diff --git a/src/Conn.cc b/src/Conn.cc index 6de529c26c..4f6e3880fc 100644 --- a/src/Conn.cc +++ b/src/Conn.cc @@ -690,7 +690,8 @@ void Connection::IDString(zeek::ODesc* d) const d->Add(ntohs(resp_port)); } -void Connection::SetRootAnalyzer(zeek::analyzer::TransportLayerAnalyzer* analyzer, ::analyzer::pia::PIA* pia) +void Connection::SetRootAnalyzer(zeek::analyzer::TransportLayerAnalyzer* analyzer, + zeek::analyzer::pia::PIA* pia) { root_analyzer = analyzer; primary_PIA = pia; diff --git a/src/Conn.h b/src/Conn.h index 881c3920f2..10a937e681 100644 --- a/src/Conn.h +++ b/src/Conn.h @@ -303,9 +303,9 @@ public: void DeleteTimer(double t); // Sets the root of the analyzer tree as well as the primary PIA. - void SetRootAnalyzer(zeek::analyzer::TransportLayerAnalyzer* analyzer, ::analyzer::pia::PIA* pia); + void SetRootAnalyzer(zeek::analyzer::TransportLayerAnalyzer* analyzer, zeek::analyzer::pia::PIA* pia); zeek::analyzer::TransportLayerAnalyzer* GetRootAnalyzer() { return root_analyzer; } - ::analyzer::pia::PIA* GetPrimaryPIA() { return primary_PIA; } + zeek::analyzer::pia::PIA* GetPrimaryPIA() { return primary_PIA; } // Sets the transport protocol in use. void SetTransport(TransportProto arg_proto) { proto = arg_proto; } @@ -382,7 +382,7 @@ protected: uint32_t hist_seen; zeek::analyzer::TransportLayerAnalyzer* root_analyzer; - ::analyzer::pia::PIA* primary_PIA; + zeek::analyzer::pia::PIA* primary_PIA; zeek::UID uid; // Globally unique connection ID. zeek::detail::WeirdStateMap weird_state; diff --git a/src/Reassem.h b/src/Reassem.h index 57a3fcc33f..2fd129a9a7 100644 --- a/src/Reassem.h +++ b/src/Reassem.h @@ -27,7 +27,6 @@ enum ReassemblerType { class Reassembler; - /** * A block/segment of data for use in the reassembly process. */ diff --git a/src/RuleCondition.cc b/src/RuleCondition.cc index a9847e4503..09ce04cc79 100644 --- a/src/RuleCondition.cc +++ b/src/RuleCondition.cc @@ -9,15 +9,15 @@ #include "ID.h" #include "Val.h" -static inline bool is_established(const analyzer::tcp::TCP_Endpoint* e) +static inline bool is_established(const zeek::analyzer::tcp::TCP_Endpoint* e) { // We more or less follow Snort here: an established session // is one for which the initial handshake has succeded (but we // add partial connections). The connection tear-down is part // of the connection. - return e->state != analyzer::tcp::TCP_ENDPOINT_INACTIVE && - e->state != analyzer::tcp::TCP_ENDPOINT_SYN_SENT && - e->state != analyzer::tcp::TCP_ENDPOINT_SYN_ACK_SENT; + return e->state != zeek::analyzer::tcp::TCP_ENDPOINT_INACTIVE && + e->state != zeek::analyzer::tcp::TCP_ENDPOINT_SYN_SENT && + e->state != zeek::analyzer::tcp::TCP_ENDPOINT_SYN_ACK_SENT; } namespace zeek::detail { @@ -30,7 +30,7 @@ bool RuleConditionTCPState::DoMatch(Rule* rule, RuleEndpointState* state, if ( ! root || ! root->IsAnalyzer("TCP") ) return false; - ::analyzer::tcp::TCP_Analyzer* ta = static_cast<::analyzer::tcp::TCP_Analyzer*>(root); + auto* ta = static_cast(root); if ( tcpstates & STATE_STATELESS ) return true; diff --git a/src/RuleMatcher.cc b/src/RuleMatcher.cc index 8b726c5b6a..65df3eede4 100644 --- a/src/RuleMatcher.cc +++ b/src/RuleMatcher.cc @@ -184,8 +184,8 @@ void RuleHdrTest::PrintDebug() } RuleEndpointState::RuleEndpointState(zeek::analyzer::Analyzer* arg_analyzer, bool arg_is_orig, - RuleEndpointState* arg_opposite, - ::analyzer::pia::PIA* arg_PIA) + RuleEndpointState* arg_opposite, + zeek::analyzer::pia::PIA* arg_PIA) { payload_size = -1; analyzer = arg_analyzer; @@ -741,7 +741,7 @@ RuleMatcher::MIME_Matches* RuleMatcher::Match(RuleFileMagicState* state, RuleEndpointState* RuleMatcher::InitEndpoint(zeek::analyzer::Analyzer* analyzer, const zeek::IP_Hdr* ip, int caplen, RuleEndpointState* opposite, - bool from_orig, ::analyzer::pia::PIA* pia) + bool from_orig, zeek::analyzer::pia::PIA* pia) { RuleEndpointState* state = new RuleEndpointState(analyzer, from_orig, opposite, pia); @@ -1420,7 +1420,7 @@ uint32_t id_to_uint(const char* id) } void RuleMatcherState::InitEndpointMatcher(zeek::analyzer::Analyzer* analyzer, const zeek::IP_Hdr* ip, - int caplen, bool from_orig, ::analyzer::pia::PIA* pia) + int caplen, bool from_orig, zeek::analyzer::pia::PIA* pia) { if ( ! rule_matcher ) return; diff --git a/src/RuleMatcher.h b/src/RuleMatcher.h index 2ad94f490a..9413e7d57c 100644 --- a/src/RuleMatcher.h +++ b/src/RuleMatcher.h @@ -37,10 +37,7 @@ ZEEK_FORWARD_DECLARE_NAMESPACED(IPPrefix, zeek); ZEEK_FORWARD_DECLARE_NAMESPACED(Val, zeek); ZEEK_FORWARD_DECLARE_NAMESPACED(Analyzer, zeek, analyzer); ZEEK_FORWARD_DECLARE_NAMESPACED(IntSet, zeek::detail); - -namespace analyzer { - namespace pia { class PIA; } -} +ZEEK_FORWARD_DECLARE_NAMESPACED(PIA, zeek, analyzer::pia); namespace zeek::detail { @@ -154,7 +151,7 @@ public: // Returns -1 if no chunk has been fed yet at all. int PayloadSize() { return payload_size; } - ::analyzer::pia::PIA* PIA() const { return pia; } + zeek::analyzer::pia::PIA* PIA() const { return pia; } private: friend class RuleMatcher; @@ -162,7 +159,7 @@ private: // Constructor is private; use RuleMatcher::InitEndpoint() // for creating an instance. RuleEndpointState(zeek::analyzer::Analyzer* arg_analyzer, bool arg_is_orig, - RuleEndpointState* arg_opposite, ::analyzer::pia::PIA* arg_PIA); + RuleEndpointState* arg_opposite, zeek::analyzer::pia::PIA* arg_PIA); struct Matcher { RE_Match_State* state; @@ -173,7 +170,7 @@ private: zeek::analyzer::Analyzer* analyzer; RuleEndpointState* opposite; - ::analyzer::pia::PIA* pia; + zeek::analyzer::pia::PIA* pia; matcher_list matchers; rule_hdr_test_list hdr_tests; @@ -267,7 +264,7 @@ public: // it needs to be given. RuleEndpointState* InitEndpoint(zeek::analyzer::Analyzer* analyzer, const zeek::IP_Hdr* ip, int caplen, RuleEndpointState* opposite, bool is_orig, - ::analyzer::pia::PIA* pia); + zeek::analyzer::pia::PIA* pia); // Finish matching for this stream. void FinishEndpoint(RuleEndpointState* state); @@ -376,7 +373,7 @@ public: // ip may be nil. void InitEndpointMatcher(zeek::analyzer::Analyzer* analyzer, const zeek::IP_Hdr* ip, - int caplen, bool from_orig, ::analyzer::pia::PIA* pia = nullptr); + int caplen, bool from_orig, zeek::analyzer::pia::PIA* pia = nullptr); // bol/eol should be set to false for type Rule::PAYLOAD; they're // deduced automatically. diff --git a/src/Sessions.cc b/src/Sessions.cc index 46690b080a..ef90e09094 100644 --- a/src/Sessions.cc +++ b/src/Sessions.cc @@ -72,7 +72,7 @@ void IPTunnelTimer::Dispatch(double t, bool is_expire) NetSessions::NetSessions() { if ( stp_correlate_pair ) - stp_manager = new ::analyzer::stepping_stone::SteppingStoneManager(); + stp_manager = new zeek::analyzer::stepping_stone::SteppingStoneManager(); else stp_manager = nullptr; @@ -96,7 +96,7 @@ NetSessions::NetSessions() pkt_profiler = nullptr; if ( arp_request || arp_reply || bad_arp ) - arp_analyzer = new ::analyzer::arp::ARP_Analyzer(); + arp_analyzer = new zeek::analyzer::arp::ARP_Analyzer(); else arp_analyzer = nullptr; @@ -403,9 +403,9 @@ void NetSessions::DoNextPacket(double t, const zeek::Packet* pkt, const zeek::IP const struct icmp* icmpp = (const struct icmp *) data; id.src_port = icmpp->icmp_type; - id.dst_port = ::analyzer::icmp::ICMP4_counterpart(icmpp->icmp_type, - icmpp->icmp_code, - id.is_one_way); + id.dst_port = zeek::analyzer::icmp::ICMP4_counterpart(icmpp->icmp_type, + icmpp->icmp_code, + id.is_one_way); id.src_port = htons(id.src_port); id.dst_port = htons(id.dst_port); @@ -419,9 +419,9 @@ void NetSessions::DoNextPacket(double t, const zeek::Packet* pkt, const zeek::IP const struct icmp* icmpp = (const struct icmp *) data; id.src_port = icmpp->icmp_type; - id.dst_port = ::analyzer::icmp::ICMP6_counterpart(icmpp->icmp_type, - icmpp->icmp_code, - id.is_one_way); + id.dst_port = zeek::analyzer::icmp::ICMP6_counterpart(icmpp->icmp_type, + icmpp->icmp_code, + id.is_one_way); id.src_port = htons(id.src_port); id.dst_port = htons(id.dst_port); @@ -1011,10 +1011,10 @@ void NetSessions::Remove(Connection* c) if ( c->ConnTransport() == TRANSPORT_TCP ) { - auto ta = static_cast<::analyzer::tcp::TCP_Analyzer*>(c->GetRootAnalyzer()); + auto ta = static_cast(c->GetRootAnalyzer()); assert(ta->IsAnalyzer("TCP")); - ::analyzer::tcp::TCP_Endpoint* to = ta->Orig(); - ::analyzer::tcp::TCP_Endpoint* tr = ta->Resp(); + zeek::analyzer::tcp::TCP_Endpoint* to = ta->Orig(); + zeek::analyzer::tcp::TCP_Endpoint* tr = ta->Resp(); tcp_stats.StateLeft(to->state, tr->state); } diff --git a/src/Sessions.h b/src/Sessions.h index 26e6d0bde7..1831323d44 100644 --- a/src/Sessions.h +++ b/src/Sessions.h @@ -23,9 +23,8 @@ namespace zeek { struct ConnID; } using ConnID [[deprecated("Remove in v4.1. Use zeek::ConnID.")]] = zeek::ConnID; ZEEK_FORWARD_DECLARE_NAMESPACED(Discarder, zeek::detail); - -namespace analyzer { namespace stepping_stone { class SteppingStoneManager; } } -namespace analyzer { namespace arp { class ARP_Analyzer; } } +ZEEK_FORWARD_DECLARE_NAMESPACED(SteppingStoneManager, zeek, analyzer::stepping_stone); +ZEEK_FORWARD_DECLARE_NAMESPACED(ARP_Analyzer, zeek, analyzer::arp); namespace zeek { @@ -95,7 +94,7 @@ public: return packet_filter; } - ::analyzer::stepping_stone::SteppingStoneManager* GetSTPManager() { return stp_manager; } + zeek::analyzer::stepping_stone::SteppingStoneManager* GetSTPManager() { return stp_manager; } unsigned int CurrentConnections() { @@ -172,7 +171,7 @@ public: unsigned int ConnectionMemoryUsage(); unsigned int ConnectionMemoryUsageConnVals(); unsigned int MemoryAllocation(); - ::analyzer::tcp::TCPStateStats tcp_stats; // keeps statistics on TCP states + zeek::analyzer::tcp::TCPStateStats tcp_stats; // keeps statistics on TCP states protected: friend class ConnCompressor; @@ -235,9 +234,9 @@ protected: using IPTunnelMap = std::map; IPTunnelMap ip_tunnels; - ::analyzer::arp::ARP_Analyzer* arp_analyzer; + zeek::analyzer::arp::ARP_Analyzer* arp_analyzer; - ::analyzer::stepping_stone::SteppingStoneManager* stp_manager; + zeek::analyzer::stepping_stone::SteppingStoneManager* stp_manager; zeek::detail::Discarder* discarder; zeek::detail::PacketFilter* packet_filter; uint64_t num_packets_processed; diff --git a/src/analyzer/Analyzer.h b/src/analyzer/Analyzer.h index 57f176ed64..938d3b3f0d 100644 --- a/src/analyzer/Analyzer.h +++ b/src/analyzer/Analyzer.h @@ -19,6 +19,8 @@ ZEEK_FORWARD_DECLARE_NAMESPACED(Connection, zeek); ZEEK_FORWARD_DECLARE_NAMESPACED(Rule, zeek::detail); ZEEK_FORWARD_DECLARE_NAMESPACED(IP_Hdr, zeek); +ZEEK_FORWARD_DECLARE_NAMESPACED(TCP_ApplicationAnalyzer, zeek, analyzer::tcp); +ZEEK_FORWARD_DECLARE_NAMESPACED(PIA, zeek, analyzer::pia); namespace zeek { using RecordValPtr = zeek::IntrusivePtr; @@ -29,11 +31,6 @@ using FilePtr = zeek::IntrusivePtr; using BroFile [[deprecated("Remove in v4.1. Use zeek::File.")]] = zeek::File; using BroFilePtr [[deprecated("Remove in v4.1. Use zeek::FilePtr.")]] = zeek::FilePtr; -namespace analyzer { -namespace tcp { class TCP_ApplicationAnalyzer; } -namespace pia { class PIA; } -} - namespace zeek::analyzer { class Analyzer; @@ -633,7 +630,7 @@ protected: friend class AnalyzerTimer; friend class Manager; friend class zeek::Connection; - friend class ::analyzer::tcp::TCP_ApplicationAnalyzer; + friend class zeek::analyzer::tcp::TCP_ApplicationAnalyzer; /** * Return a string represantation of an analyzer, containing its name @@ -938,13 +935,13 @@ public: * transport-layer input and determine which protocol analyzer(s) to * use for parsing it. */ - void SetPIA(::analyzer::pia::PIA* arg_PIA) { pia = arg_PIA; } + void SetPIA(zeek::analyzer::pia::PIA* arg_PIA) { pia = arg_PIA; } /** * Returns the associated PIA, or null of none. Does not take * ownership. */ - ::analyzer::pia::PIA* GetPIA() const { return pia; } + zeek::analyzer::pia::PIA* GetPIA() const { return pia; } /** * Helper to raise a \c packet_contents event. @@ -956,7 +953,7 @@ public: void PacketContents(const u_char* data, int len); private: - ::analyzer::pia::PIA* pia; + zeek::analyzer::pia::PIA* pia; }; } // namespace zeek::analyzer diff --git a/src/analyzer/Manager.cc b/src/analyzer/Manager.cc index 75bb28d1db..82e230f761 100644 --- a/src/analyzer/Manager.cc +++ b/src/analyzer/Manager.cc @@ -20,7 +20,7 @@ using namespace zeek::analyzer; Manager::ConnIndex::ConnIndex(const IPAddr& _orig, const IPAddr& _resp, - uint16_t _resp_p, uint16_t _proto) + uint16_t _resp_p, uint16_t _proto) { if ( _orig == IPAddr::v4_unspecified ) // don't use the IPv4 mapping, use the literal unspecified address @@ -360,31 +360,29 @@ Manager::tag_set* Manager::LookupPort(zeek::PortVal* val, bool add_if_not_found) bool Manager::BuildInitialAnalyzerTree(Connection* conn) { - ::analyzer::tcp::TCP_Analyzer* tcp = nullptr; - ::analyzer::udp::UDP_Analyzer* udp = nullptr; - ::analyzer::icmp::ICMP_Analyzer* icmp = nullptr; + zeek::analyzer::tcp::TCP_Analyzer* tcp = nullptr; TransportLayerAnalyzer* root = nullptr; - ::analyzer::pia::PIA* pia = nullptr; + zeek::analyzer::pia::PIA* pia = nullptr; bool check_port = false; switch ( conn->ConnTransport() ) { case TRANSPORT_TCP: - root = tcp = new ::analyzer::tcp::TCP_Analyzer(conn); - pia = new ::analyzer::pia::PIA_TCP(conn); + root = tcp = new zeek::analyzer::tcp::TCP_Analyzer(conn); + pia = new zeek::analyzer::pia::PIA_TCP(conn); check_port = true; DBG_ANALYZER(conn, "activated TCP analyzer"); break; case TRANSPORT_UDP: - root = udp = new ::analyzer::udp::UDP_Analyzer(conn); - pia = new ::analyzer::pia::PIA_UDP(conn); + root = new zeek::analyzer::udp::UDP_Analyzer(conn); + pia = new zeek::analyzer::pia::PIA_UDP(conn); check_port = true; DBG_ANALYZER(conn, "activated UDP analyzer"); break; case TRANSPORT_ICMP: { - root = icmp = new ::analyzer::icmp::ICMP_Analyzer(conn); + root = new zeek::analyzer::icmp::ICMP_Analyzer(conn); DBG_ANALYZER(conn, "activated ICMP analyzer"); break; } @@ -466,14 +464,14 @@ bool Manager::BuildInitialAnalyzerTree(Connection* conn) auto src = zeek::make_intrusive(conn->OrigAddr()); if ( ! stp_skip_src->FindOrDefault(src) ) - tcp->AddChildAnalyzer(new ::analyzer::stepping_stone::SteppingStone_Analyzer(conn), false); + tcp->AddChildAnalyzer(new zeek::analyzer::stepping_stone::SteppingStone_Analyzer(conn), false); } } if ( IsEnabled(analyzer_tcpstats) ) // Add TCPStats analyzer. This needs to see packets so // we cannot add it as a normal child. - tcp->AddChildPacketAnalyzer(new ::analyzer::tcp::TCPStats_Analyzer(conn)); + tcp->AddChildPacketAnalyzer(new zeek::analyzer::tcp::TCPStats_Analyzer(conn)); if ( IsEnabled(analyzer_connsize) ) // Add ConnSize analyzer. Needs to see packets, not stream. diff --git a/src/analyzer/protocol/arp/ARP.cc b/src/analyzer/protocol/arp/ARP.cc index 9f0c9be579..8896d911ba 100644 --- a/src/analyzer/protocol/arp/ARP.cc +++ b/src/analyzer/protocol/arp/ARP.cc @@ -7,7 +7,7 @@ #include "events.bif.h" -using namespace analyzer::arp; +namespace zeek::analyzer::arp { ARP_Analyzer::ARP_Analyzer() { @@ -240,3 +240,5 @@ zeek::StringValPtr ARP_Analyzer::ToEthAddrStr(const u_char* addr) addr[0], addr[1], addr[2], addr[3], addr[4], addr[5]); return zeek::make_intrusive(buf); } + +} // namespace zeek::analyzer::arp diff --git a/src/analyzer/protocol/arp/ARP.h b/src/analyzer/protocol/arp/ARP.h index 3f85f69d30..d3d2fdc052 100644 --- a/src/analyzer/protocol/arp/ARP.h +++ b/src/analyzer/protocol/arp/ARP.h @@ -30,7 +30,7 @@ extern "C" { #include } -namespace analyzer::arp { +namespace zeek::analyzer::arp { class ARP_Analyzer : public zeek::Obj { public: @@ -57,4 +57,8 @@ protected: void Corrupted(const char* string); }; -} // namespace analyzer::arp +} // namespace zeek::analyzer::arp + +namespace analyer::arp { + using ARP_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::arp::ARP_Analyzer.")]] = zeek::analyzer::arp::ARP_Analyzer; +} diff --git a/src/analyzer/protocol/bittorrent/BitTorrent.cc b/src/analyzer/protocol/bittorrent/BitTorrent.cc index c9eabac6ff..f9e09847df 100644 --- a/src/analyzer/protocol/bittorrent/BitTorrent.cc +++ b/src/analyzer/protocol/bittorrent/BitTorrent.cc @@ -8,7 +8,7 @@ using namespace analyzer::bittorrent; BitTorrent_Analyzer::BitTorrent_Analyzer(zeek::Connection* c) -: tcp::TCP_ApplicationAnalyzer("BITTORRENT", c) +: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("BITTORRENT", c) { interp = new binpac::BitTorrent::BitTorrent_Conn(this); stop_orig = stop_resp = false; @@ -22,7 +22,7 @@ BitTorrent_Analyzer::~BitTorrent_Analyzer() void BitTorrent_Analyzer::Done() { - tcp::TCP_ApplicationAnalyzer::Done(); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); interp->FlowEOF(true); interp->FlowEOF(false); @@ -33,7 +33,7 @@ void BitTorrent_Analyzer::DeliverStream(int len, const u_char* data, bool orig) uint64_t& this_stream_len = orig ? stream_len_orig : stream_len_resp; bool& this_stop = orig ? stop_orig : stop_resp; - tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); assert(TCP()); @@ -70,7 +70,7 @@ void BitTorrent_Analyzer::DeliverStream(int len, const u_char* data, bool orig) void BitTorrent_Analyzer::Undelivered(uint64_t seq, int len, bool orig) { - tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); // TODO: Code commented out for now. I think that shoving data that // is definitely wrong into the parser seems like a really bad idea. @@ -112,7 +112,7 @@ void BitTorrent_Analyzer::Undelivered(uint64_t seq, int len, bool orig) void BitTorrent_Analyzer::EndpointEOF(bool is_orig) { - tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); interp->FlowEOF(is_orig); } diff --git a/src/analyzer/protocol/bittorrent/BitTorrent.h b/src/analyzer/protocol/bittorrent/BitTorrent.h index 17c42336ed..6a4306baec 100644 --- a/src/analyzer/protocol/bittorrent/BitTorrent.h +++ b/src/analyzer/protocol/bittorrent/BitTorrent.h @@ -8,7 +8,7 @@ namespace analyzer { namespace bittorrent { -class BitTorrent_Analyzer final : public tcp::TCP_ApplicationAnalyzer { +class BitTorrent_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { public: explicit BitTorrent_Analyzer(zeek::Connection* conn); ~BitTorrent_Analyzer() override; diff --git a/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc b/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc index 2b72028148..a4a0662c08 100644 --- a/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc +++ b/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc @@ -22,7 +22,7 @@ static zeek::RecordTypePtr bittorrent_benc_value; static zeek::TableTypePtr bittorrent_benc_dir; BitTorrentTracker_Analyzer::BitTorrentTracker_Analyzer(zeek::Connection* c) -: tcp::TCP_ApplicationAnalyzer("BITTORRENTTRACKER", c) +: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("BITTORRENTTRACKER", c) { if ( ! bt_tracker_headers ) { @@ -78,13 +78,13 @@ BitTorrentTracker_Analyzer::~BitTorrentTracker_Analyzer() void BitTorrentTracker_Analyzer::Done() { - tcp::TCP_ApplicationAnalyzer::Done(); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); } void BitTorrentTracker_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); assert(TCP()); @@ -208,7 +208,7 @@ void BitTorrentTracker_Analyzer::ServerReply(int len, const u_char* data) void BitTorrentTracker_Analyzer::Undelivered(uint64_t seq, int len, bool orig) { - tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); ProtocolViolation("BitTorrentTracker: cannot recover from content gap"); @@ -220,7 +220,7 @@ void BitTorrentTracker_Analyzer::Undelivered(uint64_t seq, int len, bool orig) void BitTorrentTracker_Analyzer::EndpointEOF(bool is_orig) { - tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); } void BitTorrentTracker_Analyzer::InitBencParser(void) diff --git a/src/analyzer/protocol/bittorrent/BitTorrentTracker.h b/src/analyzer/protocol/bittorrent/BitTorrentTracker.h index 23186110ca..6b7c6defbd 100644 --- a/src/analyzer/protocol/bittorrent/BitTorrentTracker.h +++ b/src/analyzer/protocol/bittorrent/BitTorrentTracker.h @@ -43,7 +43,7 @@ enum btt_benc_states { BENC_STATE_STR2, }; -class BitTorrentTracker_Analyzer final : public tcp::TCP_ApplicationAnalyzer { +class BitTorrentTracker_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { public: explicit BitTorrentTracker_Analyzer(zeek::Connection* conn); ~BitTorrentTracker_Analyzer() override; diff --git a/src/analyzer/protocol/dce-rpc/DCE_RPC.cc b/src/analyzer/protocol/dce-rpc/DCE_RPC.cc index 8f2610e24f..022ac998cc 100644 --- a/src/analyzer/protocol/dce-rpc/DCE_RPC.cc +++ b/src/analyzer/protocol/dce-rpc/DCE_RPC.cc @@ -13,7 +13,7 @@ using namespace std; using namespace analyzer::dce_rpc; DCE_RPC_Analyzer::DCE_RPC_Analyzer(zeek::Connection* conn) -: tcp::TCP_ApplicationAnalyzer("DCE_RPC", conn) + : zeek::analyzer::tcp::TCP_ApplicationAnalyzer("DCE_RPC", conn) { had_gap = false; interp = new binpac::DCE_RPC::DCE_RPC_Conn(this); diff --git a/src/analyzer/protocol/dce-rpc/DCE_RPC.h b/src/analyzer/protocol/dce-rpc/DCE_RPC.h index 6954dc290a..50676d91c2 100644 --- a/src/analyzer/protocol/dce-rpc/DCE_RPC.h +++ b/src/analyzer/protocol/dce-rpc/DCE_RPC.h @@ -11,7 +11,7 @@ namespace analyzer { namespace dce_rpc { -class DCE_RPC_Analyzer final : public tcp::TCP_ApplicationAnalyzer { +class DCE_RPC_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { public: explicit DCE_RPC_Analyzer(zeek::Connection* conn); ~DCE_RPC_Analyzer() override; diff --git a/src/analyzer/protocol/dnp3/DNP3.h b/src/analyzer/protocol/dnp3/DNP3.h index ee690b9220..c18e508310 100644 --- a/src/analyzer/protocol/dnp3/DNP3.h +++ b/src/analyzer/protocol/dnp3/DNP3.h @@ -61,7 +61,7 @@ protected: Endpoint resp_state; }; -class DNP3_TCP_Analyzer : public DNP3_Base, public tcp::TCP_ApplicationAnalyzer { +class DNP3_TCP_Analyzer : public DNP3_Base, public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { public: explicit DNP3_TCP_Analyzer(zeek::Connection* conn); ~DNP3_TCP_Analyzer() override; diff --git a/src/analyzer/protocol/dns/DNS.cc b/src/analyzer/protocol/dns/DNS.cc index 3d8d8cc0ab..931a078ceb 100644 --- a/src/analyzer/protocol/dns/DNS.cc +++ b/src/analyzer/protocol/dns/DNS.cc @@ -1797,7 +1797,7 @@ zeek::RecordValPtr DNS_MsgInfo::BuildDS_Val(DS_DATA* ds) Contents_DNS::Contents_DNS(zeek::Connection* conn, bool orig, DNS_Interpreter* arg_interp) -: tcp::TCP_SupportAnalyzer("CONTENTS_DNS", conn, orig) +: zeek::analyzer::tcp::TCP_SupportAnalyzer("CONTENTS_DNS", conn, orig) { interp = arg_interp; @@ -1890,7 +1890,7 @@ void Contents_DNS::ProcessChunk(int& len, const u_char*& data, bool orig) } DNS_Analyzer::DNS_Analyzer(zeek::Connection* conn) -: tcp::TCP_ApplicationAnalyzer("DNS", conn) +: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("DNS", conn) { interp = new DNS_Interpreter(this); contents_dns_orig = contents_dns_resp = nullptr; @@ -1921,7 +1921,7 @@ void DNS_Analyzer::Init() void DNS_Analyzer::Done() { - tcp::TCP_ApplicationAnalyzer::Done(); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); if ( Conn()->ConnTransport() == TRANSPORT_UDP ) Event(udp_session_done); @@ -1932,15 +1932,16 @@ void DNS_Analyzer::Done() void DNS_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64_t seq, const zeek::IP_Hdr* ip, int caplen) { - tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen); interp->ParseMessage(data, len, orig ? 1 : 0); } -void DNS_Analyzer::ConnectionClosed(tcp::TCP_Endpoint* endpoint, tcp::TCP_Endpoint* peer, - bool gen_event) +void DNS_Analyzer::ConnectionClosed(zeek::analyzer::tcp::TCP_Endpoint* endpoint, + zeek::analyzer::tcp::TCP_Endpoint* peer, + bool gen_event) { - tcp::TCP_ApplicationAnalyzer::ConnectionClosed(endpoint, peer, gen_event); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::ConnectionClosed(endpoint, peer, gen_event); assert(contents_dns_orig && contents_dns_resp); contents_dns_orig->Flush(); diff --git a/src/analyzer/protocol/dns/DNS.h b/src/analyzer/protocol/dns/DNS.h index 57b14e1e48..1754274a8d 100644 --- a/src/analyzer/protocol/dns/DNS.h +++ b/src/analyzer/protocol/dns/DNS.h @@ -369,7 +369,7 @@ typedef enum { // Support analyzer which chunks the TCP stream into "packets". // ### This should be merged with TCP_Contents_RPC. -class Contents_DNS final : public tcp::TCP_SupportAnalyzer { +class Contents_DNS final : public zeek::analyzer::tcp::TCP_SupportAnalyzer { public: Contents_DNS(zeek::Connection* c, bool orig, DNS_Interpreter* interp); ~Contents_DNS() override; @@ -392,7 +392,7 @@ protected: }; // Works for both TCP and UDP. -class DNS_Analyzer final : public tcp::TCP_ApplicationAnalyzer { +class DNS_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { public: explicit DNS_Analyzer(zeek::Connection* conn); ~DNS_Analyzer() override; @@ -402,8 +402,8 @@ public: void Init() override; void Done() override; - void ConnectionClosed(tcp::TCP_Endpoint* endpoint, - tcp::TCP_Endpoint* peer, bool gen_event) override; + void ConnectionClosed(zeek::analyzer::tcp::TCP_Endpoint* endpoint, + zeek::analyzer::tcp::TCP_Endpoint* peer, bool gen_event) override; void ExpireTimer(double t); static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) diff --git a/src/analyzer/protocol/file/File.cc b/src/analyzer/protocol/file/File.cc index 22cb3486c3..9c6ec217d4 100644 --- a/src/analyzer/protocol/file/File.cc +++ b/src/analyzer/protocol/file/File.cc @@ -19,7 +19,7 @@ File_Analyzer::File_Analyzer(const char* name, zeek::Connection* conn) void File_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); int n = std::min(len, BUFFER_SIZE - buffer_len); @@ -54,7 +54,7 @@ void File_Analyzer::Undelivered(uint64_t seq, int len, bool orig) void File_Analyzer::Done() { - tcp::TCP_ApplicationAnalyzer::Done(); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); if ( buffer_len && buffer_len != BUFFER_SIZE ) Identify(); diff --git a/src/analyzer/protocol/file/File.h b/src/analyzer/protocol/file/File.h index bbc6a47272..a9903ac81e 100644 --- a/src/analyzer/protocol/file/File.h +++ b/src/analyzer/protocol/file/File.h @@ -8,7 +8,7 @@ namespace analyzer { namespace file { -class File_Analyzer : public tcp::TCP_ApplicationAnalyzer { +class File_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { public: File_Analyzer(const char* name, zeek::Connection* conn); diff --git a/src/analyzer/protocol/finger/Finger.cc b/src/analyzer/protocol/finger/Finger.cc index b6c1042a3d..8dfba74f2d 100644 --- a/src/analyzer/protocol/finger/Finger.cc +++ b/src/analyzer/protocol/finger/Finger.cc @@ -14,24 +14,24 @@ using namespace analyzer::finger; Finger_Analyzer::Finger_Analyzer(zeek::Connection* conn) -: tcp::TCP_ApplicationAnalyzer("FINGER", conn) +: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("FINGER", conn) { did_deliver = 0; - content_line_orig = new tcp::ContentLine_Analyzer(conn, true, 1000); + content_line_orig = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, true, 1000); content_line_orig->SetIsNULSensitive(true); - content_line_resp = new tcp::ContentLine_Analyzer(conn, false, 1000); + content_line_resp = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, false, 1000); AddSupportAnalyzer(content_line_orig); AddSupportAnalyzer(content_line_resp); } void Finger_Analyzer::Done() { - tcp::TCP_ApplicationAnalyzer::Done(); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); if ( TCP() ) if ( (! did_deliver || content_line_orig->HasPartialLine()) && - (TCP()->OrigState() == tcp::TCP_ENDPOINT_CLOSED || - TCP()->OrigPrevState() == tcp::TCP_ENDPOINT_CLOSED) ) + (TCP()->OrigState() == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED || + TCP()->OrigPrevState() == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED) ) // ### should include the partial text Weird("partial_finger_request"); } diff --git a/src/analyzer/protocol/finger/Finger.h b/src/analyzer/protocol/finger/Finger.h index 20c21def80..43eaf43426 100644 --- a/src/analyzer/protocol/finger/Finger.h +++ b/src/analyzer/protocol/finger/Finger.h @@ -7,7 +7,7 @@ namespace analyzer { namespace finger { -class Finger_Analyzer : public tcp::TCP_ApplicationAnalyzer { +class Finger_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { public: explicit Finger_Analyzer(zeek::Connection* conn); ~Finger_Analyzer() override {} @@ -20,8 +20,8 @@ public: { return new Finger_Analyzer(conn); } protected: - tcp::ContentLine_Analyzer* content_line_orig; - tcp::ContentLine_Analyzer* content_line_resp; + zeek::analyzer::tcp::ContentLine_Analyzer* content_line_orig; + zeek::analyzer::tcp::ContentLine_Analyzer* content_line_resp; int did_deliver; }; diff --git a/src/analyzer/protocol/ftp/FTP.cc b/src/analyzer/protocol/ftp/FTP.cc index 3fa86830ff..d635d1caec 100644 --- a/src/analyzer/protocol/ftp/FTP.cc +++ b/src/analyzer/protocol/ftp/FTP.cc @@ -18,7 +18,7 @@ using namespace analyzer::ftp; FTP_Analyzer::FTP_Analyzer(zeek::Connection* conn) -: tcp::TCP_ApplicationAnalyzer("FTP", conn) +: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("FTP", conn) { pending_reply = 0; @@ -43,11 +43,11 @@ FTP_Analyzer::FTP_Analyzer(zeek::Connection* conn) void FTP_Analyzer::Done() { - tcp::TCP_ApplicationAnalyzer::Done(); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); if ( nvt_orig->HasPartialLine() && - (TCP()->OrigState() == tcp::TCP_ENDPOINT_CLOSED || - TCP()->OrigPrevState() == tcp::TCP_ENDPOINT_CLOSED) ) + (TCP()->OrigState() == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED || + TCP()->OrigPrevState() == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED) ) // ### should include the partial text Weird("partial_ftp_request"); } @@ -62,7 +62,7 @@ static uint32_t get_reply_code(int len, const char* line) void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig) { - tcp::TCP_ApplicationAnalyzer::DeliverStream(length, data, orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(length, data, orig); if ( (orig && ! ftp_request) || (! orig && ! ftp_reply) ) return; diff --git a/src/analyzer/protocol/ftp/FTP.h b/src/analyzer/protocol/ftp/FTP.h index aab729ea3d..fde1827826 100644 --- a/src/analyzer/protocol/ftp/FTP.h +++ b/src/analyzer/protocol/ftp/FTP.h @@ -8,7 +8,7 @@ namespace analyzer { namespace login { class NVT_Analyzer; }} namespace analyzer { namespace ftp { -class FTP_Analyzer final : public tcp::TCP_ApplicationAnalyzer { +class FTP_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { public: explicit FTP_Analyzer(zeek::Connection* conn); diff --git a/src/analyzer/protocol/gnutella/Gnutella.cc b/src/analyzer/protocol/gnutella/Gnutella.cc index d5dc545dff..69523da1fa 100644 --- a/src/analyzer/protocol/gnutella/Gnutella.cc +++ b/src/analyzer/protocol/gnutella/Gnutella.cc @@ -34,7 +34,7 @@ GnutellaMsgState::GnutellaMsgState() Gnutella_Analyzer::Gnutella_Analyzer(zeek::Connection* conn) -: tcp::TCP_ApplicationAnalyzer("GNUTELLA", conn) +: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("GNUTELLA", conn) { state = 0; new_state = 0; @@ -54,7 +54,7 @@ Gnutella_Analyzer::~Gnutella_Analyzer() void Gnutella_Analyzer::Done() { - tcp::TCP_ApplicationAnalyzer::Done(); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); if ( ! sent_establish && (gnutella_establish || gnutella_not_establish) ) { @@ -126,9 +126,9 @@ bool Gnutella_Analyzer::IsHTTP(std::string header) if ( Parent()->IsAnalyzer("TCP") ) { // Replay buffered data. - pia::PIA* pia = static_cast(Parent())->GetPIA(); + zeek::analyzer::pia::PIA* pia = static_cast(Parent())->GetPIA(); if ( pia ) - static_cast(pia)->ReplayStreamBuffer(a); + static_cast(pia)->ReplayStreamBuffer(a); } Parent()->RemoveChildAnalyzer(this); @@ -301,7 +301,7 @@ void Gnutella_Analyzer::DeliverMessages(int len, const u_char* data, bool orig) void Gnutella_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); ms = orig ? orig_msg_state : resp_msg_state; ms->current_offset = 0; diff --git a/src/analyzer/protocol/gnutella/Gnutella.h b/src/analyzer/protocol/gnutella/Gnutella.h index da3633e085..9201ccadba 100644 --- a/src/analyzer/protocol/gnutella/Gnutella.h +++ b/src/analyzer/protocol/gnutella/Gnutella.h @@ -33,7 +33,7 @@ public: }; -class Gnutella_Analyzer : public tcp::TCP_ApplicationAnalyzer { +class Gnutella_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { public: explicit Gnutella_Analyzer(zeek::Connection* conn); ~Gnutella_Analyzer() override; diff --git a/src/analyzer/protocol/gssapi/GSSAPI.cc b/src/analyzer/protocol/gssapi/GSSAPI.cc index 6f52240f4c..9fdf35be3f 100644 --- a/src/analyzer/protocol/gssapi/GSSAPI.cc +++ b/src/analyzer/protocol/gssapi/GSSAPI.cc @@ -8,7 +8,7 @@ using namespace analyzer::gssapi; GSSAPI_Analyzer::GSSAPI_Analyzer(zeek::Connection* c) - : tcp::TCP_ApplicationAnalyzer("GSSAPI", c) + : zeek::analyzer::tcp::TCP_ApplicationAnalyzer("GSSAPI", c) { interp = new binpac::GSSAPI::GSSAPI_Conn(this); } @@ -20,7 +20,7 @@ GSSAPI_Analyzer::~GSSAPI_Analyzer() void GSSAPI_Analyzer::Done() { - tcp::TCP_ApplicationAnalyzer::Done(); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); interp->FlowEOF(true); interp->FlowEOF(false); @@ -28,13 +28,13 @@ void GSSAPI_Analyzer::Done() void GSSAPI_Analyzer::EndpointEOF(bool is_orig) { - tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); interp->FlowEOF(is_orig); } void GSSAPI_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); assert(TCP()); @@ -51,6 +51,6 @@ void GSSAPI_Analyzer::DeliverStream(int len, const u_char* data, bool orig) void GSSAPI_Analyzer::Undelivered(uint64_t seq, int len, bool orig) { - tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); interp->NewGap(orig, len); } diff --git a/src/analyzer/protocol/gssapi/GSSAPI.h b/src/analyzer/protocol/gssapi/GSSAPI.h index dec78a324b..d230a0c951 100644 --- a/src/analyzer/protocol/gssapi/GSSAPI.h +++ b/src/analyzer/protocol/gssapi/GSSAPI.h @@ -9,7 +9,7 @@ namespace analyzer { namespace gssapi { -class GSSAPI_Analyzer final : public tcp::TCP_ApplicationAnalyzer { +class GSSAPI_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { public: explicit GSSAPI_Analyzer(zeek::Connection* conn); @@ -21,7 +21,7 @@ public: void DeliverStream(int len, const u_char* data, bool orig) override; void Undelivered(uint64_t seq, int len, bool orig) override; - // Overriden from tcp::TCP_ApplicationAnalyzer. + // Overriden from zeek::analyzer::tcp::TCP_ApplicationAnalyzer. void EndpointEOF(bool is_orig) override; static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) diff --git a/src/analyzer/protocol/http/HTTP.cc b/src/analyzer/protocol/http/HTTP.cc index d3e4f4fe3d..ced07017f9 100644 --- a/src/analyzer/protocol/http/HTTP.cc +++ b/src/analyzer/protocol/http/HTTP.cc @@ -595,8 +595,8 @@ void HTTP_Entity::SubmitAllHeaders() } HTTP_Message::HTTP_Message(HTTP_Analyzer* arg_analyzer, - tcp::ContentLine_Analyzer* arg_cl, bool arg_is_orig, - int expect_body, int64_t init_header_length) + zeek::analyzer::tcp::ContentLine_Analyzer* arg_cl, bool arg_is_orig, + int expect_body, int64_t init_header_length) : MIME_Message (arg_analyzer) { analyzer = arg_analyzer; @@ -836,7 +836,7 @@ void HTTP_Message::Weird(const char* msg) } HTTP_Analyzer::HTTP_Analyzer(zeek::Connection* conn) -: tcp::TCP_ApplicationAnalyzer("HTTP", conn) +: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("HTTP", conn) { num_requests = num_replies = 0; num_request_lines = num_reply_lines = 0; @@ -858,10 +858,10 @@ HTTP_Analyzer::HTTP_Analyzer(zeek::Connection* conn) upgrade_connection = false; upgrade_protocol.clear(); - content_line_orig = new tcp::ContentLine_Analyzer(conn, true); + content_line_orig = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, true); AddSupportAnalyzer(content_line_orig); - content_line_resp = new tcp::ContentLine_Analyzer(conn, false); + content_line_resp = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, false); content_line_resp->SetSkipPartial(true); AddSupportAnalyzer(content_line_resp); } @@ -871,7 +871,7 @@ void HTTP_Analyzer::Done() if ( IsFinished() ) return; - tcp::TCP_ApplicationAnalyzer::Done(); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); RequestMade(true, "message interrupted when connection done"); ReplyMade(true, "message interrupted when connection done"); @@ -897,7 +897,7 @@ void HTTP_Analyzer::Done() void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig) { - tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig); if ( TCP() && TCP()->IsPartial() ) return; @@ -916,7 +916,7 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig) const char* line = reinterpret_cast(data); const char* end_of_line = line + len; - tcp::ContentLine_Analyzer* content_line = + zeek::analyzer::tcp::ContentLine_Analyzer* content_line = is_orig ? content_line_orig : content_line_resp; if ( content_line->IsPlainDelivery() ) @@ -1048,7 +1048,7 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig) { // End of message header reached, set up // tunnel decapsulation. - pia = new pia::PIA_TCP(Conn()); + pia = new zeek::analyzer::pia::PIA_TCP(Conn()); if ( AddChildAnalyzer(pia) ) { @@ -1080,14 +1080,14 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig) void HTTP_Analyzer::Undelivered(uint64_t seq, int len, bool is_orig) { - tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig); // DEBUG_MSG("Undelivered from %"PRIu64": %d bytes\n", seq, length); HTTP_Message* msg = is_orig ? request_message : reply_message; - tcp::ContentLine_Analyzer* content_line = + zeek::analyzer::tcp::ContentLine_Analyzer* content_line = is_orig ? content_line_orig : content_line_resp; if ( ! content_line->IsSkippedContents(seq, len) ) @@ -1123,7 +1123,7 @@ void HTTP_Analyzer::Undelivered(uint64_t seq, int len, bool is_orig) void HTTP_Analyzer::EndpointEOF(bool is_orig) { - tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); // DEBUG_MSG("%.6f eof\n", network_time); @@ -1135,7 +1135,7 @@ void HTTP_Analyzer::EndpointEOF(bool is_orig) void HTTP_Analyzer::ConnectionFinished(bool half_finished) { - tcp::TCP_ApplicationAnalyzer::ConnectionFinished(half_finished); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::ConnectionFinished(half_finished); // DEBUG_MSG("%.6f connection finished\n", network_time); RequestMade(true, "message ends as connection is finished"); @@ -1144,7 +1144,7 @@ void HTTP_Analyzer::ConnectionFinished(bool half_finished) void HTTP_Analyzer::ConnectionReset() { - tcp::TCP_ApplicationAnalyzer::ConnectionReset(); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::ConnectionReset(); RequestMade(true, "message interrupted by RST"); ReplyMade(true, "message interrupted by RST"); @@ -1152,7 +1152,7 @@ void HTTP_Analyzer::ConnectionReset() void HTTP_Analyzer::PacketWithRST() { - tcp::TCP_ApplicationAnalyzer::PacketWithRST(); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::PacketWithRST(); RequestMade(true, "message interrupted by RST"); ReplyMade(true, "message interrupted by RST"); @@ -1680,8 +1680,8 @@ void HTTP_Analyzer::HTTP_MessageDone(bool is_orig, HTTP_Message* /* message */) ReplyMade(false, "message ends normally"); } -void HTTP_Analyzer::InitHTTPMessage(tcp::ContentLine_Analyzer* cl, HTTP_Message*& message, - bool is_orig, int expect_body, int64_t init_header_length) +void HTTP_Analyzer::InitHTTPMessage(zeek::analyzer::tcp::ContentLine_Analyzer* cl, HTTP_Message*& message, + bool is_orig, int expect_body, int64_t init_header_length) { if ( message ) { diff --git a/src/analyzer/protocol/http/HTTP.h b/src/analyzer/protocol/http/HTTP.h index 64fb9aa8f8..874e859044 100644 --- a/src/analyzer/protocol/http/HTTP.h +++ b/src/analyzer/protocol/http/HTTP.h @@ -100,8 +100,8 @@ class HTTP_Message final : public mime::MIME_Message { friend class HTTP_Entity; public: - HTTP_Message(HTTP_Analyzer* analyzer, tcp::ContentLine_Analyzer* cl, - bool is_orig, int expect_body, int64_t init_header_length); + HTTP_Message(HTTP_Analyzer* analyzer, zeek::analyzer::tcp::ContentLine_Analyzer* cl, + bool is_orig, int expect_body, int64_t init_header_length); ~HTTP_Message() override; void Done(bool interrupted, const char* msg); void Done() override { Done(false, "message ends normally"); } @@ -129,7 +129,7 @@ public: protected: HTTP_Analyzer* analyzer; - tcp::ContentLine_Analyzer* content_line; + zeek::analyzer::tcp::ContentLine_Analyzer* content_line; bool is_orig; char* entity_data_buffer; @@ -148,7 +148,7 @@ protected: zeek::RecordValPtr BuildMessageStat(bool interrupted, const char* msg); }; -class HTTP_Analyzer final : public tcp::TCP_ApplicationAnalyzer { +class HTTP_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { public: HTTP_Analyzer(zeek::Connection* conn); @@ -168,7 +168,7 @@ public: void DeliverStream(int len, const u_char* data, bool orig) override; void Undelivered(uint64_t seq, int len, bool orig) override; - // Overriden from tcp::TCP_ApplicationAnalyzer + // Overriden from zeek::analyzer::tcp::TCP_ApplicationAnalyzer void EndpointEOF(bool is_orig) override; void ConnectionFinished(bool half_finished) override; void ConnectionReset() override; @@ -210,8 +210,8 @@ protected: int HTTP_RequestLine(const char* line, const char* end_of_line); int HTTP_ReplyLine(const char* line, const char* end_of_line); - void InitHTTPMessage(tcp::ContentLine_Analyzer* cl, HTTP_Message*& message, bool is_orig, - int expect_body, int64_t init_header_length); + void InitHTTPMessage(zeek::analyzer::tcp::ContentLine_Analyzer* cl, HTTP_Message*& message, bool is_orig, + int expect_body, int64_t init_header_length); const char* PrefixMatch(const char* line, const char* end_of_line, const char* prefix); @@ -248,7 +248,7 @@ protected: int request_ongoing, reply_ongoing; bool connect_request; - pia::PIA_TCP *pia; + zeek::analyzer::pia::PIA_TCP *pia; // set to true after a connection was upgraded bool upgraded; // set to true when encountering an "connection" header in a reply. @@ -271,8 +271,8 @@ protected: int reply_code; zeek::StringValPtr reply_reason_phrase; - tcp::ContentLine_Analyzer* content_line_orig; - tcp::ContentLine_Analyzer* content_line_resp; + zeek::analyzer::tcp::ContentLine_Analyzer* content_line_orig; + zeek::analyzer::tcp::ContentLine_Analyzer* content_line_resp; HTTP_Message* request_message; HTTP_Message* reply_message; diff --git a/src/analyzer/protocol/icmp/ICMP.cc b/src/analyzer/protocol/icmp/ICMP.cc index 4fe0347b16..bbce6be44d 100644 --- a/src/analyzer/protocol/icmp/ICMP.cc +++ b/src/analyzer/protocol/icmp/ICMP.cc @@ -18,7 +18,7 @@ #include -using namespace analyzer::icmp; +namespace zeek::analyzer::icmp { ICMP_Analyzer::ICMP_Analyzer(zeek::Connection* c) : TransportLayerAnalyzer("ICMP", c), @@ -873,7 +873,7 @@ zeek::VectorValPtr ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* da return vv; } -int analyzer::icmp::ICMP4_counterpart(int icmp_type, int icmp_code, bool& is_one_way) +int ICMP4_counterpart(int icmp_type, int icmp_code, bool& is_one_way) { is_one_way = false; @@ -901,7 +901,7 @@ int analyzer::icmp::ICMP4_counterpart(int icmp_type, int icmp_code, bool& is_one } } -int analyzer::icmp::ICMP6_counterpart(int icmp_type, int icmp_code, bool& is_one_way) +int ICMP6_counterpart(int icmp_type, int icmp_code, bool& is_one_way) { is_one_way = false; @@ -932,3 +932,5 @@ int analyzer::icmp::ICMP6_counterpart(int icmp_type, int icmp_code, bool& is_one default: is_one_way = true; return icmp_code; } } + +} // namespace zeek::analyzer::icmp diff --git a/src/analyzer/protocol/icmp/ICMP.h b/src/analyzer/protocol/icmp/ICMP.h index db12ca6a3d..edb58f2e2d 100644 --- a/src/analyzer/protocol/icmp/ICMP.h +++ b/src/analyzer/protocol/icmp/ICMP.h @@ -11,12 +11,12 @@ namespace zeek { using VectorValPtr = zeek::IntrusivePtr; } -namespace analyzer { namespace icmp { +namespace zeek::analyzer::icmp { -typedef enum { +enum ICMP_EndpointState { ICMP_INACTIVE, // no packet seen ICMP_ACTIVE, // packets seen -} ICMP_EndpointState; +}; // We do not have an PIA for ICMP (yet) and therefore derive from // RuleMatcherState to perform our own matching. @@ -98,4 +98,17 @@ private: extern int ICMP4_counterpart(int icmp_type, int icmp_code, bool& is_one_way); extern int ICMP6_counterpart(int icmp_type, int icmp_code, bool& is_one_way); -} } // namespace analyzer::* +} // namespace zeek::analyzer::icmp + +namespace analyzer::icmp { + + using ICMP_EndpointState [[deprecated("Remove in v4.1. Use zeek::analyzer::icmp::ICMP_EndpointState.")]] = zeek::analyzer::icmp::ICMP_EndpointState; + constexpr auto ICMP_INACTIVE [[deprecated("Remove in v4.1. Use zeek::analyzer::icmp::ICMP_INACTIVE.")]] = zeek::analyzer::icmp::ICMP_INACTIVE; + constexpr auto ICMP_ACTIVE [[deprecated("Remove in v4.1. Use zeek::analyzer::icmp::ICMP_ACTIVE.")]] = zeek::analyzer::icmp::ICMP_ACTIVE; + + using ICMP_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::icmp::ICMP_Analyzer.")]] = zeek::analyzer::icmp::ICMP_Analyzer; + + constexpr auto ICMP4_counterpart [[deprecated("Remove in v4.1. Use zeek::analyzer::icmp::ICMP4_counterpart.")]] = zeek::analyzer::icmp::ICMP4_counterpart; + constexpr auto ICMP6_counterpart [[deprecated("Remove in v6.1. Use zeek::analyzer::icmp::ICMP6_counterpart.")]] = zeek::analyzer::icmp::ICMP6_counterpart; + +} // namespace analyzer::icmp diff --git a/src/analyzer/protocol/icmp/Plugin.cc b/src/analyzer/protocol/icmp/Plugin.cc index 8690cf92e8..3d08378f4d 100644 --- a/src/analyzer/protocol/icmp/Plugin.cc +++ b/src/analyzer/protocol/icmp/Plugin.cc @@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() override { - AddComponent(new zeek::analyzer::Component("ICMP", ::analyzer::icmp::ICMP_Analyzer::Instantiate)); + AddComponent(new zeek::analyzer::Component("ICMP", zeek::analyzer::icmp::ICMP_Analyzer::Instantiate)); zeek::plugin::Configuration config; config.name = "Zeek::ICMP"; diff --git a/src/analyzer/protocol/ident/Ident.cc b/src/analyzer/protocol/ident/Ident.cc index b76833cca3..6dc3ce6818 100644 --- a/src/analyzer/protocol/ident/Ident.cc +++ b/src/analyzer/protocol/ident/Ident.cc @@ -14,12 +14,12 @@ using namespace analyzer::ident; Ident_Analyzer::Ident_Analyzer(zeek::Connection* conn) -: tcp::TCP_ApplicationAnalyzer("IDENT", conn) +: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("IDENT", conn) { did_bad_reply = did_deliver = false; - orig_ident = new tcp::ContentLine_Analyzer(conn, true, 1000); - resp_ident = new tcp::ContentLine_Analyzer(conn, false, 1000); + orig_ident = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, true, 1000); + resp_ident = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, false, 1000); orig_ident->SetIsNULSensitive(true); resp_ident->SetIsNULSensitive(true); @@ -30,29 +30,29 @@ Ident_Analyzer::Ident_Analyzer(zeek::Connection* conn) void Ident_Analyzer::Done() { - tcp::TCP_ApplicationAnalyzer::Done(); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); if ( TCP() ) if ( (! did_deliver || orig_ident->HasPartialLine()) && - (TCP()->OrigState() == tcp::TCP_ENDPOINT_CLOSED || - TCP()->OrigPrevState() == tcp::TCP_ENDPOINT_CLOSED) && - TCP()->OrigPrevState() != tcp::TCP_ENDPOINT_PARTIAL && - TCP()->RespPrevState() != tcp::TCP_ENDPOINT_PARTIAL && - TCP()->OrigPrevState() != tcp::TCP_ENDPOINT_INACTIVE && - TCP()->RespPrevState() != tcp::TCP_ENDPOINT_INACTIVE ) + (TCP()->OrigState() == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED || + TCP()->OrigPrevState() == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED) && + TCP()->OrigPrevState() != zeek::analyzer::tcp::TCP_ENDPOINT_PARTIAL && + TCP()->RespPrevState() != zeek::analyzer::tcp::TCP_ENDPOINT_PARTIAL && + TCP()->OrigPrevState() != zeek::analyzer::tcp::TCP_ENDPOINT_INACTIVE && + TCP()->RespPrevState() != zeek::analyzer::tcp::TCP_ENDPOINT_INACTIVE ) Weird("partial_ident_request"); } void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig) { - tcp::TCP_ApplicationAnalyzer::DeliverStream(length, data, is_orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(length, data, is_orig); int remote_port, local_port; const char* line = (const char*) data; const char* orig_line = line; const char* end_of_line = line + length; - tcp::TCP_Endpoint* s = nullptr; + zeek::analyzer::tcp::TCP_Endpoint* s = nullptr; if ( TCP() ) s = is_orig ? TCP()->Orig() : TCP()->Resp(); @@ -68,9 +68,9 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig) line = ParsePair(line, end_of_line, remote_port, local_port); if ( ! line ) { - if ( s && s->state == tcp::TCP_ENDPOINT_CLOSED && - (s->prev_state == tcp::TCP_ENDPOINT_INACTIVE || - s->prev_state == tcp::TCP_ENDPOINT_PARTIAL) ) + if ( s && s->state == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED && + (s->prev_state == zeek::analyzer::tcp::TCP_ENDPOINT_INACTIVE || + s->prev_state == zeek::analyzer::tcp::TCP_ENDPOINT_PARTIAL) ) // not surprising the request is mangled. return; @@ -102,9 +102,9 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig) if ( ! line || line == end_of_line || line[0] != ':' ) { - if ( s && s->state == tcp::TCP_ENDPOINT_CLOSED && - (s->prev_state == tcp::TCP_ENDPOINT_INACTIVE || - s->prev_state == tcp::TCP_ENDPOINT_PARTIAL) ) + if ( s && s->state == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED && + (s->prev_state == zeek::analyzer::tcp::TCP_ENDPOINT_INACTIVE || + s->prev_state == zeek::analyzer::tcp::TCP_ENDPOINT_PARTIAL) ) // not surprising the request is mangled. return; diff --git a/src/analyzer/protocol/ident/Ident.h b/src/analyzer/protocol/ident/Ident.h index 7ff44d3474..0fd7f3ce5c 100644 --- a/src/analyzer/protocol/ident/Ident.h +++ b/src/analyzer/protocol/ident/Ident.h @@ -7,7 +7,7 @@ namespace analyzer { namespace ident { -class Ident_Analyzer : public tcp::TCP_ApplicationAnalyzer { +class Ident_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { public: explicit Ident_Analyzer(zeek::Connection* conn); void Done() override; @@ -26,8 +26,8 @@ protected: void BadRequest(int length, const char* line); void BadReply(int length, const char* line); - tcp::ContentLine_Analyzer* orig_ident; - tcp::ContentLine_Analyzer* resp_ident; + zeek::analyzer::tcp::ContentLine_Analyzer* orig_ident; + zeek::analyzer::tcp::ContentLine_Analyzer* resp_ident; bool did_deliver; bool did_bad_reply; diff --git a/src/analyzer/protocol/imap/IMAP.cc b/src/analyzer/protocol/imap/IMAP.cc index 54965c429c..caaaf1b4e5 100644 --- a/src/analyzer/protocol/imap/IMAP.cc +++ b/src/analyzer/protocol/imap/IMAP.cc @@ -7,7 +7,7 @@ using namespace analyzer::imap; IMAP_Analyzer::IMAP_Analyzer(zeek::Connection* conn) - : tcp::TCP_ApplicationAnalyzer("IMAP", conn) + : zeek::analyzer::tcp::TCP_ApplicationAnalyzer("IMAP", conn) { interp = new binpac::IMAP::IMAP_Conn(this); had_gap = false; @@ -21,7 +21,7 @@ IMAP_Analyzer::~IMAP_Analyzer() void IMAP_Analyzer::Done() { - tcp::TCP_ApplicationAnalyzer::Done(); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); interp->FlowEOF(true); interp->FlowEOF(false); @@ -29,13 +29,13 @@ void IMAP_Analyzer::Done() void IMAP_Analyzer::EndpointEOF(bool is_orig) { - tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); interp->FlowEOF(is_orig); } void IMAP_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); if ( tls_active ) { @@ -67,7 +67,7 @@ void IMAP_Analyzer::DeliverStream(int len, const u_char* data, bool orig) void IMAP_Analyzer::Undelivered(uint64_t seq, int len, bool orig) { - tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); had_gap = true; interp->NewGap(orig, len); } diff --git a/src/analyzer/protocol/imap/IMAP.h b/src/analyzer/protocol/imap/IMAP.h index e37a0df5d9..e1b03b157a 100644 --- a/src/analyzer/protocol/imap/IMAP.h +++ b/src/analyzer/protocol/imap/IMAP.h @@ -10,7 +10,7 @@ namespace analyzer { namespace imap { -class IMAP_Analyzer final : public tcp::TCP_ApplicationAnalyzer { +class IMAP_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { public: explicit IMAP_Analyzer(zeek::Connection* conn); ~IMAP_Analyzer() override; @@ -19,7 +19,7 @@ public: void DeliverStream(int len, const u_char* data, bool orig) override; void Undelivered(uint64_t seq, int len, bool orig) override; - // Overriden from tcp::TCP_ApplicationAnalyzer. + // Overriden from zeek::analyzer::tcp::TCP_ApplicationAnalyzer. void EndpointEOF(bool is_orig) override; void StartTLS(); diff --git a/src/analyzer/protocol/irc/IRC.cc b/src/analyzer/protocol/irc/IRC.cc index 5e4bc35703..a5fb44c720 100644 --- a/src/analyzer/protocol/irc/IRC.cc +++ b/src/analyzer/protocol/irc/IRC.cc @@ -13,7 +13,7 @@ using namespace analyzer::irc; using namespace std; IRC_Analyzer::IRC_Analyzer(zeek::Connection* conn) -: tcp::TCP_ApplicationAnalyzer("IRC", conn) +: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("IRC", conn) { invalid_msg_count = 0; invalid_msg_max_count = 20; @@ -22,15 +22,15 @@ IRC_Analyzer::IRC_Analyzer(zeek::Connection* conn) orig_zip_status = NO_ZIP; resp_zip_status = NO_ZIP; starttls = false; - cl_orig = new tcp::ContentLine_Analyzer(conn, true, 1000); + cl_orig = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, true, 1000); AddSupportAnalyzer(cl_orig); - cl_resp = new tcp::ContentLine_Analyzer(conn, false, 1000); + cl_resp = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, false, 1000); AddSupportAnalyzer(cl_resp); } void IRC_Analyzer::Done() { - tcp::TCP_ApplicationAnalyzer::Done(); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); } inline void IRC_Analyzer::SkipLeadingWhitespace(string& str) @@ -46,7 +46,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) { static auto irc_join_list = zeek::id::find_type("irc_join_list"); static auto irc_join_info = zeek::id::find_type("irc_join_info"); - tcp::TCP_ApplicationAnalyzer::DeliverStream(length, line, orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(length, line, orig); if ( starttls ) { diff --git a/src/analyzer/protocol/irc/IRC.h b/src/analyzer/protocol/irc/IRC.h index 1af05b64fd..db6544ec6f 100644 --- a/src/analyzer/protocol/irc/IRC.h +++ b/src/analyzer/protocol/irc/IRC.h @@ -9,7 +9,7 @@ namespace analyzer { namespace irc { /** * \brief Main class for analyzing IRC traffic. */ -class IRC_Analyzer final : public tcp::TCP_ApplicationAnalyzer { +class IRC_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { enum { WAIT_FOR_REGISTRATION, REGISTERED, }; enum { NO_ZIP, ACCEPT_ZIP, ZIP_LOADED, }; public: @@ -64,8 +64,8 @@ private: */ std::vector SplitWords(const std::string& input, char split); - tcp::ContentLine_Analyzer* cl_orig; - tcp::ContentLine_Analyzer* cl_resp; + zeek::analyzer::tcp::ContentLine_Analyzer* cl_orig; + zeek::analyzer::tcp::ContentLine_Analyzer* cl_resp; bool starttls; // if true, connection has been upgraded to tls }; diff --git a/src/analyzer/protocol/krb/KRB_TCP.cc b/src/analyzer/protocol/krb/KRB_TCP.cc index 270993c807..23a40dcadd 100644 --- a/src/analyzer/protocol/krb/KRB_TCP.cc +++ b/src/analyzer/protocol/krb/KRB_TCP.cc @@ -8,7 +8,7 @@ using namespace analyzer::krb_tcp; KRB_Analyzer::KRB_Analyzer(zeek::Connection* conn) - : tcp::TCP_ApplicationAnalyzer("KRB_TCP", conn) + : zeek::analyzer::tcp::TCP_ApplicationAnalyzer("KRB_TCP", conn) { interp = new binpac::KRB_TCP::KRB_Conn(this); had_gap = false; @@ -21,7 +21,7 @@ KRB_Analyzer::~KRB_Analyzer() void KRB_Analyzer::Done() { - tcp::TCP_ApplicationAnalyzer::Done(); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); interp->FlowEOF(true); interp->FlowEOF(false); @@ -29,13 +29,13 @@ void KRB_Analyzer::Done() void KRB_Analyzer::EndpointEOF(bool is_orig) { - tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); interp->FlowEOF(is_orig); } void KRB_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); assert(TCP()); if ( TCP()->IsPartial() ) @@ -59,7 +59,7 @@ void KRB_Analyzer::DeliverStream(int len, const u_char* data, bool orig) void KRB_Analyzer::Undelivered(uint64_t seq, int len, bool orig) { - tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); had_gap = true; interp->NewGap(orig, len); } diff --git a/src/analyzer/protocol/krb/KRB_TCP.h b/src/analyzer/protocol/krb/KRB_TCP.h index 6b55eec0ca..7b7a4ac3d7 100644 --- a/src/analyzer/protocol/krb/KRB_TCP.h +++ b/src/analyzer/protocol/krb/KRB_TCP.h @@ -8,7 +8,7 @@ namespace analyzer { namespace krb_tcp { -class KRB_Analyzer final : public tcp::TCP_ApplicationAnalyzer { +class KRB_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { public: explicit KRB_Analyzer(zeek::Connection* conn); @@ -18,7 +18,7 @@ public: void DeliverStream(int len, const u_char* data, bool orig) override; void Undelivered(uint64_t seq, int len, bool orig) override; - // Overriden from tcp::TCP_ApplicationAnalyzer. + // Overriden from zeek::analyzer::tcp::TCP_ApplicationAnalyzer. void EndpointEOF(bool is_orig) override; zeek::StringValPtr GetAuthenticationInfo(const zeek::String* principal, diff --git a/src/analyzer/protocol/login/Login.cc b/src/analyzer/protocol/login/Login.cc index 5e6a9b2077..c786695593 100644 --- a/src/analyzer/protocol/login/Login.cc +++ b/src/analyzer/protocol/login/Login.cc @@ -28,7 +28,7 @@ static zeek::RE_Matcher* re_login_timeouts; static zeek::RE_Matcher* init_RE(zeek::ListVal* l); Login_Analyzer::Login_Analyzer(const char* name, zeek::Connection* conn) - : tcp::TCP_ApplicationAnalyzer(name, conn), user_text() + : zeek::analyzer::tcp::TCP_ApplicationAnalyzer(name, conn), user_text() { state = LOGIN_STATE_AUTHENTICATE; num_user_lines_seen = lines_scanned = 0; @@ -80,7 +80,7 @@ Login_Analyzer::~Login_Analyzer() void Login_Analyzer::DeliverStream(int length, const u_char* line, bool orig) { - tcp::TCP_ApplicationAnalyzer::DeliverStream(length, line, orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(length, line, orig); char* str = new char[length+1]; @@ -117,8 +117,8 @@ void Login_Analyzer::NewLine(bool orig, char* line) if ( state == LOGIN_STATE_AUTHENTICATE ) { - if ( TCP()->OrigState() == tcp::TCP_ENDPOINT_PARTIAL || - TCP()->RespState() == tcp::TCP_ENDPOINT_PARTIAL ) + if ( TCP()->OrigState() == zeek::analyzer::tcp::TCP_ENDPOINT_PARTIAL || + TCP()->RespState() == zeek::analyzer::tcp::TCP_ENDPOINT_PARTIAL ) state = LOGIN_STATE_CONFUSED; // unknown login state else { @@ -364,7 +364,7 @@ void Login_Analyzer::SetEnv(bool orig, char* name, char* val) void Login_Analyzer::EndpointEOF(bool orig) { - tcp::TCP_ApplicationAnalyzer::EndpointEOF(orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(orig); if ( state == LOGIN_STATE_AUTHENTICATE && HaveTypeahead() ) { diff --git a/src/analyzer/protocol/login/Login.h b/src/analyzer/protocol/login/Login.h index 169df850e6..48c9f641d3 100644 --- a/src/analyzer/protocol/login/Login.h +++ b/src/analyzer/protocol/login/Login.h @@ -20,7 +20,7 @@ typedef enum { // Maximum # lines look after login for failure. #define MAX_LOGIN_LOOKAHEAD 10 -class Login_Analyzer : public tcp::TCP_ApplicationAnalyzer { +class Login_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { public: Login_Analyzer(const char* name, zeek::Connection* conn); ~Login_Analyzer() override; diff --git a/src/analyzer/protocol/login/NVT.cc b/src/analyzer/protocol/login/NVT.cc index d515239d82..be5d6d608b 100644 --- a/src/analyzer/protocol/login/NVT.cc +++ b/src/analyzer/protocol/login/NVT.cc @@ -308,7 +308,7 @@ void TelnetEnvironmentOption::RecvSubOption(u_char* data, int len) break; } - static_cast + static_cast (endp->Parent())->SetEnv(endp->IsOrig(), var_name, var_val); } @@ -381,7 +381,7 @@ void TelnetBinaryOption::InconsistentOption(unsigned int /* type */) NVT_Analyzer::NVT_Analyzer(zeek::Connection* conn, bool orig) - : tcp::ContentLine_Analyzer("NVT", conn, orig), options() + : zeek::analyzer::tcp::ContentLine_Analyzer("NVT", conn, orig), options() { } diff --git a/src/analyzer/protocol/login/NVT.h b/src/analyzer/protocol/login/NVT.h index b0bfb5aa6f..4b5da50e44 100644 --- a/src/analyzer/protocol/login/NVT.h +++ b/src/analyzer/protocol/login/NVT.h @@ -122,7 +122,7 @@ protected: void InconsistentOption(unsigned int type) override; }; -class NVT_Analyzer final : public tcp::ContentLine_Analyzer { +class NVT_Analyzer final : public zeek::analyzer::tcp::ContentLine_Analyzer { public: NVT_Analyzer(zeek::Connection* conn, bool orig); ~NVT_Analyzer() override; diff --git a/src/analyzer/protocol/login/RSH.cc b/src/analyzer/protocol/login/RSH.cc index 031db4cec3..3815f9f10a 100644 --- a/src/analyzer/protocol/login/RSH.cc +++ b/src/analyzer/protocol/login/RSH.cc @@ -15,7 +15,7 @@ using namespace analyzer::login; Contents_Rsh_Analyzer::Contents_Rsh_Analyzer(zeek::Connection* conn, bool orig, Rsh_Analyzer* arg_analyzer) -: tcp::ContentLine_Analyzer("CONTENTS_RSH", conn, orig) + : zeek::analyzer::tcp::ContentLine_Analyzer("CONTENTS_RSH", conn, orig) { num_bytes_to_scan = 0; analyzer = arg_analyzer; @@ -35,7 +35,7 @@ Contents_Rsh_Analyzer::~Contents_Rsh_Analyzer() void Contents_Rsh_Analyzer::DoDeliver(int len, const u_char* data) { - tcp::TCP_Analyzer* tcp = static_cast(Parent())->TCP(); + zeek::analyzer::tcp::TCP_Analyzer* tcp = static_cast(Parent())->TCP(); assert(tcp); int endp_state = IsOrig() ? tcp->OrigState() : tcp->RespState(); @@ -49,10 +49,10 @@ void Contents_Rsh_Analyzer::DoDeliver(int len, const u_char* data) switch ( state ) { case RSH_FIRST_NULL: - if ( endp_state == tcp::TCP_ENDPOINT_PARTIAL || + if ( endp_state == zeek::analyzer::tcp::TCP_ENDPOINT_PARTIAL || // We can be in closed if the data's due to // a dataful FIN being the first thing we see. - endp_state == tcp::TCP_ENDPOINT_CLOSED ) + endp_state == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED ) { state = RSH_UNKNOWN; ++len, --data; // put back c and reprocess diff --git a/src/analyzer/protocol/login/RSH.h b/src/analyzer/protocol/login/RSH.h index 1b71b5d17f..dfe8e30d3c 100644 --- a/src/analyzer/protocol/login/RSH.h +++ b/src/analyzer/protocol/login/RSH.h @@ -22,7 +22,7 @@ typedef enum { class Rsh_Analyzer; -class Contents_Rsh_Analyzer final : public tcp::ContentLine_Analyzer { +class Contents_Rsh_Analyzer final : public zeek::analyzer::tcp::ContentLine_Analyzer { public: Contents_Rsh_Analyzer(zeek::Connection* conn, bool orig, Rsh_Analyzer* analyzer); ~Contents_Rsh_Analyzer() override; diff --git a/src/analyzer/protocol/login/Rlogin.cc b/src/analyzer/protocol/login/Rlogin.cc index 68b4bdad3d..5579530658 100644 --- a/src/analyzer/protocol/login/Rlogin.cc +++ b/src/analyzer/protocol/login/Rlogin.cc @@ -12,7 +12,7 @@ using namespace analyzer::login; Contents_Rlogin_Analyzer::Contents_Rlogin_Analyzer(zeek::Connection* conn, bool orig, Rlogin_Analyzer* arg_analyzer) -: tcp::ContentLine_Analyzer("CONTENTLINE", conn, orig) + : zeek::analyzer::tcp::ContentLine_Analyzer("CONTENTLINE", conn, orig) { num_bytes_to_scan = 0; analyzer = arg_analyzer; @@ -30,7 +30,7 @@ Contents_Rlogin_Analyzer::~Contents_Rlogin_Analyzer() void Contents_Rlogin_Analyzer::DoDeliver(int len, const u_char* data) { - tcp::TCP_Analyzer* tcp = static_cast(Parent())->TCP(); + auto* tcp = static_cast(Parent())->TCP(); assert(tcp); int endp_state = IsOrig() ? tcp->OrigState() : tcp->RespState(); @@ -44,10 +44,10 @@ void Contents_Rlogin_Analyzer::DoDeliver(int len, const u_char* data) switch ( state ) { case RLOGIN_FIRST_NULL: - if ( endp_state == tcp::TCP_ENDPOINT_PARTIAL || + if ( endp_state == zeek::analyzer::tcp::TCP_ENDPOINT_PARTIAL || // We can be in closed if the data's due to // a dataful FIN being the first thing we see. - endp_state == tcp::TCP_ENDPOINT_CLOSED ) + endp_state == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED ) { state = RLOGIN_UNKNOWN; ++len, --data; // put back c and reprocess @@ -89,10 +89,10 @@ void Contents_Rlogin_Analyzer::DoDeliver(int len, const u_char* data) break; case RLOGIN_SERVER_ACK: - if ( endp_state == tcp::TCP_ENDPOINT_PARTIAL || + if ( endp_state == zeek::analyzer::tcp::TCP_ENDPOINT_PARTIAL || // We can be in closed if the data's due to // a dataful FIN being the first thing we see. - endp_state == tcp::TCP_ENDPOINT_CLOSED ) + endp_state == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED ) { state = RLOGIN_UNKNOWN; ++len, --data; // put back c and reprocess diff --git a/src/analyzer/protocol/login/Rlogin.h b/src/analyzer/protocol/login/Rlogin.h index c7ba428cf7..9d9dcd0f34 100644 --- a/src/analyzer/protocol/login/Rlogin.h +++ b/src/analyzer/protocol/login/Rlogin.h @@ -30,7 +30,7 @@ typedef enum { class Rlogin_Analyzer; -class Contents_Rlogin_Analyzer final : public tcp::ContentLine_Analyzer { +class Contents_Rlogin_Analyzer final : public zeek::analyzer::tcp::ContentLine_Analyzer { public: Contents_Rlogin_Analyzer(zeek::Connection* conn, bool orig, Rlogin_Analyzer* analyzer); diff --git a/src/analyzer/protocol/modbus/Modbus.h b/src/analyzer/protocol/modbus/Modbus.h index c94bfc5d16..eb8b16af63 100644 --- a/src/analyzer/protocol/modbus/Modbus.h +++ b/src/analyzer/protocol/modbus/Modbus.h @@ -5,7 +5,7 @@ namespace analyzer { namespace modbus { -class ModbusTCP_Analyzer : public tcp::TCP_ApplicationAnalyzer { +class ModbusTCP_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { public: explicit ModbusTCP_Analyzer(zeek::Connection* conn); ~ModbusTCP_Analyzer() override; diff --git a/src/analyzer/protocol/mqtt/MQTT.cc b/src/analyzer/protocol/mqtt/MQTT.cc index b5f94d3660..5fcb859f6b 100644 --- a/src/analyzer/protocol/mqtt/MQTT.cc +++ b/src/analyzer/protocol/mqtt/MQTT.cc @@ -10,7 +10,7 @@ using namespace analyzer::MQTT; MQTT_Analyzer::MQTT_Analyzer(zeek::Connection* c) - : tcp::TCP_ApplicationAnalyzer("MQTT", c) + : zeek::analyzer::tcp::TCP_ApplicationAnalyzer("MQTT", c) { interp = new binpac::MQTT::MQTT_Conn(this); } @@ -22,7 +22,7 @@ MQTT_Analyzer::~MQTT_Analyzer() void MQTT_Analyzer::Done() { - tcp::TCP_ApplicationAnalyzer::Done(); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); interp->FlowEOF(true); interp->FlowEOF(false); @@ -30,13 +30,13 @@ void MQTT_Analyzer::Done() void MQTT_Analyzer::EndpointEOF(bool is_orig) { - tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); interp->FlowEOF(is_orig); } void MQTT_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); assert(TCP()); @@ -52,6 +52,6 @@ void MQTT_Analyzer::DeliverStream(int len, const u_char* data, bool orig) void MQTT_Analyzer::Undelivered(uint64_t seq, int len, bool orig) { - tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); interp->NewGap(orig, len); } diff --git a/src/analyzer/protocol/mqtt/MQTT.h b/src/analyzer/protocol/mqtt/MQTT.h index d84885406f..828e62fa23 100644 --- a/src/analyzer/protocol/mqtt/MQTT.h +++ b/src/analyzer/protocol/mqtt/MQTT.h @@ -9,7 +9,7 @@ namespace binpac { namespace MQTT { class MQTT_Conn; } } namespace analyzer { namespace MQTT { -class MQTT_Analyzer final : public tcp::TCP_ApplicationAnalyzer { +class MQTT_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { public: MQTT_Analyzer(zeek::Connection* conn); diff --git a/src/analyzer/protocol/mysql/MySQL.cc b/src/analyzer/protocol/mysql/MySQL.cc index 7714906b02..2c18803bbf 100644 --- a/src/analyzer/protocol/mysql/MySQL.cc +++ b/src/analyzer/protocol/mysql/MySQL.cc @@ -8,7 +8,7 @@ using namespace analyzer::MySQL; MySQL_Analyzer::MySQL_Analyzer(zeek::Connection* c) - : tcp::TCP_ApplicationAnalyzer("MySQL", c) + : zeek::analyzer::tcp::TCP_ApplicationAnalyzer("MySQL", c) { interp = new binpac::MySQL::MySQL_Conn(this); had_gap = false; @@ -21,7 +21,7 @@ MySQL_Analyzer::~MySQL_Analyzer() void MySQL_Analyzer::Done() { - tcp::TCP_ApplicationAnalyzer::Done(); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); interp->FlowEOF(true); interp->FlowEOF(false); @@ -29,13 +29,13 @@ void MySQL_Analyzer::Done() void MySQL_Analyzer::EndpointEOF(bool is_orig) { - tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); interp->FlowEOF(is_orig); } void MySQL_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); assert(TCP()); if ( TCP()->IsPartial() ) @@ -59,7 +59,7 @@ void MySQL_Analyzer::DeliverStream(int len, const u_char* data, bool orig) void MySQL_Analyzer::Undelivered(uint64_t seq, int len, bool orig) { - tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); had_gap = true; interp->NewGap(orig, len); } diff --git a/src/analyzer/protocol/mysql/MySQL.h b/src/analyzer/protocol/mysql/MySQL.h index af4ad2ef52..a438470024 100644 --- a/src/analyzer/protocol/mysql/MySQL.h +++ b/src/analyzer/protocol/mysql/MySQL.h @@ -9,7 +9,7 @@ namespace analyzer { namespace MySQL { -class MySQL_Analyzer final : public tcp::TCP_ApplicationAnalyzer { +class MySQL_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { public: explicit MySQL_Analyzer(zeek::Connection* conn); @@ -21,7 +21,7 @@ public: void DeliverStream(int len, const u_char* data, bool orig) override; void Undelivered(uint64_t seq, int len, bool orig) override; - // Overriden from tcp::TCP_ApplicationAnalyzer. + // Overriden from zeek::analyzer::tcp::TCP_ApplicationAnalyzer. void EndpointEOF(bool is_orig) override; static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) diff --git a/src/analyzer/protocol/ncp/NCP.cc b/src/analyzer/protocol/ncp/NCP.cc index 604dc246d0..3dec999fb2 100644 --- a/src/analyzer/protocol/ncp/NCP.cc +++ b/src/analyzer/protocol/ncp/NCP.cc @@ -164,7 +164,7 @@ void NCP_FrameBuffer::compute_msg_length() } Contents_NCP_Analyzer::Contents_NCP_Analyzer(zeek::Connection* conn, bool orig, NCP_Session* arg_session) -: tcp::TCP_SupportAnalyzer("CONTENTS_NCP", conn, orig) +: zeek::analyzer::tcp::TCP_SupportAnalyzer("CONTENTS_NCP", conn, orig) { session = arg_session; resync = true; @@ -177,7 +177,7 @@ Contents_NCP_Analyzer::~Contents_NCP_Analyzer() void Contents_NCP_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig); + zeek::analyzer::tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig); auto tcp = static_cast(Parent())->TCP(); @@ -185,7 +185,7 @@ void Contents_NCP_Analyzer::DeliverStream(int len, const u_char* data, bool orig { resync_set = true; resync = (IsOrig() ? tcp->OrigState() : tcp->RespState()) != - tcp::TCP_ENDPOINT_ESTABLISHED; + zeek::analyzer::tcp::TCP_ENDPOINT_ESTABLISHED; } if ( tcp && tcp->HadGap(orig) ) @@ -238,14 +238,14 @@ void Contents_NCP_Analyzer::DeliverStream(int len, const u_char* data, bool orig void Contents_NCP_Analyzer::Undelivered(uint64_t seq, int len, bool orig) { - tcp::TCP_SupportAnalyzer::Undelivered(seq, len, orig); + zeek::analyzer::tcp::TCP_SupportAnalyzer::Undelivered(seq, len, orig); buffer.Reset(); resync = true; } NCP_Analyzer::NCP_Analyzer(zeek::Connection* conn) -: tcp::TCP_ApplicationAnalyzer("NCP", conn) +: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("NCP", conn) { session = new NCP_Session(this); o_ncp = new Contents_NCP_Analyzer(conn, true, session); diff --git a/src/analyzer/protocol/ncp/NCP.h b/src/analyzer/protocol/ncp/NCP.h index 287de6d606..89d6c6ec72 100644 --- a/src/analyzer/protocol/ncp/NCP.h +++ b/src/analyzer/protocol/ncp/NCP.h @@ -82,7 +82,7 @@ protected: void compute_msg_length() override; }; -class Contents_NCP_Analyzer : public tcp::TCP_SupportAnalyzer { +class Contents_NCP_Analyzer : public zeek::analyzer::tcp::TCP_SupportAnalyzer { public: Contents_NCP_Analyzer(zeek::Connection* conn, bool orig, NCP_Session* session); ~Contents_NCP_Analyzer() override; @@ -99,7 +99,7 @@ protected: bool resync_set; }; -class NCP_Analyzer : public tcp::TCP_ApplicationAnalyzer { +class NCP_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { public: explicit NCP_Analyzer(zeek::Connection* conn); ~NCP_Analyzer() override; diff --git a/src/analyzer/protocol/netbios/NetbiosSSN.cc b/src/analyzer/protocol/netbios/NetbiosSSN.cc index 669d6993ec..da789952c4 100644 --- a/src/analyzer/protocol/netbios/NetbiosSSN.cc +++ b/src/analyzer/protocol/netbios/NetbiosSSN.cc @@ -334,7 +334,7 @@ void NetbiosSSN_Interpreter::Event(zeek::EventHandlerPtr event, const u_char* da Contents_NetbiosSSN::Contents_NetbiosSSN(zeek::Connection* conn, bool orig, NetbiosSSN_Interpreter* arg_interp) -: tcp::TCP_SupportAnalyzer("CONTENTS_NETBIOSSSN", conn, orig) +: zeek::analyzer::tcp::TCP_SupportAnalyzer("CONTENTS_NETBIOSSSN", conn, orig) { interp = arg_interp; type = flags = msg_size = 0; @@ -365,7 +365,7 @@ void Contents_NetbiosSSN::DeliverStream(int len, const u_char* data, bool orig) void Contents_NetbiosSSN::ProcessChunk(int& len, const u_char*& data, bool orig) { - tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig); + zeek::analyzer::tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig); if ( state == NETBIOS_SSN_TYPE ) { @@ -454,7 +454,7 @@ void Contents_NetbiosSSN::ProcessChunk(int& len, const u_char*& data, bool orig) } NetbiosSSN_Analyzer::NetbiosSSN_Analyzer(zeek::Connection* conn) -: tcp::TCP_ApplicationAnalyzer("NETBIOSSSN", conn) +: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("NETBIOSSSN", conn) { //smb_session = new SMB_Session(this); interp = new NetbiosSSN_Interpreter(this); @@ -484,7 +484,7 @@ NetbiosSSN_Analyzer::~NetbiosSSN_Analyzer() void NetbiosSSN_Analyzer::Done() { - tcp::TCP_ApplicationAnalyzer::Done(); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); interp->Timeout(); if ( Conn()->ConnTransport() == TRANSPORT_UDP && ! did_session_done ) @@ -495,15 +495,15 @@ void NetbiosSSN_Analyzer::Done() void NetbiosSSN_Analyzer::EndpointEOF(bool orig) { - tcp::TCP_ApplicationAnalyzer::EndpointEOF(orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(orig); (orig ? orig_netbios : resp_netbios)->Flush(); } -void NetbiosSSN_Analyzer::ConnectionClosed(tcp::TCP_Endpoint* endpoint, - tcp::TCP_Endpoint* peer, bool gen_event) +void NetbiosSSN_Analyzer::ConnectionClosed(zeek::analyzer::tcp::TCP_Endpoint* endpoint, + zeek::analyzer::tcp::TCP_Endpoint* peer, bool gen_event) { - tcp::TCP_ApplicationAnalyzer::ConnectionClosed(endpoint, peer, gen_event); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::ConnectionClosed(endpoint, peer, gen_event); // Question: Why do we flush *both* endpoints upon connection close? // orig_netbios->Flush(); @@ -513,7 +513,7 @@ void NetbiosSSN_Analyzer::ConnectionClosed(tcp::TCP_Endpoint* endpoint, void NetbiosSSN_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64_t seq, const zeek::IP_Hdr* ip, int caplen) { - tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen); if ( orig ) interp->ParseMessageUDP(data, len, true); diff --git a/src/analyzer/protocol/netbios/NetbiosSSN.h b/src/analyzer/protocol/netbios/NetbiosSSN.h index 1cac17cd73..a42b9dcc60 100644 --- a/src/analyzer/protocol/netbios/NetbiosSSN.h +++ b/src/analyzer/protocol/netbios/NetbiosSSN.h @@ -112,7 +112,7 @@ typedef enum { } NetbiosSSN_State; // ### This should be merged with TCP_Contents_RPC, TCP_Contents_DNS. -class Contents_NetbiosSSN final : public tcp::TCP_SupportAnalyzer { +class Contents_NetbiosSSN final : public zeek::analyzer::tcp::TCP_SupportAnalyzer { public: Contents_NetbiosSSN(zeek::Connection* conn, bool orig, NetbiosSSN_Interpreter* interp); @@ -139,7 +139,7 @@ protected: NetbiosSSN_State state; }; -class NetbiosSSN_Analyzer final : public tcp::TCP_ApplicationAnalyzer { +class NetbiosSSN_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { public: explicit NetbiosSSN_Analyzer(zeek::Connection* conn); ~NetbiosSSN_Analyzer() override; @@ -152,8 +152,8 @@ public: { return new NetbiosSSN_Analyzer(conn); } protected: - void ConnectionClosed(tcp::TCP_Endpoint* endpoint, - tcp::TCP_Endpoint* peer, bool gen_event) override; + void ConnectionClosed(zeek::analyzer::tcp::TCP_Endpoint* endpoint, + zeek::analyzer::tcp::TCP_Endpoint* peer, bool gen_event) override; void EndpointEOF(bool is_orig) override; void ExpireTimer(double t); diff --git a/src/analyzer/protocol/ntlm/NTLM.cc b/src/analyzer/protocol/ntlm/NTLM.cc index b76de6a59f..a521fc8c94 100644 --- a/src/analyzer/protocol/ntlm/NTLM.cc +++ b/src/analyzer/protocol/ntlm/NTLM.cc @@ -8,7 +8,7 @@ using namespace analyzer::ntlm; NTLM_Analyzer::NTLM_Analyzer(zeek::Connection* c) - : tcp::TCP_ApplicationAnalyzer("NTLM", c) + : zeek::analyzer::tcp::TCP_ApplicationAnalyzer("NTLM", c) { interp = new binpac::NTLM::NTLM_Conn(this); } @@ -20,7 +20,7 @@ NTLM_Analyzer::~NTLM_Analyzer() void NTLM_Analyzer::Done() { - tcp::TCP_ApplicationAnalyzer::Done(); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); interp->FlowEOF(true); interp->FlowEOF(false); @@ -28,13 +28,13 @@ void NTLM_Analyzer::Done() void NTLM_Analyzer::EndpointEOF(bool is_orig) { - tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); interp->FlowEOF(is_orig); } void NTLM_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); assert(TCP()); @@ -51,6 +51,6 @@ void NTLM_Analyzer::DeliverStream(int len, const u_char* data, bool orig) void NTLM_Analyzer::Undelivered(uint64_t seq, int len, bool orig) { - tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); interp->NewGap(orig, len); } diff --git a/src/analyzer/protocol/ntlm/NTLM.h b/src/analyzer/protocol/ntlm/NTLM.h index 60f0067af6..53d168528d 100644 --- a/src/analyzer/protocol/ntlm/NTLM.h +++ b/src/analyzer/protocol/ntlm/NTLM.h @@ -9,7 +9,7 @@ namespace analyzer { namespace ntlm { -class NTLM_Analyzer final : public tcp::TCP_ApplicationAnalyzer { +class NTLM_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { public: explicit NTLM_Analyzer(zeek::Connection* conn); @@ -21,7 +21,7 @@ public: void DeliverStream(int len, const u_char* data, bool orig) override; void Undelivered(uint64_t seq, int len, bool orig) override; - // Overriden from tcp::TCP_ApplicationAnalyzer. + // Overriden from zeek::analyzer::tcp::TCP_ApplicationAnalyzer. void EndpointEOF(bool is_orig) override; static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) diff --git a/src/analyzer/protocol/pia/PIA.cc b/src/analyzer/protocol/pia/PIA.cc index 6af523f416..8392997152 100644 --- a/src/analyzer/protocol/pia/PIA.cc +++ b/src/analyzer/protocol/pia/PIA.cc @@ -8,7 +8,7 @@ #include "analyzer/protocol/tcp/TCP_Flags.h" #include "analyzer/protocol/tcp/TCP_Reassembler.h" -using namespace analyzer::pia; +namespace zeek::analyzer::pia { PIA::PIA(zeek::analyzer::Analyzer* arg_as_analyzer) : state(INIT), as_analyzer(arg_as_analyzer), conn(), current_packet() @@ -193,7 +193,7 @@ PIA_TCP::~PIA_TCP() void PIA_TCP::Init() { - tcp::TCP_ApplicationAnalyzer::Init(); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Init(); if ( Parent()->IsAnalyzer("TCP") ) { @@ -253,7 +253,7 @@ void PIA_TCP::FirstPacket(bool is_orig, const zeek::IP_Hdr* ip) void PIA_TCP::DeliverStream(int len, const u_char* data, bool is_orig) { - tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig); if ( stream_buffer.state == SKIPPING ) return; @@ -283,7 +283,7 @@ void PIA_TCP::DeliverStream(int len, const u_char* data, bool is_orig) void PIA_TCP::Undelivered(uint64_t seq, int len, bool is_orig) { - tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig); if ( stream_buffer.state == BUFFERING ) // We use data=nil to mark an undelivered. @@ -435,3 +435,5 @@ void PIA_TCP::ReplayStreamBuffer(zeek::analyzer::Analyzer* analyzer) analyzer->NextUndelivered(b->seq, b->len, b->is_orig); } } + +} // namespace zeek::analyzer::pia diff --git a/src/analyzer/protocol/pia/PIA.h b/src/analyzer/protocol/pia/PIA.h index 97865144e1..f62105a862 100644 --- a/src/analyzer/protocol/pia/PIA.h +++ b/src/analyzer/protocol/pia/PIA.h @@ -8,7 +8,7 @@ ZEEK_FORWARD_DECLARE_NAMESPACED(RuleEndpointState, zeek::detail); -namespace analyzer { namespace pia { +namespace zeek::analyzer::pia { // Abstract PIA class providing common functionality for both TCP and UDP. // Accepts only packet input. @@ -118,10 +118,10 @@ protected: // PIA for TCP. Accepts both packet and stream input (and reassembles // packets before passing payload on to children). -class PIA_TCP : public PIA, public tcp::TCP_ApplicationAnalyzer { +class PIA_TCP : public PIA, public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { public: explicit PIA_TCP(zeek::Connection* conn) - : PIA(this), tcp::TCP_ApplicationAnalyzer("PIA_TCP", conn) + : PIA(this), zeek::analyzer::tcp::TCP_ApplicationAnalyzer("PIA_TCP", conn) { stream_mode = false; SetConn(conn); } ~PIA_TCP() override; @@ -172,4 +172,10 @@ private: bool stream_mode; }; -} } // namespace analyzer::* +} // namespace zeek::analyzer::pia + +namespace analzyer::pia { + using PIA [[deprecated("Remove in v4.1. Use zeek::analyzer::pia::PIA.")]] = zeek::analyzer::pia::PIA; + using PIA_TCP [[deprecated("Remove in v4.1. Use zeek::analyzer::pia::PIA_TCP.")]] = zeek::analyzer::pia::PIA_TCP; + using PIA_UDP [[deprecated("Remove in v4.1. Use zeek::analyzer::pia::PIA_UDP.")]] = zeek::analyzer::pia::PIA_UDP; +} diff --git a/src/analyzer/protocol/pia/Plugin.cc b/src/analyzer/protocol/pia/Plugin.cc index 90d444bd96..d06498c4bf 100644 --- a/src/analyzer/protocol/pia/Plugin.cc +++ b/src/analyzer/protocol/pia/Plugin.cc @@ -11,8 +11,8 @@ class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() override { - AddComponent(new zeek::analyzer::Component("PIA_TCP", ::analyzer::pia::PIA_TCP::Instantiate)); - AddComponent(new zeek::analyzer::Component("PIA_UDP", ::analyzer::pia::PIA_UDP::Instantiate)); + AddComponent(new zeek::analyzer::Component("PIA_TCP", zeek::analyzer::pia::PIA_TCP::Instantiate)); + AddComponent(new zeek::analyzer::Component("PIA_UDP", zeek::analyzer::pia::PIA_UDP::Instantiate)); zeek::plugin::Configuration config; config.name = "Zeek::PIA"; diff --git a/src/analyzer/protocol/pop3/POP3.cc b/src/analyzer/protocol/pop3/POP3.cc index 52ae99b5c2..32aa2adf7a 100644 --- a/src/analyzer/protocol/pop3/POP3.cc +++ b/src/analyzer/protocol/pop3/POP3.cc @@ -27,7 +27,7 @@ static const char* pop3_cmd_word[] = { POP3_Analyzer::POP3_Analyzer(zeek::Connection* conn) -: tcp::TCP_ApplicationAnalyzer("POP3", conn) +: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("POP3", conn) { masterState = POP3_START; subState = POP3_WOK; @@ -45,10 +45,10 @@ POP3_Analyzer::POP3_Analyzer(zeek::Connection* conn) mail = nullptr; - cl_orig = new tcp::ContentLine_Analyzer(conn, true); + cl_orig = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, true); AddSupportAnalyzer(cl_orig); - cl_resp = new tcp::ContentLine_Analyzer(conn, false); + cl_resp = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, false); AddSupportAnalyzer(cl_resp); } @@ -58,7 +58,7 @@ POP3_Analyzer::~POP3_Analyzer() void POP3_Analyzer::Done() { - tcp::TCP_ApplicationAnalyzer::Done(); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); if ( mail ) EndData(); @@ -67,7 +67,7 @@ void POP3_Analyzer::Done() void POP3_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); if ( tls ) { diff --git a/src/analyzer/protocol/pop3/POP3.h b/src/analyzer/protocol/pop3/POP3.h index f59a35d111..52d376f762 100644 --- a/src/analyzer/protocol/pop3/POP3.h +++ b/src/analyzer/protocol/pop3/POP3.h @@ -61,7 +61,7 @@ typedef enum { POP3_WOK, } POP3_SubState; -class POP3_Analyzer final : public tcp::TCP_ApplicationAnalyzer { +class POP3_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { public: explicit POP3_Analyzer(zeek::Connection* conn); ~POP3_Analyzer() override; @@ -110,8 +110,8 @@ protected: private: bool tls; - tcp::ContentLine_Analyzer* cl_orig; - tcp::ContentLine_Analyzer* cl_resp; + zeek::analyzer::tcp::ContentLine_Analyzer* cl_orig; + zeek::analyzer::tcp::ContentLine_Analyzer* cl_resp; }; } } // namespace analyzer::* diff --git a/src/analyzer/protocol/rdp/RDP.cc b/src/analyzer/protocol/rdp/RDP.cc index 5691eaf439..9df3af7b98 100644 --- a/src/analyzer/protocol/rdp/RDP.cc +++ b/src/analyzer/protocol/rdp/RDP.cc @@ -7,7 +7,7 @@ using namespace analyzer::rdp; RDP_Analyzer::RDP_Analyzer(zeek::Connection* c) - : tcp::TCP_ApplicationAnalyzer("RDP", c) + : zeek::analyzer::tcp::TCP_ApplicationAnalyzer("RDP", c) { interp = new binpac::RDP::RDP_Conn(this); @@ -22,7 +22,7 @@ RDP_Analyzer::~RDP_Analyzer() void RDP_Analyzer::Done() { - tcp::TCP_ApplicationAnalyzer::Done(); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); interp->FlowEOF(true); interp->FlowEOF(false); @@ -30,13 +30,13 @@ void RDP_Analyzer::Done() void RDP_Analyzer::EndpointEOF(bool is_orig) { - tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); interp->FlowEOF(is_orig); } void RDP_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); assert(TCP()); if ( TCP()->IsPartial() ) @@ -56,7 +56,7 @@ void RDP_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { if ( ! pia ) { - pia = new pia::PIA_TCP(Conn()); + pia = new zeek::analyzer::pia::PIA_TCP(Conn()); if ( ! AddChildAnalyzer(pia) ) { @@ -95,7 +95,7 @@ void RDP_Analyzer::DeliverStream(int len, const u_char* data, bool orig) void RDP_Analyzer::Undelivered(uint64_t seq, int len, bool orig) { - tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); had_gap = true; interp->NewGap(orig, len); } diff --git a/src/analyzer/protocol/rdp/RDP.h b/src/analyzer/protocol/rdp/RDP.h index 6b6d90cee9..bfb5d01a9b 100644 --- a/src/analyzer/protocol/rdp/RDP.h +++ b/src/analyzer/protocol/rdp/RDP.h @@ -7,7 +7,7 @@ namespace analyzer { namespace rdp { -class RDP_Analyzer final : public tcp::TCP_ApplicationAnalyzer { +class RDP_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { public: explicit RDP_Analyzer(zeek::Connection* conn); @@ -26,7 +26,7 @@ protected: binpac::RDP::RDP_Conn* interp; bool had_gap; - pia::PIA_TCP *pia; + zeek::analyzer::pia::PIA_TCP *pia; }; } } // namespace analyzer::* diff --git a/src/analyzer/protocol/rfb/RFB.cc b/src/analyzer/protocol/rfb/RFB.cc index 52d8699fa7..f77f64a864 100644 --- a/src/analyzer/protocol/rfb/RFB.cc +++ b/src/analyzer/protocol/rfb/RFB.cc @@ -10,7 +10,7 @@ using namespace analyzer::rfb; RFB_Analyzer::RFB_Analyzer(zeek::Connection* c) -: tcp::TCP_ApplicationAnalyzer("RFB", c) +: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("RFB", c) { interp = new binpac::RFB::RFB_Conn(this); @@ -25,7 +25,7 @@ RFB_Analyzer::~RFB_Analyzer() void RFB_Analyzer::Done() { - tcp::TCP_ApplicationAnalyzer::Done(); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); interp->FlowEOF(true); interp->FlowEOF(false); @@ -34,13 +34,13 @@ void RFB_Analyzer::Done() void RFB_Analyzer::EndpointEOF(bool is_orig) { - tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); interp->FlowEOF(is_orig); } void RFB_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); assert(TCP()); if ( TCP()->IsPartial() ) return; @@ -72,7 +72,7 @@ void RFB_Analyzer::DeliverStream(int len, const u_char* data, bool orig) void RFB_Analyzer::Undelivered(uint64_t seq, int len, bool orig) { - tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); had_gap = true; interp->NewGap(orig, len); } diff --git a/src/analyzer/protocol/rfb/RFB.h b/src/analyzer/protocol/rfb/RFB.h index 148c1ee35e..c2db6b31ee 100644 --- a/src/analyzer/protocol/rfb/RFB.h +++ b/src/analyzer/protocol/rfb/RFB.h @@ -9,7 +9,7 @@ namespace analyzer { namespace rfb { -class RFB_Analyzer final : public tcp::TCP_ApplicationAnalyzer { +class RFB_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { public: explicit RFB_Analyzer(zeek::Connection* conn); @@ -21,7 +21,7 @@ public: void DeliverStream(int len, const u_char* data, bool orig) override; void Undelivered(uint64_t seq, int len, bool orig) override; - // Overriden from tcp::TCP_ApplicationAnalyzer. + // Overriden from zeek::analyzer::tcp::TCP_ApplicationAnalyzer. void EndpointEOF(bool is_orig) override; static zeek::analyzer::Analyzer* InstantiateAnalyzer(zeek::Connection* conn) diff --git a/src/analyzer/protocol/rpc/RPC.cc b/src/analyzer/protocol/rpc/RPC.cc index acdd7811b3..93a61e0a69 100644 --- a/src/analyzer/protocol/rpc/RPC.cc +++ b/src/analyzer/protocol/rpc/RPC.cc @@ -414,7 +414,7 @@ bool RPC_Reasm_Buffer::ConsumeChunk(const u_char*& data, int& len) Contents_RPC::Contents_RPC(zeek::Connection* conn, bool orig, RPC_Interpreter* arg_interp) - : tcp::TCP_SupportAnalyzer("CONTENTS_RPC", conn, orig) + : zeek::analyzer::tcp::TCP_SupportAnalyzer("CONTENTS_RPC", conn, orig) { interp = arg_interp; state = WAIT_FOR_MESSAGE; @@ -426,7 +426,7 @@ Contents_RPC::Contents_RPC(zeek::Connection* conn, bool orig, void Contents_RPC::Init() { - tcp::TCP_SupportAnalyzer::Init(); + zeek::analyzer::tcp::TCP_SupportAnalyzer::Init(); } Contents_RPC::~Contents_RPC() @@ -435,7 +435,7 @@ Contents_RPC::~Contents_RPC() void Contents_RPC::Undelivered(uint64_t seq, int len, bool orig) { - tcp::TCP_SupportAnalyzer::Undelivered(seq, len, orig); + zeek::analyzer::tcp::TCP_SupportAnalyzer::Undelivered(seq, len, orig); NeedResync(); } @@ -454,12 +454,12 @@ bool Contents_RPC::CheckResync(int& len, const u_char*& data, bool orig) // is fully established we are in sync (since it's the first chunk // of data after the SYN if its not established we need to // resync. - tcp::TCP_Analyzer* tcp = - static_cast(Parent())->TCP(); + zeek::analyzer::tcp::TCP_Analyzer* tcp = + static_cast(Parent())->TCP(); assert(tcp); if ( (IsOrig() ? tcp->OrigState() : tcp->RespState()) != - tcp::TCP_ENDPOINT_ESTABLISHED ) + zeek::analyzer::tcp::TCP_ENDPOINT_ESTABLISHED ) { NeedResync(); } @@ -621,7 +621,7 @@ bool Contents_RPC::CheckResync(int& len, const u_char*& data, bool orig) void Contents_RPC::DeliverStream(int len, const u_char* data, bool orig) { - tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig); + zeek::analyzer::tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig); uint32_t marker; bool last_frag; @@ -722,7 +722,7 @@ void Contents_RPC::DeliverStream(int len, const u_char* data, bool orig) RPC_Analyzer::RPC_Analyzer(const char* name, zeek::Connection* conn, RPC_Interpreter* arg_interp) - : tcp::TCP_ApplicationAnalyzer(name, conn), + : zeek::analyzer::tcp::TCP_ApplicationAnalyzer(name, conn), interp(arg_interp), orig_rpc(), resp_rpc() { if ( Conn()->ConnTransport() == TRANSPORT_UDP ) @@ -739,7 +739,7 @@ RPC_Analyzer::~RPC_Analyzer() void RPC_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64_t seq, const zeek::IP_Hdr* ip, int caplen) { - tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen); len = std::min(len, caplen); if ( orig ) @@ -756,7 +756,7 @@ void RPC_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, void RPC_Analyzer::Done() { - tcp::TCP_ApplicationAnalyzer::Done(); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); interp->Timeout(); } diff --git a/src/analyzer/protocol/rpc/RPC.h b/src/analyzer/protocol/rpc/RPC.h index cb5eb1d272..bd71e2087f 100644 --- a/src/analyzer/protocol/rpc/RPC.h +++ b/src/analyzer/protocol/rpc/RPC.h @@ -184,7 +184,7 @@ protected: }; /* Support Analyzer for reassembling RPC-over-TCP messages */ -class Contents_RPC final : public tcp::TCP_SupportAnalyzer { +class Contents_RPC final : public zeek::analyzer::tcp::TCP_SupportAnalyzer { public: Contents_RPC(zeek::Connection* conn, bool orig, RPC_Interpreter* interp); ~Contents_RPC() override; @@ -230,7 +230,7 @@ protected: int resync_toskip; }; -class RPC_Analyzer : public tcp::TCP_ApplicationAnalyzer { +class RPC_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { public: RPC_Analyzer(const char* name, zeek::Connection* conn, RPC_Interpreter* arg_interp); diff --git a/src/analyzer/protocol/sip/SIP_TCP.cc b/src/analyzer/protocol/sip/SIP_TCP.cc index a7ab9a5ffc..e3e9e2e9c0 100644 --- a/src/analyzer/protocol/sip/SIP_TCP.cc +++ b/src/analyzer/protocol/sip/SIP_TCP.cc @@ -10,7 +10,7 @@ using namespace analyzer::sip_tcp; SIP_Analyzer::SIP_Analyzer(zeek::Connection* conn) - : tcp::TCP_ApplicationAnalyzer("SIP_TCP", conn) + : zeek::analyzer::tcp::TCP_ApplicationAnalyzer("SIP_TCP", conn) { interp = new binpac::SIP_TCP::SIP_Conn(this); had_gap = false; @@ -23,7 +23,7 @@ SIP_Analyzer::~SIP_Analyzer() void SIP_Analyzer::Done() { - tcp::TCP_ApplicationAnalyzer::Done(); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); interp->FlowEOF(true); interp->FlowEOF(false); @@ -31,13 +31,13 @@ void SIP_Analyzer::Done() void SIP_Analyzer::EndpointEOF(bool is_orig) { - tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); interp->FlowEOF(is_orig); } void SIP_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); assert(TCP()); if ( TCP()->IsPartial() ) @@ -61,7 +61,7 @@ void SIP_Analyzer::DeliverStream(int len, const u_char* data, bool orig) void SIP_Analyzer::Undelivered(uint64_t seq, int len, bool orig) { - tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); had_gap = true; interp->NewGap(orig, len); } diff --git a/src/analyzer/protocol/sip/SIP_TCP.h b/src/analyzer/protocol/sip/SIP_TCP.h index 84d6d22166..3e64bf07a9 100644 --- a/src/analyzer/protocol/sip/SIP_TCP.h +++ b/src/analyzer/protocol/sip/SIP_TCP.h @@ -11,7 +11,7 @@ namespace analyzer { namespace sip_tcp { -class SIP_Analyzer final : public tcp::TCP_ApplicationAnalyzer { +class SIP_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { public: explicit SIP_Analyzer(zeek::Connection* conn); ~SIP_Analyzer() override; @@ -20,7 +20,7 @@ public: void DeliverStream(int len, const u_char* data, bool orig) override; void Undelivered(uint64_t seq, int len, bool orig) override; - // Overriden from tcp::TCP_ApplicationAnalyzer. + // Overriden from zeek::analyzer::tcp::TCP_ApplicationAnalyzer. void EndpointEOF(bool is_orig) override; static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) diff --git a/src/analyzer/protocol/smb/SMB.cc b/src/analyzer/protocol/smb/SMB.cc index eff26b9b9a..0dfbc4ebf8 100644 --- a/src/analyzer/protocol/smb/SMB.cc +++ b/src/analyzer/protocol/smb/SMB.cc @@ -7,7 +7,7 @@ using namespace analyzer::smb; #define SMB_MAX_LEN (1<<18) SMB_Analyzer::SMB_Analyzer(zeek::Connection* conn) -: tcp::TCP_ApplicationAnalyzer("SMB", conn) +: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("SMB", conn) { chunks=0; interp = new binpac::SMB::SMB_Conn(this); diff --git a/src/analyzer/protocol/smb/SMB.h b/src/analyzer/protocol/smb/SMB.h index a8c406ba9d..28037a7e18 100644 --- a/src/analyzer/protocol/smb/SMB.h +++ b/src/analyzer/protocol/smb/SMB.h @@ -5,7 +5,7 @@ namespace analyzer { namespace smb { -class SMB_Analyzer final : public tcp::TCP_ApplicationAnalyzer { +class SMB_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { public: explicit SMB_Analyzer(zeek::Connection* conn); ~SMB_Analyzer() override; diff --git a/src/analyzer/protocol/smtp/SMTP.cc b/src/analyzer/protocol/smtp/SMTP.cc index 91c0ff996b..c5a7b2ef09 100644 --- a/src/analyzer/protocol/smtp/SMTP.cc +++ b/src/analyzer/protocol/smtp/SMTP.cc @@ -27,7 +27,7 @@ static const char* unknown_cmd = "(UNKNOWN)"; SMTP_Analyzer::SMTP_Analyzer(zeek::Connection* conn) -: tcp::TCP_ApplicationAnalyzer("SMTP", conn) +: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("SMTP", conn) { expect_sender = false; expect_recver = true; @@ -46,12 +46,12 @@ SMTP_Analyzer::SMTP_Analyzer(zeek::Connection* conn) line_after_gap = nullptr; mail = nullptr; UpdateState(first_cmd, 0, true); - cl_orig = new tcp::ContentLine_Analyzer(conn, true); + cl_orig = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, true); cl_orig->SetIsNULSensitive(true); cl_orig->SetSkipPartial(true); AddSupportAnalyzer(cl_orig); - cl_resp = new tcp::ContentLine_Analyzer(conn, false); + cl_resp = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, false); cl_resp->SetIsNULSensitive(true); cl_resp->SetSkipPartial(true); AddSupportAnalyzer(cl_resp); @@ -59,7 +59,7 @@ SMTP_Analyzer::SMTP_Analyzer(zeek::Connection* conn) void SMTP_Analyzer::ConnectionFinished(bool half_finished) { - tcp::TCP_ApplicationAnalyzer::ConnectionFinished(half_finished); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::ConnectionFinished(half_finished); if ( ! half_finished && mail ) EndData(); @@ -72,7 +72,7 @@ SMTP_Analyzer::~SMTP_Analyzer() void SMTP_Analyzer::Done() { - tcp::TCP_ApplicationAnalyzer::Done(); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); if ( mail ) EndData(); @@ -80,7 +80,7 @@ void SMTP_Analyzer::Done() void SMTP_Analyzer::Undelivered(uint64_t seq, int len, bool is_orig) { - tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig); if ( len <= 0 ) return; @@ -118,7 +118,7 @@ void SMTP_Analyzer::Undelivered(uint64_t seq, int len, bool is_orig) void SMTP_Analyzer::DeliverStream(int length, const u_char* line, bool orig) { - tcp::TCP_ApplicationAnalyzer::DeliverStream(length, line, orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(length, line, orig); // If an TLS transaction has been initiated, forward to child and abort. if ( state == SMTP_IN_TLS ) diff --git a/src/analyzer/protocol/smtp/SMTP.h b/src/analyzer/protocol/smtp/SMTP.h index 9d67b16588..08d9ff9430 100644 --- a/src/analyzer/protocol/smtp/SMTP.h +++ b/src/analyzer/protocol/smtp/SMTP.h @@ -35,7 +35,7 @@ typedef enum { } SMTP_State; -class SMTP_Analyzer final : public tcp::TCP_ApplicationAnalyzer { +class SMTP_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { public: explicit SMTP_Analyzer(zeek::Connection* conn); ~SMTP_Analyzer() override; @@ -90,8 +90,8 @@ protected: mime::MIME_Mail* mail; private: - tcp::ContentLine_Analyzer* cl_orig; - tcp::ContentLine_Analyzer* cl_resp; + zeek::analyzer::tcp::ContentLine_Analyzer* cl_orig; + zeek::analyzer::tcp::ContentLine_Analyzer* cl_resp; }; } } // namespace analyzer::* diff --git a/src/analyzer/protocol/socks/SOCKS.cc b/src/analyzer/protocol/socks/SOCKS.cc index b203495335..cf894238d6 100644 --- a/src/analyzer/protocol/socks/SOCKS.cc +++ b/src/analyzer/protocol/socks/SOCKS.cc @@ -7,7 +7,7 @@ using namespace analyzer::socks; SOCKS_Analyzer::SOCKS_Analyzer(zeek::Connection* conn) -: tcp::TCP_ApplicationAnalyzer("SOCKS", conn) +: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("SOCKS", conn) { interp = new binpac::SOCKS::SOCKS_Conn(this); orig_done = resp_done = false; @@ -29,7 +29,7 @@ void SOCKS_Analyzer::EndpointDone(bool orig) void SOCKS_Analyzer::Done() { - tcp::TCP_ApplicationAnalyzer::Done(); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); interp->FlowEOF(true); interp->FlowEOF(false); @@ -37,13 +37,13 @@ void SOCKS_Analyzer::Done() void SOCKS_Analyzer::EndpointEOF(bool is_orig) { - tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); interp->FlowEOF(is_orig); } void SOCKS_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); assert(TCP()); @@ -60,7 +60,7 @@ void SOCKS_Analyzer::DeliverStream(int len, const u_char* data, bool orig) // are done with their part of the SOCKS protocol. if ( ! pia ) { - pia = new pia::PIA_TCP(Conn()); + pia = new zeek::analyzer::pia::PIA_TCP(Conn()); if ( AddChildAnalyzer(pia) ) { pia->FirstPacket(true, nullptr); @@ -87,6 +87,6 @@ void SOCKS_Analyzer::DeliverStream(int len, const u_char* data, bool orig) void SOCKS_Analyzer::Undelivered(uint64_t seq, int len, bool orig) { - tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); interp->NewGap(orig, len); } diff --git a/src/analyzer/protocol/socks/SOCKS.h b/src/analyzer/protocol/socks/SOCKS.h index 7dcddcc82c..ac5e215f77 100644 --- a/src/analyzer/protocol/socks/SOCKS.h +++ b/src/analyzer/protocol/socks/SOCKS.h @@ -13,7 +13,7 @@ namespace binpac { namespace analyzer { namespace socks { -class SOCKS_Analyzer final : public tcp::TCP_ApplicationAnalyzer { +class SOCKS_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { public: explicit SOCKS_Analyzer(zeek::Connection* conn); ~SOCKS_Analyzer() override; @@ -33,7 +33,7 @@ protected: bool orig_done; bool resp_done; - pia::PIA_TCP *pia; + zeek::analyzer::pia::PIA_TCP *pia; binpac::SOCKS::SOCKS_Conn* interp; }; diff --git a/src/analyzer/protocol/ssh/SSH.cc b/src/analyzer/protocol/ssh/SSH.cc index c301e4eb2a..6219847390 100644 --- a/src/analyzer/protocol/ssh/SSH.cc +++ b/src/analyzer/protocol/ssh/SSH.cc @@ -12,7 +12,7 @@ using namespace analyzer::SSH; SSH_Analyzer::SSH_Analyzer(zeek::Connection* c) - : tcp::TCP_ApplicationAnalyzer("SSH", c) + : zeek::analyzer::tcp::TCP_ApplicationAnalyzer("SSH", c) { interp = new binpac::SSH::SSH_Conn(this); had_gap = false; @@ -30,7 +30,7 @@ SSH_Analyzer::~SSH_Analyzer() void SSH_Analyzer::Done() { - tcp::TCP_ApplicationAnalyzer::Done(); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); interp->FlowEOF(true); interp->FlowEOF(false); @@ -38,13 +38,13 @@ void SSH_Analyzer::Done() void SSH_Analyzer::EndpointEOF(bool is_orig) { - tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); interp->FlowEOF(is_orig); } void SSH_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); assert(TCP()); if ( TCP()->IsPartial() ) @@ -83,7 +83,7 @@ void SSH_Analyzer::DeliverStream(int len, const u_char* data, bool orig) void SSH_Analyzer::Undelivered(uint64_t seq, int len, bool orig) { - tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); had_gap = true; interp->NewGap(orig, len); } diff --git a/src/analyzer/protocol/ssh/SSH.h b/src/analyzer/protocol/ssh/SSH.h index 78788df91b..12ffcf88f1 100644 --- a/src/analyzer/protocol/ssh/SSH.h +++ b/src/analyzer/protocol/ssh/SSH.h @@ -9,7 +9,7 @@ namespace analyzer { namespace SSH { - class SSH_Analyzer final : public tcp::TCP_ApplicationAnalyzer { + class SSH_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { public: explicit SSH_Analyzer(zeek::Connection* conn); @@ -20,7 +20,7 @@ namespace analyzer { void DeliverStream(int len, const u_char* data, bool orig) override; void Undelivered(uint64_t seq, int len, bool orig) override; - // Overriden from tcp::TCP_ApplicationAnalyzer. + // Overriden from zeek::analyzer::tcp::TCP_ApplicationAnalyzer. void EndpointEOF(bool is_orig) override; static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) diff --git a/src/analyzer/protocol/ssl/SSL.cc b/src/analyzer/protocol/ssl/SSL.cc index 8c78062d56..a502b2959f 100644 --- a/src/analyzer/protocol/ssl/SSL.cc +++ b/src/analyzer/protocol/ssl/SSL.cc @@ -11,7 +11,7 @@ using namespace analyzer::ssl; SSL_Analyzer::SSL_Analyzer(zeek::Connection* c) -: tcp::TCP_ApplicationAnalyzer("SSL", c) +: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("SSL", c) { interp = new binpac::SSL::SSL_Conn(this); handshake_interp = new binpac::TLSHandshake::Handshake_Conn(this); @@ -26,7 +26,7 @@ SSL_Analyzer::~SSL_Analyzer() void SSL_Analyzer::Done() { - tcp::TCP_ApplicationAnalyzer::Done(); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); interp->FlowEOF(true); interp->FlowEOF(false); @@ -36,7 +36,7 @@ void SSL_Analyzer::Done() void SSL_Analyzer::EndpointEOF(bool is_orig) { - tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); interp->FlowEOF(is_orig); handshake_interp->FlowEOF(is_orig); } @@ -50,7 +50,7 @@ void SSL_Analyzer::StartEncryption() void SSL_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); assert(TCP()); if ( TCP()->IsPartial() ) @@ -86,7 +86,7 @@ void SSL_Analyzer::SendHandshake(uint16_t raw_tls_version, const u_char* begin, void SSL_Analyzer::Undelivered(uint64_t seq, int len, bool orig) { - tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); had_gap = true; interp->NewGap(orig, len); } diff --git a/src/analyzer/protocol/ssl/SSL.h b/src/analyzer/protocol/ssl/SSL.h index 51a5f6d53b..1201373bec 100644 --- a/src/analyzer/protocol/ssl/SSL.h +++ b/src/analyzer/protocol/ssl/SSL.h @@ -10,7 +10,7 @@ namespace binpac { namespace TLSHandshake { class Handshake_Conn; } } namespace analyzer { namespace ssl { -class SSL_Analyzer final : public tcp::TCP_ApplicationAnalyzer { +class SSL_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { public: explicit SSL_Analyzer(zeek::Connection* conn); ~SSL_Analyzer() override; @@ -25,7 +25,7 @@ public: // Tell the analyzer that encryption has started. void StartEncryption(); - // Overriden from tcp::TCP_ApplicationAnalyzer. + // Overriden from zeek::analyzer::tcp::TCP_ApplicationAnalyzer. void EndpointEOF(bool is_orig) override; static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn) diff --git a/src/analyzer/protocol/stepping-stone/Plugin.cc b/src/analyzer/protocol/stepping-stone/Plugin.cc index 2cd972932a..a9bc5c1ed4 100644 --- a/src/analyzer/protocol/stepping-stone/Plugin.cc +++ b/src/analyzer/protocol/stepping-stone/Plugin.cc @@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() override { - AddComponent(new zeek::analyzer::Component("SteppingStone", ::analyzer::stepping_stone::SteppingStone_Analyzer::Instantiate)); + AddComponent(new zeek::analyzer::Component("SteppingStone", zeek::analyzer::stepping_stone::SteppingStone_Analyzer::Instantiate)); zeek::plugin::Configuration config; config.name = "Zeek::SteppingStone"; diff --git a/src/analyzer/protocol/stepping-stone/SteppingStone.cc b/src/analyzer/protocol/stepping-stone/SteppingStone.cc index a367ee25c4..fd2c06c150 100644 --- a/src/analyzer/protocol/stepping-stone/SteppingStone.cc +++ b/src/analyzer/protocol/stepping-stone/SteppingStone.cc @@ -13,9 +13,9 @@ #include "util.h" #include "events.bif.h" -using namespace analyzer::stepping_stone; +namespace zeek::analyzer::stepping_stone { -SteppingStoneEndpoint::SteppingStoneEndpoint(tcp::TCP_Endpoint* e, SteppingStoneManager* m) +SteppingStoneEndpoint::SteppingStoneEndpoint(zeek::analyzer::tcp::TCP_Endpoint* e, SteppingStoneManager* m) { endp = e; stp_max_top_seq = 0; @@ -61,8 +61,8 @@ void SteppingStoneEndpoint::Done() } bool SteppingStoneEndpoint::DataSent(double t, uint64_t seq, int len, int caplen, - const u_char* data, const zeek::IP_Hdr* /* ip */, - const struct tcphdr* tp) + const u_char* data, const zeek::IP_Hdr* /* ip */, + const struct tcphdr* tp) { if ( caplen < len ) len = caplen; @@ -153,7 +153,7 @@ void SteppingStoneEndpoint::CreateEndpEvent(bool is_orig) } SteppingStone_Analyzer::SteppingStone_Analyzer(zeek::Connection* c) -: tcp::TCP_ApplicationAnalyzer("STEPPINGSTONE", c) + : zeek::analyzer::tcp::TCP_ApplicationAnalyzer("STEPPINGSTONE", c) { stp_manager = zeek::sessions->GetSTPManager(); @@ -163,7 +163,7 @@ SteppingStone_Analyzer::SteppingStone_Analyzer(zeek::Connection* c) void SteppingStone_Analyzer::Init() { - tcp::TCP_ApplicationAnalyzer::Init(); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Init(); assert(TCP()); orig_endp = new SteppingStoneEndpoint(TCP()->Orig(), stp_manager); @@ -171,11 +171,11 @@ void SteppingStone_Analyzer::Init() } void SteppingStone_Analyzer::DeliverPacket(int len, const u_char* data, - bool is_orig, uint64_t seq, - const zeek::IP_Hdr* ip, int caplen) + bool is_orig, uint64_t seq, + const zeek::IP_Hdr* ip, int caplen) { - tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, is_orig, seq, - ip, caplen); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, is_orig, seq, + ip, caplen); if ( is_orig ) orig_endp->DataSent(network_time, seq, len, caplen, data, nullptr, nullptr); @@ -186,7 +186,7 @@ void SteppingStone_Analyzer::DeliverPacket(int len, const u_char* data, void SteppingStone_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig) { - tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig); if ( is_orig ) { @@ -205,7 +205,7 @@ void SteppingStone_Analyzer::DeliverStream(int len, const u_char* data, void SteppingStone_Analyzer::Done() { - tcp::TCP_ApplicationAnalyzer::Done(); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); orig_endp->Done(); resp_endp->Done(); @@ -213,3 +213,5 @@ void SteppingStone_Analyzer::Done() Unref(orig_endp); Unref(resp_endp); } + +} // namespace zeek::analyzer::stepping_stone diff --git a/src/analyzer/protocol/stepping-stone/SteppingStone.h b/src/analyzer/protocol/stepping-stone/SteppingStone.h index 3824dc77e9..2665b100dd 100644 --- a/src/analyzer/protocol/stepping-stone/SteppingStone.h +++ b/src/analyzer/protocol/stepping-stone/SteppingStone.h @@ -7,25 +7,25 @@ ZEEK_FORWARD_DECLARE_NAMESPACED(NetSessions, zeek); -namespace analyzer::stepping_stone { +namespace zeek::analyzer::stepping_stone { class SteppingStoneEndpoint; class SteppingStoneManager; class SteppingStoneEndpoint : public zeek::Obj { public: - SteppingStoneEndpoint(tcp::TCP_Endpoint* e, SteppingStoneManager* m); + SteppingStoneEndpoint(zeek::analyzer::tcp::TCP_Endpoint* e, SteppingStoneManager* m); ~SteppingStoneEndpoint() override; void Done(); bool DataSent(double t, uint64_t seq, int len, int caplen, const u_char* data, - const zeek::IP_Hdr* ip, const struct tcphdr* tp); + const zeek::IP_Hdr* ip, const struct tcphdr* tp); protected: void Event(zeek::EventHandlerPtr f, int id1, int id2 = -1); void CreateEndpEvent(bool is_orig); - tcp::TCP_Endpoint* endp; + zeek::analyzer::tcp::TCP_Endpoint* endp; uint64_t stp_max_top_seq; double stp_last_time; double stp_resume_time; @@ -40,7 +40,7 @@ protected: std::map stp_outbound_endps; }; -class SteppingStone_Analyzer : public tcp::TCP_ApplicationAnalyzer { +class SteppingStone_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { public: explicit SteppingStone_Analyzer(zeek::Connection* c); ~SteppingStone_Analyzer() override {}; @@ -55,7 +55,7 @@ protected: // We support both packet and stream input and can be put in place even // if the TCP analyzer is not yet reassebmling. void DeliverPacket(int len, const u_char* data, bool is_orig, - uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override; + uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override; void DeliverStream(int len, const u_char* data, bool is_orig) override; int orig_stream_pos; @@ -82,3 +82,9 @@ protected: }; } // namespace analyzer::stepping_stone + +namespace analyzer::stepping_stone { + using SteppingStoneEndpoint [[deprecated("Remove in v4.1. Use zeek::analyzer::stepping_stone::SteppingStoneEndpoint.")]] = zeek::analyzer::stepping_stone::SteppingStoneEndpoint; + using SteppingStone_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::stepping_stone::SteppingStone_Analyzer.")]] = zeek::analyzer::stepping_stone::SteppingStone_Analyzer; + using SteppingStoneManager [[deprecated("Remove in v4.1. Use zeek::analyzer::stepping_stone::SteppingStoneManager.")]] = zeek::analyzer::stepping_stone::SteppingStoneManager; +} // namespace analyzer::stepping_stone diff --git a/src/analyzer/protocol/syslog/Syslog.cc b/src/analyzer/protocol/syslog/Syslog.cc index 01541c5087..5ecb7ee042 100644 --- a/src/analyzer/protocol/syslog/Syslog.cc +++ b/src/analyzer/protocol/syslog/Syslog.cc @@ -50,7 +50,7 @@ void Syslog_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint // } //Syslog_tcp::TCP_Analyzer::Syslog_tcp::TCP_Analyzer(zeek::Connection* conn) -//: tcp::TCP_ApplicationAnalyzer(conn) +//: zeek::analyzer::tcp::TCP_ApplicationAnalyzer(conn) // { // interp = new binpac::Syslog_on_TCP::Syslog_TCP_Conn(this); // } @@ -62,7 +62,7 @@ void Syslog_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint //void Syslog_tcp::TCP_Analyzer::Done() // { -// tcp::TCP_ApplicationAnalyzer::Done(); +// zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); // // interp->FlowEOF(true); // interp->FlowEOF(false); @@ -70,14 +70,14 @@ void Syslog_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint //void Syslog_tcp::TCP_Analyzer::EndpointEOF(tcp::TCP_Reassembler* endp) // { -// tcp::TCP_ApplicationAnalyzer::EndpointEOF(endp); +// zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(endp); // interp->FlowEOF(endp->IsOrig()); // } //void Syslog_tcp::TCP_Analyzer::DeliverStream(int len, const u_char* data, // bool orig) // { -// tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); +// zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); // // assert(TCP()); // @@ -90,6 +90,6 @@ void Syslog_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint //void Syslog_tcp::TCP_Analyzer::Undelivered(uint64_t seq, int len, bool orig) // { -// tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); +// zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); // interp->NewGap(orig, len); // } diff --git a/src/analyzer/protocol/syslog/Syslog.h b/src/analyzer/protocol/syslog/Syslog.h index 6e36f90f4c..c45c6bd27c 100644 --- a/src/analyzer/protocol/syslog/Syslog.h +++ b/src/analyzer/protocol/syslog/Syslog.h @@ -28,7 +28,7 @@ protected: // #include "Syslog_tcp_pac.h" // -//class Syslog_tcp::TCP_Analyzer : public tcp::TCP_ApplicationAnalyzer { +//class Syslog_tcp::TCP_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { //public: // Syslog_tcp::TCP_Analyzer(zeek::Connection* conn); // virtual ~Syslog_tcp::TCP_Analyzer(); diff --git a/src/analyzer/protocol/tcp/ContentLine.cc b/src/analyzer/protocol/tcp/ContentLine.cc index f8fcef337c..a8d88d4ded 100644 --- a/src/analyzer/protocol/tcp/ContentLine.cc +++ b/src/analyzer/protocol/tcp/ContentLine.cc @@ -4,7 +4,7 @@ #include "events.bif.h" -using namespace analyzer::tcp; +namespace zeek::analyzer::tcp { ContentLine_Analyzer::ContentLine_Analyzer(zeek::Connection* conn, bool orig, int max_line_length) : TCP_SupportAnalyzer("CONTENTLINE", conn, orig), max_line_length(max_line_length) @@ -338,3 +338,5 @@ void ContentLine_Analyzer::SkipBytes(int64_t length) skip_pending = 0; seq_to_skip = SeqDelivered() + length; } + +} // namespace zeek::analyzer::tcp diff --git a/src/analyzer/protocol/tcp/ContentLine.h b/src/analyzer/protocol/tcp/ContentLine.h index b9d1837a73..ede9bbc255 100644 --- a/src/analyzer/protocol/tcp/ContentLine.h +++ b/src/analyzer/protocol/tcp/ContentLine.h @@ -4,13 +4,13 @@ #include "analyzer/protocol/tcp/TCP.h" -namespace analyzer { namespace tcp { +namespace zeek::analyzer::tcp { #define CR_as_EOL 1 #define LF_as_EOL 2 // Slightly smaller than 16MB so that the buffer is not unnecessarily resized to 32M. -#define DEFAULT_MAX_LINE_LENGTH 16 * 1024 * 1024 - 100 +constexpr auto DEFAULT_MAX_LINE_LENGTH = 16 * 1024 * 1024 - 100; class ContentLine_Analyzer : public TCP_SupportAnalyzer { public: @@ -114,4 +114,8 @@ protected: bool skip_partial; }; -} } // namespace analyzer::* +} // namespace zeek::analyzer::tcp + +namespace analyzer::tcp { + using ContentLine_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::tcp::ContentLine_Analyzer.")]] = zeek::analyzer::tcp::ContentLine_Analyzer; +} diff --git a/src/analyzer/protocol/tcp/Plugin.cc b/src/analyzer/protocol/tcp/Plugin.cc index be35d2a45f..d7b5b1572f 100644 --- a/src/analyzer/protocol/tcp/Plugin.cc +++ b/src/analyzer/protocol/tcp/Plugin.cc @@ -11,8 +11,8 @@ class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() override { - AddComponent(new zeek::analyzer::Component("TCP", ::analyzer::tcp::TCP_Analyzer::Instantiate)); - AddComponent(new zeek::analyzer::Component("TCPStats", ::analyzer::tcp::TCPStats_Analyzer::Instantiate)); + AddComponent(new zeek::analyzer::Component("TCP", zeek::analyzer::tcp::TCP_Analyzer::Instantiate)); + AddComponent(new zeek::analyzer::Component("TCPStats", zeek::analyzer::tcp::TCPStats_Analyzer::Instantiate)); AddComponent(new zeek::analyzer::Component("CONTENTLINE", nullptr)); AddComponent(new zeek::analyzer::Component("Contents", nullptr)); diff --git a/src/analyzer/protocol/tcp/Stats.cc b/src/analyzer/protocol/tcp/Stats.cc index 5ed6b8de23..c4b7e6cd07 100644 --- a/src/analyzer/protocol/tcp/Stats.cc +++ b/src/analyzer/protocol/tcp/Stats.cc @@ -4,7 +4,7 @@ #include "events.bif.h" -using namespace analyzer::tcp; +namespace zeek::analyzer::tcp { TCPStateStats::TCPStateStats() { @@ -81,3 +81,5 @@ void TCPStateStats::PrintStats(zeek::File* file, const char* prefix) file->Write("\n"); } } + +} // namespace zeek::analyzer::tcp diff --git a/src/analyzer/protocol/tcp/Stats.h b/src/analyzer/protocol/tcp/Stats.h index 3e358d9d71..5d124e8b16 100644 --- a/src/analyzer/protocol/tcp/Stats.h +++ b/src/analyzer/protocol/tcp/Stats.h @@ -3,7 +3,7 @@ #include "TCP_Endpoint.h" -namespace analyzer { namespace tcp { +namespace zeek::analyzer::tcp { // A TCPStateStats object tracks the distribution of TCP states for // the currently active connections. @@ -65,4 +65,8 @@ private: unsigned int state_cnt[TCP_ENDPOINT_RESET+1][TCP_ENDPOINT_RESET+1]; }; -} } // namespace analyzer::* +} // namespace zeek::analyzer::tcp + +namespace analyzer::tcp { + using TCPStateStats [[deprecated("Remove in v4.1. Use zeek::analyzer::tcp::TCPStateStats.")]] = zeek::analyzer::tcp::TCPStateStats; +} diff --git a/src/analyzer/protocol/tcp/TCP.cc b/src/analyzer/protocol/tcp/TCP.cc index 8ec00cf130..6d55d3454c 100644 --- a/src/analyzer/protocol/tcp/TCP.cc +++ b/src/analyzer/protocol/tcp/TCP.cc @@ -19,13 +19,13 @@ #include "events.bif.h" #include "types.bif.h" -using namespace analyzer::tcp; - namespace { // local namespace const bool DEBUG_tcp_data_sent = false; const bool DEBUG_tcp_connection_close = false; } +namespace zeek::analyzer::tcp { + // The following are not included in all systems' tcp.h. #ifndef TH_ECE @@ -36,7 +36,6 @@ namespace { // local namespace #define TH_CWR 0x80 #endif - #define TOO_LARGE_SEQ_DELTA 1048576 static const int ORIG = 1; @@ -822,7 +821,7 @@ void TCP_Analyzer::CheckPIA_FirstPacket(bool is_orig, const zeek::IP_Hdr* ip) { if ( is_orig && ! (first_packet_seen & ORIG) ) { - pia::PIA_TCP* pia = static_cast(Conn()->GetPrimaryPIA()); + auto* pia = static_cast(Conn()->GetPrimaryPIA()); if ( pia ) pia->FirstPacket(is_orig, ip); first_packet_seen |= ORIG; @@ -830,7 +829,7 @@ void TCP_Analyzer::CheckPIA_FirstPacket(bool is_orig, const zeek::IP_Hdr* ip) if ( ! is_orig && ! (first_packet_seen & RESP) ) { - pia::PIA_TCP* pia = static_cast(Conn()->GetPrimaryPIA()); + auto* pia = static_cast(Conn()->GetPrimaryPIA()); if ( pia ) pia->FirstPacket(is_orig, ip); first_packet_seen |= RESP; @@ -838,8 +837,8 @@ void TCP_Analyzer::CheckPIA_FirstPacket(bool is_orig, const zeek::IP_Hdr* ip) } uint64_t TCP_Analyzer::get_relative_seq(const TCP_Endpoint* endpoint, - uint32_t cur_base, uint32_t last, - uint32_t wraps, bool* underflow) + uint32_t cur_base, uint32_t last, + uint32_t wraps, bool* underflow) { int32_t delta = seq_delta(cur_base, last); @@ -2133,3 +2132,5 @@ void TCPStats_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, else resp_stats->DataSent(network_time, seq, len, caplen, data, ip, nullptr); } + +} // namespace zeek::analyzer::tcp diff --git a/src/analyzer/protocol/tcp/TCP.h b/src/analyzer/protocol/tcp/TCP.h index 96ce110c34..adadb3f43e 100644 --- a/src/analyzer/protocol/tcp/TCP.h +++ b/src/analyzer/protocol/tcp/TCP.h @@ -13,13 +13,13 @@ // - TCP_ApplicationAnalyzer is an abstract base class for analyzers for a // protocol running on top of TCP. // -namespace analyzer { namespace pia { class PIA_TCP; } }; -namespace analyzer { namespace tcp { +ZEEK_FORWARD_DECLARE_NAMESPACED(PIA_TCP, zeek, analyzer::pia); +ZEEK_FORWARD_DECLARE_NAMESPACED(TCP_Endpoint, zeek, analyzer::tcp); +ZEEK_FORWARD_DECLARE_NAMESPACED(TCP_Reassembler, zeek, analyzer::tcp); +ZEEK_FORWARD_DECLARE_NAMESPACED(TCP_ApplicationAnalyzer, zeek, analyzer::tcp); -class TCP_Endpoint; -class TCP_ApplicationAnalyzer; -class TCP_Reassembler; +namespace zeek::analyzer::tcp { class TCP_Analyzer final : public zeek::analyzer::TransportLayerAnalyzer { public: @@ -74,7 +74,7 @@ public: protected: friend class TCP_ApplicationAnalyzer; friend class TCP_Reassembler; - friend class analyzer::pia::PIA_TCP; + friend class zeek::analyzer::pia::PIA_TCP; // Analyzer interface. void Init() override; @@ -302,4 +302,12 @@ protected: TCPStats_Endpoint* resp_stats; }; -} } // namespace analyzer::* +} // namespace zeek::analyzer::tcp + +namespace analyzer::tcp { + using TCP_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::tcp::TCP_Analyzer.")]] = zeek::analyzer::tcp::TCP_Analyzer; + using TCP_ApplicationAnalyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::tcp::TCP_ApplicationAnalyzer.")]] = zeek::analyzer::tcp::TCP_ApplicationAnalyzer; + using TCP_SupportAnalyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::tcp::TCP_SupportAnalyzer.")]] = zeek::analyzer::tcp::TCP_SupportAnalyzer; + using TCPStats_Endpoint [[deprecated("Remove in v4.1. Use zeek::analyzer::tcp::TCPStats_Endpoint.")]] = zeek::analyzer::tcp::TCPStats_Endpoint; + using TCPStats_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::tcp::TCPStats_Analyzer.")]] = zeek::analyzer::tcp::TCPStats_Analyzer; +} diff --git a/src/analyzer/protocol/tcp/TCP_Endpoint.cc b/src/analyzer/protocol/tcp/TCP_Endpoint.cc index e16624620f..93c21eec78 100644 --- a/src/analyzer/protocol/tcp/TCP_Endpoint.cc +++ b/src/analyzer/protocol/tcp/TCP_Endpoint.cc @@ -14,7 +14,7 @@ #include "events.bif.h" -using namespace analyzer::tcp; +namespace zeek::analyzer::tcp { TCP_Endpoint::TCP_Endpoint(TCP_Analyzer* arg_analyzer, bool arg_is_orig) { @@ -319,3 +319,5 @@ void TCP_Endpoint::Gap(uint64_t seq, uint64_t len) gap_cnt, gap_thresh) ) Conn()->HistoryThresholdEvent(tcp_multiple_gap, IsOrig(), t); } + +} // namespace zeek::analyzer::tcp diff --git a/src/analyzer/protocol/tcp/TCP_Endpoint.h b/src/analyzer/protocol/tcp/TCP_Endpoint.h index f55b01b566..b63d477afe 100644 --- a/src/analyzer/protocol/tcp/TCP_Endpoint.h +++ b/src/analyzer/protocol/tcp/TCP_Endpoint.h @@ -7,13 +7,12 @@ ZEEK_FORWARD_DECLARE_NAMESPACED(Connection, zeek); ZEEK_FORWARD_DECLARE_NAMESPACED(IP_Hdr, zeek); +ZEEK_FORWARD_DECLARE_NAMESPACED(TCP_Analyzer, zeek, analyzer::tcp); +ZEEK_FORWARD_DECLARE_NAMESPACED(TCP_Reassembler, zeek, analyzer::tcp); -namespace analyzer { namespace tcp { +namespace zeek::analyzer::tcp { -class TCP_Analyzer; -class TCP_Reassembler; - -typedef enum { +enum EndpointState { TCP_ENDPOINT_INACTIVE, // no SYN (or other packets) seen for this side TCP_ENDPOINT_SYN_SENT, // SYN seen, but no ack TCP_ENDPOINT_SYN_ACK_SENT, // SYN ack seen, no initial SYN @@ -22,7 +21,7 @@ typedef enum { // sent by responder) TCP_ENDPOINT_CLOSED, // FIN seen TCP_ENDPOINT_RESET // RST seen -} EndpointState; +}; // One endpoint of a TCP connection. class TCP_Endpoint { @@ -253,4 +252,19 @@ protected: #define ENDIAN_BIG 2 #define ENDIAN_CONFUSED 3 -} } // namespace analyzer::* +} // namespace zeek::analyzer::tcp + +namespace analyzer::tcp { + + using EndpointState [[deprecated("Remove in v4.1. Use zeek::analyzer::tcp::EndpointState.")]] = zeek::analyzer::tcp::EndpointState; + constexpr auto TCP_ENDPOINT_INACTIVE [[deprecated("Remove in v4.1. Use zeek::analyzer::tcp::TCP_ENDPOINT_INACTIVE.")]] = zeek::analyzer::tcp::TCP_ENDPOINT_INACTIVE; + constexpr auto TCP_ENDPOINT_SYN_SENT [[deprecated("Remove in v4.1. Use zeek::analyzer::tcp::TCP_ENDPOINT_SYN_SENT.")]] = zeek::analyzer::tcp::TCP_ENDPOINT_SYN_SENT; + constexpr auto TCP_ENDPOINT_SYN_ACK_SENT [[deprecated("Remove in v4.1. Use zeek::analyzer::tcp::TCP_ENDPOINT_SYN_ACK_SENT.")]] = zeek::analyzer::tcp::TCP_ENDPOINT_SYN_ACK_SENT; + constexpr auto TCP_ENDPOINT_PARTIAL [[deprecated("Remove in v4.1. Use zeek::analyzer::tcp::TCP_ENDPOINT_PARTIAL.")]] = zeek::analyzer::tcp::TCP_ENDPOINT_PARTIAL; + constexpr auto TCP_ENDPOINT_ESTABLISHED [[deprecated("Remove in v4.1. Use zeek::analyzer::tcp::TCP_ENDPOINT_ESTABLISHED.")]] = zeek::analyzer::tcp::TCP_ENDPOINT_ESTABLISHED; + constexpr auto TCP_ENDPOINT_CLOSED [[deprecated("Remove in v4.1. Use zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED.")]] = zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED; + constexpr auto TCP_ENDPOINT_RESET [[deprecated("Remove in v4.1. Use zeek::analyzer::tcp::TCP_ENDPOINT_RESET.")]] = zeek::analyzer::tcp::TCP_ENDPOINT_RESET; + + using TCP_Endpoint [[deprecated("Remove in v4.1. Use zeek::analyzer::tcp::TCP_Endpoint.")]] = zeek::analyzer::tcp::TCP_Endpoint; + +} // namespace analyzer::tcp diff --git a/src/analyzer/protocol/tcp/TCP_Flags.h b/src/analyzer/protocol/tcp/TCP_Flags.h index d15bbe5468..48030628f0 100644 --- a/src/analyzer/protocol/tcp/TCP_Flags.h +++ b/src/analyzer/protocol/tcp/TCP_Flags.h @@ -1,6 +1,6 @@ #pragma once -namespace analyzer { namespace tcp { +namespace zeek::analyzer::tcp { class TCP_Flags { public: @@ -48,5 +48,6 @@ inline std::string TCP_Flags::AsString() const } } - +namespace analyzer::tcp { + using TCP_Flags [[deprecated("Remove in v4.1. Use zeek::analyzer::tcp::TCP_Flags.")]] = zeek::analyzer::tcp::TCP_Flags; } diff --git a/src/analyzer/protocol/tcp/TCP_Reassembler.cc b/src/analyzer/protocol/tcp/TCP_Reassembler.cc index 23e4c90dc2..440efb2ff6 100644 --- a/src/analyzer/protocol/tcp/TCP_Reassembler.cc +++ b/src/analyzer/protocol/tcp/TCP_Reassembler.cc @@ -11,13 +11,13 @@ #include -using namespace analyzer::tcp; +namespace zeek::analyzer::tcp { // Note, sequence numbers are relative. I.e., they start with 1. -const bool DEBUG_tcp_contents = false; -const bool DEBUG_tcp_connection_close = false; -const bool DEBUG_tcp_match_undelivered = false; +constexpr bool DEBUG_tcp_contents = false; +constexpr bool DEBUG_tcp_connection_close = false; +constexpr bool DEBUG_tcp_match_undelivered = false; TCP_Reassembler::TCP_Reassembler(zeek::analyzer::Analyzer* arg_dst_analyzer, TCP_Analyzer* arg_tcp_analyzer, @@ -680,3 +680,5 @@ bool TCP_Reassembler::DataPending() const return false; } + +} // namespace zeek::analyzer::tcp diff --git a/src/analyzer/protocol/tcp/TCP_Reassembler.h b/src/analyzer/protocol/tcp/TCP_Reassembler.h index 4993ea431b..126e494cd8 100644 --- a/src/analyzer/protocol/tcp/TCP_Reassembler.h +++ b/src/analyzer/protocol/tcp/TCP_Reassembler.h @@ -7,10 +7,9 @@ ZEEK_FORWARD_DECLARE_NAMESPACED(Connection, zeek); ZEEK_FORWARD_DECLARE_NAMESPACED(Analyzer, zeek, analyzer); +ZEEK_FORWARD_DECLARE_NAMESPACED(TCP_Analyzer, zeek, analyzer::tcp); -namespace analyzer::tcp { - -class TCP_Analyzer; +namespace zeek::analyzer::tcp { class TCP_Reassembler final : public zeek::Reassembler { public: @@ -114,4 +113,8 @@ private: Type type; }; -} // namespace analyzer::tcp +} // namespace zeek::analyzer::tcp + +namespace analyzer::tcp { + using TCP_Reassembler [[deprecated("Remove in v4.1. Use zeek::analyzer::tcp::TCP_Reassembler.")]] = zeek::analyzer::tcp::TCP_Reassembler; +} diff --git a/src/analyzer/protocol/tcp/functions.bif b/src/analyzer/protocol/tcp/functions.bif index 194da778b2..1d367be61c 100644 --- a/src/analyzer/protocol/tcp/functions.bif +++ b/src/analyzer/protocol/tcp/functions.bif @@ -27,7 +27,7 @@ function get_orig_seq%(cid: conn_id%): count zeek::analyzer::Analyzer* tc = c->FindAnalyzer("TCP"); if ( tc ) - return zeek::val_mgr->Count(static_cast<::analyzer::tcp::TCP_Analyzer*>(tc)->OrigSeq()); + return zeek::val_mgr->Count(static_cast(tc)->OrigSeq()); else { reporter->Error("connection does not have TCP analyzer"); @@ -56,7 +56,7 @@ function get_resp_seq%(cid: conn_id%): count zeek::analyzer::Analyzer* tc = c->FindAnalyzer("TCP"); if ( tc ) - return zeek::val_mgr->Count(static_cast<::analyzer::tcp::TCP_Analyzer*>(tc)->RespSeq()); + return zeek::val_mgr->Count(static_cast(tc)->RespSeq()); else { reporter->Error("connection does not have TCP analyzer"); diff --git a/src/analyzer/protocol/udp/Plugin.cc b/src/analyzer/protocol/udp/Plugin.cc index 7117f8cffc..a427436418 100644 --- a/src/analyzer/protocol/udp/Plugin.cc +++ b/src/analyzer/protocol/udp/Plugin.cc @@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() override { - AddComponent(new zeek::analyzer::Component("UDP", ::analyzer::udp::UDP_Analyzer::Instantiate)); + AddComponent(new zeek::analyzer::Component("UDP", zeek::analyzer::udp::UDP_Analyzer::Instantiate)); zeek::plugin::Configuration config; config.name = "Zeek::UDP"; diff --git a/src/analyzer/protocol/udp/UDP.cc b/src/analyzer/protocol/udp/UDP.cc index 8626c7ff1b..150bb49648 100644 --- a/src/analyzer/protocol/udp/UDP.cc +++ b/src/analyzer/protocol/udp/UDP.cc @@ -13,10 +13,10 @@ #include "events.bif.h" -using namespace analyzer::udp; +namespace zeek::analyzer::udp { UDP_Analyzer::UDP_Analyzer(zeek::Connection* conn) -: TransportLayerAnalyzer("UDP", conn) + : zeek::analyzer::TransportLayerAnalyzer("UDP", conn) { conn->EnableStatusUpdateTimer(); conn->SetInactivityTimeout(udp_inactivity_timeout); @@ -279,3 +279,5 @@ bool UDP_Analyzer::ValidateChecksum(const zeek::IP_Hdr* ip, const udphdr* up, in return sum == 0xffff; } + +} // namespace zeek::analyzer::udp diff --git a/src/analyzer/protocol/udp/UDP.h b/src/analyzer/protocol/udp/UDP.h index 211478b129..d26b2175fd 100644 --- a/src/analyzer/protocol/udp/UDP.h +++ b/src/analyzer/protocol/udp/UDP.h @@ -5,14 +5,14 @@ #include "analyzer/Analyzer.h" #include -namespace analyzer { namespace udp { +namespace zeek::analyzer::udp { -typedef enum { +enum UDP_EndpointState { UDP_INACTIVE, // no packet seen UDP_ACTIVE, // packets seen -} UDP_EndpointState; +}; - class UDP_Analyzer final : public zeek::analyzer::TransportLayerAnalyzer { +class UDP_Analyzer final : public zeek::analyzer::TransportLayerAnalyzer { public: explicit UDP_Analyzer(zeek::Connection* conn); ~UDP_Analyzer() override; @@ -51,4 +51,14 @@ private: uint32_t rep_chk_cnt, rep_chk_thresh; }; -} } // namespace analyzer::* +} // namespace zeek::analyzer::udp + +namespace analyzer::udp { + + using UDP_EndpointState [[deprecated("Remove in v4.1. Use zeek::analyzer::udp::UDP_EndpointState.")]] = zeek::analyzer::udp::UDP_EndpointState; + constexpr auto UDP_INACTIVE [[deprecated("Remove in v4.1. Use zeek::analyzer::udp::UDP_INACTIVE.")]] = zeek::analyzer::udp::UDP_INACTIVE; + constexpr auto UDP_ACTIVE [[deprecated("Remove in v4.1. Use zeek::analyzer::udp::UDP_ACTIVE.")]] = zeek::analyzer::udp::UDP_ACTIVE; + + using UDP_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::udp::UDP_Analyzer.")]] = zeek::analyzer::udp::UDP_Analyzer; + +} // namespace analyzer::udp diff --git a/src/analyzer/protocol/xmpp/XMPP.cc b/src/analyzer/protocol/xmpp/XMPP.cc index 3969d8efaf..cf64e85b89 100644 --- a/src/analyzer/protocol/xmpp/XMPP.cc +++ b/src/analyzer/protocol/xmpp/XMPP.cc @@ -7,7 +7,7 @@ using namespace analyzer::xmpp; XMPP_Analyzer::XMPP_Analyzer(zeek::Connection* conn) - : tcp::TCP_ApplicationAnalyzer("XMPP", conn) + : zeek::analyzer::tcp::TCP_ApplicationAnalyzer("XMPP", conn) { interp = unique_ptr(new binpac::XMPP::XMPP_Conn(this)); had_gap = false; @@ -20,7 +20,7 @@ XMPP_Analyzer::~XMPP_Analyzer() void XMPP_Analyzer::Done() { - tcp::TCP_ApplicationAnalyzer::Done(); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); interp->FlowEOF(true); interp->FlowEOF(false); @@ -28,13 +28,13 @@ void XMPP_Analyzer::Done() void XMPP_Analyzer::EndpointEOF(bool is_orig) { - tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); interp->FlowEOF(is_orig); } void XMPP_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); if ( tls_active ) { @@ -66,7 +66,7 @@ void XMPP_Analyzer::DeliverStream(int len, const u_char* data, bool orig) void XMPP_Analyzer::Undelivered(uint64_t seq, int len, bool orig) { - tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); had_gap = true; interp->NewGap(orig, len); } diff --git a/src/analyzer/protocol/xmpp/XMPP.h b/src/analyzer/protocol/xmpp/XMPP.h index b5b32cfea2..bc829efcd9 100644 --- a/src/analyzer/protocol/xmpp/XMPP.h +++ b/src/analyzer/protocol/xmpp/XMPP.h @@ -8,7 +8,7 @@ namespace analyzer { namespace xmpp { -class XMPP_Analyzer final : public tcp::TCP_ApplicationAnalyzer { +class XMPP_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { public: explicit XMPP_Analyzer(zeek::Connection* conn); ~XMPP_Analyzer() override; @@ -17,7 +17,7 @@ public: void DeliverStream(int len, const u_char* data, bool orig) override; void Undelivered(uint64_t seq, int len, bool orig) override; - // Overriden from tcp::TCP_ApplicationAnalyzer. + // Overriden from zeek::analyzer::tcp::TCP_ApplicationAnalyzer. void EndpointEOF(bool is_orig) override; void StartTLS(); diff --git a/src/analyzer/protocol/zip/ZIP.cc b/src/analyzer/protocol/zip/ZIP.cc index cea4ab2066..0c3fb1ead9 100644 --- a/src/analyzer/protocol/zip/ZIP.cc +++ b/src/analyzer/protocol/zip/ZIP.cc @@ -5,7 +5,7 @@ using namespace analyzer::zip; ZIP_Analyzer::ZIP_Analyzer(zeek::Connection* conn, bool orig, Method arg_method) -: tcp::TCP_SupportAnalyzer("ZIP", conn, orig) +: zeek::analyzer::tcp::TCP_SupportAnalyzer("ZIP", conn, orig) { zip = nullptr; zip_status = Z_OK; @@ -45,7 +45,7 @@ void ZIP_Analyzer::Done() void ZIP_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig); + zeek::analyzer::tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig); if ( ! len || zip_status != Z_OK ) return; diff --git a/src/analyzer/protocol/zip/ZIP.h b/src/analyzer/protocol/zip/ZIP.h index ab075c7a14..2ea31878a7 100644 --- a/src/analyzer/protocol/zip/ZIP.h +++ b/src/analyzer/protocol/zip/ZIP.h @@ -9,7 +9,7 @@ namespace analyzer { namespace zip { -class ZIP_Analyzer final : public tcp::TCP_SupportAnalyzer { +class ZIP_Analyzer final : public zeek::analyzer::tcp::TCP_SupportAnalyzer { public: enum Method { GZIP, DEFLATE }; diff --git a/src/fuzzers/pop3-fuzzer.cc b/src/fuzzers/pop3-fuzzer.cc index cbba377722..bb53982bc7 100644 --- a/src/fuzzers/pop3-fuzzer.cc +++ b/src/fuzzers/pop3-fuzzer.cc @@ -34,8 +34,8 @@ static zeek::Connection* add_connection() static zeek::analyzer::Analyzer* add_analyzer(zeek::Connection* conn) { - analyzer::tcp::TCP_Analyzer* tcp = new analyzer::tcp::TCP_Analyzer(conn); - analyzer::pia::PIA* pia = new analyzer::pia::PIA_TCP(conn); + auto* tcp = new zeek::analyzer::tcp::TCP_Analyzer(conn); + auto* pia = new zeek::analyzer::pia::PIA_TCP(conn); auto a = zeek::analyzer_mgr->InstantiateAnalyzer(ZEEK_FUZZ_ANALYZER, conn); tcp->AddChildAnalyzer(a); tcp->AddChildAnalyzer(pia->AsAnalyzer());