new StringVal(i->name.c_str())); new StringVal(i->name.c_str()),
vl->append(val_mgr->GetCount(i->include_level)); val_mgr->GetCount(i->include_level),
mgr.QueueEvent(bro_script_loaded, vl); });
} }
reporter->ReportViaEvents(true); reporter->ReportViaEvents(true);
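Review bot: In done_with_network, the `net_done` argument `new Val(timer_mgr->Time(), TYPE_TIME)` is now evaluated after `mgr.Drain()`, whereas the removed lines built the argument list before the drain. If anything run during the drain can advance the timer manager's clock (not visible here), the timestamp carried by the event changes with this commit. If the pre-drain time is the intended value, capture it first with `const auto done_time = timer_mgr->Time();` ahead of `mgr.Drain();` and pass `new Val(done_time, TYPE_TIME)`. Otherwise a one-line comment saying the post-drain time is intended would record the choice. The function body extends outside the hunk.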


@ -15,10 +15,12 @@ static bool call_option_handlers_and_set_value(StringVal* name, ID* i, Val* val,
{ {
for ( auto handler_function : i->GetOptionHandlers() ) for ( auto handler_function : i->GetOptionHandlers() )
{ {
val_list vl(2); bool add_loc = handler_function->FType()->AsFuncType()->ArgTypes()->Types()->length() == 3;
val_list vl(2 + add_loc);
vl.append(name->Ref()); vl.append(name->Ref());
vl.append(val); vl.append(val);
if ( handler_function->FType()->AsFuncType()->ArgTypes()->Types()->length() == 3 )
if ( add_loc )
vl.append(location->Ref()); vl.append(location->Ref());
val = handler_function->Call(&vl); // consumed by next call. val = handler_function->Call(&vl); // consumed by next call.