Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Move arp, tcp, udp, pia, and stepping stone analyzers

Browse source
This commit is contained in:
Tim Wojtulewicz 2020-08-03 12:53:07 -07:00
parent f1cfd5aa2b
commit 914ffcadae
112 changed files with 520 additions and 436 deletions
Download patch file Download diff file Expand all files Collapse all files

3
src/Conn.cc
View file

@ -690,7 +690,8 @@ void Connection::IDString(zeek::ODesc* d) const
d->Add(ntohs(resp_port));
}
void Connection::SetRootAnalyzer(zeek::analyzer::TransportLayerAnalyzer* analyzer, ::analyzer::pia::PIA* pia)
void Connection::SetRootAnalyzer(zeek::analyzer::TransportLayerAnalyzer* analyzer,
zeek::analyzer::pia::PIA* pia)
{
root_analyzer = analyzer;
primary_PIA = pia;

6
src/Conn.h
View file

@ -303,9 +303,9 @@ public:
void DeleteTimer(double t);
// Sets the root of the analyzer tree as well as the primary PIA.
void SetRootAnalyzer(zeek::analyzer::TransportLayerAnalyzer* analyzer, ::analyzer::pia::PIA* pia);
void SetRootAnalyzer(zeek::analyzer::TransportLayerAnalyzer* analyzer, zeek::analyzer::pia::PIA* pia);
zeek::analyzer::TransportLayerAnalyzer* GetRootAnalyzer() { return root_analyzer; }
::analyzer::pia::PIA* GetPrimaryPIA() { return primary_PIA; }
zeek::analyzer::pia::PIA* GetPrimaryPIA() { return primary_PIA; }
// Sets the transport protocol in use.
void SetTransport(TransportProto arg_proto) { proto = arg_proto; }
@ -382,7 +382,7 @@ protected:
uint32_t hist_seen;
zeek::analyzer::TransportLayerAnalyzer* root_analyzer;
::analyzer::pia::PIA* primary_PIA;
zeek::analyzer::pia::PIA* primary_PIA;
zeek::UID uid; // Globally unique connection ID.
zeek::detail::WeirdStateMap weird_state;

1
src/Reassem.h
View file

@ -27,7 +27,6 @@ enum ReassemblerType {
class Reassembler;
/**
* A block/segment of data for use in the reassembly process.
*/

10
src/RuleCondition.cc
View file

@ -9,15 +9,15 @@
#include "ID.h"
#include "Val.h"
static inline bool is_established(const analyzer::tcp::TCP_Endpoint* e)
static inline bool is_established(const zeek::analyzer::tcp::TCP_Endpoint* e)
{
// We more or less follow Snort here: an established session
// is one for which the initial handshake has succeded (but we
// add partial connections). The connection tear-down is part
// of the connection.
return e->state != analyzer::tcp::TCP_ENDPOINT_INACTIVE &&
e->state != analyzer::tcp::TCP_ENDPOINT_SYN_SENT &&
e->state != analyzer::tcp::TCP_ENDPOINT_SYN_ACK_SENT;
return e->state != zeek::analyzer::tcp::TCP_ENDPOINT_INACTIVE &&
e->state != zeek::analyzer::tcp::TCP_ENDPOINT_SYN_SENT &&
e->state != zeek::analyzer::tcp::TCP_ENDPOINT_SYN_ACK_SENT;
}
namespace zeek::detail {
@ -30,7 +30,7 @@ bool RuleConditionTCPState::DoMatch(Rule* rule, RuleEndpointState* state,
if ( ! root || ! root->IsAnalyzer("TCP") )
return false;
::analyzer::tcp::TCP_Analyzer* ta = static_cast<::analyzer::tcp::TCP_Analyzer*>(root);
auto* ta = static_cast<zeek::analyzer::tcp::TCP_Analyzer*>(root);
if ( tcpstates & STATE_STATELESS )
return true;

8
src/RuleMatcher.cc
View file

@ -184,8 +184,8 @@ void RuleHdrTest::PrintDebug()
}
RuleEndpointState::RuleEndpointState(zeek::analyzer::Analyzer* arg_analyzer, bool arg_is_orig,
RuleEndpointState* arg_opposite,
::analyzer::pia::PIA* arg_PIA)
RuleEndpointState* arg_opposite,
zeek::analyzer::pia::PIA* arg_PIA)
{
payload_size = -1;
analyzer = arg_analyzer;
@ -741,7 +741,7 @@ RuleMatcher::MIME_Matches* RuleMatcher::Match(RuleFileMagicState* state,
RuleEndpointState* RuleMatcher::InitEndpoint(zeek::analyzer::Analyzer* analyzer,
const zeek::IP_Hdr* ip, int caplen,
RuleEndpointState* opposite,
bool from_orig, ::analyzer::pia::PIA* pia)
bool from_orig, zeek::analyzer::pia::PIA* pia)
{
RuleEndpointState* state =
new RuleEndpointState(analyzer, from_orig, opposite, pia);
@ -1420,7 +1420,7 @@ uint32_t id_to_uint(const char* id)
}
void RuleMatcherState::InitEndpointMatcher(zeek::analyzer::Analyzer* analyzer, const zeek::IP_Hdr* ip,
int caplen, bool from_orig, ::analyzer::pia::PIA* pia)
int caplen, bool from_orig, zeek::analyzer::pia::PIA* pia)
{
if ( ! rule_matcher )
return;

15
src/RuleMatcher.h
View file

@ -37,10 +37,7 @@ ZEEK_FORWARD_DECLARE_NAMESPACED(IPPrefix, zeek);
ZEEK_FORWARD_DECLARE_NAMESPACED(Val, zeek);
ZEEK_FORWARD_DECLARE_NAMESPACED(Analyzer, zeek, analyzer);
ZEEK_FORWARD_DECLARE_NAMESPACED(IntSet, zeek::detail);
namespace analyzer {
namespace pia { class PIA; }
}
ZEEK_FORWARD_DECLARE_NAMESPACED(PIA, zeek, analyzer::pia);
namespace zeek::detail {
@ -154,7 +151,7 @@ public:
// Returns -1 if no chunk has been fed yet at all.
int PayloadSize() { return payload_size; }
::analyzer::pia::PIA* PIA() const { return pia; }
zeek::analyzer::pia::PIA* PIA() const { return pia; }
private:
friend class RuleMatcher;
@ -162,7 +159,7 @@ private:
// Constructor is private; use RuleMatcher::InitEndpoint()
// for creating an instance.
RuleEndpointState(zeek::analyzer::Analyzer* arg_analyzer, bool arg_is_orig,
RuleEndpointState* arg_opposite, ::analyzer::pia::PIA* arg_PIA);
RuleEndpointState* arg_opposite, zeek::analyzer::pia::PIA* arg_PIA);
struct Matcher {
RE_Match_State* state;
@ -173,7 +170,7 @@ private:
zeek::analyzer::Analyzer* analyzer;
RuleEndpointState* opposite;
::analyzer::pia::PIA* pia;
zeek::analyzer::pia::PIA* pia;
matcher_list matchers;
rule_hdr_test_list hdr_tests;
@ -267,7 +264,7 @@ public:
// it needs to be given.
RuleEndpointState* InitEndpoint(zeek::analyzer::Analyzer* analyzer, const zeek::IP_Hdr* ip,
int caplen, RuleEndpointState* opposite, bool is_orig,
::analyzer::pia::PIA* pia);
zeek::analyzer::pia::PIA* pia);
// Finish matching for this stream.
void FinishEndpoint(RuleEndpointState* state);
@ -376,7 +373,7 @@ public:
// ip may be nil.
void InitEndpointMatcher(zeek::analyzer::Analyzer* analyzer, const zeek::IP_Hdr* ip,
int caplen, bool from_orig, ::analyzer::pia::PIA* pia = nullptr);
int caplen, bool from_orig, zeek::analyzer::pia::PIA* pia = nullptr);
// bol/eol should be set to false for type Rule::PAYLOAD; they're
// deduced automatically.

22
src/Sessions.cc
View file

@ -72,7 +72,7 @@ void IPTunnelTimer::Dispatch(double t, bool is_expire)
NetSessions::NetSessions()
{
if ( stp_correlate_pair )
stp_manager = new ::analyzer::stepping_stone::SteppingStoneManager();
stp_manager = new zeek::analyzer::stepping_stone::SteppingStoneManager();
else
stp_manager = nullptr;
@ -96,7 +96,7 @@ NetSessions::NetSessions()
pkt_profiler = nullptr;
if ( arp_request || arp_reply || bad_arp )
arp_analyzer = new ::analyzer::arp::ARP_Analyzer();
arp_analyzer = new zeek::analyzer::arp::ARP_Analyzer();
else
arp_analyzer = nullptr;
@ -403,9 +403,9 @@ void NetSessions::DoNextPacket(double t, const zeek::Packet* pkt, const zeek::IP
const struct icmp* icmpp = (const struct icmp *) data;
id.src_port = icmpp->icmp_type;
id.dst_port = ::analyzer::icmp::ICMP4_counterpart(icmpp->icmp_type,
icmpp->icmp_code,
id.is_one_way);
id.dst_port = zeek::analyzer::icmp::ICMP4_counterpart(icmpp->icmp_type,
icmpp->icmp_code,
id.is_one_way);
id.src_port = htons(id.src_port);
id.dst_port = htons(id.dst_port);
@ -419,9 +419,9 @@ void NetSessions::DoNextPacket(double t, const zeek::Packet* pkt, const zeek::IP
const struct icmp* icmpp = (const struct icmp *) data;
id.src_port = icmpp->icmp_type;
id.dst_port = ::analyzer::icmp::ICMP6_counterpart(icmpp->icmp_type,
icmpp->icmp_code,
id.is_one_way);
id.dst_port = zeek::analyzer::icmp::ICMP6_counterpart(icmpp->icmp_type,
icmpp->icmp_code,
id.is_one_way);
id.src_port = htons(id.src_port);
id.dst_port = htons(id.dst_port);
@ -1011,10 +1011,10 @@ void NetSessions::Remove(Connection* c)
if ( c->ConnTransport() == TRANSPORT_TCP )
{
auto ta = static_cast<::analyzer::tcp::TCP_Analyzer*>(c->GetRootAnalyzer());
auto ta = static_cast<zeek::analyzer::tcp::TCP_Analyzer*>(c->GetRootAnalyzer());
assert(ta->IsAnalyzer("TCP"));
::analyzer::tcp::TCP_Endpoint* to = ta->Orig();
::analyzer::tcp::TCP_Endpoint* tr = ta->Resp();
zeek::analyzer::tcp::TCP_Endpoint* to = ta->Orig();
zeek::analyzer::tcp::TCP_Endpoint* tr = ta->Resp();
tcp_stats.StateLeft(to->state, tr->state);
}

13
src/Sessions.h
View file

@ -23,9 +23,8 @@ namespace zeek { struct ConnID; }
using ConnID [[deprecated("Remove in v4.1. Use zeek::ConnID.")]] = zeek::ConnID;
ZEEK_FORWARD_DECLARE_NAMESPACED(Discarder, zeek::detail);
namespace analyzer { namespace stepping_stone { class SteppingStoneManager; } }
namespace analyzer { namespace arp { class ARP_Analyzer; } }
ZEEK_FORWARD_DECLARE_NAMESPACED(SteppingStoneManager, zeek, analyzer::stepping_stone);
ZEEK_FORWARD_DECLARE_NAMESPACED(ARP_Analyzer, zeek, analyzer::arp);
namespace zeek {
@ -95,7 +94,7 @@ public:
return packet_filter;
}
::analyzer::stepping_stone::SteppingStoneManager* GetSTPManager() { return stp_manager; }
zeek::analyzer::stepping_stone::SteppingStoneManager* GetSTPManager() { return stp_manager; }
unsigned int CurrentConnections()
{
@ -172,7 +171,7 @@ public:
unsigned int ConnectionMemoryUsage();
unsigned int ConnectionMemoryUsageConnVals();
unsigned int MemoryAllocation();
::analyzer::tcp::TCPStateStats tcp_stats; // keeps statistics on TCP states
zeek::analyzer::tcp::TCPStateStats tcp_stats; // keeps statistics on TCP states
protected:
friend class ConnCompressor;
@ -235,9 +234,9 @@ protected:
using IPTunnelMap = std::map<IPPair, TunnelActivity>;
IPTunnelMap ip_tunnels;
::analyzer::arp::ARP_Analyzer* arp_analyzer;
zeek::analyzer::arp::ARP_Analyzer* arp_analyzer;
::analyzer::stepping_stone::SteppingStoneManager* stp_manager;
zeek::analyzer::stepping_stone::SteppingStoneManager* stp_manager;
zeek::detail::Discarder* discarder;
zeek::detail::PacketFilter* packet_filter;
uint64_t num_packets_processed;

15
src/analyzer/Analyzer.h
View file

@ -19,6 +19,8 @@
ZEEK_FORWARD_DECLARE_NAMESPACED(Connection, zeek);
ZEEK_FORWARD_DECLARE_NAMESPACED(Rule, zeek::detail);
ZEEK_FORWARD_DECLARE_NAMESPACED(IP_Hdr, zeek);
ZEEK_FORWARD_DECLARE_NAMESPACED(TCP_ApplicationAnalyzer, zeek, analyzer::tcp);
ZEEK_FORWARD_DECLARE_NAMESPACED(PIA, zeek, analyzer::pia);
namespace zeek {
using RecordValPtr = zeek::IntrusivePtr<RecordVal>;
@ -29,11 +31,6 @@ using FilePtr = zeek::IntrusivePtr<File>;
using BroFile [[deprecated("Remove in v4.1. Use zeek::File.")]] = zeek::File;
using BroFilePtr [[deprecated("Remove in v4.1. Use zeek::FilePtr.")]] = zeek::FilePtr;
namespace analyzer {
namespace tcp { class TCP_ApplicationAnalyzer; }
namespace pia { class PIA; }
}
namespace zeek::analyzer {
class Analyzer;
@ -633,7 +630,7 @@ protected:
friend class AnalyzerTimer;
friend class Manager;
friend class zeek::Connection;
friend class ::analyzer::tcp::TCP_ApplicationAnalyzer;
friend class zeek::analyzer::tcp::TCP_ApplicationAnalyzer;
/**
* Return a string represantation of an analyzer, containing its name
@ -938,13 +935,13 @@ public:
* transport-layer input and determine which protocol analyzer(s) to
* use for parsing it.
*/
void SetPIA(::analyzer::pia::PIA* arg_PIA) { pia = arg_PIA; }
void SetPIA(zeek::analyzer::pia::PIA* arg_PIA) { pia = arg_PIA; }
/**
* Returns the associated PIA, or null of none. Does not take
* ownership.
*/
::analyzer::pia::PIA* GetPIA() const { return pia; }
zeek::analyzer::pia::PIA* GetPIA() const { return pia; }
/**
* Helper to raise a \c packet_contents event.
@ -956,7 +953,7 @@ public:
void PacketContents(const u_char* data, int len);
private:
::analyzer::pia::PIA* pia;
zeek::analyzer::pia::PIA* pia;
};
} // namespace zeek::analyzer

22
src/analyzer/Manager.cc
View file

@ -20,7 +20,7 @@
using namespace zeek::analyzer;
Manager::ConnIndex::ConnIndex(const IPAddr& _orig, const IPAddr& _resp,
uint16_t _resp_p, uint16_t _proto)
uint16_t _resp_p, uint16_t _proto)
{
if ( _orig == IPAddr::v4_unspecified )
// don't use the IPv4 mapping, use the literal unspecified address
@ -360,31 +360,29 @@ Manager::tag_set* Manager::LookupPort(zeek::PortVal* val, bool add_if_not_found)
bool Manager::BuildInitialAnalyzerTree(Connection* conn)
{
::analyzer::tcp::TCP_Analyzer* tcp = nullptr;
::analyzer::udp::UDP_Analyzer* udp = nullptr;
::analyzer::icmp::ICMP_Analyzer* icmp = nullptr;
zeek::analyzer::tcp::TCP_Analyzer* tcp = nullptr;
TransportLayerAnalyzer* root = nullptr;
::analyzer::pia::PIA* pia = nullptr;
zeek::analyzer::pia::PIA* pia = nullptr;
bool check_port = false;
switch ( conn->ConnTransport() ) {
case TRANSPORT_TCP:
root = tcp = new ::analyzer::tcp::TCP_Analyzer(conn);
pia = new ::analyzer::pia::PIA_TCP(conn);
root = tcp = new zeek::analyzer::tcp::TCP_Analyzer(conn);
pia = new zeek::analyzer::pia::PIA_TCP(conn);
check_port = true;
DBG_ANALYZER(conn, "activated TCP analyzer");
break;
case TRANSPORT_UDP:
root = udp = new ::analyzer::udp::UDP_Analyzer(conn);
pia = new ::analyzer::pia::PIA_UDP(conn);
root = new zeek::analyzer::udp::UDP_Analyzer(conn);
pia = new zeek::analyzer::pia::PIA_UDP(conn);
check_port = true;
DBG_ANALYZER(conn, "activated UDP analyzer");
break;
case TRANSPORT_ICMP: {
root = icmp = new ::analyzer::icmp::ICMP_Analyzer(conn);
root = new zeek::analyzer::icmp::ICMP_Analyzer(conn);
DBG_ANALYZER(conn, "activated ICMP analyzer");
break;
}
@ -466,14 +464,14 @@ bool Manager::BuildInitialAnalyzerTree(Connection* conn)
auto src = zeek::make_intrusive<zeek::AddrVal>(conn->OrigAddr());
if ( ! stp_skip_src->FindOrDefault(src) )
tcp->AddChildAnalyzer(new ::analyzer::stepping_stone::SteppingStone_Analyzer(conn), false);
tcp->AddChildAnalyzer(new zeek::analyzer::stepping_stone::SteppingStone_Analyzer(conn), false);
}
}
if ( IsEnabled(analyzer_tcpstats) )
// Add TCPStats analyzer. This needs to see packets so
// we cannot add it as a normal child.
tcp->AddChildPacketAnalyzer(new ::analyzer::tcp::TCPStats_Analyzer(conn));
tcp->AddChildPacketAnalyzer(new zeek::analyzer::tcp::TCPStats_Analyzer(conn));
if ( IsEnabled(analyzer_connsize) )
// Add ConnSize analyzer. Needs to see packets, not stream.

4
src/analyzer/protocol/arp/ARP.cc
View file

@ -7,7 +7,7 @@
#include "events.bif.h"
using namespace analyzer::arp;
namespace zeek::analyzer::arp {
ARP_Analyzer::ARP_Analyzer()
{
@ -240,3 +240,5 @@ zeek::StringValPtr ARP_Analyzer::ToEthAddrStr(const u_char* addr)
addr[0], addr[1], addr[2], addr[3], addr[4], addr[5]);
return zeek::make_intrusive<zeek::StringVal>(buf);
}
} // namespace zeek::analyzer::arp

8
src/analyzer/protocol/arp/ARP.h
View file

@ -30,7 +30,7 @@ extern "C" {
#include <pcap.h>
}
namespace analyzer::arp {
namespace zeek::analyzer::arp {
class ARP_Analyzer : public zeek::Obj {
public:
@ -57,4 +57,8 @@ protected:
void Corrupted(const char* string);
};
} // namespace analyzer::arp
} // namespace zeek::analyzer::arp
namespace analyer::arp {
using ARP_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::arp::ARP_Analyzer.")]] = zeek::analyzer::arp::ARP_Analyzer;
}

10
src/analyzer/protocol/bittorrent/BitTorrent.cc
View file

@ -8,7 +8,7 @@
using namespace analyzer::bittorrent;
BitTorrent_Analyzer::BitTorrent_Analyzer(zeek::Connection* c)
: tcp::TCP_ApplicationAnalyzer("BITTORRENT", c)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("BITTORRENT", c)
{
interp = new binpac::BitTorrent::BitTorrent_Conn(this);
stop_orig = stop_resp = false;
@ -22,7 +22,7 @@ BitTorrent_Analyzer::~BitTorrent_Analyzer()
void BitTorrent_Analyzer::Done()
{
tcp::TCP_ApplicationAnalyzer::Done();
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
interp->FlowEOF(true);
interp->FlowEOF(false);
@ -33,7 +33,7 @@ void BitTorrent_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
uint64_t& this_stream_len = orig ? stream_len_orig : stream_len_resp;
bool& this_stop = orig ? stop_orig : stop_resp;
tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
assert(TCP());
@ -70,7 +70,7 @@ void BitTorrent_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
void BitTorrent_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
{
tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
// TODO: Code commented out for now. I think that shoving data that
// is definitely wrong into the parser seems like a really bad idea.
@ -112,7 +112,7 @@ void BitTorrent_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
void BitTorrent_Analyzer::EndpointEOF(bool is_orig)
{
tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
interp->FlowEOF(is_orig);
}

2
src/analyzer/protocol/bittorrent/BitTorrent.h
View file

@ -8,7 +8,7 @@
namespace analyzer { namespace bittorrent {
class BitTorrent_Analyzer final : public tcp::TCP_ApplicationAnalyzer {
class BitTorrent_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
public:
explicit BitTorrent_Analyzer(zeek::Connection* conn);
~BitTorrent_Analyzer() override;

10
src/analyzer/protocol/bittorrent/BitTorrentTracker.cc
View file

@ -22,7 +22,7 @@ static zeek::RecordTypePtr bittorrent_benc_value;
static zeek::TableTypePtr bittorrent_benc_dir;
BitTorrentTracker_Analyzer::BitTorrentTracker_Analyzer(zeek::Connection* c)
: tcp::TCP_ApplicationAnalyzer("BITTORRENTTRACKER", c)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("BITTORRENTTRACKER", c)
{
if ( ! bt_tracker_headers )
{
@ -78,13 +78,13 @@ BitTorrentTracker_Analyzer::~BitTorrentTracker_Analyzer()
void BitTorrentTracker_Analyzer::Done()
{
tcp::TCP_ApplicationAnalyzer::Done();
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
}
void BitTorrentTracker_Analyzer::DeliverStream(int len, const u_char* data,
bool orig)
{
tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
assert(TCP());
@ -208,7 +208,7 @@ void BitTorrentTracker_Analyzer::ServerReply(int len, const u_char* data)
void BitTorrentTracker_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
{
tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
ProtocolViolation("BitTorrentTracker: cannot recover from content gap");
@ -220,7 +220,7 @@ void BitTorrentTracker_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
void BitTorrentTracker_Analyzer::EndpointEOF(bool is_orig)
{
tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
}
void BitTorrentTracker_Analyzer::InitBencParser(void)

2
src/analyzer/protocol/bittorrent/BitTorrentTracker.h
View file

@ -43,7 +43,7 @@ enum btt_benc_states {
BENC_STATE_STR2,
};
class BitTorrentTracker_Analyzer final : public tcp::TCP_ApplicationAnalyzer {
class BitTorrentTracker_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
public:
explicit BitTorrentTracker_Analyzer(zeek::Connection* conn);
~BitTorrentTracker_Analyzer() override;

2
src/analyzer/protocol/dce-rpc/DCE_RPC.cc
View file

@ -13,7 +13,7 @@ using namespace std;
using namespace analyzer::dce_rpc;
DCE_RPC_Analyzer::DCE_RPC_Analyzer(zeek::Connection* conn)
: tcp::TCP_ApplicationAnalyzer("DCE_RPC", conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("DCE_RPC", conn)
{
had_gap = false;
interp = new binpac::DCE_RPC::DCE_RPC_Conn(this);

2
src/analyzer/protocol/dce-rpc/DCE_RPC.h
View file

@ -11,7 +11,7 @@
namespace analyzer { namespace dce_rpc {
class DCE_RPC_Analyzer final : public tcp::TCP_ApplicationAnalyzer {
class DCE_RPC_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
public:
explicit DCE_RPC_Analyzer(zeek::Connection* conn);
~DCE_RPC_Analyzer() override;

2
src/analyzer/protocol/dnp3/DNP3.h
View file

@ -61,7 +61,7 @@ protected:
Endpoint resp_state;
};
class DNP3_TCP_Analyzer : public DNP3_Base, public tcp::TCP_ApplicationAnalyzer {
class DNP3_TCP_Analyzer : public DNP3_Base, public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
public:
explicit DNP3_TCP_Analyzer(zeek::Connection* conn);
~DNP3_TCP_Analyzer() override;

15
src/analyzer/protocol/dns/DNS.cc
View file

@ -1797,7 +1797,7 @@ zeek::RecordValPtr DNS_MsgInfo::BuildDS_Val(DS_DATA* ds)
Contents_DNS::Contents_DNS(zeek::Connection* conn, bool orig,
DNS_Interpreter* arg_interp)
: tcp::TCP_SupportAnalyzer("CONTENTS_DNS", conn, orig)
: zeek::analyzer::tcp::TCP_SupportAnalyzer("CONTENTS_DNS", conn, orig)
{
interp = arg_interp;
@ -1890,7 +1890,7 @@ void Contents_DNS::ProcessChunk(int& len, const u_char*& data, bool orig)
}
DNS_Analyzer::DNS_Analyzer(zeek::Connection* conn)
: tcp::TCP_ApplicationAnalyzer("DNS", conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("DNS", conn)
{
interp = new DNS_Interpreter(this);
contents_dns_orig = contents_dns_resp = nullptr;
@ -1921,7 +1921,7 @@ void DNS_Analyzer::Init()
void DNS_Analyzer::Done()
{
tcp::TCP_ApplicationAnalyzer::Done();
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
if ( Conn()->ConnTransport() == TRANSPORT_UDP )
Event(udp_session_done);
@ -1932,15 +1932,16 @@ void DNS_Analyzer::Done()
void DNS_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const zeek::IP_Hdr* ip, int caplen)
{
tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
interp->ParseMessage(data, len, orig ? 1 : 0);
}
void DNS_Analyzer::ConnectionClosed(tcp::TCP_Endpoint* endpoint, tcp::TCP_Endpoint* peer,
bool gen_event)
void DNS_Analyzer::ConnectionClosed(zeek::analyzer::tcp::TCP_Endpoint* endpoint,
zeek::analyzer::tcp::TCP_Endpoint* peer,
bool gen_event)
{
tcp::TCP_ApplicationAnalyzer::ConnectionClosed(endpoint, peer, gen_event);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::ConnectionClosed(endpoint, peer, gen_event);
assert(contents_dns_orig && contents_dns_resp);
contents_dns_orig->Flush();

8
src/analyzer/protocol/dns/DNS.h
View file

@ -369,7 +369,7 @@ typedef enum {
// Support analyzer which chunks the TCP stream into "packets".
// ### This should be merged with TCP_Contents_RPC.
class Contents_DNS final : public tcp::TCP_SupportAnalyzer {
class Contents_DNS final : public zeek::analyzer::tcp::TCP_SupportAnalyzer {
public:
Contents_DNS(zeek::Connection* c, bool orig, DNS_Interpreter* interp);
~Contents_DNS() override;
@ -392,7 +392,7 @@ protected:
};
// Works for both TCP and UDP.
class DNS_Analyzer final : public tcp::TCP_ApplicationAnalyzer {
class DNS_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
public:
explicit DNS_Analyzer(zeek::Connection* conn);
~DNS_Analyzer() override;
@ -402,8 +402,8 @@ public:
void Init() override;
void Done() override;
void ConnectionClosed(tcp::TCP_Endpoint* endpoint,
tcp::TCP_Endpoint* peer, bool gen_event) override;
void ConnectionClosed(zeek::analyzer::tcp::TCP_Endpoint* endpoint,
zeek::analyzer::tcp::TCP_Endpoint* peer, bool gen_event) override;
void ExpireTimer(double t);
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn)

4
src/analyzer/protocol/file/File.cc
View file

@ -19,7 +19,7 @@ File_Analyzer::File_Analyzer(const char* name, zeek::Connection* conn)
void File_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{
tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
int n = std::min(len, BUFFER_SIZE - buffer_len);
@ -54,7 +54,7 @@ void File_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
void File_Analyzer::Done()
{
tcp::TCP_ApplicationAnalyzer::Done();
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
if ( buffer_len && buffer_len != BUFFER_SIZE )
Identify();

2
src/analyzer/protocol/file/File.h
View file

@ -8,7 +8,7 @@
namespace analyzer { namespace file {
class File_Analyzer : public tcp::TCP_ApplicationAnalyzer {
class File_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
public:
File_Analyzer(const char* name, zeek::Connection* conn);

12
src/analyzer/protocol/finger/Finger.cc
View file

@ -14,24 +14,24 @@
using namespace analyzer::finger;
Finger_Analyzer::Finger_Analyzer(zeek::Connection* conn)
: tcp::TCP_ApplicationAnalyzer("FINGER", conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("FINGER", conn)
{
did_deliver = 0;
content_line_orig = new tcp::ContentLine_Analyzer(conn, true, 1000);
content_line_orig = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, true, 1000);
content_line_orig->SetIsNULSensitive(true);
content_line_resp = new tcp::ContentLine_Analyzer(conn, false, 1000);
content_line_resp = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, false, 1000);
AddSupportAnalyzer(content_line_orig);
AddSupportAnalyzer(content_line_resp);
}
void Finger_Analyzer::Done()
{
tcp::TCP_ApplicationAnalyzer::Done();
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
if ( TCP() )
if ( (! did_deliver || content_line_orig->HasPartialLine()) &&
(TCP()->OrigState() == tcp::TCP_ENDPOINT_CLOSED ||
TCP()->OrigPrevState() == tcp::TCP_ENDPOINT_CLOSED) )
(TCP()->OrigState() == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED ||
TCP()->OrigPrevState() == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED) )
// ### should include the partial text
Weird("partial_finger_request");
}

6
src/analyzer/protocol/finger/Finger.h
View file

@ -7,7 +7,7 @@
namespace analyzer { namespace finger {
class Finger_Analyzer : public tcp::TCP_ApplicationAnalyzer {
class Finger_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
public:
explicit Finger_Analyzer(zeek::Connection* conn);
~Finger_Analyzer() override {}
@ -20,8 +20,8 @@ public:
{ return new Finger_Analyzer(conn); }
protected:
tcp::ContentLine_Analyzer* content_line_orig;
tcp::ContentLine_Analyzer* content_line_resp;
zeek::analyzer::tcp::ContentLine_Analyzer* content_line_orig;
zeek::analyzer::tcp::ContentLine_Analyzer* content_line_resp;
int did_deliver;
};

10
src/analyzer/protocol/ftp/FTP.cc
View file

@ -18,7 +18,7 @@
using namespace analyzer::ftp;
FTP_Analyzer::FTP_Analyzer(zeek::Connection* conn)
: tcp::TCP_ApplicationAnalyzer("FTP", conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("FTP", conn)
{
pending_reply = 0;
@ -43,11 +43,11 @@ FTP_Analyzer::FTP_Analyzer(zeek::Connection* conn)
void FTP_Analyzer::Done()
{
tcp::TCP_ApplicationAnalyzer::Done();
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
if ( nvt_orig->HasPartialLine() &&
(TCP()->OrigState() == tcp::TCP_ENDPOINT_CLOSED ||
TCP()->OrigPrevState() == tcp::TCP_ENDPOINT_CLOSED) )
(TCP()->OrigState() == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED ||
TCP()->OrigPrevState() == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED) )
// ### should include the partial text
Weird("partial_ftp_request");
}
@ -62,7 +62,7 @@ static uint32_t get_reply_code(int len, const char* line)
void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
{
tcp::TCP_ApplicationAnalyzer::DeliverStream(length, data, orig);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(length, data, orig);
if ( (orig && ! ftp_request) || (! orig && ! ftp_reply) )
return;

2
src/analyzer/protocol/ftp/FTP.h
View file

@ -8,7 +8,7 @@ namespace analyzer { namespace login { class NVT_Analyzer; }}
namespace analyzer { namespace ftp {
class FTP_Analyzer final : public tcp::TCP_ApplicationAnalyzer {
class FTP_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
public:
explicit FTP_Analyzer(zeek::Connection* conn);

10
src/analyzer/protocol/gnutella/Gnutella.cc
View file

@ -34,7 +34,7 @@ GnutellaMsgState::GnutellaMsgState()
Gnutella_Analyzer::Gnutella_Analyzer(zeek::Connection* conn)
: tcp::TCP_ApplicationAnalyzer("GNUTELLA", conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("GNUTELLA", conn)
{
state = 0;
new_state = 0;
@ -54,7 +54,7 @@ Gnutella_Analyzer::~Gnutella_Analyzer()
void Gnutella_Analyzer::Done()
{
tcp::TCP_ApplicationAnalyzer::Done();
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
if ( ! sent_establish && (gnutella_establish || gnutella_not_establish) )
{
@ -126,9 +126,9 @@ bool Gnutella_Analyzer::IsHTTP(std::string header)
if ( Parent()->IsAnalyzer("TCP") )
{
// Replay buffered data.
pia::PIA* pia = static_cast<zeek::analyzer::TransportLayerAnalyzer *>(Parent())->GetPIA();
zeek::analyzer::pia::PIA* pia = static_cast<zeek::analyzer::TransportLayerAnalyzer *>(Parent())->GetPIA();
if ( pia )
static_cast<pia::PIA_TCP *>(pia)->ReplayStreamBuffer(a);
static_cast<zeek::analyzer::pia::PIA_TCP *>(pia)->ReplayStreamBuffer(a);
}
Parent()->RemoveChildAnalyzer(this);
@ -301,7 +301,7 @@ void Gnutella_Analyzer::DeliverMessages(int len, const u_char* data, bool orig)
void Gnutella_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{
tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
ms = orig ? orig_msg_state : resp_msg_state;
ms->current_offset = 0;

2
src/analyzer/protocol/gnutella/Gnutella.h
View file

@ -33,7 +33,7 @@ public:
};
class Gnutella_Analyzer : public tcp::TCP_ApplicationAnalyzer {
class Gnutella_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
public:
explicit Gnutella_Analyzer(zeek::Connection* conn);
~Gnutella_Analyzer() override;

10
src/analyzer/protocol/gssapi/GSSAPI.cc
View file

@ -8,7 +8,7 @@
using namespace analyzer::gssapi;
GSSAPI_Analyzer::GSSAPI_Analyzer(zeek::Connection* c)
: tcp::TCP_ApplicationAnalyzer("GSSAPI", c)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("GSSAPI", c)
{
interp = new binpac::GSSAPI::GSSAPI_Conn(this);
}
@ -20,7 +20,7 @@ GSSAPI_Analyzer::~GSSAPI_Analyzer()
void GSSAPI_Analyzer::Done()
{
tcp::TCP_ApplicationAnalyzer::Done();
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
interp->FlowEOF(true);
interp->FlowEOF(false);
@ -28,13 +28,13 @@ void GSSAPI_Analyzer::Done()
void GSSAPI_Analyzer::EndpointEOF(bool is_orig)
{
tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
interp->FlowEOF(is_orig);
}
void GSSAPI_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{
tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
assert(TCP());
@ -51,6 +51,6 @@ void GSSAPI_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
void GSSAPI_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
{
tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
interp->NewGap(orig, len);
}

4
src/analyzer/protocol/gssapi/GSSAPI.h
View file

@ -9,7 +9,7 @@
namespace analyzer { namespace gssapi {
class GSSAPI_Analyzer final : public tcp::TCP_ApplicationAnalyzer {
class GSSAPI_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
public:
explicit GSSAPI_Analyzer(zeek::Connection* conn);
@ -21,7 +21,7 @@ public:
void DeliverStream(int len, const u_char* data, bool orig) override;
void Undelivered(uint64_t seq, int len, bool orig) override;
// Overriden from tcp::TCP_ApplicationAnalyzer.
// Overriden from zeek::analyzer::tcp::TCP_ApplicationAnalyzer.
void EndpointEOF(bool is_orig) override;
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn)

34
src/analyzer/protocol/http/HTTP.cc
View file

@ -595,8 +595,8 @@ void HTTP_Entity::SubmitAllHeaders()
}
HTTP_Message::HTTP_Message(HTTP_Analyzer* arg_analyzer,
tcp::ContentLine_Analyzer* arg_cl, bool arg_is_orig,
int expect_body, int64_t init_header_length)
zeek::analyzer::tcp::ContentLine_Analyzer* arg_cl, bool arg_is_orig,
int expect_body, int64_t init_header_length)
: MIME_Message (arg_analyzer)
{
analyzer = arg_analyzer;
@ -836,7 +836,7 @@ void HTTP_Message::Weird(const char* msg)
}
HTTP_Analyzer::HTTP_Analyzer(zeek::Connection* conn)
: tcp::TCP_ApplicationAnalyzer("HTTP", conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("HTTP", conn)
{
num_requests = num_replies = 0;
num_request_lines = num_reply_lines = 0;
@ -858,10 +858,10 @@ HTTP_Analyzer::HTTP_Analyzer(zeek::Connection* conn)
upgrade_connection = false;
upgrade_protocol.clear();
content_line_orig = new tcp::ContentLine_Analyzer(conn, true);
content_line_orig = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, true);
AddSupportAnalyzer(content_line_orig);
content_line_resp = new tcp::ContentLine_Analyzer(conn, false);
content_line_resp = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, false);
content_line_resp->SetSkipPartial(true);
AddSupportAnalyzer(content_line_resp);
}
@ -871,7 +871,7 @@ void HTTP_Analyzer::Done()
if ( IsFinished() )
return;
tcp::TCP_ApplicationAnalyzer::Done();
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
RequestMade(true, "message interrupted when connection done");
ReplyMade(true, "message interrupted when connection done");
@ -897,7 +897,7 @@ void HTTP_Analyzer::Done()
void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
{
tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig);
if ( TCP() && TCP()->IsPartial() )
return;
@ -916,7 +916,7 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
const char* line = reinterpret_cast<const char*>(data);
const char* end_of_line = line + len;
tcp::ContentLine_Analyzer* content_line =
zeek::analyzer::tcp::ContentLine_Analyzer* content_line =
is_orig ? content_line_orig : content_line_resp;
if ( content_line->IsPlainDelivery() )
@ -1048,7 +1048,7 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
{
// End of message header reached, set up
// tunnel decapsulation.
pia = new pia::PIA_TCP(Conn());
pia = new zeek::analyzer::pia::PIA_TCP(Conn());
if ( AddChildAnalyzer(pia) )
{
@ -1080,14 +1080,14 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
void HTTP_Analyzer::Undelivered(uint64_t seq, int len, bool is_orig)
{
tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig);
// DEBUG_MSG("Undelivered from %"PRIu64": %d bytes\n", seq, length);
HTTP_Message* msg =
is_orig ? request_message : reply_message;
tcp::ContentLine_Analyzer* content_line =
zeek::analyzer::tcp::ContentLine_Analyzer* content_line =
is_orig ? content_line_orig : content_line_resp;
if ( ! content_line->IsSkippedContents(seq, len) )
@ -1123,7 +1123,7 @@ void HTTP_Analyzer::Undelivered(uint64_t seq, int len, bool is_orig)
void HTTP_Analyzer::EndpointEOF(bool is_orig)
{
tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
// DEBUG_MSG("%.6f eof\n", network_time);
@ -1135,7 +1135,7 @@ void HTTP_Analyzer::EndpointEOF(bool is_orig)
void HTTP_Analyzer::ConnectionFinished(bool half_finished)
{
tcp::TCP_ApplicationAnalyzer::ConnectionFinished(half_finished);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::ConnectionFinished(half_finished);
// DEBUG_MSG("%.6f connection finished\n", network_time);
RequestMade(true, "message ends as connection is finished");
@ -1144,7 +1144,7 @@ void HTTP_Analyzer::ConnectionFinished(bool half_finished)
void HTTP_Analyzer::ConnectionReset()
{
tcp::TCP_ApplicationAnalyzer::ConnectionReset();
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::ConnectionReset();
RequestMade(true, "message interrupted by RST");
ReplyMade(true, "message interrupted by RST");
@ -1152,7 +1152,7 @@ void HTTP_Analyzer::ConnectionReset()
void HTTP_Analyzer::PacketWithRST()
{
tcp::TCP_ApplicationAnalyzer::PacketWithRST();
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::PacketWithRST();
RequestMade(true, "message interrupted by RST");
ReplyMade(true, "message interrupted by RST");
@ -1680,8 +1680,8 @@ void HTTP_Analyzer::HTTP_MessageDone(bool is_orig, HTTP_Message* /* message */)
ReplyMade(false, "message ends normally");
}
void HTTP_Analyzer::InitHTTPMessage(tcp::ContentLine_Analyzer* cl, HTTP_Message*& message,
bool is_orig, int expect_body, int64_t init_header_length)
void HTTP_Analyzer::InitHTTPMessage(zeek::analyzer::tcp::ContentLine_Analyzer* cl, HTTP_Message*& message,
bool is_orig, int expect_body, int64_t init_header_length)
{
if ( message )
{

20
src/analyzer/protocol/http/HTTP.h
View file

@ -100,8 +100,8 @@ class HTTP_Message final : public mime::MIME_Message {
friend class HTTP_Entity;
public:
HTTP_Message(HTTP_Analyzer* analyzer, tcp::ContentLine_Analyzer* cl,
bool is_orig, int expect_body, int64_t init_header_length);
HTTP_Message(HTTP_Analyzer* analyzer, zeek::analyzer::tcp::ContentLine_Analyzer* cl,
bool is_orig, int expect_body, int64_t init_header_length);
~HTTP_Message() override;
void Done(bool interrupted, const char* msg);
void Done() override { Done(false, "message ends normally"); }
@ -129,7 +129,7 @@ public:
protected:
HTTP_Analyzer* analyzer;
tcp::ContentLine_Analyzer* content_line;
zeek::analyzer::tcp::ContentLine_Analyzer* content_line;
bool is_orig;
char* entity_data_buffer;
@ -148,7 +148,7 @@ protected:
zeek::RecordValPtr BuildMessageStat(bool interrupted, const char* msg);
};
class HTTP_Analyzer final : public tcp::TCP_ApplicationAnalyzer {
class HTTP_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
public:
HTTP_Analyzer(zeek::Connection* conn);
@ -168,7 +168,7 @@ public:
void DeliverStream(int len, const u_char* data, bool orig) override;
void Undelivered(uint64_t seq, int len, bool orig) override;
// Overriden from tcp::TCP_ApplicationAnalyzer
// Overriden from zeek::analyzer::tcp::TCP_ApplicationAnalyzer
void EndpointEOF(bool is_orig) override;
void ConnectionFinished(bool half_finished) override;
void ConnectionReset() override;
@ -210,8 +210,8 @@ protected:
int HTTP_RequestLine(const char* line, const char* end_of_line);
int HTTP_ReplyLine(const char* line, const char* end_of_line);
void InitHTTPMessage(tcp::ContentLine_Analyzer* cl, HTTP_Message*& message, bool is_orig,
int expect_body, int64_t init_header_length);
void InitHTTPMessage(zeek::analyzer::tcp::ContentLine_Analyzer* cl, HTTP_Message*& message, bool is_orig,
int expect_body, int64_t init_header_length);
const char* PrefixMatch(const char* line, const char* end_of_line,
const char* prefix);
@ -248,7 +248,7 @@ protected:
int request_ongoing, reply_ongoing;
bool connect_request;
pia::PIA_TCP *pia;
zeek::analyzer::pia::PIA_TCP *pia;
// set to true after a connection was upgraded
bool upgraded;
// set to true when encountering an "connection" header in a reply.
@ -271,8 +271,8 @@ protected:
int reply_code;
zeek::StringValPtr reply_reason_phrase;
tcp::ContentLine_Analyzer* content_line_orig;
tcp::ContentLine_Analyzer* content_line_resp;
zeek::analyzer::tcp::ContentLine_Analyzer* content_line_orig;
zeek::analyzer::tcp::ContentLine_Analyzer* content_line_resp;
HTTP_Message* request_message;
HTTP_Message* reply_message;

8
src/analyzer/protocol/icmp/ICMP.cc
View file

@ -18,7 +18,7 @@
#include <netinet/icmp6.h>
using namespace analyzer::icmp;
namespace zeek::analyzer::icmp {
ICMP_Analyzer::ICMP_Analyzer(zeek::Connection* c)
: TransportLayerAnalyzer("ICMP", c),
@ -873,7 +873,7 @@ zeek::VectorValPtr ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* da
return vv;
}
int analyzer::icmp::ICMP4_counterpart(int icmp_type, int icmp_code, bool& is_one_way)
int ICMP4_counterpart(int icmp_type, int icmp_code, bool& is_one_way)
{
is_one_way = false;
@ -901,7 +901,7 @@ int analyzer::icmp::ICMP4_counterpart(int icmp_type, int icmp_code, bool& is_one
}
}
int analyzer::icmp::ICMP6_counterpart(int icmp_type, int icmp_code, bool& is_one_way)
int ICMP6_counterpart(int icmp_type, int icmp_code, bool& is_one_way)
{
is_one_way = false;
@ -932,3 +932,5 @@ int analyzer::icmp::ICMP6_counterpart(int icmp_type, int icmp_code, bool& is_one
default: is_one_way = true; return icmp_code;
}
}
} // namespace zeek::analyzer::icmp

21
src/analyzer/protocol/icmp/ICMP.h
View file

@ -11,12 +11,12 @@ namespace zeek {
using VectorValPtr = zeek::IntrusivePtr<VectorVal>;
}
namespace analyzer { namespace icmp {
namespace zeek::analyzer::icmp {
typedef enum {
enum ICMP_EndpointState {
ICMP_INACTIVE, // no packet seen
ICMP_ACTIVE, // packets seen
} ICMP_EndpointState;
};
// We do not have an PIA for ICMP (yet) and therefore derive from
// RuleMatcherState to perform our own matching.
@ -98,4 +98,17 @@ private:
extern int ICMP4_counterpart(int icmp_type, int icmp_code, bool& is_one_way);
extern int ICMP6_counterpart(int icmp_type, int icmp_code, bool& is_one_way);
} } // namespace analyzer::*
} // namespace zeek::analyzer::icmp
namespace analyzer::icmp {
using ICMP_EndpointState [[deprecated("Remove in v4.1. Use zeek::analyzer::icmp::ICMP_EndpointState.")]] = zeek::analyzer::icmp::ICMP_EndpointState;
constexpr auto ICMP_INACTIVE [[deprecated("Remove in v4.1. Use zeek::analyzer::icmp::ICMP_INACTIVE.")]] = zeek::analyzer::icmp::ICMP_INACTIVE;
constexpr auto ICMP_ACTIVE [[deprecated("Remove in v4.1. Use zeek::analyzer::icmp::ICMP_ACTIVE.")]] = zeek::analyzer::icmp::ICMP_ACTIVE;
using ICMP_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::icmp::ICMP_Analyzer.")]] = zeek::analyzer::icmp::ICMP_Analyzer;
constexpr auto ICMP4_counterpart [[deprecated("Remove in v4.1. Use zeek::analyzer::icmp::ICMP4_counterpart.")]] = zeek::analyzer::icmp::ICMP4_counterpart;
constexpr auto ICMP6_counterpart [[deprecated("Remove in v6.1. Use zeek::analyzer::icmp::ICMP6_counterpart.")]] = zeek::analyzer::icmp::ICMP6_counterpart;
} // namespace analyzer::icmp

2
src/analyzer/protocol/icmp/Plugin.cc
View file

@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new zeek::analyzer::Component("ICMP", ::analyzer::icmp::ICMP_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("ICMP", zeek::analyzer::icmp::ICMP_Analyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::ICMP";

36
src/analyzer/protocol/ident/Ident.cc
View file

@ -14,12 +14,12 @@
using namespace analyzer::ident;
Ident_Analyzer::Ident_Analyzer(zeek::Connection* conn)
: tcp::TCP_ApplicationAnalyzer("IDENT", conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("IDENT", conn)
{
did_bad_reply = did_deliver = false;
orig_ident = new tcp::ContentLine_Analyzer(conn, true, 1000);
resp_ident = new tcp::ContentLine_Analyzer(conn, false, 1000);
orig_ident = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, true, 1000);
resp_ident = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, false, 1000);
orig_ident->SetIsNULSensitive(true);
resp_ident->SetIsNULSensitive(true);
@ -30,29 +30,29 @@ Ident_Analyzer::Ident_Analyzer(zeek::Connection* conn)
void Ident_Analyzer::Done()
{
tcp::TCP_ApplicationAnalyzer::Done();
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
if ( TCP() )
if ( (! did_deliver || orig_ident->HasPartialLine()) &&
(TCP()->OrigState() == tcp::TCP_ENDPOINT_CLOSED ||
TCP()->OrigPrevState() == tcp::TCP_ENDPOINT_CLOSED) &&
TCP()->OrigPrevState() != tcp::TCP_ENDPOINT_PARTIAL &&
TCP()->RespPrevState() != tcp::TCP_ENDPOINT_PARTIAL &&
TCP()->OrigPrevState() != tcp::TCP_ENDPOINT_INACTIVE &&
TCP()->RespPrevState() != tcp::TCP_ENDPOINT_INACTIVE )
(TCP()->OrigState() == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED ||
TCP()->OrigPrevState() == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED) &&
TCP()->OrigPrevState() != zeek::analyzer::tcp::TCP_ENDPOINT_PARTIAL &&
TCP()->RespPrevState() != zeek::analyzer::tcp::TCP_ENDPOINT_PARTIAL &&
TCP()->OrigPrevState() != zeek::analyzer::tcp::TCP_ENDPOINT_INACTIVE &&
TCP()->RespPrevState() != zeek::analyzer::tcp::TCP_ENDPOINT_INACTIVE )
Weird("partial_ident_request");
}
void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
{
tcp::TCP_ApplicationAnalyzer::DeliverStream(length, data, is_orig);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(length, data, is_orig);
int remote_port, local_port;
const char* line = (const char*) data;
const char* orig_line = line;
const char* end_of_line = line + length;
tcp::TCP_Endpoint* s = nullptr;
zeek::analyzer::tcp::TCP_Endpoint* s = nullptr;
if ( TCP() )
s = is_orig ? TCP()->Orig() : TCP()->Resp();
@ -68,9 +68,9 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
line = ParsePair(line, end_of_line, remote_port, local_port);
if ( ! line )
{
if ( s && s->state == tcp::TCP_ENDPOINT_CLOSED &&
(s->prev_state == tcp::TCP_ENDPOINT_INACTIVE ||
s->prev_state == tcp::TCP_ENDPOINT_PARTIAL) )
if ( s && s->state == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED &&
(s->prev_state == zeek::analyzer::tcp::TCP_ENDPOINT_INACTIVE ||
s->prev_state == zeek::analyzer::tcp::TCP_ENDPOINT_PARTIAL) )
// not surprising the request is mangled.
return;
@ -102,9 +102,9 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
if ( ! line || line == end_of_line || line[0] != ':' )
{
if ( s && s->state == tcp::TCP_ENDPOINT_CLOSED &&
(s->prev_state == tcp::TCP_ENDPOINT_INACTIVE ||
s->prev_state == tcp::TCP_ENDPOINT_PARTIAL) )
if ( s && s->state == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED &&
(s->prev_state == zeek::analyzer::tcp::TCP_ENDPOINT_INACTIVE ||
s->prev_state == zeek::analyzer::tcp::TCP_ENDPOINT_PARTIAL) )
// not surprising the request is mangled.
return;

6
src/analyzer/protocol/ident/Ident.h
View file

@ -7,7 +7,7 @@
namespace analyzer { namespace ident {
class Ident_Analyzer : public tcp::TCP_ApplicationAnalyzer {
class Ident_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
public:
explicit Ident_Analyzer(zeek::Connection* conn);
void Done() override;
@ -26,8 +26,8 @@ protected:
void BadRequest(int length, const char* line);
void BadReply(int length, const char* line);
tcp::ContentLine_Analyzer* orig_ident;
tcp::ContentLine_Analyzer* resp_ident;
zeek::analyzer::tcp::ContentLine_Analyzer* orig_ident;
zeek::analyzer::tcp::ContentLine_Analyzer* resp_ident;
bool did_deliver;
bool did_bad_reply;

10
src/analyzer/protocol/imap/IMAP.cc
View file

@ -7,7 +7,7 @@
using namespace analyzer::imap;
IMAP_Analyzer::IMAP_Analyzer(zeek::Connection* conn)
: tcp::TCP_ApplicationAnalyzer("IMAP", conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("IMAP", conn)
{
interp = new binpac::IMAP::IMAP_Conn(this);
had_gap = false;
@ -21,7 +21,7 @@ IMAP_Analyzer::~IMAP_Analyzer()
void IMAP_Analyzer::Done()
{
tcp::TCP_ApplicationAnalyzer::Done();
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
interp->FlowEOF(true);
interp->FlowEOF(false);
@ -29,13 +29,13 @@ void IMAP_Analyzer::Done()
void IMAP_Analyzer::EndpointEOF(bool is_orig)
{
tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
interp->FlowEOF(is_orig);
}
void IMAP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{
tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
if ( tls_active )
{
@ -67,7 +67,7 @@ void IMAP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
void IMAP_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
{
tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
had_gap = true;
interp->NewGap(orig, len);
}

4
src/analyzer/protocol/imap/IMAP.h
View file

@ -10,7 +10,7 @@
namespace analyzer { namespace imap {
class IMAP_Analyzer final : public tcp::TCP_ApplicationAnalyzer {
class IMAP_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
public:
explicit IMAP_Analyzer(zeek::Connection* conn);
~IMAP_Analyzer() override;
@ -19,7 +19,7 @@ public:
void DeliverStream(int len, const u_char* data, bool orig) override;
void Undelivered(uint64_t seq, int len, bool orig) override;
// Overriden from tcp::TCP_ApplicationAnalyzer.
// Overriden from zeek::analyzer::tcp::TCP_ApplicationAnalyzer.
void EndpointEOF(bool is_orig) override;
void StartTLS();

10
src/analyzer/protocol/irc/IRC.cc
View file

@ -13,7 +13,7 @@ using namespace analyzer::irc;
using namespace std;
IRC_Analyzer::IRC_Analyzer(zeek::Connection* conn)
: tcp::TCP_ApplicationAnalyzer("IRC", conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("IRC", conn)
{
invalid_msg_count = 0;
invalid_msg_max_count = 20;
@ -22,15 +22,15 @@ IRC_Analyzer::IRC_Analyzer(zeek::Connection* conn)
orig_zip_status = NO_ZIP;
resp_zip_status = NO_ZIP;
starttls = false;
cl_orig = new tcp::ContentLine_Analyzer(conn, true, 1000);
cl_orig = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, true, 1000);
AddSupportAnalyzer(cl_orig);
cl_resp = new tcp::ContentLine_Analyzer(conn, false, 1000);
cl_resp = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, false, 1000);
AddSupportAnalyzer(cl_resp);
}
void IRC_Analyzer::Done()
{
tcp::TCP_ApplicationAnalyzer::Done();
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
}
inline void IRC_Analyzer::SkipLeadingWhitespace(string& str)
@ -46,7 +46,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
{
static auto irc_join_list = zeek::id::find_type<zeek::TableType>("irc_join_list");
static auto irc_join_info = zeek::id::find_type<zeek::RecordType>("irc_join_info");
tcp::TCP_ApplicationAnalyzer::DeliverStream(length, line, orig);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(length, line, orig);
if ( starttls )
{

6
src/analyzer/protocol/irc/IRC.h
View file

@ -9,7 +9,7 @@ namespace analyzer { namespace irc {
/**
* \brief Main class for analyzing IRC traffic.
*/
class IRC_Analyzer final : public tcp::TCP_ApplicationAnalyzer {
class IRC_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
enum { WAIT_FOR_REGISTRATION, REGISTERED, };
enum { NO_ZIP, ACCEPT_ZIP, ZIP_LOADED, };
public:
@ -64,8 +64,8 @@ private:
*/
std::vector<std::string> SplitWords(const std::string& input, char split);
tcp::ContentLine_Analyzer* cl_orig;
tcp::ContentLine_Analyzer* cl_resp;
zeek::analyzer::tcp::ContentLine_Analyzer* cl_orig;
zeek::analyzer::tcp::ContentLine_Analyzer* cl_resp;
bool starttls; // if true, connection has been upgraded to tls
};

10
src/analyzer/protocol/krb/KRB_TCP.cc
View file

@ -8,7 +8,7 @@
using namespace analyzer::krb_tcp;
KRB_Analyzer::KRB_Analyzer(zeek::Connection* conn)
: tcp::TCP_ApplicationAnalyzer("KRB_TCP", conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("KRB_TCP", conn)
{
interp = new binpac::KRB_TCP::KRB_Conn(this);
had_gap = false;
@ -21,7 +21,7 @@ KRB_Analyzer::~KRB_Analyzer()
void KRB_Analyzer::Done()
{
tcp::TCP_ApplicationAnalyzer::Done();
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
interp->FlowEOF(true);
interp->FlowEOF(false);
@ -29,13 +29,13 @@ void KRB_Analyzer::Done()
void KRB_Analyzer::EndpointEOF(bool is_orig)
{
tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
interp->FlowEOF(is_orig);
}
void KRB_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{
tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
assert(TCP());
if ( TCP()->IsPartial() )
@ -59,7 +59,7 @@ void KRB_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
void KRB_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
{
tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
had_gap = true;
interp->NewGap(orig, len);
}

4
src/analyzer/protocol/krb/KRB_TCP.h
View file

@ -8,7 +8,7 @@
namespace analyzer { namespace krb_tcp {
class KRB_Analyzer final : public tcp::TCP_ApplicationAnalyzer {
class KRB_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
public:
explicit KRB_Analyzer(zeek::Connection* conn);
@ -18,7 +18,7 @@ public:
void DeliverStream(int len, const u_char* data, bool orig) override;
void Undelivered(uint64_t seq, int len, bool orig) override;
// Overriden from tcp::TCP_ApplicationAnalyzer.
// Overriden from zeek::analyzer::tcp::TCP_ApplicationAnalyzer.
void EndpointEOF(bool is_orig) override;
zeek::StringValPtr GetAuthenticationInfo(const zeek::String* principal,

10
src/analyzer/protocol/login/Login.cc
View file

@ -28,7 +28,7 @@ static zeek::RE_Matcher* re_login_timeouts;
static zeek::RE_Matcher* init_RE(zeek::ListVal* l);
Login_Analyzer::Login_Analyzer(const char* name, zeek::Connection* conn)
: tcp::TCP_ApplicationAnalyzer(name, conn), user_text()
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer(name, conn), user_text()
{
state = LOGIN_STATE_AUTHENTICATE;
num_user_lines_seen = lines_scanned = 0;
@ -80,7 +80,7 @@ Login_Analyzer::~Login_Analyzer()
void Login_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
{
tcp::TCP_ApplicationAnalyzer::DeliverStream(length, line, orig);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(length, line, orig);
char* str = new char[length+1];
@ -117,8 +117,8 @@ void Login_Analyzer::NewLine(bool orig, char* line)
if ( state == LOGIN_STATE_AUTHENTICATE )
{
if ( TCP()->OrigState() == tcp::TCP_ENDPOINT_PARTIAL ||
TCP()->RespState() == tcp::TCP_ENDPOINT_PARTIAL )
if ( TCP()->OrigState() == zeek::analyzer::tcp::TCP_ENDPOINT_PARTIAL ||
TCP()->RespState() == zeek::analyzer::tcp::TCP_ENDPOINT_PARTIAL )
state = LOGIN_STATE_CONFUSED; // unknown login state
else
{
@ -364,7 +364,7 @@ void Login_Analyzer::SetEnv(bool orig, char* name, char* val)
void Login_Analyzer::EndpointEOF(bool orig)
{
tcp::TCP_ApplicationAnalyzer::EndpointEOF(orig);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(orig);
if ( state == LOGIN_STATE_AUTHENTICATE && HaveTypeahead() )
{

2
src/analyzer/protocol/login/Login.h
View file

@ -20,7 +20,7 @@ typedef enum {
// Maximum # lines look after login for failure.
#define MAX_LOGIN_LOOKAHEAD 10
class Login_Analyzer : public tcp::TCP_ApplicationAnalyzer {
class Login_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
public:
Login_Analyzer(const char* name, zeek::Connection* conn);
~Login_Analyzer() override;

4
src/analyzer/protocol/login/NVT.cc
View file

@ -308,7 +308,7 @@ void TelnetEnvironmentOption::RecvSubOption(u_char* data, int len)
break;
}
static_cast<tcp::TCP_ApplicationAnalyzer*>
static_cast<zeek::analyzer::tcp::TCP_ApplicationAnalyzer*>
(endp->Parent())->SetEnv(endp->IsOrig(),
var_name, var_val);
}
@ -381,7 +381,7 @@ void TelnetBinaryOption::InconsistentOption(unsigned int /* type */)
NVT_Analyzer::NVT_Analyzer(zeek::Connection* conn, bool orig)
: tcp::ContentLine_Analyzer("NVT", conn, orig), options()
: zeek::analyzer::tcp::ContentLine_Analyzer("NVT", conn, orig), options()
{
}

2
src/analyzer/protocol/login/NVT.h
View file

@ -122,7 +122,7 @@ protected:
void InconsistentOption(unsigned int type) override;
};
class NVT_Analyzer final : public tcp::ContentLine_Analyzer {
class NVT_Analyzer final : public zeek::analyzer::tcp::ContentLine_Analyzer {
public:
NVT_Analyzer(zeek::Connection* conn, bool orig);
~NVT_Analyzer() override;

8
src/analyzer/protocol/login/RSH.cc
View file

@ -15,7 +15,7 @@ using namespace analyzer::login;
Contents_Rsh_Analyzer::Contents_Rsh_Analyzer(zeek::Connection* conn, bool orig,
Rsh_Analyzer* arg_analyzer)
: tcp::ContentLine_Analyzer("CONTENTS_RSH", conn, orig)
: zeek::analyzer::tcp::ContentLine_Analyzer("CONTENTS_RSH", conn, orig)
{
num_bytes_to_scan = 0;
analyzer = arg_analyzer;
@ -35,7 +35,7 @@ Contents_Rsh_Analyzer::~Contents_Rsh_Analyzer()
void Contents_Rsh_Analyzer::DoDeliver(int len, const u_char* data)
{
tcp::TCP_Analyzer* tcp = static_cast<tcp::TCP_ApplicationAnalyzer*>(Parent())->TCP();
zeek::analyzer::tcp::TCP_Analyzer* tcp = static_cast<zeek::analyzer::tcp::TCP_ApplicationAnalyzer*>(Parent())->TCP();
assert(tcp);
int endp_state = IsOrig() ? tcp->OrigState() : tcp->RespState();
@ -49,10 +49,10 @@ void Contents_Rsh_Analyzer::DoDeliver(int len, const u_char* data)
switch ( state ) {
case RSH_FIRST_NULL:
if ( endp_state == tcp::TCP_ENDPOINT_PARTIAL ||
if ( endp_state == zeek::analyzer::tcp::TCP_ENDPOINT_PARTIAL ||
// We can be in closed if the data's due to
// a dataful FIN being the first thing we see.
endp_state == tcp::TCP_ENDPOINT_CLOSED )
endp_state == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED )
{
state = RSH_UNKNOWN;
++len, --data; // put back c and reprocess

2
src/analyzer/protocol/login/RSH.h
View file

@ -22,7 +22,7 @@ typedef enum {
class Rsh_Analyzer;
class Contents_Rsh_Analyzer final : public tcp::ContentLine_Analyzer {
class Contents_Rsh_Analyzer final : public zeek::analyzer::tcp::ContentLine_Analyzer {
public:
Contents_Rsh_Analyzer(zeek::Connection* conn, bool orig, Rsh_Analyzer* analyzer);
~Contents_Rsh_Analyzer() override;

12
src/analyzer/protocol/login/Rlogin.cc
View file

@ -12,7 +12,7 @@
using namespace analyzer::login;
Contents_Rlogin_Analyzer::Contents_Rlogin_Analyzer(zeek::Connection* conn, bool orig, Rlogin_Analyzer* arg_analyzer)
: tcp::ContentLine_Analyzer("CONTENTLINE", conn, orig)
: zeek::analyzer::tcp::ContentLine_Analyzer("CONTENTLINE", conn, orig)
{
num_bytes_to_scan = 0;
analyzer = arg_analyzer;
@ -30,7 +30,7 @@ Contents_Rlogin_Analyzer::~Contents_Rlogin_Analyzer()
void Contents_Rlogin_Analyzer::DoDeliver(int len, const u_char* data)
{
tcp::TCP_Analyzer* tcp = static_cast<tcp::TCP_ApplicationAnalyzer*>(Parent())->TCP();
auto* tcp = static_cast<zeek::analyzer::tcp::TCP_ApplicationAnalyzer*>(Parent())->TCP();
assert(tcp);
int endp_state = IsOrig() ? tcp->OrigState() : tcp->RespState();
@ -44,10 +44,10 @@ void Contents_Rlogin_Analyzer::DoDeliver(int len, const u_char* data)
switch ( state ) {
case RLOGIN_FIRST_NULL:
if ( endp_state == tcp::TCP_ENDPOINT_PARTIAL ||
if ( endp_state == zeek::analyzer::tcp::TCP_ENDPOINT_PARTIAL ||
// We can be in closed if the data's due to
// a dataful FIN being the first thing we see.
endp_state == tcp::TCP_ENDPOINT_CLOSED )
endp_state == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED )
{
state = RLOGIN_UNKNOWN;
++len, --data; // put back c and reprocess
@ -89,10 +89,10 @@ void Contents_Rlogin_Analyzer::DoDeliver(int len, const u_char* data)
break;
case RLOGIN_SERVER_ACK:
if ( endp_state == tcp::TCP_ENDPOINT_PARTIAL ||
if ( endp_state == zeek::analyzer::tcp::TCP_ENDPOINT_PARTIAL ||
// We can be in closed if the data's due to
// a dataful FIN being the first thing we see.
endp_state == tcp::TCP_ENDPOINT_CLOSED )
endp_state == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED )
{
state = RLOGIN_UNKNOWN;
++len, --data; // put back c and reprocess

2
src/analyzer/protocol/login/Rlogin.h
View file

@ -30,7 +30,7 @@ typedef enum {
class Rlogin_Analyzer;
class Contents_Rlogin_Analyzer final : public tcp::ContentLine_Analyzer {
class Contents_Rlogin_Analyzer final : public zeek::analyzer::tcp::ContentLine_Analyzer {
public:
Contents_Rlogin_Analyzer(zeek::Connection* conn, bool orig,
Rlogin_Analyzer* analyzer);

2
src/analyzer/protocol/modbus/Modbus.h
View file

@ -5,7 +5,7 @@
namespace analyzer { namespace modbus {
class ModbusTCP_Analyzer : public tcp::TCP_ApplicationAnalyzer {
class ModbusTCP_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
public:
explicit ModbusTCP_Analyzer(zeek::Connection* conn);
~ModbusTCP_Analyzer() override;

10
src/analyzer/protocol/mqtt/MQTT.cc
View file

@ -10,7 +10,7 @@
using namespace analyzer::MQTT;
MQTT_Analyzer::MQTT_Analyzer(zeek::Connection* c)
: tcp::TCP_ApplicationAnalyzer("MQTT", c)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("MQTT", c)
{
interp = new binpac::MQTT::MQTT_Conn(this);
}
@ -22,7 +22,7 @@ MQTT_Analyzer::~MQTT_Analyzer()
void MQTT_Analyzer::Done()
{
tcp::TCP_ApplicationAnalyzer::Done();
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
interp->FlowEOF(true);
interp->FlowEOF(false);
@ -30,13 +30,13 @@ void MQTT_Analyzer::Done()
void MQTT_Analyzer::EndpointEOF(bool is_orig)
{
tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
interp->FlowEOF(is_orig);
}
void MQTT_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{
tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
assert(TCP());
@ -52,6 +52,6 @@ void MQTT_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
void MQTT_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
{
tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
interp->NewGap(orig, len);
}

2
src/analyzer/protocol/mqtt/MQTT.h
View file

@ -9,7 +9,7 @@ namespace binpac { namespace MQTT { class MQTT_Conn; } }
namespace analyzer { namespace MQTT {
class MQTT_Analyzer final : public tcp::TCP_ApplicationAnalyzer {
class MQTT_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
public:
MQTT_Analyzer(zeek::Connection* conn);

10
src/analyzer/protocol/mysql/MySQL.cc
View file

@ -8,7 +8,7 @@
using namespace analyzer::MySQL;
MySQL_Analyzer::MySQL_Analyzer(zeek::Connection* c)
: tcp::TCP_ApplicationAnalyzer("MySQL", c)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("MySQL", c)
{
interp = new binpac::MySQL::MySQL_Conn(this);
had_gap = false;
@ -21,7 +21,7 @@ MySQL_Analyzer::~MySQL_Analyzer()
void MySQL_Analyzer::Done()
{
tcp::TCP_ApplicationAnalyzer::Done();
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
interp->FlowEOF(true);
interp->FlowEOF(false);
@ -29,13 +29,13 @@ void MySQL_Analyzer::Done()
void MySQL_Analyzer::EndpointEOF(bool is_orig)
{
tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
interp->FlowEOF(is_orig);
}
void MySQL_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{
tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
assert(TCP());
if ( TCP()->IsPartial() )
@ -59,7 +59,7 @@ void MySQL_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
void MySQL_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
{
tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
had_gap = true;
interp->NewGap(orig, len);
}

4
src/analyzer/protocol/mysql/MySQL.h
View file

@ -9,7 +9,7 @@
namespace analyzer { namespace MySQL {
class MySQL_Analyzer final : public tcp::TCP_ApplicationAnalyzer {
class MySQL_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
public:
explicit MySQL_Analyzer(zeek::Connection* conn);
@ -21,7 +21,7 @@ public:
void DeliverStream(int len, const u_char* data, bool orig) override;
void Undelivered(uint64_t seq, int len, bool orig) override;
// Overriden from tcp::TCP_ApplicationAnalyzer.
// Overriden from zeek::analyzer::tcp::TCP_ApplicationAnalyzer.
void EndpointEOF(bool is_orig) override;
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn)

10
src/analyzer/protocol/ncp/NCP.cc
View file

@ -164,7 +164,7 @@ void NCP_FrameBuffer::compute_msg_length()
}
Contents_NCP_Analyzer::Contents_NCP_Analyzer(zeek::Connection* conn, bool orig, NCP_Session* arg_session)
: tcp::TCP_SupportAnalyzer("CONTENTS_NCP", conn, orig)
: zeek::analyzer::tcp::TCP_SupportAnalyzer("CONTENTS_NCP", conn, orig)
{
session = arg_session;
resync = true;
@ -177,7 +177,7 @@ Contents_NCP_Analyzer::~Contents_NCP_Analyzer()
void Contents_NCP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{
tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig);
zeek::analyzer::tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig);
auto tcp = static_cast<NCP_Analyzer*>(Parent())->TCP();
@ -185,7 +185,7 @@ void Contents_NCP_Analyzer::DeliverStream(int len, const u_char* data, bool orig
{
resync_set = true;
resync = (IsOrig() ? tcp->OrigState() : tcp->RespState()) !=
tcp::TCP_ENDPOINT_ESTABLISHED;
zeek::analyzer::tcp::TCP_ENDPOINT_ESTABLISHED;
}
if ( tcp && tcp->HadGap(orig) )
@ -238,14 +238,14 @@ void Contents_NCP_Analyzer::DeliverStream(int len, const u_char* data, bool orig
void Contents_NCP_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
{
tcp::TCP_SupportAnalyzer::Undelivered(seq, len, orig);
zeek::analyzer::tcp::TCP_SupportAnalyzer::Undelivered(seq, len, orig);
buffer.Reset();
resync = true;
}
NCP_Analyzer::NCP_Analyzer(zeek::Connection* conn)
: tcp::TCP_ApplicationAnalyzer("NCP", conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("NCP", conn)
{
session = new NCP_Session(this);
o_ncp = new Contents_NCP_Analyzer(conn, true, session);

4
src/analyzer/protocol/ncp/NCP.h
View file

@ -82,7 +82,7 @@ protected:
void compute_msg_length() override;
};
class Contents_NCP_Analyzer : public tcp::TCP_SupportAnalyzer {
class Contents_NCP_Analyzer : public zeek::analyzer::tcp::TCP_SupportAnalyzer {
public:
Contents_NCP_Analyzer(zeek::Connection* conn, bool orig, NCP_Session* session);
~Contents_NCP_Analyzer() override;
@ -99,7 +99,7 @@ protected:
bool resync_set;
};
class NCP_Analyzer : public tcp::TCP_ApplicationAnalyzer {
class NCP_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
public:
explicit NCP_Analyzer(zeek::Connection* conn);
~NCP_Analyzer() override;

18
src/analyzer/protocol/netbios/NetbiosSSN.cc
View file

@ -334,7 +334,7 @@ void NetbiosSSN_Interpreter::Event(zeek::EventHandlerPtr event, const u_char* da
Contents_NetbiosSSN::Contents_NetbiosSSN(zeek::Connection* conn, bool orig,
NetbiosSSN_Interpreter* arg_interp)
: tcp::TCP_SupportAnalyzer("CONTENTS_NETBIOSSSN", conn, orig)
: zeek::analyzer::tcp::TCP_SupportAnalyzer("CONTENTS_NETBIOSSSN", conn, orig)
{
interp = arg_interp;
type = flags = msg_size = 0;
@ -365,7 +365,7 @@ void Contents_NetbiosSSN::DeliverStream(int len, const u_char* data, bool orig)
void Contents_NetbiosSSN::ProcessChunk(int& len, const u_char*& data, bool orig)
{
tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig);
zeek::analyzer::tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig);
if ( state == NETBIOS_SSN_TYPE )
{
@ -454,7 +454,7 @@ void Contents_NetbiosSSN::ProcessChunk(int& len, const u_char*& data, bool orig)
}
NetbiosSSN_Analyzer::NetbiosSSN_Analyzer(zeek::Connection* conn)
: tcp::TCP_ApplicationAnalyzer("NETBIOSSSN", conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("NETBIOSSSN", conn)
{
//smb_session = new SMB_Session(this);
interp = new NetbiosSSN_Interpreter(this);
@ -484,7 +484,7 @@ NetbiosSSN_Analyzer::~NetbiosSSN_Analyzer()
void NetbiosSSN_Analyzer::Done()
{
tcp::TCP_ApplicationAnalyzer::Done();
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
interp->Timeout();
if ( Conn()->ConnTransport() == TRANSPORT_UDP && ! did_session_done )
@ -495,15 +495,15 @@ void NetbiosSSN_Analyzer::Done()
void NetbiosSSN_Analyzer::EndpointEOF(bool orig)
{
tcp::TCP_ApplicationAnalyzer::EndpointEOF(orig);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(orig);
(orig ? orig_netbios : resp_netbios)->Flush();
}
void NetbiosSSN_Analyzer::ConnectionClosed(tcp::TCP_Endpoint* endpoint,
tcp::TCP_Endpoint* peer, bool gen_event)
void NetbiosSSN_Analyzer::ConnectionClosed(zeek::analyzer::tcp::TCP_Endpoint* endpoint,
zeek::analyzer::tcp::TCP_Endpoint* peer, bool gen_event)
{
tcp::TCP_ApplicationAnalyzer::ConnectionClosed(endpoint, peer, gen_event);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::ConnectionClosed(endpoint, peer, gen_event);
// Question: Why do we flush *both* endpoints upon connection close?
// orig_netbios->Flush();
@ -513,7 +513,7 @@ void NetbiosSSN_Analyzer::ConnectionClosed(tcp::TCP_Endpoint* endpoint,
void NetbiosSSN_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const zeek::IP_Hdr* ip, int caplen)
{
tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
if ( orig )
interp->ParseMessageUDP(data, len, true);

8
src/analyzer/protocol/netbios/NetbiosSSN.h
View file

@ -112,7 +112,7 @@ typedef enum {
} NetbiosSSN_State;
// ### This should be merged with TCP_Contents_RPC, TCP_Contents_DNS.
class Contents_NetbiosSSN final : public tcp::TCP_SupportAnalyzer {
class Contents_NetbiosSSN final : public zeek::analyzer::tcp::TCP_SupportAnalyzer {
public:
Contents_NetbiosSSN(zeek::Connection* conn, bool orig,
NetbiosSSN_Interpreter* interp);
@ -139,7 +139,7 @@ protected:
NetbiosSSN_State state;
};
class NetbiosSSN_Analyzer final : public tcp::TCP_ApplicationAnalyzer {
class NetbiosSSN_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
public:
explicit NetbiosSSN_Analyzer(zeek::Connection* conn);
~NetbiosSSN_Analyzer() override;
@ -152,8 +152,8 @@ public:
{ return new NetbiosSSN_Analyzer(conn); }
protected:
void ConnectionClosed(tcp::TCP_Endpoint* endpoint,
tcp::TCP_Endpoint* peer, bool gen_event) override;
void ConnectionClosed(zeek::analyzer::tcp::TCP_Endpoint* endpoint,
zeek::analyzer::tcp::TCP_Endpoint* peer, bool gen_event) override;
void EndpointEOF(bool is_orig) override;
void ExpireTimer(double t);

10
src/analyzer/protocol/ntlm/NTLM.cc
View file

@ -8,7 +8,7 @@
using namespace analyzer::ntlm;
NTLM_Analyzer::NTLM_Analyzer(zeek::Connection* c)
: tcp::TCP_ApplicationAnalyzer("NTLM", c)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("NTLM", c)
{
interp = new binpac::NTLM::NTLM_Conn(this);
}
@ -20,7 +20,7 @@ NTLM_Analyzer::~NTLM_Analyzer()
void NTLM_Analyzer::Done()
{
tcp::TCP_ApplicationAnalyzer::Done();
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
interp->FlowEOF(true);
interp->FlowEOF(false);
@ -28,13 +28,13 @@ void NTLM_Analyzer::Done()
void NTLM_Analyzer::EndpointEOF(bool is_orig)
{
tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
interp->FlowEOF(is_orig);
}
void NTLM_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{
tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
assert(TCP());
@ -51,6 +51,6 @@ void NTLM_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
void NTLM_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
{
tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
interp->NewGap(orig, len);
}

4
src/analyzer/protocol/ntlm/NTLM.h
View file

@ -9,7 +9,7 @@
namespace analyzer { namespace ntlm {
class NTLM_Analyzer final : public tcp::TCP_ApplicationAnalyzer {
class NTLM_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
public:
explicit NTLM_Analyzer(zeek::Connection* conn);
@ -21,7 +21,7 @@ public:
void DeliverStream(int len, const u_char* data, bool orig) override;
void Undelivered(uint64_t seq, int len, bool orig) override;
// Overriden from tcp::TCP_ApplicationAnalyzer.
// Overriden from zeek::analyzer::tcp::TCP_ApplicationAnalyzer.
void EndpointEOF(bool is_orig) override;
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn)

10
src/analyzer/protocol/pia/PIA.cc
View file

@ -8,7 +8,7 @@
#include "analyzer/protocol/tcp/TCP_Flags.h"
#include "analyzer/protocol/tcp/TCP_Reassembler.h"
using namespace analyzer::pia;
namespace zeek::analyzer::pia {
PIA::PIA(zeek::analyzer::Analyzer* arg_as_analyzer)
: state(INIT), as_analyzer(arg_as_analyzer), conn(), current_packet()
@ -193,7 +193,7 @@ PIA_TCP::~PIA_TCP()
void PIA_TCP::Init()
{
tcp::TCP_ApplicationAnalyzer::Init();
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Init();
if ( Parent()->IsAnalyzer("TCP") )
{
@ -253,7 +253,7 @@ void PIA_TCP::FirstPacket(bool is_orig, const zeek::IP_Hdr* ip)
void PIA_TCP::DeliverStream(int len, const u_char* data, bool is_orig)
{
tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig);
if ( stream_buffer.state == SKIPPING )
return;
@ -283,7 +283,7 @@ void PIA_TCP::DeliverStream(int len, const u_char* data, bool is_orig)
void PIA_TCP::Undelivered(uint64_t seq, int len, bool is_orig)
{
tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig);
if ( stream_buffer.state == BUFFERING )
// We use data=nil to mark an undelivered.
@ -435,3 +435,5 @@ void PIA_TCP::ReplayStreamBuffer(zeek::analyzer::Analyzer* analyzer)
analyzer->NextUndelivered(b->seq, b->len, b->is_orig);
}
}
} // namespace zeek::analyzer::pia

14
src/analyzer/protocol/pia/PIA.h
View file

@ -8,7 +8,7 @@
ZEEK_FORWARD_DECLARE_NAMESPACED(RuleEndpointState, zeek::detail);
namespace analyzer { namespace pia {
namespace zeek::analyzer::pia {
// Abstract PIA class providing common functionality for both TCP and UDP.
// Accepts only packet input.
@ -118,10 +118,10 @@ protected:
// PIA for TCP. Accepts both packet and stream input (and reassembles
// packets before passing payload on to children).
class PIA_TCP : public PIA, public tcp::TCP_ApplicationAnalyzer {
class PIA_TCP : public PIA, public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
public:
explicit PIA_TCP(zeek::Connection* conn)
: PIA(this), tcp::TCP_ApplicationAnalyzer("PIA_TCP", conn)
: PIA(this), zeek::analyzer::tcp::TCP_ApplicationAnalyzer("PIA_TCP", conn)
{ stream_mode = false; SetConn(conn); }
~PIA_TCP() override;
@ -172,4 +172,10 @@ private:
bool stream_mode;
};
} } // namespace analyzer::*
} // namespace zeek::analyzer::pia
namespace analzyer::pia {
using PIA [[deprecated("Remove in v4.1. Use zeek::analyzer::pia::PIA.")]] = zeek::analyzer::pia::PIA;
using PIA_TCP [[deprecated("Remove in v4.1. Use zeek::analyzer::pia::PIA_TCP.")]] = zeek::analyzer::pia::PIA_TCP;
using PIA_UDP [[deprecated("Remove in v4.1. Use zeek::analyzer::pia::PIA_UDP.")]] = zeek::analyzer::pia::PIA_UDP;
}

4
src/analyzer/protocol/pia/Plugin.cc
View file

@ -11,8 +11,8 @@ class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new zeek::analyzer::Component("PIA_TCP", ::analyzer::pia::PIA_TCP::Instantiate));
AddComponent(new zeek::analyzer::Component("PIA_UDP", ::analyzer::pia::PIA_UDP::Instantiate));
AddComponent(new zeek::analyzer::Component("PIA_TCP", zeek::analyzer::pia::PIA_TCP::Instantiate));
AddComponent(new zeek::analyzer::Component("PIA_UDP", zeek::analyzer::pia::PIA_UDP::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::PIA";

10
src/analyzer/protocol/pop3/POP3.cc
View file

@ -27,7 +27,7 @@ static const char* pop3_cmd_word[] = {
POP3_Analyzer::POP3_Analyzer(zeek::Connection* conn)
: tcp::TCP_ApplicationAnalyzer("POP3", conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("POP3", conn)
{
masterState = POP3_START;
subState = POP3_WOK;
@ -45,10 +45,10 @@ POP3_Analyzer::POP3_Analyzer(zeek::Connection* conn)
mail = nullptr;
cl_orig = new tcp::ContentLine_Analyzer(conn, true);
cl_orig = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, true);
AddSupportAnalyzer(cl_orig);
cl_resp = new tcp::ContentLine_Analyzer(conn, false);
cl_resp = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, false);
AddSupportAnalyzer(cl_resp);
}
@ -58,7 +58,7 @@ POP3_Analyzer::~POP3_Analyzer()
void POP3_Analyzer::Done()
{
tcp::TCP_ApplicationAnalyzer::Done();
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
if ( mail )
EndData();
@ -67,7 +67,7 @@ void POP3_Analyzer::Done()
void POP3_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{
tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
if ( tls )
{

6
src/analyzer/protocol/pop3/POP3.h
View file

@ -61,7 +61,7 @@ typedef enum {
POP3_WOK,
} POP3_SubState;
class POP3_Analyzer final : public tcp::TCP_ApplicationAnalyzer {
class POP3_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
public:
explicit POP3_Analyzer(zeek::Connection* conn);
~POP3_Analyzer() override;
@ -110,8 +110,8 @@ protected:
private:
bool tls;
tcp::ContentLine_Analyzer* cl_orig;
tcp::ContentLine_Analyzer* cl_resp;
zeek::analyzer::tcp::ContentLine_Analyzer* cl_orig;
zeek::analyzer::tcp::ContentLine_Analyzer* cl_resp;
};
} } // namespace analyzer::*

12
src/analyzer/protocol/rdp/RDP.cc
View file

@ -7,7 +7,7 @@
using namespace analyzer::rdp;
RDP_Analyzer::RDP_Analyzer(zeek::Connection* c)
: tcp::TCP_ApplicationAnalyzer("RDP", c)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("RDP", c)
{
interp = new binpac::RDP::RDP_Conn(this);
@ -22,7 +22,7 @@ RDP_Analyzer::~RDP_Analyzer()
void RDP_Analyzer::Done()
{
tcp::TCP_ApplicationAnalyzer::Done();
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
interp->FlowEOF(true);
interp->FlowEOF(false);
@ -30,13 +30,13 @@ void RDP_Analyzer::Done()
void RDP_Analyzer::EndpointEOF(bool is_orig)
{
tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
interp->FlowEOF(is_orig);
}
void RDP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{
tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
assert(TCP());
if ( TCP()->IsPartial() )
@ -56,7 +56,7 @@ void RDP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{
if ( ! pia )
{
pia = new pia::PIA_TCP(Conn());
pia = new zeek::analyzer::pia::PIA_TCP(Conn());
if ( ! AddChildAnalyzer(pia) )
{
@ -95,7 +95,7 @@ void RDP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
void RDP_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
{
tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
had_gap = true;
interp->NewGap(orig, len);
}

4
src/analyzer/protocol/rdp/RDP.h
View file

@ -7,7 +7,7 @@
namespace analyzer { namespace rdp {
class RDP_Analyzer final : public tcp::TCP_ApplicationAnalyzer {
class RDP_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
public:
explicit RDP_Analyzer(zeek::Connection* conn);
@ -26,7 +26,7 @@ protected:
binpac::RDP::RDP_Conn* interp;
bool had_gap;
pia::PIA_TCP *pia;
zeek::analyzer::pia::PIA_TCP *pia;
};
} } // namespace analyzer::*

10
src/analyzer/protocol/rfb/RFB.cc
View file

@ -10,7 +10,7 @@ using namespace analyzer::rfb;
RFB_Analyzer::RFB_Analyzer(zeek::Connection* c)
: tcp::TCP_ApplicationAnalyzer("RFB", c)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("RFB", c)
{
interp = new binpac::RFB::RFB_Conn(this);
@ -25,7 +25,7 @@ RFB_Analyzer::~RFB_Analyzer()
void RFB_Analyzer::Done()
{
tcp::TCP_ApplicationAnalyzer::Done();
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
interp->FlowEOF(true);
interp->FlowEOF(false);
@ -34,13 +34,13 @@ void RFB_Analyzer::Done()
void RFB_Analyzer::EndpointEOF(bool is_orig)
{
tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
interp->FlowEOF(is_orig);
}
void RFB_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{
tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
assert(TCP());
if ( TCP()->IsPartial() )
return;
@ -72,7 +72,7 @@ void RFB_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
void RFB_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
{
tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
had_gap = true;
interp->NewGap(orig, len);
}

4
src/analyzer/protocol/rfb/RFB.h
View file

@ -9,7 +9,7 @@
namespace analyzer { namespace rfb {
class RFB_Analyzer final : public tcp::TCP_ApplicationAnalyzer {
class RFB_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
public:
explicit RFB_Analyzer(zeek::Connection* conn);
@ -21,7 +21,7 @@ public:
void DeliverStream(int len, const u_char* data, bool orig) override;
void Undelivered(uint64_t seq, int len, bool orig) override;
// Overriden from tcp::TCP_ApplicationAnalyzer.
// Overriden from zeek::analyzer::tcp::TCP_ApplicationAnalyzer.
void EndpointEOF(bool is_orig) override;
static zeek::analyzer::Analyzer* InstantiateAnalyzer(zeek::Connection* conn)

20
src/analyzer/protocol/rpc/RPC.cc
View file

@ -414,7 +414,7 @@ bool RPC_Reasm_Buffer::ConsumeChunk(const u_char*& data, int& len)
Contents_RPC::Contents_RPC(zeek::Connection* conn, bool orig,
RPC_Interpreter* arg_interp)
: tcp::TCP_SupportAnalyzer("CONTENTS_RPC", conn, orig)
: zeek::analyzer::tcp::TCP_SupportAnalyzer("CONTENTS_RPC", conn, orig)
{
interp = arg_interp;
state = WAIT_FOR_MESSAGE;
@ -426,7 +426,7 @@ Contents_RPC::Contents_RPC(zeek::Connection* conn, bool orig,
void Contents_RPC::Init()
{
tcp::TCP_SupportAnalyzer::Init();
zeek::analyzer::tcp::TCP_SupportAnalyzer::Init();
}
Contents_RPC::~Contents_RPC()
@ -435,7 +435,7 @@ Contents_RPC::~Contents_RPC()
void Contents_RPC::Undelivered(uint64_t seq, int len, bool orig)
{
tcp::TCP_SupportAnalyzer::Undelivered(seq, len, orig);
zeek::analyzer::tcp::TCP_SupportAnalyzer::Undelivered(seq, len, orig);
NeedResync();
}
@ -454,12 +454,12 @@ bool Contents_RPC::CheckResync(int& len, const u_char*& data, bool orig)
// is fully established we are in sync (since it's the first chunk
// of data after the SYN if its not established we need to
// resync.
tcp::TCP_Analyzer* tcp =
static_cast<tcp::TCP_ApplicationAnalyzer*>(Parent())->TCP();
zeek::analyzer::tcp::TCP_Analyzer* tcp =
static_cast<zeek::analyzer::tcp::TCP_ApplicationAnalyzer*>(Parent())->TCP();
assert(tcp);
if ( (IsOrig() ? tcp->OrigState() : tcp->RespState()) !=
tcp::TCP_ENDPOINT_ESTABLISHED )
zeek::analyzer::tcp::TCP_ENDPOINT_ESTABLISHED )
{
NeedResync();
}
@ -621,7 +621,7 @@ bool Contents_RPC::CheckResync(int& len, const u_char*& data, bool orig)
void Contents_RPC::DeliverStream(int len, const u_char* data, bool orig)
{
tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig);
zeek::analyzer::tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig);
uint32_t marker;
bool last_frag;
@ -722,7 +722,7 @@ void Contents_RPC::DeliverStream(int len, const u_char* data, bool orig)
RPC_Analyzer::RPC_Analyzer(const char* name, zeek::Connection* conn,
RPC_Interpreter* arg_interp)
: tcp::TCP_ApplicationAnalyzer(name, conn),
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer(name, conn),
interp(arg_interp), orig_rpc(), resp_rpc()
{
if ( Conn()->ConnTransport() == TRANSPORT_UDP )
@ -739,7 +739,7 @@ RPC_Analyzer::~RPC_Analyzer()
void RPC_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const zeek::IP_Hdr* ip, int caplen)
{
tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
len = std::min(len, caplen);
if ( orig )
@ -756,7 +756,7 @@ void RPC_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
void RPC_Analyzer::Done()
{
tcp::TCP_ApplicationAnalyzer::Done();
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
interp->Timeout();
}

4
src/analyzer/protocol/rpc/RPC.h
View file

@ -184,7 +184,7 @@ protected:
};
/* Support Analyzer for reassembling RPC-over-TCP messages */
class Contents_RPC final : public tcp::TCP_SupportAnalyzer {
class Contents_RPC final : public zeek::analyzer::tcp::TCP_SupportAnalyzer {
public:
Contents_RPC(zeek::Connection* conn, bool orig, RPC_Interpreter* interp);
~Contents_RPC() override;
@ -230,7 +230,7 @@ protected:
int resync_toskip;
};
class RPC_Analyzer : public tcp::TCP_ApplicationAnalyzer {
class RPC_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
public:
RPC_Analyzer(const char* name, zeek::Connection* conn,
RPC_Interpreter* arg_interp);

10
src/analyzer/protocol/sip/SIP_TCP.cc
View file

@ -10,7 +10,7 @@
using namespace analyzer::sip_tcp;
SIP_Analyzer::SIP_Analyzer(zeek::Connection* conn)
: tcp::TCP_ApplicationAnalyzer("SIP_TCP", conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("SIP_TCP", conn)
{
interp = new binpac::SIP_TCP::SIP_Conn(this);
had_gap = false;
@ -23,7 +23,7 @@ SIP_Analyzer::~SIP_Analyzer()
void SIP_Analyzer::Done()
{
tcp::TCP_ApplicationAnalyzer::Done();
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
interp->FlowEOF(true);
interp->FlowEOF(false);
@ -31,13 +31,13 @@ void SIP_Analyzer::Done()
void SIP_Analyzer::EndpointEOF(bool is_orig)
{
tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
interp->FlowEOF(is_orig);
}
void SIP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{
tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
assert(TCP());
if ( TCP()->IsPartial() )
@ -61,7 +61,7 @@ void SIP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
void SIP_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
{
tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
had_gap = true;
interp->NewGap(orig, len);
}

4
src/analyzer/protocol/sip/SIP_TCP.h
View file

@ -11,7 +11,7 @@
namespace analyzer { namespace sip_tcp {
class SIP_Analyzer final : public tcp::TCP_ApplicationAnalyzer {
class SIP_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
public:
explicit SIP_Analyzer(zeek::Connection* conn);
~SIP_Analyzer() override;
@ -20,7 +20,7 @@ public:
void DeliverStream(int len, const u_char* data, bool orig) override;
void Undelivered(uint64_t seq, int len, bool orig) override;
// Overriden from tcp::TCP_ApplicationAnalyzer.
// Overriden from zeek::analyzer::tcp::TCP_ApplicationAnalyzer.
void EndpointEOF(bool is_orig) override;
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn)

2
src/analyzer/protocol/smb/SMB.cc
View file

@ -7,7 +7,7 @@ using namespace analyzer::smb;
#define SMB_MAX_LEN (1<<18)
SMB_Analyzer::SMB_Analyzer(zeek::Connection* conn)
: tcp::TCP_ApplicationAnalyzer("SMB", conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("SMB", conn)
{
chunks=0;
interp = new binpac::SMB::SMB_Conn(this);

2
src/analyzer/protocol/smb/SMB.h
View file

@ -5,7 +5,7 @@
namespace analyzer { namespace smb {
class SMB_Analyzer final : public tcp::TCP_ApplicationAnalyzer {
class SMB_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
public:
explicit SMB_Analyzer(zeek::Connection* conn);
~SMB_Analyzer() override;

14
src/analyzer/protocol/smtp/SMTP.cc
View file

@ -27,7 +27,7 @@ static const char* unknown_cmd = "(UNKNOWN)";
SMTP_Analyzer::SMTP_Analyzer(zeek::Connection* conn)
: tcp::TCP_ApplicationAnalyzer("SMTP", conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("SMTP", conn)
{
expect_sender = false;
expect_recver = true;
@ -46,12 +46,12 @@ SMTP_Analyzer::SMTP_Analyzer(zeek::Connection* conn)
line_after_gap = nullptr;
mail = nullptr;
UpdateState(first_cmd, 0, true);
cl_orig = new tcp::ContentLine_Analyzer(conn, true);
cl_orig = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, true);
cl_orig->SetIsNULSensitive(true);
cl_orig->SetSkipPartial(true);
AddSupportAnalyzer(cl_orig);
cl_resp = new tcp::ContentLine_Analyzer(conn, false);
cl_resp = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, false);
cl_resp->SetIsNULSensitive(true);
cl_resp->SetSkipPartial(true);
AddSupportAnalyzer(cl_resp);
@ -59,7 +59,7 @@ SMTP_Analyzer::SMTP_Analyzer(zeek::Connection* conn)
void SMTP_Analyzer::ConnectionFinished(bool half_finished)
{
tcp::TCP_ApplicationAnalyzer::ConnectionFinished(half_finished);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::ConnectionFinished(half_finished);
if ( ! half_finished && mail )
EndData();
@ -72,7 +72,7 @@ SMTP_Analyzer::~SMTP_Analyzer()
void SMTP_Analyzer::Done()
{
tcp::TCP_ApplicationAnalyzer::Done();
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
if ( mail )
EndData();
@ -80,7 +80,7 @@ void SMTP_Analyzer::Done()
void SMTP_Analyzer::Undelivered(uint64_t seq, int len, bool is_orig)
{
tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig);
if ( len <= 0 )
return;
@ -118,7 +118,7 @@ void SMTP_Analyzer::Undelivered(uint64_t seq, int len, bool is_orig)
void SMTP_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
{
tcp::TCP_ApplicationAnalyzer::DeliverStream(length, line, orig);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(length, line, orig);
// If an TLS transaction has been initiated, forward to child and abort.
if ( state == SMTP_IN_TLS )

6
src/analyzer/protocol/smtp/SMTP.h
View file

@ -35,7 +35,7 @@ typedef enum {
} SMTP_State;
class SMTP_Analyzer final : public tcp::TCP_ApplicationAnalyzer {
class SMTP_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
public:
explicit SMTP_Analyzer(zeek::Connection* conn);
~SMTP_Analyzer() override;
@ -90,8 +90,8 @@ protected:
mime::MIME_Mail* mail;
private:
tcp::ContentLine_Analyzer* cl_orig;
tcp::ContentLine_Analyzer* cl_resp;
zeek::analyzer::tcp::ContentLine_Analyzer* cl_orig;
zeek::analyzer::tcp::ContentLine_Analyzer* cl_resp;
};
} } // namespace analyzer::*

12
src/analyzer/protocol/socks/SOCKS.cc
View file

@ -7,7 +7,7 @@
using namespace analyzer::socks;
SOCKS_Analyzer::SOCKS_Analyzer(zeek::Connection* conn)
: tcp::TCP_ApplicationAnalyzer("SOCKS", conn)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("SOCKS", conn)
{
interp = new binpac::SOCKS::SOCKS_Conn(this);
orig_done = resp_done = false;
@ -29,7 +29,7 @@ void SOCKS_Analyzer::EndpointDone(bool orig)
void SOCKS_Analyzer::Done()
{
tcp::TCP_ApplicationAnalyzer::Done();
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
interp->FlowEOF(true);
interp->FlowEOF(false);
@ -37,13 +37,13 @@ void SOCKS_Analyzer::Done()
void SOCKS_Analyzer::EndpointEOF(bool is_orig)
{
tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
interp->FlowEOF(is_orig);
}
void SOCKS_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{
tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
assert(TCP());
@ -60,7 +60,7 @@ void SOCKS_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
// are done with their part of the SOCKS protocol.
if ( ! pia )
{
pia = new pia::PIA_TCP(Conn());
pia = new zeek::analyzer::pia::PIA_TCP(Conn());
if ( AddChildAnalyzer(pia) )
{
pia->FirstPacket(true, nullptr);
@ -87,6 +87,6 @@ void SOCKS_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
void SOCKS_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
{
tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
interp->NewGap(orig, len);
}

4
src/analyzer/protocol/socks/SOCKS.h
View file

@ -13,7 +13,7 @@ namespace binpac {
namespace analyzer { namespace socks {
class SOCKS_Analyzer final : public tcp::TCP_ApplicationAnalyzer {
class SOCKS_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
public:
explicit SOCKS_Analyzer(zeek::Connection* conn);
~SOCKS_Analyzer() override;
@ -33,7 +33,7 @@ protected:
bool orig_done;
bool resp_done;
pia::PIA_TCP *pia;
zeek::analyzer::pia::PIA_TCP *pia;
binpac::SOCKS::SOCKS_Conn* interp;
};

10
src/analyzer/protocol/ssh/SSH.cc
View file

@ -12,7 +12,7 @@
using namespace analyzer::SSH;
SSH_Analyzer::SSH_Analyzer(zeek::Connection* c)
: tcp::TCP_ApplicationAnalyzer("SSH", c)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("SSH", c)
{
interp = new binpac::SSH::SSH_Conn(this);
had_gap = false;
@ -30,7 +30,7 @@ SSH_Analyzer::~SSH_Analyzer()
void SSH_Analyzer::Done()
{
tcp::TCP_ApplicationAnalyzer::Done();
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
interp->FlowEOF(true);
interp->FlowEOF(false);
@ -38,13 +38,13 @@ void SSH_Analyzer::Done()
void SSH_Analyzer::EndpointEOF(bool is_orig)
{
tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
interp->FlowEOF(is_orig);
}
void SSH_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{
tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
assert(TCP());
if ( TCP()->IsPartial() )
@ -83,7 +83,7 @@ void SSH_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
void SSH_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
{
tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
had_gap = true;
interp->NewGap(orig, len);
}

4
src/analyzer/protocol/ssh/SSH.h
View file

@ -9,7 +9,7 @@
namespace analyzer {
namespace SSH {
class SSH_Analyzer final : public tcp::TCP_ApplicationAnalyzer {
class SSH_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
public:
explicit SSH_Analyzer(zeek::Connection* conn);
@ -20,7 +20,7 @@ namespace analyzer {
void DeliverStream(int len, const u_char* data, bool orig) override;
void Undelivered(uint64_t seq, int len, bool orig) override;
// Overriden from tcp::TCP_ApplicationAnalyzer.
// Overriden from zeek::analyzer::tcp::TCP_ApplicationAnalyzer.
void EndpointEOF(bool is_orig) override;
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn)

10
src/analyzer/protocol/ssl/SSL.cc
View file

@ -11,7 +11,7 @@
using namespace analyzer::ssl;
SSL_Analyzer::SSL_Analyzer(zeek::Connection* c)
: tcp::TCP_ApplicationAnalyzer("SSL", c)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("SSL", c)
{
interp = new binpac::SSL::SSL_Conn(this);
handshake_interp = new binpac::TLSHandshake::Handshake_Conn(this);
@ -26,7 +26,7 @@ SSL_Analyzer::~SSL_Analyzer()
void SSL_Analyzer::Done()
{
tcp::TCP_ApplicationAnalyzer::Done();
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
interp->FlowEOF(true);
interp->FlowEOF(false);
@ -36,7 +36,7 @@ void SSL_Analyzer::Done()
void SSL_Analyzer::EndpointEOF(bool is_orig)
{
tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
interp->FlowEOF(is_orig);
handshake_interp->FlowEOF(is_orig);
}
@ -50,7 +50,7 @@ void SSL_Analyzer::StartEncryption()
void SSL_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{
tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
assert(TCP());
if ( TCP()->IsPartial() )
@ -86,7 +86,7 @@ void SSL_Analyzer::SendHandshake(uint16_t raw_tls_version, const u_char* begin,
void SSL_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
{
tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
had_gap = true;
interp->NewGap(orig, len);
}

4
src/analyzer/protocol/ssl/SSL.h
View file

@ -10,7 +10,7 @@ namespace binpac { namespace TLSHandshake { class Handshake_Conn; } }
namespace analyzer { namespace ssl {
class SSL_Analyzer final : public tcp::TCP_ApplicationAnalyzer {
class SSL_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
public:
explicit SSL_Analyzer(zeek::Connection* conn);
~SSL_Analyzer() override;
@ -25,7 +25,7 @@ public:
// Tell the analyzer that encryption has started.
void StartEncryption();
// Overriden from tcp::TCP_ApplicationAnalyzer.
// Overriden from zeek::analyzer::tcp::TCP_ApplicationAnalyzer.
void EndpointEOF(bool is_orig) override;
static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn)

2
src/analyzer/protocol/stepping-stone/Plugin.cc
View file

@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new zeek::analyzer::Component("SteppingStone", ::analyzer::stepping_stone::SteppingStone_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("SteppingStone", zeek::analyzer::stepping_stone::SteppingStone_Analyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::SteppingStone";

26
src/analyzer/protocol/stepping-stone/SteppingStone.cc
View file

@ -13,9 +13,9 @@
#include "util.h"
#include "events.bif.h"
using namespace analyzer::stepping_stone;
namespace zeek::analyzer::stepping_stone {
SteppingStoneEndpoint::SteppingStoneEndpoint(tcp::TCP_Endpoint* e, SteppingStoneManager* m)
SteppingStoneEndpoint::SteppingStoneEndpoint(zeek::analyzer::tcp::TCP_Endpoint* e, SteppingStoneManager* m)
{
endp = e;
stp_max_top_seq = 0;
@ -61,8 +61,8 @@ void SteppingStoneEndpoint::Done()
}
bool SteppingStoneEndpoint::DataSent(double t, uint64_t seq, int len, int caplen,
const u_char* data, const zeek::IP_Hdr* /* ip */,
const struct tcphdr* tp)
const u_char* data, const zeek::IP_Hdr* /* ip */,
const struct tcphdr* tp)
{
if ( caplen < len )
len = caplen;
@ -153,7 +153,7 @@ void SteppingStoneEndpoint::CreateEndpEvent(bool is_orig)
}
SteppingStone_Analyzer::SteppingStone_Analyzer(zeek::Connection* c)
: tcp::TCP_ApplicationAnalyzer("STEPPINGSTONE", c)
: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("STEPPINGSTONE", c)
{
stp_manager = zeek::sessions->GetSTPManager();
@ -163,7 +163,7 @@ SteppingStone_Analyzer::SteppingStone_Analyzer(zeek::Connection* c)
void SteppingStone_Analyzer::Init()
{
tcp::TCP_ApplicationAnalyzer::Init();
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Init();
assert(TCP());
orig_endp = new SteppingStoneEndpoint(TCP()->Orig(), stp_manager);
@ -171,11 +171,11 @@ void SteppingStone_Analyzer::Init()
}
void SteppingStone_Analyzer::DeliverPacket(int len, const u_char* data,
bool is_orig, uint64_t seq,
const zeek::IP_Hdr* ip, int caplen)
bool is_orig, uint64_t seq,
const zeek::IP_Hdr* ip, int caplen)
{
tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, is_orig, seq,
ip, caplen);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, is_orig, seq,
ip, caplen);
if ( is_orig )
orig_endp->DataSent(network_time, seq, len, caplen, data, nullptr, nullptr);
@ -186,7 +186,7 @@ void SteppingStone_Analyzer::DeliverPacket(int len, const u_char* data,
void SteppingStone_Analyzer::DeliverStream(int len, const u_char* data,
bool is_orig)
{
tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig);
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig);
if ( is_orig )
{
@ -205,7 +205,7 @@ void SteppingStone_Analyzer::DeliverStream(int len, const u_char* data,
void SteppingStone_Analyzer::Done()
{
tcp::TCP_ApplicationAnalyzer::Done();
zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
orig_endp->Done();
resp_endp->Done();
@ -213,3 +213,5 @@ void SteppingStone_Analyzer::Done()
Unref(orig_endp);
Unref(resp_endp);
}
} // namespace zeek::analyzer::stepping_stone

18
src/analyzer/protocol/stepping-stone/SteppingStone.h
View file

@ -7,25 +7,25 @@
ZEEK_FORWARD_DECLARE_NAMESPACED(NetSessions, zeek);
namespace analyzer::stepping_stone {
namespace zeek::analyzer::stepping_stone {
class SteppingStoneEndpoint;
class SteppingStoneManager;
class SteppingStoneEndpoint : public zeek::Obj {
public:
SteppingStoneEndpoint(tcp::TCP_Endpoint* e, SteppingStoneManager* m);
SteppingStoneEndpoint(zeek::analyzer::tcp::TCP_Endpoint* e, SteppingStoneManager* m);
~SteppingStoneEndpoint() override;
void Done();
bool DataSent(double t, uint64_t seq, int len, int caplen, const u_char* data,
const zeek::IP_Hdr* ip, const struct tcphdr* tp);
const zeek::IP_Hdr* ip, const struct tcphdr* tp);
protected:
void Event(zeek::EventHandlerPtr f, int id1, int id2 = -1);
void CreateEndpEvent(bool is_orig);
tcp::TCP_Endpoint* endp;
zeek::analyzer::tcp::TCP_Endpoint* endp;
uint64_t stp_max_top_seq;
double stp_last_time;
double stp_resume_time;
@ -40,7 +40,7 @@ protected:
std::map<int, SteppingStoneEndpoint*> stp_outbound_endps;
};
class SteppingStone_Analyzer : public tcp::TCP_ApplicationAnalyzer {
class SteppingStone_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
public:
explicit SteppingStone_Analyzer(zeek::Connection* c);
~SteppingStone_Analyzer() override {};
@ -55,7 +55,7 @@ protected:
// We support both packet and stream input and can be put in place even
// if the TCP analyzer is not yet reassebmling.
void DeliverPacket(int len, const u_char* data, bool is_orig,
uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override;
uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override;
void DeliverStream(int len, const u_char* data, bool is_orig) override;
int orig_stream_pos;
@ -82,3 +82,9 @@ protected:
};
} // namespace analyzer::stepping_stone
namespace analyzer::stepping_stone {
using SteppingStoneEndpoint [[deprecated("Remove in v4.1. Use zeek::analyzer::stepping_stone::SteppingStoneEndpoint.")]] = zeek::analyzer::stepping_stone::SteppingStoneEndpoint;
using SteppingStone_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::stepping_stone::SteppingStone_Analyzer.")]] = zeek::analyzer::stepping_stone::SteppingStone_Analyzer;
using SteppingStoneManager [[deprecated("Remove in v4.1. Use zeek::analyzer::stepping_stone::SteppingStoneManager.")]] = zeek::analyzer::stepping_stone::SteppingStoneManager;
} // namespace analyzer::stepping_stone

10
src/analyzer/protocol/syslog/Syslog.cc
View file

@ -50,7 +50,7 @@ void Syslog_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint
// }
//Syslog_tcp::TCP_Analyzer::Syslog_tcp::TCP_Analyzer(zeek::Connection* conn)
//: tcp::TCP_ApplicationAnalyzer(conn)
//: zeek::analyzer::tcp::TCP_ApplicationAnalyzer(conn)
// {
// interp = new binpac::Syslog_on_TCP::Syslog_TCP_Conn(this);
// }
@ -62,7 +62,7 @@ void Syslog_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint
//void Syslog_tcp::TCP_Analyzer::Done()
// {
// tcp::TCP_ApplicationAnalyzer::Done();
// zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
//
// interp->FlowEOF(true);
// interp->FlowEOF(false);
@ -70,14 +70,14 @@ void Syslog_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint
//void Syslog_tcp::TCP_Analyzer::EndpointEOF(tcp::TCP_Reassembler* endp)
// {
// tcp::TCP_ApplicationAnalyzer::EndpointEOF(endp);
// zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(endp);
// interp->FlowEOF(endp->IsOrig());
// }
//void Syslog_tcp::TCP_Analyzer::DeliverStream(int len, const u_char* data,
// bool orig)
// {
// tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
// zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
//
// assert(TCP());
//
@ -90,6 +90,6 @@ void Syslog_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint
//void Syslog_tcp::TCP_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
// {
// tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
// zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
// interp->NewGap(orig, len);
// }

2
src/analyzer/protocol/syslog/Syslog.h
View file

@ -28,7 +28,7 @@ protected:
// #include "Syslog_tcp_pac.h"
//
//class Syslog_tcp::TCP_Analyzer : public tcp::TCP_ApplicationAnalyzer {
//class Syslog_tcp::TCP_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
//public:
// Syslog_tcp::TCP_Analyzer(zeek::Connection* conn);
// virtual ~Syslog_tcp::TCP_Analyzer();

4
src/analyzer/protocol/tcp/ContentLine.cc
View file

@ -4,7 +4,7 @@
#include "events.bif.h"
using namespace analyzer::tcp;
namespace zeek::analyzer::tcp {
ContentLine_Analyzer::ContentLine_Analyzer(zeek::Connection* conn, bool orig, int max_line_length)
: TCP_SupportAnalyzer("CONTENTLINE", conn, orig), max_line_length(max_line_length)
@ -338,3 +338,5 @@ void ContentLine_Analyzer::SkipBytes(int64_t length)
skip_pending = 0;
seq_to_skip = SeqDelivered() + length;
}
} // namespace zeek::analyzer::tcp

10
src/analyzer/protocol/tcp/ContentLine.h
View file

@ -4,13 +4,13 @@
#include "analyzer/protocol/tcp/TCP.h"
namespace analyzer { namespace tcp {
namespace zeek::analyzer::tcp {
#define CR_as_EOL 1
#define LF_as_EOL 2
// Slightly smaller than 16MB so that the buffer is not unnecessarily resized to 32M.
#define DEFAULT_MAX_LINE_LENGTH 16 * 1024 * 1024 - 100
constexpr auto DEFAULT_MAX_LINE_LENGTH = 16 * 1024 * 1024 - 100;
class ContentLine_Analyzer : public TCP_SupportAnalyzer {
public:
@ -114,4 +114,8 @@ protected:
bool skip_partial;
};
} } // namespace analyzer::*
} // namespace zeek::analyzer::tcp
namespace analyzer::tcp {
using ContentLine_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::tcp::ContentLine_Analyzer.")]] = zeek::analyzer::tcp::ContentLine_Analyzer;
}

4
src/analyzer/protocol/tcp/Plugin.cc
View file

@ -11,8 +11,8 @@ class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new zeek::analyzer::Component("TCP", ::analyzer::tcp::TCP_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("TCPStats", ::analyzer::tcp::TCPStats_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("TCP", zeek::analyzer::tcp::TCP_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("TCPStats", zeek::analyzer::tcp::TCPStats_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("CONTENTLINE", nullptr));
AddComponent(new zeek::analyzer::Component("Contents", nullptr));

4
src/analyzer/protocol/tcp/Stats.cc
View file

@ -4,7 +4,7 @@
#include "events.bif.h"
using namespace analyzer::tcp;
namespace zeek::analyzer::tcp {
TCPStateStats::TCPStateStats()
{
@ -81,3 +81,5 @@ void TCPStateStats::PrintStats(zeek::File* file, const char* prefix)
file->Write("\n");
}
}
} // namespace zeek::analyzer::tcp

8
src/analyzer/protocol/tcp/Stats.h
View file

@ -3,7 +3,7 @@
#include "TCP_Endpoint.h"
namespace analyzer { namespace tcp {
namespace zeek::analyzer::tcp {
// A TCPStateStats object tracks the distribution of TCP states for
// the currently active connections.
@ -65,4 +65,8 @@ private:
unsigned int state_cnt[TCP_ENDPOINT_RESET+1][TCP_ENDPOINT_RESET+1];
};
} } // namespace analyzer::*
} // namespace zeek::analyzer::tcp
namespace analyzer::tcp {
using TCPStateStats [[deprecated("Remove in v4.1. Use zeek::analyzer::tcp::TCPStateStats.")]] = zeek::analyzer::tcp::TCPStateStats;
}

15
src/analyzer/protocol/tcp/TCP.cc
View file

@ -19,13 +19,13 @@
#include "events.bif.h"
#include "types.bif.h"
using namespace analyzer::tcp;
namespace { // local namespace
const bool DEBUG_tcp_data_sent = false;
const bool DEBUG_tcp_connection_close = false;
}
namespace zeek::analyzer::tcp {
// The following are not included in all systems' tcp.h.
#ifndef TH_ECE
@ -36,7 +36,6 @@ namespace { // local namespace
#define TH_CWR 0x80
#endif
#define TOO_LARGE_SEQ_DELTA 1048576
static const int ORIG = 1;
@ -822,7 +821,7 @@ void TCP_Analyzer::CheckPIA_FirstPacket(bool is_orig, const zeek::IP_Hdr* ip)
{
if ( is_orig && ! (first_packet_seen & ORIG) )
{
pia::PIA_TCP* pia = static_cast<pia::PIA_TCP*>(Conn()->GetPrimaryPIA());
auto* pia = static_cast<zeek::analyzer::pia::PIA_TCP*>(Conn()->GetPrimaryPIA());
if ( pia )
pia->FirstPacket(is_orig, ip);
first_packet_seen |= ORIG;
@ -830,7 +829,7 @@ void TCP_Analyzer::CheckPIA_FirstPacket(bool is_orig, const zeek::IP_Hdr* ip)
if ( ! is_orig && ! (first_packet_seen & RESP) )
{
pia::PIA_TCP* pia = static_cast<pia::PIA_TCP*>(Conn()->GetPrimaryPIA());
auto* pia = static_cast<zeek::analyzer::pia::PIA_TCP*>(Conn()->GetPrimaryPIA());
if ( pia )
pia->FirstPacket(is_orig, ip);
first_packet_seen |= RESP;
@ -838,8 +837,8 @@ void TCP_Analyzer::CheckPIA_FirstPacket(bool is_orig, const zeek::IP_Hdr* ip)
}
uint64_t TCP_Analyzer::get_relative_seq(const TCP_Endpoint* endpoint,
uint32_t cur_base, uint32_t last,
uint32_t wraps, bool* underflow)
uint32_t cur_base, uint32_t last,
uint32_t wraps, bool* underflow)
{
int32_t delta = seq_delta(cur_base, last);
@ -2133,3 +2132,5 @@ void TCPStats_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
else
resp_stats->DataSent(network_time, seq, len, caplen, data, ip, nullptr);
}
} // namespace zeek::analyzer::tcp

22
src/analyzer/protocol/tcp/TCP.h
View file

@ -13,13 +13,13 @@
// - TCP_ApplicationAnalyzer is an abstract base class for analyzers for a
// protocol running on top of TCP.
//
namespace analyzer { namespace pia { class PIA_TCP; } };
namespace analyzer { namespace tcp {
ZEEK_FORWARD_DECLARE_NAMESPACED(PIA_TCP, zeek, analyzer::pia);
ZEEK_FORWARD_DECLARE_NAMESPACED(TCP_Endpoint, zeek, analyzer::tcp);
ZEEK_FORWARD_DECLARE_NAMESPACED(TCP_Reassembler, zeek, analyzer::tcp);
ZEEK_FORWARD_DECLARE_NAMESPACED(TCP_ApplicationAnalyzer, zeek, analyzer::tcp);
class TCP_Endpoint;
class TCP_ApplicationAnalyzer;
class TCP_Reassembler;
namespace zeek::analyzer::tcp {
class TCP_Analyzer final : public zeek::analyzer::TransportLayerAnalyzer {
public:
@ -74,7 +74,7 @@ public:
protected:
friend class TCP_ApplicationAnalyzer;
friend class TCP_Reassembler;
friend class analyzer::pia::PIA_TCP;
friend class zeek::analyzer::pia::PIA_TCP;
// Analyzer interface.
void Init() override;
@ -302,4 +302,12 @@ protected:
TCPStats_Endpoint* resp_stats;
};
} } // namespace analyzer::*
} // namespace zeek::analyzer::tcp
namespace analyzer::tcp {
using TCP_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::tcp::TCP_Analyzer.")]] = zeek::analyzer::tcp::TCP_Analyzer;
using TCP_ApplicationAnalyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::tcp::TCP_ApplicationAnalyzer.")]] = zeek::analyzer::tcp::TCP_ApplicationAnalyzer;
using TCP_SupportAnalyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::tcp::TCP_SupportAnalyzer.")]] = zeek::analyzer::tcp::TCP_SupportAnalyzer;
using TCPStats_Endpoint [[deprecated("Remove in v4.1. Use zeek::analyzer::tcp::TCPStats_Endpoint.")]] = zeek::analyzer::tcp::TCPStats_Endpoint;
using TCPStats_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::tcp::TCPStats_Analyzer.")]] = zeek::analyzer::tcp::TCPStats_Analyzer;
}

4
src/analyzer/protocol/tcp/TCP_Endpoint.cc
View file

@ -14,7 +14,7 @@
#include "events.bif.h"
using namespace analyzer::tcp;
namespace zeek::analyzer::tcp {
TCP_Endpoint::TCP_Endpoint(TCP_Analyzer* arg_analyzer, bool arg_is_orig)
{
@ -319,3 +319,5 @@ void TCP_Endpoint::Gap(uint64_t seq, uint64_t len)
gap_cnt, gap_thresh) )
Conn()->HistoryThresholdEvent(tcp_multiple_gap, IsOrig(), t);
}
} // namespace zeek::analyzer::tcp

28
src/analyzer/protocol/tcp/TCP_Endpoint.h
View file

@ -7,13 +7,12 @@
ZEEK_FORWARD_DECLARE_NAMESPACED(Connection, zeek);
ZEEK_FORWARD_DECLARE_NAMESPACED(IP_Hdr, zeek);
ZEEK_FORWARD_DECLARE_NAMESPACED(TCP_Analyzer, zeek, analyzer::tcp);
ZEEK_FORWARD_DECLARE_NAMESPACED(TCP_Reassembler, zeek, analyzer::tcp);
namespace analyzer { namespace tcp {
namespace zeek::analyzer::tcp {
class TCP_Analyzer;
class TCP_Reassembler;
typedef enum {
enum EndpointState {
TCP_ENDPOINT_INACTIVE, // no SYN (or other packets) seen for this side
TCP_ENDPOINT_SYN_SENT, // SYN seen, but no ack
TCP_ENDPOINT_SYN_ACK_SENT, // SYN ack seen, no initial SYN
@ -22,7 +21,7 @@ typedef enum {
// sent by responder)
TCP_ENDPOINT_CLOSED, // FIN seen
TCP_ENDPOINT_RESET // RST seen
} EndpointState;
};
// One endpoint of a TCP connection.
class TCP_Endpoint {
@ -253,4 +252,19 @@ protected:
#define ENDIAN_BIG 2
#define ENDIAN_CONFUSED 3
} } // namespace analyzer::*
} // namespace zeek::analyzer::tcp
namespace analyzer::tcp {
using EndpointState [[deprecated("Remove in v4.1. Use zeek::analyzer::tcp::EndpointState.")]] = zeek::analyzer::tcp::EndpointState;
constexpr auto TCP_ENDPOINT_INACTIVE [[deprecated("Remove in v4.1. Use zeek::analyzer::tcp::TCP_ENDPOINT_INACTIVE.")]] = zeek::analyzer::tcp::TCP_ENDPOINT_INACTIVE;
constexpr auto TCP_ENDPOINT_SYN_SENT [[deprecated("Remove in v4.1. Use zeek::analyzer::tcp::TCP_ENDPOINT_SYN_SENT.")]] = zeek::analyzer::tcp::TCP_ENDPOINT_SYN_SENT;
constexpr auto TCP_ENDPOINT_SYN_ACK_SENT [[deprecated("Remove in v4.1. Use zeek::analyzer::tcp::TCP_ENDPOINT_SYN_ACK_SENT.")]] = zeek::analyzer::tcp::TCP_ENDPOINT_SYN_ACK_SENT;
constexpr auto TCP_ENDPOINT_PARTIAL [[deprecated("Remove in v4.1. Use zeek::analyzer::tcp::TCP_ENDPOINT_PARTIAL.")]] = zeek::analyzer::tcp::TCP_ENDPOINT_PARTIAL;
constexpr auto TCP_ENDPOINT_ESTABLISHED [[deprecated("Remove in v4.1. Use zeek::analyzer::tcp::TCP_ENDPOINT_ESTABLISHED.")]] = zeek::analyzer::tcp::TCP_ENDPOINT_ESTABLISHED;
constexpr auto TCP_ENDPOINT_CLOSED [[deprecated("Remove in v4.1. Use zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED.")]] = zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED;
constexpr auto TCP_ENDPOINT_RESET [[deprecated("Remove in v4.1. Use zeek::analyzer::tcp::TCP_ENDPOINT_RESET.")]] = zeek::analyzer::tcp::TCP_ENDPOINT_RESET;
using TCP_Endpoint [[deprecated("Remove in v4.1. Use zeek::analyzer::tcp::TCP_Endpoint.")]] = zeek::analyzer::tcp::TCP_Endpoint;
} // namespace analyzer::tcp

Some files were not shown because too many files have changed in this diff Show more