Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Move all base analyzer classes to zeek::analyzer namespace

Browse source
This commit is contained in:
Tim Wojtulewicz 2020-07-01 18:21:38 -07:00
parent 87054d9d6b
commit 9400b863ea
171 changed files with 516 additions and 486 deletions
Download patch file Download diff file Expand all files Collapse all files

2
auxil/bifcl

@ -1 +1 @@
Subproject commit 20c91e27342eb1513897702bec47590ffbad5085
Subproject commit ddcb00d15cab84f1b1d0e82dffa764f278e0c69c

22
src/Conn.cc
View file

@ -411,17 +411,17 @@ const zeek::RecordValPtr& Connection::ConnVal()
return conn_val;
}
analyzer::Analyzer* Connection::FindAnalyzer(analyzer::ID id)
zeek::analyzer::Analyzer* Connection::FindAnalyzer(zeek::analyzer::ID id)
{
return root_analyzer ? root_analyzer->FindChild(id) : nullptr;
}
analyzer::Analyzer* Connection::FindAnalyzer(const analyzer::Tag& tag)
zeek::analyzer::Analyzer* Connection::FindAnalyzer(const zeek::analyzer::Tag& tag)
{
return root_analyzer ? root_analyzer->FindChild(tag) : nullptr;
}
analyzer::Analyzer* Connection::FindAnalyzer(const char* name)
zeek::analyzer::Analyzer* Connection::FindAnalyzer(const char* name)
{
return root_analyzer->FindChild(name);
}
@ -464,7 +464,7 @@ void Connection::RemovalEvent()
EnqueueEvent(successful_connection_remove, nullptr, ConnVal());
}
void Connection::Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, const char* name)
void Connection::Event(EventHandlerPtr f, zeek::analyzer::Analyzer* analyzer, const char* name)
{
if ( ! f )
return;
@ -475,7 +475,7 @@ void Connection::Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, const ch
EnqueueEvent(f, analyzer, ConnVal());
}
void Connection::Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, zeek::Val* v1, zeek::Val* v2)
void Connection::Event(EventHandlerPtr f, zeek::analyzer::Analyzer* analyzer, zeek::Val* v1, zeek::Val* v2)
{
if ( ! f )
{
@ -495,7 +495,7 @@ void Connection::Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, zeek::Va
zeek::IntrusivePtr{zeek::AdoptRef{}, v1});
}
void Connection::ConnectionEvent(EventHandlerPtr f, analyzer::Analyzer* a, val_list vl)
void Connection::ConnectionEvent(EventHandlerPtr f, zeek::analyzer::Analyzer* a, val_list vl)
{
auto args = zeek::val_list_to_args(vl);
@ -508,14 +508,14 @@ void Connection::ConnectionEvent(EventHandlerPtr f, analyzer::Analyzer* a, val_l
mgr.Enqueue(f, std::move(args), SOURCE_LOCAL, a ? a->GetID() : 0, this);
}
void Connection::ConnectionEventFast(EventHandlerPtr f, analyzer::Analyzer* a, val_list vl)
void Connection::ConnectionEventFast(EventHandlerPtr f, zeek::analyzer::Analyzer* a, val_list vl)
{
// "this" is passed as a cookie for the event
mgr.Enqueue(f, zeek::val_list_to_args(vl), SOURCE_LOCAL,
a ? a->GetID() : 0, this);
}
void Connection::ConnectionEvent(EventHandlerPtr f, analyzer::Analyzer* a, val_list* vl)
void Connection::ConnectionEvent(EventHandlerPtr f, zeek::analyzer::Analyzer* a, val_list* vl)
{
auto args = zeek::val_list_to_args(*vl);
delete vl;
@ -524,7 +524,7 @@ void Connection::ConnectionEvent(EventHandlerPtr f, analyzer::Analyzer* a, val_l
EnqueueEvent(f, a, std::move(args));
}
void Connection::EnqueueEvent(EventHandlerPtr f, analyzer::Analyzer* a,
void Connection::EnqueueEvent(EventHandlerPtr f, zeek::analyzer::Analyzer* a,
zeek::Args args)
{
// "this" is passed as a cookie for the event
@ -604,7 +604,7 @@ void Connection::FlipRoles()
if ( root_analyzer )
root_analyzer->FlipRoles();
analyzer_mgr->ApplyScheduledAnalyzers(this);
zeek::analyzer_mgr->ApplyScheduledAnalyzers(this);
AddHistory('^');
}
@ -683,7 +683,7 @@ void Connection::IDString(ODesc* d) const
d->Add(ntohs(resp_port));
}
void Connection::SetRootAnalyzer(analyzer::TransportLayerAnalyzer* analyzer, analyzer::pia::PIA* pia)
void Connection::SetRootAnalyzer(zeek::analyzer::TransportLayerAnalyzer* analyzer, analyzer::pia::PIA* pia)
{
root_analyzer = analyzer;
primary_PIA = pia;

33
src/Conn.h
View file

@ -31,14 +31,15 @@ class RuleEndpointState;
class EncapsulationStack;
ZEEK_FORWARD_DECLARE_NAMESPACED(Val, zeek);
ZEEK_FORWARD_DECLARE_NAMESPACED(RecordVal, zeek);
ZEEK_FORWARD_DECLARE_NAMESPACED(TransportLayerAnalyzer, zeek, analyzer);
ZEEK_FORWARD_DECLARE_NAMESPACED(Analyzer, zeek, analyzer);
namespace zeek {
using ValPtr = zeek::IntrusivePtr<Val>;
using RecordValPtr = zeek::IntrusivePtr<RecordVal>;
}
namespace analyzer { class TransportLayerAnalyzer; }
typedef enum {
NUL_IN_LINE,
SINGULAR_CR,
@ -62,8 +63,6 @@ static inline int addr_port_canon_lt(const IPAddr& addr1, uint32_t p1,
return addr1 < addr2 || (addr1 == addr2 && p1 < p2);
}
namespace analyzer { class Analyzer; }
class Connection final : public zeek::Obj {
public:
Connection(NetSessions* s, const ConnIDKey& k, double t, const ConnID* id,
@ -119,9 +118,9 @@ public:
void FlipRoles();
analyzer::Analyzer* FindAnalyzer(analyzer::ID id);
analyzer::Analyzer* FindAnalyzer(const analyzer::Tag& tag); // find first in tree.
analyzer::Analyzer* FindAnalyzer(const char* name); // find first in tree.
zeek::analyzer::Analyzer* FindAnalyzer(zeek::analyzer::ID id);
zeek::analyzer::Analyzer* FindAnalyzer(const zeek::analyzer::Tag& tag); // find first in tree.
zeek::analyzer::Analyzer* FindAnalyzer(const char* name); // find first in tree.
TransportProto ConnTransport() const { return proto; }
@ -192,20 +191,20 @@ public:
// given that event's first argument will be it, and it's second will be
// the connection value. If 'name' is null, then the event's first
// argument is the connection value.
void Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, const char* name = nullptr);
void Event(EventHandlerPtr f, zeek::analyzer::Analyzer* analyzer, const char* name = nullptr);
// If a handler exists for 'f', an event will be generated. In any case,
// 'v1' and 'v2' reference counts get decremented. The event's first
// argument is the connection value, second argument is 'v1', and if 'v2'
// is given that will be it's third argument.
[[deprecated("Remove in v4.1. Use EnqueueEvent() instead (note it doesn't automatically add the connection argument).")]]
void Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, zeek::Val* v1, zeek::Val* v2 = nullptr);
void Event(EventHandlerPtr f, zeek::analyzer::Analyzer* analyzer, zeek::Val* v1, zeek::Val* v2 = nullptr);
// If a handler exists for 'f', an event will be generated. In any case,
// reference count for each element in the 'vl' list are decremented. The
// arguments used for the event are whatevever is provided in 'vl'.
[[deprecated("Remove in v4.1. Use EnqueueEvent() instead.")]]
void ConnectionEvent(EventHandlerPtr f, analyzer::Analyzer* analyzer,
void ConnectionEvent(EventHandlerPtr f, zeek::analyzer::Analyzer* analyzer,
val_list vl);
// Same as ConnectionEvent, except taking the event's argument list via a
@ -213,7 +212,7 @@ public:
// memory pointed to by 'vl' and also for decrementing the reference count
// of each of its elements.
[[deprecated("Remove in v4.1. Use EnqueueEvent() instead.")]]
void ConnectionEvent(EventHandlerPtr f, analyzer::Analyzer* analyzer,
void ConnectionEvent(EventHandlerPtr f, zeek::analyzer::Analyzer* analyzer,
val_list* vl);
// Queues an event without first checking if there's any available event
@ -225,13 +224,13 @@ public:
// it would be a waste of effort to construct all the event arguments when
// there's no handlers to consume them).
[[deprecated("Remove in v4.1. Use EnqueueEvent() instead.")]]
void ConnectionEventFast(EventHandlerPtr f, analyzer::Analyzer* analyzer,
void ConnectionEventFast(EventHandlerPtr f, zeek::analyzer::Analyzer* analyzer,
val_list vl);
/**
* Enqueues an event associated with this connection and given analyzer.
*/
void EnqueueEvent(EventHandlerPtr f, analyzer::Analyzer* analyzer,
void EnqueueEvent(EventHandlerPtr f, zeek::analyzer::Analyzer* analyzer,
zeek::Args args);
/**
@ -241,7 +240,7 @@ public:
std::enable_if_t<
std::is_convertible_v<
std::tuple_element_t<0, std::tuple<Args...>>, zeek::ValPtr>>
EnqueueEvent(EventHandlerPtr h, analyzer::Analyzer* analyzer, Args&&... args)
EnqueueEvent(EventHandlerPtr h, zeek::analyzer::Analyzer* analyzer, Args&&... args)
{ return EnqueueEvent(h, analyzer, zeek::Args{std::forward<Args>(args)...}); }
void Weird(const char* name, const char* addl = "");
@ -305,8 +304,8 @@ public:
void DeleteTimer(double t);
// Sets the root of the analyzer tree as well as the primary PIA.
void SetRootAnalyzer(analyzer::TransportLayerAnalyzer* analyzer, analyzer::pia::PIA* pia);
analyzer::TransportLayerAnalyzer* GetRootAnalyzer() { return root_analyzer; }
void SetRootAnalyzer(zeek::analyzer::TransportLayerAnalyzer* analyzer, analyzer::pia::PIA* pia);
zeek::analyzer::TransportLayerAnalyzer* GetRootAnalyzer() { return root_analyzer; }
analyzer::pia::PIA* GetPrimaryPIA() { return primary_PIA; }
// Sets the transport protocol in use.
@ -383,7 +382,7 @@ protected:
std::string history;
uint32_t hist_seen;
analyzer::TransportLayerAnalyzer* root_analyzer;
zeek::analyzer::TransportLayerAnalyzer* root_analyzer;
analyzer::pia::PIA* primary_PIA;
Bro::UID uid; // Globally unique connection ID.

4
src/Event.cc
View file

@ -19,7 +19,7 @@ uint64_t num_events_queued = 0;
uint64_t num_events_dispatched = 0;
Event::Event(EventHandlerPtr arg_handler, zeek::Args arg_args,
SourceID arg_src, analyzer::ID arg_aid, Obj* arg_obj)
SourceID arg_src, zeek::analyzer::ID arg_aid, Obj* arg_obj)
: handler(arg_handler),
args(std::move(arg_args)),
src(arg_src),
@ -122,7 +122,7 @@ void EventMgr::QueueEvent(const EventHandlerPtr &h, val_list* vl,
}
void EventMgr::Enqueue(const EventHandlerPtr& h, zeek::Args vl,
SourceID src, analyzer::ID aid, Obj* obj)
SourceID src, zeek::analyzer::ID aid, Obj* obj)
{
QueueEvent(new Event(h, std::move(vl), src, aid, obj));
}

18
src/Event.h
View file

@ -17,14 +17,14 @@ class EventMgr;
class Event final : public zeek::Obj {
public:
Event(EventHandlerPtr handler, zeek::Args args,
SourceID src = SOURCE_LOCAL, analyzer::ID aid = 0,
SourceID src = SOURCE_LOCAL, zeek::analyzer::ID aid = 0,
zeek::Obj* obj = nullptr);
void SetNext(Event* n) { next_event = n; }
Event* NextEvent() const { return next_event; }
SourceID Source() const { return src; }
analyzer::ID Analyzer() const { return aid; }
zeek::analyzer::ID Analyzer() const { return aid; }
EventHandlerPtr Handler() const { return handler; }
const zeek::Args& Args() const { return args; }
@ -40,7 +40,7 @@ protected:
EventHandlerPtr handler;
zeek::Args args;
SourceID src;
analyzer::ID aid;
zeek::analyzer::ID aid;
zeek::Obj* obj;
Event* next_event;
};
@ -63,7 +63,7 @@ public:
// arguments when there's no handlers to consume them).
[[deprecated("Remove in v4.1. Use Enqueue() instead.")]]
void QueueEventFast(const EventHandlerPtr &h, val_list vl,
SourceID src = SOURCE_LOCAL, analyzer::ID aid = 0,
SourceID src = SOURCE_LOCAL, zeek::analyzer::ID aid = 0,
TimerMgr* mgr = nullptr, zeek::Obj* obj = nullptr);
// Queues an event if there's an event handler (or remote consumer). This
@ -74,7 +74,7 @@ public:
// existence check.
[[deprecated("Remove in v4.1. Use Enqueue() instead.")]]
void QueueEvent(const EventHandlerPtr &h, val_list vl,
SourceID src = SOURCE_LOCAL, analyzer::ID aid = 0,
SourceID src = SOURCE_LOCAL, zeek::analyzer::ID aid = 0,
TimerMgr* mgr = nullptr, zeek::Obj* obj = nullptr);
// Same as QueueEvent, except taking the event's argument list via a
@ -83,7 +83,7 @@ public:
// each of its elements.
[[deprecated("Remove in v4.1. Use Enqueue() instead.")]]
void QueueEvent(const EventHandlerPtr &h, val_list* vl,
SourceID src = SOURCE_LOCAL, analyzer::ID aid = 0,
SourceID src = SOURCE_LOCAL, zeek::analyzer::ID aid = 0,
TimerMgr* mgr = nullptr, zeek::Obj* obj = nullptr);
/**
@ -99,7 +99,7 @@ public:
* reference to until dispatching the event.
*/
void Enqueue(const EventHandlerPtr& h, zeek::Args vl,
SourceID src = SOURCE_LOCAL, analyzer::ID aid = 0,
SourceID src = SOURCE_LOCAL, zeek::analyzer::ID aid = 0,
zeek::Obj* obj = nullptr);
/**
@ -124,7 +124,7 @@ public:
// Returns the ID of the analyzer which raised the last event, or 0 if
// non-analyzer event.
analyzer::ID CurrentAnalyzer() const { return current_aid; }
zeek::analyzer::ID CurrentAnalyzer() const { return current_aid; }
int Size() const
{ return num_events_queued - num_events_dispatched; }
@ -142,7 +142,7 @@ protected:
Event* head;
Event* tail;
SourceID current_src;
analyzer::ID current_aid;
zeek::analyzer::ID current_aid;
zeek::RecordVal* src_val;
bool draining;
zeek::detail::Flare queue_flare;

3
src/Reporter.cc
View file

@ -196,8 +196,7 @@ void Reporter::InternalError(const char* fmt, ...)
abort();
}
void Reporter::AnalyzerError(analyzer::Analyzer* a, const char* fmt,
...)
void Reporter::AnalyzerError(zeek::analyzer::Analyzer* a, const char* fmt, ...)
{
if ( a )
a->SetSkip(true);

4
src/Reporter.h
View file

@ -15,7 +15,7 @@
#include "BroList.h"
#include "net_util.h"
namespace analyzer { class Analyzer; }
ZEEK_FORWARD_DECLARE_NAMESPACED(Analyzer, zeek, analyzer);
namespace file_analysis { class File; }
class Connection;
class Reporter;
@ -120,7 +120,7 @@ public:
// Report an analyzer error. That analyzer will be set to not process
// any further input, but Bro otherwise continues normally.
void AnalyzerError(analyzer::Analyzer* a, const char* fmt, ...) __attribute__((format(printf, 3, 4)));;
void AnalyzerError(zeek::analyzer::Analyzer* a, const char* fmt, ...) __attribute__((format(printf, 3, 4)));;
// Toggle whether non-fatal messages should be reported through the
// scripting layer rather on standard output. Fatal errors are always

16
src/RuleAction.cc
View file

@ -49,7 +49,7 @@ RuleActionAnalyzer::RuleActionAnalyzer(const char* arg_analyzer)
string str(arg_analyzer);
string::size_type pos = str.find(':');
string arg = str.substr(0, pos);
analyzer = analyzer_mgr->GetComponentTag(arg.c_str());
analyzer = zeek::analyzer_mgr->GetComponentTag(arg.c_str());
if ( ! analyzer )
reporter->Warning("unknown analyzer '%s' specified in rule", arg.c_str());
@ -57,23 +57,23 @@ RuleActionAnalyzer::RuleActionAnalyzer(const char* arg_analyzer)
if ( pos != string::npos )
{
arg = str.substr(pos + 1);
child_analyzer = analyzer_mgr->GetComponentTag(arg.c_str());
child_analyzer = zeek::analyzer_mgr->GetComponentTag(arg.c_str());
if ( ! child_analyzer )
reporter->Warning("unknown analyzer '%s' specified in rule", arg.c_str());
}
else
child_analyzer = analyzer::Tag();
child_analyzer = zeek::analyzer::Tag();
}
void RuleActionAnalyzer::PrintDebug()
{
if ( ! child_analyzer )
fprintf(stderr, "|%s|\n", analyzer_mgr->GetComponentName(analyzer).c_str());
fprintf(stderr, "|%s|\n", zeek::analyzer_mgr->GetComponentName(analyzer).c_str());
else
fprintf(stderr, "|%s:%s|\n",
analyzer_mgr->GetComponentName(analyzer).c_str(),
analyzer_mgr->GetComponentName(child_analyzer).c_str());
zeek::analyzer_mgr->GetComponentName(analyzer).c_str(),
zeek::analyzer_mgr->GetComponentName(child_analyzer).c_str());
}
@ -82,7 +82,7 @@ void RuleActionEnable::DoAction(const Rule* parent, RuleEndpointState* state,
{
if ( ! ChildAnalyzer() )
{
if ( ! analyzer_mgr->IsEnabled(Analyzer()) )
if ( ! zeek::analyzer_mgr->IsEnabled(Analyzer()) )
return;
if ( state->PIA() )
@ -90,7 +90,7 @@ void RuleActionEnable::DoAction(const Rule* parent, RuleEndpointState* state,
}
else
{
if ( ! analyzer_mgr->IsEnabled(ChildAnalyzer()) )
if ( ! zeek::analyzer_mgr->IsEnabled(ChildAnalyzer()) )
return;
// This is ugly and works only if there exists only one

8
src/RuleAction.h
View file

@ -69,12 +69,12 @@ public:
void PrintDebug() override;
analyzer::Tag Analyzer() const { return analyzer; }
analyzer::Tag ChildAnalyzer() const { return child_analyzer; }
zeek::analyzer::Tag Analyzer() const { return analyzer; }
zeek::analyzer::Tag ChildAnalyzer() const { return child_analyzer; }
private:
analyzer::Tag analyzer;
analyzer::Tag child_analyzer;
zeek::analyzer::Tag analyzer;
zeek::analyzer::Tag child_analyzer;
};
class RuleActionEnable : public RuleActionAnalyzer {

2
src/RuleCondition.cc
View file

@ -23,7 +23,7 @@ static inline bool is_established(const analyzer::tcp::TCP_Endpoint* e)
bool RuleConditionTCPState::DoMatch(Rule* rule, RuleEndpointState* state,
const u_char* data, int len)
{
analyzer::Analyzer* root = state->GetAnalyzer()->Conn()->GetRootAnalyzer();
zeek::analyzer::Analyzer* root = state->GetAnalyzer()->Conn()->GetRootAnalyzer();
if ( ! root || ! root->IsAnalyzer("TCP") )
return false;

6
src/RuleMatcher.cc
View file

@ -181,7 +181,7 @@ void RuleHdrTest::PrintDebug()
fprintf(stderr, "\n");
}
RuleEndpointState::RuleEndpointState(analyzer::Analyzer* arg_analyzer, bool arg_is_orig,
RuleEndpointState::RuleEndpointState(zeek::analyzer::Analyzer* arg_analyzer, bool arg_is_orig,
RuleEndpointState* arg_opposite,
analyzer::pia::PIA* arg_PIA)
{
@ -736,7 +736,7 @@ RuleMatcher::MIME_Matches* RuleMatcher::Match(RuleFileMagicState* state,
return rval;
}
RuleEndpointState* RuleMatcher::InitEndpoint(analyzer::Analyzer* analyzer,
RuleEndpointState* RuleMatcher::InitEndpoint(zeek::analyzer::Analyzer* analyzer,
const IP_Hdr* ip, int caplen,
RuleEndpointState* opposite,
bool from_orig, analyzer::pia::PIA* pia)
@ -1417,7 +1417,7 @@ uint32_t id_to_uint(const char* id)
return 0;
}
void RuleMatcherState::InitEndpointMatcher(analyzer::Analyzer* analyzer, const IP_Hdr* ip,
void RuleMatcherState::InitEndpointMatcher(zeek::analyzer::Analyzer* analyzer, const IP_Hdr* ip,
int caplen, bool from_orig, analyzer::pia::PIA* pia)
{
if ( ! rule_matcher )

12
src/RuleMatcher.h
View file

@ -37,10 +37,10 @@ class RuleMatcher;
extern RuleMatcher* rule_matcher;
ZEEK_FORWARD_DECLARE_NAMESPACED(Val, zeek);
ZEEK_FORWARD_DECLARE_NAMESPACED(Analyzer, zeek, analyzer);
namespace analyzer {
namespace pia { class PIA; }
class Analyzer;
}
// RuleHdrTest and associated things:
@ -139,7 +139,7 @@ class RuleEndpointState {
public:
~RuleEndpointState();
analyzer::Analyzer* GetAnalyzer() const { return analyzer; }
zeek::analyzer::Analyzer* GetAnalyzer() const { return analyzer; }
bool IsOrig() { return is_orig; }
// For flipping roles.
@ -158,7 +158,7 @@ private:
// Constructor is private; use RuleMatcher::InitEndpoint()
// for creating an instance.
RuleEndpointState(analyzer::Analyzer* arg_analyzer, bool arg_is_orig,
RuleEndpointState(zeek::analyzer::Analyzer* arg_analyzer, bool arg_is_orig,
RuleEndpointState* arg_opposite, analyzer::pia::PIA* arg_PIA);
struct Matcher {
@ -168,7 +168,7 @@ private:
using matcher_list = zeek::PList<Matcher>;
analyzer::Analyzer* analyzer;
zeek::analyzer::Analyzer* analyzer;
RuleEndpointState* opposite;
analyzer::pia::PIA* pia;
@ -263,7 +263,7 @@ public:
// the given packet (which should be the first packet encountered for
// this endpoint). If the matching is triggered by an PIA, a pointer to
// it needs to be given.
RuleEndpointState* InitEndpoint(analyzer::Analyzer* analyzer, const IP_Hdr* ip,
RuleEndpointState* InitEndpoint(zeek::analyzer::Analyzer* analyzer, const IP_Hdr* ip,
int caplen, RuleEndpointState* opposite, bool is_orig, analyzer::pia::PIA* pia);
// Finish matching for this stream.
@ -372,7 +372,7 @@ public:
{ delete orig_match_state; delete resp_match_state; }
// ip may be nil.
void InitEndpointMatcher(analyzer::Analyzer* analyzer, const IP_Hdr* ip,
void InitEndpointMatcher(zeek::analyzer::Analyzer* analyzer, const IP_Hdr* ip,
int caplen, bool from_orig, analyzer::pia::PIA* pia = nullptr);
// bol/eol should be set to false for type Rule::PAYLOAD; they're

2
src/Sessions.cc
View file

@ -1206,7 +1206,7 @@ Connection* NetSessions::NewConn(const ConnIDKey& k, double t, const ConnID* id,
if ( flip )
conn->FlipRoles();
if ( ! analyzer_mgr->BuildInitialAnalyzerTree(conn) )
if ( ! zeek::analyzer_mgr->BuildInitialAnalyzerTree(conn) )
{
conn->Done();
Unref(conn);

8
src/analyzer/Analyzer.cc
View file

@ -10,7 +10,7 @@
#include "../ZeekString.h"
#include "../Event.h"
namespace analyzer {
namespace zeek::analyzer {
class AnalyzerTimer final : public Timer {
public:
@ -31,9 +31,9 @@ protected:
int do_expire;
};
}
} // namespace zeek::analyzer
using namespace analyzer;
using namespace zeek::analyzer;
AnalyzerTimer::AnalyzerTimer(Analyzer* arg_analyzer, analyzer_timer_func arg_timer,
double arg_t, int arg_do_expire, TimerType arg_type)
@ -72,7 +72,7 @@ void AnalyzerTimer::Init(Analyzer* arg_analyzer, analyzer_timer_func arg_timer,
Ref(analyzer->Conn());
}
analyzer::ID Analyzer::id_counter = 0;
zeek::analyzer::ID Analyzer::id_counter = 0;
const char* Analyzer::GetAnalyzerName() const
{

33
src/analyzer/Analyzer.h
View file

@ -28,9 +28,11 @@ using RecordValPtr = zeek::IntrusivePtr<RecordVal>;
}
namespace analyzer {
namespace tcp { class TCP_ApplicationAnalyzer; }
namespace pia { class PIA; }
}
namespace zeek::analyzer {
class Analyzer;
class AnalyzerTimer;
@ -629,7 +631,7 @@ protected:
friend class AnalyzerTimer;
friend class Manager;
friend class ::Connection;
friend class tcp::TCP_ApplicationAnalyzer;
friend class ::analyzer::tcp::TCP_ApplicationAnalyzer;
/**
* Return a string represantation of an analyzer, containing its name
@ -755,13 +757,13 @@ private:
* Convenience macro to add a new timer.
*/
#define ADD_ANALYZER_TIMER(timer, t, do_expire, type) \
AddTimer(analyzer::analyzer_timer_func(timer), (t), (do_expire), (type))
AddTimer(zeek::analyzer::analyzer_timer_func(timer), (t), (do_expire), (type))
/**
* Internal convenience macro to iterate over the list of child analyzers.
*/
#define LOOP_OVER_CHILDREN(var) \
for ( analyzer::analyzer_list::iterator var = children.begin(); \
for ( zeek::analyzer::analyzer_list::iterator var = children.begin(); \
var != children.end(); var++ )
/**
@ -769,14 +771,14 @@ private:
* analyzers.
*/
#define LOOP_OVER_CONST_CHILDREN(var) \
for ( analyzer::analyzer_list::const_iterator var = children.begin(); \
for ( zeek::analyzer::analyzer_list::const_iterator var = children.begin(); \
var != children.end(); var++ )
/**
* Convenience macro to iterate over a given list of child analyzers.
*/
#define LOOP_OVER_GIVEN_CHILDREN(var, the_kids) \
for ( analyzer::analyzer_list::iterator var = the_kids.begin(); \
for ( zeek::analyzer::analyzer_list::iterator var = the_kids.begin(); \
var != the_kids.end(); var++ )
/**
@ -784,7 +786,7 @@ private:
* analyzers.
*/
#define LOOP_OVER_GIVEN_CONST_CHILDREN(var, the_kids) \
for ( analyzer::analyzer_list::const_iterator var = the_kids.begin(); \
for ( zeek::analyzer::analyzer_list::const_iterator var = the_kids.begin(); \
var != the_kids.end(); var++ )
/**
@ -934,13 +936,13 @@ public:
* transport-layer input and determine which protocol analyzer(s) to
* use for parsing it.
*/
void SetPIA(pia::PIA* arg_PIA) { pia = arg_PIA; }
void SetPIA(::analyzer::pia::PIA* arg_PIA) { pia = arg_PIA; }
/**
* Returns the associated PIA, or null of none. Does not take
* ownership.
*/
pia::PIA* GetPIA() const { return pia; }
::analyzer::pia::PIA* GetPIA() const { return pia; }
/**
* Helper to raise a \c packet_contents event.
@ -952,7 +954,18 @@ public:
void PacketContents(const u_char* data, int len);
private:
pia::PIA* pia;
::analyzer::pia::PIA* pia;
};
} // namespace zeek::analyzer
namespace analyzer {
using Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::Analyzer instead.")]] = zeek::analyzer::Analyzer;
using AnalyzerTimer [[deprecated("Remove in v4.1. Use zeek::analyzer::AnalyzerTimer instead.")]] = zeek::analyzer::AnalyzerTimer;
using SupportAnalyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::SupportAnalyzer instead.")]] = zeek::analyzer::SupportAnalyzer;
using OutputHandler [[deprecated("Remove in v4.1. Use zeek::analyzer::OutputHandler instead.")]] = zeek::analyzer::OutputHandler;
using TransportLayerAnalyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::TransportLayerAnalyzer instead.")]] = zeek::analyzer::TransportLayerAnalyzer;
using analyzer_list [[deprecated("Remove in v4.1. Use zeek::analyzer::analyzer_list instead.")]] = zeek::analyzer::analyzer_list;
using ID [[deprecated("Remove in v4.1. Use zeek::analyzer::ID instead.")]] = zeek::analyzer::ID;
}

4
src/analyzer/Component.cc
View file

@ -6,7 +6,7 @@
#include "../Desc.h"
#include "../util.h"
using namespace analyzer;
using namespace zeek::analyzer;
Component::Component(const std::string& name, factory_callback arg_factory, Tag::subtype_t arg_subtype, bool arg_enabled, bool arg_partial)
: zeek::plugin::Component(zeek::plugin::component::ANALYZER, name),
@ -20,7 +20,7 @@ Component::Component(const std::string& name, factory_callback arg_factory, Tag:
void Component::Initialize()
{
InitializeTag();
analyzer_mgr->RegisterComponent(this, "ANALYZER_");
zeek::analyzer_mgr->RegisterComponent(this, "ANALYZER_");
}
Component::~Component()

12
src/analyzer/Component.h
View file

@ -11,9 +11,9 @@
class Connection;
namespace analyzer {
ZEEK_FORWARD_DECLARE_NAMESPACED(Analyzer, zeek, analyzer);
class Analyzer;
namespace zeek::analyzer {
/**
* Component description for plugins providing analyzers.
@ -35,7 +35,7 @@ public:
*
* @param factory A factory function to instantiate instances of the
* analyzer's class, which must be derived directly or indirectly
* from analyzer::Analyzer. This is typically a static \c
* from zeek::analyzer::Analyzer. This is typically a static \c
* Instatiate() method inside the class that just allocates and
* returns a new instance.
*
@ -107,4 +107,8 @@ private:
bool enabled; // True if the analyzer is enabled.
};
}
} // namespace zeek::analyzer
namespace analyzer {
using Component [[deprecated("Remove in v4.1. Use zeek::analyzer::Component.")]] = zeek::analyzer::Component;
} // namespace analyzer

40
src/analyzer/Manager.cc
View file

@ -17,7 +17,7 @@
#include "protocol/tcp/events.bif.h"
using namespace analyzer;
using namespace zeek::analyzer;
Manager::ConnIndex::ConnIndex(const IPAddr& _orig, const IPAddr& _resp,
uint16_t _resp_p, uint16_t _proto)
@ -202,7 +202,7 @@ void Manager::DisableAllAnalyzers()
(*i)->SetEnabled(false);
}
analyzer::Tag Manager::GetAnalyzerTag(const char* name)
zeek::analyzer::Tag Manager::GetAnalyzerTag(const char* name)
{
return GetComponentTag(name);
}
@ -360,31 +360,31 @@ Manager::tag_set* Manager::LookupPort(zeek::PortVal* val, bool add_if_not_found)
bool Manager::BuildInitialAnalyzerTree(Connection* conn)
{
tcp::TCP_Analyzer* tcp = nullptr;
udp::UDP_Analyzer* udp = nullptr;
icmp::ICMP_Analyzer* icmp = nullptr;
::analyzer::tcp::TCP_Analyzer* tcp = nullptr;
::analyzer::udp::UDP_Analyzer* udp = nullptr;
::analyzer::icmp::ICMP_Analyzer* icmp = nullptr;
TransportLayerAnalyzer* root = nullptr;
pia::PIA* pia = nullptr;
::analyzer::pia::PIA* pia = nullptr;
bool check_port = false;
switch ( conn->ConnTransport() ) {
case TRANSPORT_TCP:
root = tcp = new tcp::TCP_Analyzer(conn);
pia = new pia::PIA_TCP(conn);
root = tcp = new ::analyzer::tcp::TCP_Analyzer(conn);
pia = new ::analyzer::pia::PIA_TCP(conn);
check_port = true;
DBG_ANALYZER(conn, "activated TCP analyzer");
break;
case TRANSPORT_UDP:
root = udp = new udp::UDP_Analyzer(conn);
pia = new pia::PIA_UDP(conn);
root = udp = new ::analyzer::udp::UDP_Analyzer(conn);
pia = new ::analyzer::pia::PIA_UDP(conn);
check_port = true;
DBG_ANALYZER(conn, "activated UDP analyzer");
break;
case TRANSPORT_ICMP: {
root = icmp = new icmp::ICMP_Analyzer(conn);
root = icmp = new ::analyzer::icmp::ICMP_Analyzer(conn);
DBG_ANALYZER(conn, "activated ICMP analyzer");
break;
}
@ -410,14 +410,14 @@ bool Manager::BuildInitialAnalyzerTree(Connection* conn)
{
for ( tag_set::const_iterator j = ports->begin(); j != ports->end(); ++j )
{
Analyzer* analyzer = analyzer_mgr->InstantiateAnalyzer(*j, conn);
Analyzer* analyzer = zeek::analyzer_mgr->InstantiateAnalyzer(*j, conn);
if ( ! analyzer )
continue;
root->AddChildAnalyzer(analyzer, false);
DBG_ANALYZER_ARGS(conn, "activated %s analyzer due to port %d",
analyzer_mgr->GetComponentName(*j).c_str(), resp_port);
zeek::analyzer_mgr->GetComponentName(*j).c_str(), resp_port);
}
}
}
@ -466,25 +466,25 @@ bool Manager::BuildInitialAnalyzerTree(Connection* conn)
auto src = zeek::make_intrusive<zeek::AddrVal>(conn->OrigAddr());
if ( ! stp_skip_src->FindOrDefault(src) )
tcp->AddChildAnalyzer(new stepping_stone::SteppingStone_Analyzer(conn), false);
tcp->AddChildAnalyzer(new ::analyzer::stepping_stone::SteppingStone_Analyzer(conn), false);
}
}
if ( IsEnabled(analyzer_tcpstats) )
// Add TCPStats analyzer. This needs to see packets so
// we cannot add it as a normal child.
tcp->AddChildPacketAnalyzer(new tcp::TCPStats_Analyzer(conn));
tcp->AddChildPacketAnalyzer(new ::analyzer::tcp::TCPStats_Analyzer(conn));
if ( IsEnabled(analyzer_connsize) )
// Add ConnSize analyzer. Needs to see packets, not stream.
tcp->AddChildPacketAnalyzer(new conn_size::ConnSize_Analyzer(conn));
tcp->AddChildPacketAnalyzer(new ::analyzer::conn_size::ConnSize_Analyzer(conn));
}
else
{
if ( IsEnabled(analyzer_connsize) )
// Add ConnSize analyzer. Needs to see packets, not stream.
root->AddChildAnalyzer(new conn_size::ConnSize_Analyzer(conn));
root->AddChildAnalyzer(new ::analyzer::conn_size::ConnSize_Analyzer(conn));
}
if ( pia )
@ -525,7 +525,7 @@ void Manager::ExpireScheduledAnalyzers()
conns.erase(i);
DBG_LOG(DBG_ANALYZER, "Expiring expected analyzer %s for connection %s",
analyzer_mgr->GetComponentName(a->analyzer).c_str(),
zeek::analyzer_mgr->GetComponentName(a->analyzer).c_str(),
fmt_conn_id(a->conn.orig, 0, a->conn.resp, a->conn.resp_p));
delete a;
@ -620,7 +620,7 @@ bool Manager::ApplyScheduledAnalyzers(Connection* conn, bool init, TransportLaye
for ( tag_set::iterator it = expected.begin(); it != expected.end(); ++it )
{
Analyzer* analyzer = analyzer_mgr->InstantiateAnalyzer(*it, conn);
Analyzer* analyzer = zeek::analyzer_mgr->InstantiateAnalyzer(*it, conn);
if ( ! analyzer )
continue;
@ -632,7 +632,7 @@ bool Manager::ApplyScheduledAnalyzers(Connection* conn, bool init, TransportLaye
conn->ConnVal(), it->AsVal());
DBG_ANALYZER_ARGS(conn, "activated %s analyzer as scheduled",
analyzer_mgr->GetComponentName(*it).c_str());
zeek::analyzer_mgr->GetComponentName(*it).c_str());
}
return expected.size();

13
src/analyzer/Manager.h
View file

@ -34,6 +34,7 @@
#include "analyzer/analyzer.bif.h"
namespace zeek {
namespace analyzer {
/**
@ -46,7 +47,7 @@ namespace analyzer {
* respecting well-known ports, and tracking any analyzers specifically
* scheduled for individidual connections.
*/
class Manager : public plugin::ComponentManager<Tag, Component> {
class Manager : public zeek::plugin::ComponentManager<Tag, Component> {
public:
/**
* Constructor.
@ -399,10 +400,18 @@ private:
std::vector<uint16_t> vxlan_ports;
};
}
} // namespace analyzer
extern analyzer::Manager* analyzer_mgr;
} // namespace zeek
namespace analyzer {
using Manager [[deprecated("Remove in v4.1. Use zeek::analyzer::Manager instead.")]] = zeek::analyzer::Manager;
} // namespace analyzer
extern zeek::analyzer::Manager*& analyzer_mgr [[deprecated("Remove in v4.1. Use zeek::analyzer_mgr instead.")]];
// Macros for anayzer debug logging which include the connection id into the
// message.
#ifdef DEBUG

18
src/analyzer/Tag.cc
View file

@ -3,33 +3,33 @@
#include "Tag.h"
#include "Manager.h"
const analyzer::Tag analyzer::Tag::Error;
const zeek::analyzer::Tag zeek::analyzer::Tag::Error;
analyzer::Tag::Tag(type_t type, subtype_t subtype)
: zeek::Tag(analyzer_mgr->GetTagType(), type, subtype)
zeek::analyzer::Tag::Tag(type_t type, subtype_t subtype)
: zeek::Tag(zeek::analyzer_mgr->GetTagType(), type, subtype)
{
}
analyzer::Tag& analyzer::Tag::operator=(const analyzer::Tag& other)
zeek::analyzer::Tag& zeek::analyzer::Tag::operator=(const zeek::analyzer::Tag& other)
{
zeek::Tag::operator=(other);
return *this;
}
const zeek::EnumValPtr& analyzer::Tag::AsVal() const
const zeek::EnumValPtr& zeek::analyzer::Tag::AsVal() const
{
return zeek::Tag::AsVal(analyzer_mgr->GetTagType());
return zeek::Tag::AsVal(zeek::analyzer_mgr->GetTagType());
}
zeek::EnumVal* analyzer::Tag::AsEnumVal() const
zeek::EnumVal* zeek::analyzer::Tag::AsEnumVal() const
{
return AsVal().get();
}
analyzer::Tag::Tag(zeek::EnumValPtr val)
zeek::analyzer::Tag::Tag(zeek::EnumValPtr val)
: zeek::Tag(std::move(val))
{ }
analyzer::Tag::Tag(zeek::EnumVal* val)
zeek::analyzer::Tag::Tag(zeek::EnumVal* val)
: zeek::Tag({zeek::NewRef{}, val})
{ }

12
src/analyzer/Tag.h
View file

@ -21,10 +21,10 @@ namespace plugin {
zeek::plugin::ComponentManager<T, C>;
}
namespace analyzer {
ZEEK_FORWARD_DECLARE_NAMESPACED(Manager, zeek, analyzer);
ZEEK_FORWARD_DECLARE_NAMESPACED(Component, zeek, analyzer);
class Manager;
class Component;
namespace zeek::analyzer {
/**
* Class to identify a protocol analyzer type.
@ -125,4 +125,8 @@ protected:
explicit Tag(zeek::EnumVal* val);
};
}
} // namespace zeek::analyzer
namespace analyzer {
using Tag [[deprecated("Remove in v4.1. Use zeek::analyzer::Tag")]] = zeek::analyzer::Tag;
} // namespace analyzer

14
src/analyzer/analyzer.bif
View file

@ -10,43 +10,43 @@ module Analyzer;
function Analyzer::__enable_analyzer%(id: Analyzer::Tag%) : bool
%{
bool result = analyzer_mgr->EnableAnalyzer(id->AsEnumVal());
bool result = zeek::analyzer_mgr->EnableAnalyzer(id->AsEnumVal());
return zeek::val_mgr->Bool(result);
%}
function Analyzer::__disable_analyzer%(id: Analyzer::Tag%) : bool
%{
bool result = analyzer_mgr->DisableAnalyzer(id->AsEnumVal());
bool result = zeek::analyzer_mgr->DisableAnalyzer(id->AsEnumVal());
return zeek::val_mgr->Bool(result);
%}
function Analyzer::__disable_all_analyzers%(%) : any
%{
analyzer_mgr->DisableAllAnalyzers();
zeek::analyzer_mgr->DisableAllAnalyzers();
return nullptr;
%}
function Analyzer::__register_for_port%(id: Analyzer::Tag, p: port%) : bool
%{
bool result = analyzer_mgr->RegisterAnalyzerForPort(id->AsEnumVal(), p);
bool result = zeek::analyzer_mgr->RegisterAnalyzerForPort(id->AsEnumVal(), p);
return zeek::val_mgr->Bool(result);
%}
function Analyzer::__schedule_analyzer%(orig: addr, resp: addr, resp_p: port,
analyzer: Analyzer::Tag, tout: interval%) : bool
%{
analyzer_mgr->ScheduleAnalyzer(orig->AsAddr(), resp->AsAddr(), resp_p, analyzer->AsEnumVal(), tout);
zeek::analyzer_mgr->ScheduleAnalyzer(orig->AsAddr(), resp->AsAddr(), resp_p, analyzer->AsEnumVal(), tout);
return zeek::val_mgr->True();
%}
function __name%(atype: Analyzer::Tag%) : string
%{
const auto& n = analyzer_mgr->GetComponentName(zeek::IntrusivePtr{zeek::NewRef{}, atype->AsEnumVal()});
const auto& n = zeek::analyzer_mgr->GetComponentName(zeek::IntrusivePtr{zeek::NewRef{}, atype->AsEnumVal()});
return zeek::make_intrusive<zeek::StringVal>(n);
%}
function __tag%(name: string%) : Analyzer::Tag
%{
analyzer::Tag t = analyzer_mgr->GetComponentTag(name->CheckString());
analyzer::Tag t = zeek::analyzer_mgr->GetComponentTag(name->CheckString());
return t.AsVal();
%}

4
src/analyzer/protocol/ayiya/AYIYA.h
View file

@ -4,7 +4,7 @@
namespace analyzer { namespace ayiya {
class AYIYA_Analyzer final : public analyzer::Analyzer {
class AYIYA_Analyzer final : public zeek::analyzer::Analyzer {
public:
explicit AYIYA_Analyzer(Connection* conn);
virtual ~AYIYA_Analyzer();
@ -13,7 +13,7 @@ public:
virtual void DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const IP_Hdr* ip, int caplen);
static analyzer::Analyzer* Instantiate(Connection* conn)
static zeek::analyzer::Analyzer* Instantiate(Connection* conn)
{ return new AYIYA_Analyzer(conn); }
protected:

2
src/analyzer/protocol/ayiya/Plugin.cc
View file

@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new ::analyzer::Component("AYIYA", ::analyzer::ayiya::AYIYA_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("AYIYA", ::analyzer::ayiya::AYIYA_Analyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::AYIYA";

2
src/analyzer/protocol/bittorrent/BitTorrent.h
View file

@ -18,7 +18,7 @@ public:
void Undelivered(uint64_t seq, int len, bool orig) override;
void EndpointEOF(bool is_orig) override;
static analyzer::Analyzer* Instantiate(Connection* conn)
static zeek::analyzer::Analyzer* Instantiate(Connection* conn)
{ return new BitTorrent_Analyzer(conn); }
protected:

2
src/analyzer/protocol/bittorrent/BitTorrentTracker.h
View file

@ -53,7 +53,7 @@ public:
void Undelivered(uint64_t seq, int len, bool orig) override;
void EndpointEOF(bool is_orig) override;
static analyzer::Analyzer* Instantiate(Connection* conn)
static zeek::analyzer::Analyzer* Instantiate(Connection* conn)
{ return new BitTorrentTracker_Analyzer(conn); }
protected:

4
src/analyzer/protocol/bittorrent/Plugin.cc
View file

@ -12,8 +12,8 @@ class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new ::analyzer::Component("BitTorrent", ::analyzer::bittorrent::BitTorrent_Analyzer::Instantiate));
AddComponent(new ::analyzer::Component("BitTorrentTracker", ::analyzer::bittorrent::BitTorrentTracker_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("BitTorrent", ::analyzer::bittorrent::BitTorrent_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("BitTorrentTracker", ::analyzer::bittorrent::BitTorrentTracker_Analyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::BitTorrent";

4
src/analyzer/protocol/conn-size/ConnSize.h
View file

@ -8,7 +8,7 @@
namespace analyzer { namespace conn_size {
class ConnSize_Analyzer : public analyzer::Analyzer {
class ConnSize_Analyzer : public zeek::analyzer::Analyzer {
public:
explicit ConnSize_Analyzer(Connection* c);
~ConnSize_Analyzer() override;
@ -26,7 +26,7 @@ public:
void SetDurationThreshold(double duration);
double GetDurationThreshold() { return duration_thresh; };
static analyzer::Analyzer* Instantiate(Connection* conn)
static zeek::analyzer::Analyzer* Instantiate(Connection* conn)
{ return new ConnSize_Analyzer(conn); }
protected:

2
src/analyzer/protocol/conn-size/Plugin.cc
View file

@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new ::analyzer::Component("ConnSize", ::analyzer::conn_size::ConnSize_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("ConnSize", ::analyzer::conn_size::ConnSize_Analyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::ConnSize";

28
src/analyzer/protocol/conn-size/functions.bif
View file

@ -3,13 +3,13 @@
#include "Reporter.h"
#include "Sessions.h"
static analyzer::Analyzer* GetConnsizeAnalyzer(zeek::Val* cid)
static zeek::analyzer::Analyzer* GetConnsizeAnalyzer(zeek::Val* cid)
{
Connection* c = sessions->FindConnection(cid);
if ( ! c )
return nullptr;
analyzer::Analyzer* a = c->FindAnalyzer("CONNSIZE");
zeek::analyzer::Analyzer* a = c->FindAnalyzer("CONNSIZE");
if ( ! a )
reporter->Error("connection does not have ConnSize analyzer");
@ -33,11 +33,11 @@ static analyzer::Analyzer* GetConnsizeAnalyzer(zeek::Val* cid)
## set_current_conn_duration_threshold get_current_conn_duration_threshold
function set_current_conn_bytes_threshold%(cid: conn_id, threshold: count, is_orig: bool%): bool
%{
analyzer::Analyzer* a = GetConnsizeAnalyzer(cid);
zeek::analyzer::Analyzer* a = GetConnsizeAnalyzer(cid);
if ( ! a )
return zeek::val_mgr->False();
static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->SetByteAndPacketThreshold(threshold, true, is_orig);
static_cast<::analyzer::conn_size::ConnSize_Analyzer*>(a)->SetByteAndPacketThreshold(threshold, true, is_orig);
return zeek::val_mgr->True();
%}
@ -57,11 +57,11 @@ function set_current_conn_bytes_threshold%(cid: conn_id, threshold: count, is_or
## set_current_conn_duration_threshold get_current_conn_duration_threshold
function set_current_conn_packets_threshold%(cid: conn_id, threshold: count, is_orig: bool%): bool
%{
analyzer::Analyzer* a = GetConnsizeAnalyzer(cid);
zeek::analyzer::Analyzer* a = GetConnsizeAnalyzer(cid);
if ( ! a )
return zeek::val_mgr->False();
static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->SetByteAndPacketThreshold(threshold, false, is_orig);
static_cast<::analyzer::conn_size::ConnSize_Analyzer*>(a)->SetByteAndPacketThreshold(threshold, false, is_orig);
return zeek::val_mgr->True();
%}
@ -79,11 +79,11 @@ function set_current_conn_packets_threshold%(cid: conn_id, threshold: count, is_
## get_current_conn_duration_threshold
function set_current_conn_duration_threshold%(cid: conn_id, threshold: interval%): bool
%{
analyzer::Analyzer* a = GetConnsizeAnalyzer(cid);
zeek::analyzer::Analyzer* a = GetConnsizeAnalyzer(cid);
if ( ! a )
return zeek::val_mgr->False();
static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->SetDurationThreshold(threshold);
static_cast<::analyzer::conn_size::ConnSize_Analyzer*>(a)->SetDurationThreshold(threshold);
return zeek::val_mgr->True();
%}
@ -101,11 +101,11 @@ function set_current_conn_duration_threshold%(cid: conn_id, threshold: interval%
## get_current_conn_duration_threshold
function get_current_conn_bytes_threshold%(cid: conn_id, is_orig: bool%): count
%{
analyzer::Analyzer* a = GetConnsizeAnalyzer(cid);
zeek::analyzer::Analyzer* a = GetConnsizeAnalyzer(cid);
if ( ! a )
return zeek::val_mgr->Count(0);
return zeek::val_mgr->Count(static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->GetByteAndPacketThreshold(true, is_orig));
return zeek::val_mgr->Count(static_cast<::analyzer::conn_size::ConnSize_Analyzer*>(a)->GetByteAndPacketThreshold(true, is_orig));
%}
## Gets the current packet threshold size for a connection.
@ -120,11 +120,11 @@ function get_current_conn_bytes_threshold%(cid: conn_id, is_orig: bool%): count
## get_current_conn_bytes_threshold set_current_conn_duration_threshold get_current_conn_duration_threshold
function get_current_conn_packets_threshold%(cid: conn_id, is_orig: bool%): count
%{
analyzer::Analyzer* a = GetConnsizeAnalyzer(cid);
zeek::analyzer::Analyzer* a = GetConnsizeAnalyzer(cid);
if ( ! a )
return zeek::val_mgr->Count(0);
return zeek::val_mgr->Count(static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->GetByteAndPacketThreshold(false, is_orig));
return zeek::val_mgr->Count(static_cast<::analyzer::conn_size::ConnSize_Analyzer*>(a)->GetByteAndPacketThreshold(false, is_orig));
%}
## Gets the current duration threshold size for a connection.
@ -137,9 +137,9 @@ function get_current_conn_packets_threshold%(cid: conn_id, is_orig: bool%): coun
## get_current_conn_packets_threshold set_current_conn_duration_threshold
function get_current_conn_duration_threshold%(cid: conn_id%): interval
%{
analyzer::Analyzer* a = GetConnsizeAnalyzer(cid);
zeek::analyzer::Analyzer* a = GetConnsizeAnalyzer(cid);
if ( ! a )
return zeek::make_intrusive<zeek::IntervalVal>(0.0);
return zeek::make_intrusive<zeek::IntervalVal>(static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->GetDurationThreshold());
return zeek::make_intrusive<zeek::IntervalVal>(static_cast<::analyzer::conn_size::ConnSize_Analyzer*>(a)->GetDurationThreshold());
%}

2
src/analyzer/protocol/dce-rpc/DCE_RPC.h
View file

@ -24,7 +24,7 @@ public:
bool SetFileID(uint64_t fid_in)
{ interp->set_file_id(fid_in); return true; }
static analyzer::Analyzer* Instantiate(Connection* conn)
static zeek::analyzer::Analyzer* Instantiate(Connection* conn)
{ return new DCE_RPC_Analyzer(conn); }
protected:

2
src/analyzer/protocol/dce-rpc/Plugin.cc
View file

@ -12,7 +12,7 @@ class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new ::analyzer::Component("DCE_RPC", ::analyzer::dce_rpc::DCE_RPC_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("DCE_RPC", ::analyzer::dce_rpc::DCE_RPC_Analyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::DCE_RPC";

8
src/analyzer/protocol/dce-rpc/dce_rpc-auth.pac
View file

@ -4,8 +4,8 @@
refine connection DCE_RPC_Conn += {
%member{
analyzer::Analyzer *gssapi;
analyzer::Analyzer *ntlm;
zeek::analyzer::Analyzer *gssapi;
zeek::analyzer::Analyzer *ntlm;
%}
%init{
@ -32,13 +32,13 @@ refine connection DCE_RPC_Conn += {
{
case 0x09:
if ( ! gssapi )
gssapi = analyzer_mgr->InstantiateAnalyzer("KRB", bro_analyzer()->Conn());
gssapi = zeek::analyzer_mgr->InstantiateAnalyzer("KRB", bro_analyzer()->Conn());
if ( gssapi )
gssapi->DeliverStream(${auth.blob}.length(), ${auth.blob}.begin(), is_orig);
break;
case 0x0a:
if ( ! ntlm )
ntlm = analyzer_mgr->InstantiateAnalyzer("NTLM", bro_analyzer()->Conn());
ntlm = zeek::analyzer_mgr->InstantiateAnalyzer("NTLM", bro_analyzer()->Conn());
if ( ntlm )
ntlm->DeliverStream(${auth.blob}.length(), ${auth.blob}.begin(), is_orig);
break;

4
src/analyzer/protocol/dhcp/DHCP.h
View file

@ -6,7 +6,7 @@
namespace analyzer { namespace dhcp {
class DHCP_Analyzer final : public analyzer::Analyzer {
class DHCP_Analyzer final : public zeek::analyzer::Analyzer {
public:
explicit DHCP_Analyzer(Connection* conn);
~DHCP_Analyzer() override;
@ -15,7 +15,7 @@ public:
void DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const IP_Hdr* ip, int caplen) override;
static analyzer::Analyzer* Instantiate(Connection* conn)
static zeek::analyzer::Analyzer* Instantiate(Connection* conn)
{ return new DHCP_Analyzer(conn); }
protected:

2
src/analyzer/protocol/dhcp/Plugin.cc
View file

@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new ::analyzer::Component("DHCP", ::analyzer::dhcp::DHCP_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("DHCP", ::analyzer::dhcp::DHCP_Analyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::DHCP";

2
src/analyzer/protocol/dnp3/DNP3.cc
View file

@ -113,7 +113,7 @@ bool DNP3_Base::crc_table_initialized = false;
unsigned int DNP3_Base::crc_table[256];
DNP3_Base::DNP3_Base(analyzer::Analyzer* arg_analyzer)
DNP3_Base::DNP3_Base(zeek::analyzer::Analyzer* arg_analyzer)
{
analyzer = arg_analyzer;
interp = new binpac::DNP3::DNP3_Conn(analyzer);

8
src/analyzer/protocol/dnp3/DNP3.h
View file

@ -10,7 +10,7 @@ namespace analyzer { namespace dnp3 {
class DNP3_Base {
public:
explicit DNP3_Base(analyzer::Analyzer* analyzer);
explicit DNP3_Base(zeek::analyzer::Analyzer* analyzer);
virtual ~DNP3_Base();
binpac::DNP3::DNP3_Conn* Interpreter() { return interp; }
@ -54,7 +54,7 @@ protected:
static bool crc_table_initialized;
static unsigned int crc_table[256];
analyzer::Analyzer* analyzer;
zeek::analyzer::Analyzer* analyzer;
binpac::DNP3::DNP3_Conn* interp;
Endpoint orig_state;
@ -75,7 +75,7 @@ public:
{ return new DNP3_TCP_Analyzer(conn); }
};
class DNP3_UDP_Analyzer : public DNP3_Base, public analyzer::Analyzer {
class DNP3_UDP_Analyzer : public DNP3_Base, public zeek::analyzer::Analyzer {
public:
explicit DNP3_UDP_Analyzer(Connection* conn);
~DNP3_UDP_Analyzer() override;
@ -83,7 +83,7 @@ public:
void DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const IP_Hdr* ip, int caplen) override;
static analyzer::Analyzer* Instantiate(Connection* conn)
static zeek::analyzer::Analyzer* Instantiate(Connection* conn)
{ return new DNP3_UDP_Analyzer(conn); }
};

4
src/analyzer/protocol/dnp3/Plugin.cc
View file

@ -11,8 +11,8 @@ class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new ::analyzer::Component("DNP3_TCP", ::analyzer::dnp3::DNP3_TCP_Analyzer::Instantiate));
AddComponent(new ::analyzer::Component("DNP3_UDP", ::analyzer::dnp3::DNP3_UDP_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("DNP3_TCP", ::analyzer::dnp3::DNP3_TCP_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("DNP3_UDP", ::analyzer::dnp3::DNP3_UDP_Analyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::DNP3";

4
src/analyzer/protocol/dns/DNS.cc
View file

@ -19,7 +19,7 @@
using namespace analyzer::dns;
DNS_Interpreter::DNS_Interpreter(analyzer::Analyzer* arg_analyzer)
DNS_Interpreter::DNS_Interpreter(zeek::analyzer::Analyzer* arg_analyzer)
{
analyzer = arg_analyzer;
first_message = true;
@ -1334,7 +1334,7 @@ bool DNS_Interpreter::ParseRR_HINFO(DNS_MsgInfo* msg,
}
static zeek::StringValPtr
extract_char_string(analyzer::Analyzer* analyzer,
extract_char_string(zeek::analyzer::Analyzer* analyzer,
const u_char*& data, int& len, int& rdlen)
{
if ( rdlen <= 0 )

6
src/analyzer/protocol/dns/DNS.h
View file

@ -248,7 +248,7 @@ public:
class DNS_Interpreter {
public:
explicit DNS_Interpreter(analyzer::Analyzer* analyzer);
explicit DNS_Interpreter(zeek::analyzer::Analyzer* analyzer);
void ParseMessage(const u_char* data, int len, int is_query);
@ -343,7 +343,7 @@ protected:
zeek::String* question_name,
zeek::String* original_name);
analyzer::Analyzer* analyzer;
zeek::analyzer::Analyzer* analyzer;
bool first_message;
};
@ -393,7 +393,7 @@ public:
tcp::TCP_Endpoint* peer, bool gen_event) override;
void ExpireTimer(double t);
static analyzer::Analyzer* Instantiate(Connection* conn)
static zeek::analyzer::Analyzer* Instantiate(Connection* conn)
{ return new DNS_Analyzer(conn); }
protected:

4
src/analyzer/protocol/dns/Plugin.cc
View file

@ -11,8 +11,8 @@ class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new ::analyzer::Component("DNS", ::analyzer::dns::DNS_Analyzer::Instantiate));
AddComponent(new ::analyzer::Component("Contents_DNS", nullptr));
AddComponent(new zeek::analyzer::Component("DNS", ::analyzer::dns::DNS_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("Contents_DNS", nullptr));
zeek::plugin::Configuration config;
config.name = "Zeek::DNS";

2
src/analyzer/protocol/file/File.h
View file

@ -18,7 +18,7 @@ public:
void Undelivered(uint64_t seq, int len, bool orig) override;
// static analyzer::Analyzer* Instantiate(Connection* conn)
// static zeek::analyzer::Analyzer* Instantiate(Connection* conn)
// { return new File_Analyzer(conn); }
protected:

4
src/analyzer/protocol/file/Plugin.cc
View file

@ -11,8 +11,8 @@ class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new ::analyzer::Component("FTP_Data", ::analyzer::file::FTP_Data::Instantiate));
AddComponent(new ::analyzer::Component("IRC_Data", ::analyzer::file::IRC_Data::Instantiate));
AddComponent(new zeek::analyzer::Component("FTP_Data", ::analyzer::file::FTP_Data::Instantiate));
AddComponent(new zeek::analyzer::Component("IRC_Data", ::analyzer::file::IRC_Data::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::File";

2
src/analyzer/protocol/finger/Finger.h
View file

@ -16,7 +16,7 @@ public:
// Line-based input.
void DeliverStream(int len, const u_char* data, bool orig) override;
static analyzer::Analyzer* Instantiate(Connection* conn)
static zeek::analyzer::Analyzer* Instantiate(Connection* conn)
{ return new Finger_Analyzer(conn); }
protected:

2
src/analyzer/protocol/finger/Plugin.cc
View file

@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new ::analyzer::Component("Finger", ::analyzer::finger::Finger_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("Finger", ::analyzer::finger::Finger_Analyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::Finger";

2
src/analyzer/protocol/ftp/FTP.cc
View file

@ -166,7 +166,7 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
// Server wants to proceed with an ADAT exchange and we
// know how to analyze the GSI mechanism, so attach analyzer
// to look for that.
Analyzer* ssl = analyzer_mgr->InstantiateAnalyzer("SSL", Conn());
Analyzer* ssl = zeek::analyzer_mgr->InstantiateAnalyzer("SSL", Conn());
if ( ssl )
{
ssl->AddSupportAnalyzer(new FTP_ADAT_Analyzer(Conn(), true));

4
src/analyzer/protocol/ftp/FTP.h
View file

@ -15,7 +15,7 @@ public:
void Done() override;
void DeliverStream(int len, const u_char* data, bool orig) override;
static analyzer::Analyzer* Instantiate(Connection* conn)
static zeek::analyzer::Analyzer* Instantiate(Connection* conn)
{
return new FTP_Analyzer(conn);
}
@ -34,7 +34,7 @@ protected:
* analyzer just decodes the tokens and passes them on to the parent, which must
* be an SSL analyzer instance.
*/
class FTP_ADAT_Analyzer final : public analyzer::SupportAnalyzer {
class FTP_ADAT_Analyzer final : public zeek::analyzer::SupportAnalyzer {
public:
FTP_ADAT_Analyzer(Connection* conn, bool arg_orig)
: SupportAnalyzer("FTP_ADAT", conn, arg_orig),

4
src/analyzer/protocol/ftp/Plugin.cc
View file

@ -11,8 +11,8 @@ class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new ::analyzer::Component("FTP", ::analyzer::ftp::FTP_Analyzer::Instantiate));
AddComponent(new ::analyzer::Component("FTP_ADAT", nullptr));
AddComponent(new zeek::analyzer::Component("FTP", ::analyzer::ftp::FTP_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("FTP_ADAT", nullptr));
zeek::plugin::Configuration config;
config.name = "Zeek::FTP";

4
src/analyzer/protocol/gnutella/Gnutella.cc
View file

@ -119,14 +119,14 @@ bool Gnutella_Analyzer::IsHTTP(std::string header)
if ( gnutella_http_notify )
EnqueueConnEvent(gnutella_http_notify, ConnVal());
analyzer::Analyzer* a = analyzer_mgr->InstantiateAnalyzer("HTTP", Conn());
zeek::analyzer::Analyzer* a = zeek::analyzer_mgr->InstantiateAnalyzer("HTTP", Conn());
if ( a && Parent()->AddChildAnalyzer(a) )
{
if ( Parent()->IsAnalyzer("TCP") )
{
// Replay buffered data.
pia::PIA* pia = static_cast<analyzer::TransportLayerAnalyzer *>(Parent())->GetPIA();
pia::PIA* pia = static_cast<zeek::analyzer::TransportLayerAnalyzer *>(Parent())->GetPIA();
if ( pia )
static_cast<pia::PIA_TCP *>(pia)->ReplayStreamBuffer(a);
}

2
src/analyzer/protocol/gnutella/Gnutella.h
View file

@ -41,7 +41,7 @@ public:
void Done () override;
void DeliverStream(int len, const u_char* data, bool orig) override;
static analyzer::Analyzer* Instantiate(Connection* conn)
static zeek::analyzer::Analyzer* Instantiate(Connection* conn)
{ return new Gnutella_Analyzer(conn); }
private:

2
src/analyzer/protocol/gnutella/Plugin.cc
View file

@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new ::analyzer::Component("Gnutella", ::analyzer::gnutella::Gnutella_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("Gnutella", ::analyzer::gnutella::Gnutella_Analyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::Gnutella";

2
src/analyzer/protocol/gssapi/GSSAPI.h
View file

@ -24,7 +24,7 @@ public:
// Overriden from tcp::TCP_ApplicationAnalyzer.
void EndpointEOF(bool is_orig) override;
static analyzer::Analyzer* Instantiate(Connection* conn)
static zeek::analyzer::Analyzer* Instantiate(Connection* conn)
{ return new GSSAPI_Analyzer(conn); }
protected:

2
src/analyzer/protocol/gssapi/Plugin.cc
View file

@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new ::analyzer::Component("GSSAPI", ::analyzer::gssapi::GSSAPI_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("GSSAPI", ::analyzer::gssapi::GSSAPI_Analyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::GSSAPI";

9
src/analyzer/protocol/gssapi/gssapi-analyzer.pac
View file

@ -1,8 +1,8 @@
refine connection GSSAPI_Conn += {
%member{
analyzer::Analyzer *ntlm;
analyzer::Analyzer *krb5;
zeek::analyzer::Analyzer *ntlm;
zeek::analyzer::Analyzer *krb5;
%}
%init{
@ -34,7 +34,7 @@ refine connection GSSAPI_Conn += {
{
// ntlmssp
if ( ! ntlm )
ntlm = analyzer_mgr->InstantiateAnalyzer("NTLM", bro_analyzer()->Conn());
ntlm = zeek::analyzer_mgr->InstantiateAnalyzer("NTLM", bro_analyzer()->Conn());
if ( ntlm )
ntlm->DeliverStream(${val.ntlm}.length(),
@ -44,7 +44,7 @@ refine connection GSSAPI_Conn += {
else if ( ${val.has_krb} )
{
if ( ! krb5 )
krb5 = analyzer_mgr->InstantiateAnalyzer("KRB", bro_analyzer()->Conn());
krb5 = zeek::analyzer_mgr->InstantiateAnalyzer("KRB", bro_analyzer()->Conn());
if ( krb5 ) // accepting all KRB types (REQ, REP, etc)
{
@ -77,4 +77,3 @@ refine typeattr GSSAPI_NEG_TOKEN_MECH_TOKEN += &let {
refine typeattr GSSAPI_NEG_TOKEN_RESP_Arg += &let {
proc: bool = $context.connection.proc_gssapi_neg_result(this) &if(seq_meta.index==0);
};

4
src/analyzer/protocol/gtpv1/GTPv1.h
View file

@ -4,7 +4,7 @@
namespace analyzer { namespace gtpv1 {
class GTPv1_Analyzer final : public analyzer::Analyzer {
class GTPv1_Analyzer final : public zeek::analyzer::Analyzer {
public:
explicit GTPv1_Analyzer(Connection* conn);
virtual ~GTPv1_Analyzer();
@ -13,7 +13,7 @@ public:
virtual void DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const IP_Hdr* ip, int caplen);
static analyzer::Analyzer* Instantiate(Connection* conn)
static zeek::analyzer::Analyzer* Instantiate(Connection* conn)
{ return new GTPv1_Analyzer(conn); }
protected:

2
src/analyzer/protocol/gtpv1/Plugin.cc
View file

@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new ::analyzer::Component("GTPv1", ::analyzer::gtpv1::GTPv1_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("GTPv1", ::analyzer::gtpv1::GTPv1_Analyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::GTPv1";

4
src/analyzer/protocol/http/HTTP.cc
View file

@ -173,7 +173,7 @@ void HTTP_Entity::Deliver(int len, const char* data, bool trailing_CRLF)
DeliverBody(len, data, trailing_CRLF);
}
class HTTP_Entity::UncompressedOutput : public analyzer::OutputHandler {
class HTTP_Entity::UncompressedOutput : public zeek::analyzer::OutputHandler {
public:
UncompressedOutput(HTTP_Entity* e) { entity = e; }
void DeliverStream(int len, const u_char* data, bool orig) override
@ -1712,7 +1712,7 @@ void analyzer::http::escape_URI_char(unsigned char ch, unsigned char*& p)
}
zeek::String* analyzer::http::unescape_URI(const u_char* line, const u_char* line_end,
analyzer::Analyzer* analyzer)
zeek::analyzer::Analyzer* analyzer)
{
zeek::byte_vec decoded_URI = new u_char[line_end - line + 1];
zeek::byte_vec URI_p = decoded_URI;

4
src/analyzer/protocol/http/HTTP.h
View file

@ -195,7 +195,7 @@ public:
int GetRequestOngoing() { return request_ongoing; };
int GetReplyOngoing() { return reply_ongoing; };
static analyzer::Analyzer* Instantiate(Connection* conn)
static zeek::analyzer::Analyzer* Instantiate(Connection* conn)
{ return new HTTP_Analyzer(conn); }
static bool Available()
@ -282,6 +282,6 @@ extern bool is_reserved_URI_char(unsigned char ch);
extern bool is_unreserved_URI_char(unsigned char ch);
extern void escape_URI_char(unsigned char ch, unsigned char*& p);
extern zeek::String* unescape_URI(const u_char* line, const u_char* line_end,
analyzer::Analyzer* analyzer);
zeek::analyzer::Analyzer* analyzer);
} } // namespace analyzer::*

2
src/analyzer/protocol/http/Plugin.cc
View file

@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new ::analyzer::Component("HTTP", ::analyzer::http::HTTP_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("HTTP", ::analyzer::http::HTTP_Analyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::HTTP";

6
src/analyzer/protocol/http/functions.bif
View file

@ -15,12 +15,12 @@ function skip_http_entity_data%(c: connection, is_orig: bool%): any
analyzer::ID id = mgr.CurrentAnalyzer();
if ( id )
{
analyzer::Analyzer* ha = c->FindAnalyzer(id);
zeek::analyzer::Analyzer* ha = c->FindAnalyzer(id);
if ( ha )
{
if ( ha->IsAnalyzer("HTTP") )
static_cast<analyzer::http::HTTP_Analyzer*>(ha)->SkipEntityData(is_orig);
static_cast<::analyzer::http::HTTP_Analyzer*>(ha)->SkipEntityData(is_orig);
else
reporter->Error("non-HTTP analyzer associated with connection record");
}
@ -52,5 +52,5 @@ function unescape_URI%(URI: string%): string
const u_char* line = URI->Bytes();
const u_char* const line_end = line + URI->Len();
return zeek::make_intrusive<zeek::StringVal>(analyzer::http::unescape_URI(line, line_end, 0));
return zeek::make_intrusive<zeek::StringVal>(::analyzer::http::unescape_URI(line, line_end, 0));
%}

4
src/analyzer/protocol/icmp/ICMP.h
View file

@ -20,13 +20,13 @@ typedef enum {
// We do not have an PIA for ICMP (yet) and therefore derive from
// RuleMatcherState to perform our own matching.
class ICMP_Analyzer final : public analyzer::TransportLayerAnalyzer {
class ICMP_Analyzer final : public zeek::analyzer::TransportLayerAnalyzer {
public:
explicit ICMP_Analyzer(Connection* conn);
void UpdateConnVal(zeek::RecordVal *conn_val) override;
static analyzer::Analyzer* Instantiate(Connection* conn)
static zeek::analyzer::Analyzer* Instantiate(Connection* conn)
{ return new ICMP_Analyzer(conn); }
protected:

2
src/analyzer/protocol/icmp/Plugin.cc
View file

@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new ::analyzer::Component("ICMP", ::analyzer::icmp::ICMP_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("ICMP", ::analyzer::icmp::ICMP_Analyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::ICMP";

2
src/analyzer/protocol/ident/Ident.h
View file

@ -14,7 +14,7 @@ public:
void DeliverStream(int length, const u_char* data, bool is_orig) override;
static analyzer::Analyzer* Instantiate(Connection* conn)
static zeek::analyzer::Analyzer* Instantiate(Connection* conn)
{ return new Ident_Analyzer(conn); }
protected:

2
src/analyzer/protocol/ident/Plugin.cc
View file

@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new ::analyzer::Component("Ident", ::analyzer::ident::Ident_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("Ident", ::analyzer::ident::Ident_Analyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::Ident";

2
src/analyzer/protocol/imap/IMAP.cc
View file

@ -79,7 +79,7 @@ void IMAP_Analyzer::StartTLS()
// TLS datastream.
tls_active = true;
Analyzer* ssl = analyzer_mgr->InstantiateAnalyzer("SSL", Conn());
Analyzer* ssl = zeek::analyzer_mgr->InstantiateAnalyzer("SSL", Conn());
if ( ssl )
AddChildAnalyzer(ssl);
}

2
src/analyzer/protocol/imap/IMAP.h
View file

@ -24,7 +24,7 @@ public:
void StartTLS();
static analyzer::Analyzer* Instantiate(Connection* conn)
static zeek::analyzer::Analyzer* Instantiate(Connection* conn)
{ return new IMAP_Analyzer(conn); }
protected:

2
src/analyzer/protocol/imap/Plugin.cc
View file

@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new ::analyzer::Component("IMAP", ::analyzer::imap::IMAP_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("IMAP", ::analyzer::imap::IMAP_Analyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::IMAP";

2
src/analyzer/protocol/irc/IRC.cc
View file

@ -1178,7 +1178,7 @@ void IRC_Analyzer::StartTLS()
RemoveSupportAnalyzer(cl_orig);
RemoveSupportAnalyzer(cl_resp);
Analyzer* ssl = analyzer_mgr->InstantiateAnalyzer("SSL", Conn());
Analyzer* ssl = zeek::analyzer_mgr->InstantiateAnalyzer("SSL", Conn());
if ( ssl )
AddChildAnalyzer(ssl);

2
src/analyzer/protocol/irc/IRC.h
View file

@ -32,7 +32,7 @@ public:
*/
void DeliverStream(int len, const u_char* data, bool orig) override;
static analyzer::Analyzer* Instantiate(Connection* conn)
static zeek::analyzer::Analyzer* Instantiate(Connection* conn)
{
return new IRC_Analyzer(conn);
}

2
src/analyzer/protocol/irc/Plugin.cc
View file

@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new ::analyzer::Component("IRC", ::analyzer::irc::IRC_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("IRC", ::analyzer::irc::IRC_Analyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::IRC";

4
src/analyzer/protocol/krb/KRB.h
View file

@ -12,7 +12,7 @@
namespace analyzer { namespace krb {
class KRB_Analyzer final : public analyzer::Analyzer {
class KRB_Analyzer final : public zeek::analyzer::Analyzer {
public:
explicit KRB_Analyzer(Connection* conn);
@ -22,7 +22,7 @@ public:
virtual void DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const IP_Hdr* ip, int caplen);
static analyzer::Analyzer* Instantiate(Connection* conn)
static zeek::analyzer::Analyzer* Instantiate(Connection* conn)
{ return new KRB_Analyzer(conn); }
zeek::StringValPtr GetAuthenticationInfo(const zeek::String* principal,

2
src/analyzer/protocol/krb/KRB_TCP.h
View file

@ -26,7 +26,7 @@ public:
const bro_uint_t enctype)
{ return zeek::val_mgr->EmptyString(); }
static analyzer::Analyzer* Instantiate(Connection* conn)
static zeek::analyzer::Analyzer* Instantiate(Connection* conn)
{ return new KRB_Analyzer(conn); }
protected:

4
src/analyzer/protocol/krb/Plugin.cc
View file

@ -12,8 +12,8 @@ class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new ::analyzer::Component("KRB", ::analyzer::krb::KRB_Analyzer::Instantiate));
AddComponent(new ::analyzer::Component("KRB_TCP", ::analyzer::krb_tcp::KRB_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("KRB", ::analyzer::krb::KRB_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("KRB_TCP", ::analyzer::krb_tcp::KRB_Analyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::KRB";
config.description = "Kerberos analyzer";

14
src/analyzer/protocol/login/Plugin.cc
View file

@ -14,13 +14,13 @@ class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new ::analyzer::Component("Telnet", ::analyzer::login::Telnet_Analyzer::Instantiate));
AddComponent(new ::analyzer::Component("Rsh", ::analyzer::login::Rsh_Analyzer::Instantiate));
AddComponent(new ::analyzer::Component("Rlogin", ::analyzer::login::Rlogin_Analyzer::Instantiate));
AddComponent(new ::analyzer::Component("NVT", nullptr));
AddComponent(new ::analyzer::Component("Login", nullptr));
AddComponent(new ::analyzer::Component("Contents_Rsh", nullptr));
AddComponent(new ::analyzer::Component("Contents_Rlogin", nullptr));
AddComponent(new zeek::analyzer::Component("Telnet", ::analyzer::login::Telnet_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("Rsh", ::analyzer::login::Rsh_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("Rlogin", ::analyzer::login::Rlogin_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("NVT", nullptr));
AddComponent(new zeek::analyzer::Component("Login", nullptr));
AddComponent(new zeek::analyzer::Component("Contents_Rsh", nullptr));
AddComponent(new zeek::analyzer::Component("Contents_Rlogin", nullptr));
zeek::plugin::Configuration config;
config.name = "Zeek::Login";

2
src/analyzer/protocol/login/RSH.h
View file

@ -48,7 +48,7 @@ public:
void ClientUserName(const char* s);
void ServerUserName(const char* s);
static analyzer::Analyzer* Instantiate(Connection* conn)
static zeek::analyzer::Analyzer* Instantiate(Connection* conn)
{ return new Rsh_Analyzer(conn); }
Contents_Rsh_Analyzer* contents_orig;

2
src/analyzer/protocol/login/Rlogin.h
View file

@ -61,7 +61,7 @@ public:
void ServerUserName(const char* s);
void TerminalType(const char* s);
static analyzer::Analyzer* Instantiate(Connection* conn)
static zeek::analyzer::Analyzer* Instantiate(Connection* conn)
{ return new Rlogin_Analyzer(conn); }
};

2
src/analyzer/protocol/login/Telnet.h
View file

@ -11,7 +11,7 @@ public:
explicit Telnet_Analyzer(Connection* conn);
~Telnet_Analyzer() override {}
static analyzer::Analyzer* Instantiate(Connection* conn)
static zeek::analyzer::Analyzer* Instantiate(Connection* conn)
{ return new Telnet_Analyzer(conn); }
};

8
src/analyzer/protocol/login/functions.bif
View file

@ -30,11 +30,11 @@ function get_login_state%(cid: conn_id%): count
if ( ! c )
return zeek::val_mgr->False();
analyzer::Analyzer* la = c->FindAnalyzer("Login");
zeek::analyzer::Analyzer* la = c->FindAnalyzer("Login");
if ( ! la )
return zeek::val_mgr->False();
return zeek::val_mgr->Count(int(static_cast<analyzer::login::Login_Analyzer*>(la)->LoginState()));
return zeek::val_mgr->Count(int(static_cast<::analyzer::login::Login_Analyzer*>(la)->LoginState()));
%}
## Sets the login state of a connection with a login analyzer.
@ -54,10 +54,10 @@ function set_login_state%(cid: conn_id, new_state: count%): bool
if ( ! c )
return zeek::val_mgr->False();
analyzer::Analyzer* la = c->FindAnalyzer("Login");
zeek::analyzer::Analyzer* la = c->FindAnalyzer("Login");
if ( ! la )
return zeek::val_mgr->False();
static_cast<analyzer::login::Login_Analyzer*>(la)->SetLoginState(analyzer::login::login_state(new_state));
static_cast<::analyzer::login::Login_Analyzer*>(la)->SetLoginState(::analyzer::login::login_state(new_state));
return zeek::val_mgr->True();
%}

4
src/analyzer/protocol/mime/MIME.cc
View file

@ -1154,7 +1154,7 @@ void MIME_Entity::StartDecodeBase64()
delete base64_decoder;
}
analyzer::Analyzer* analyzer = message->GetAnalyzer();
zeek::analyzer::Analyzer* analyzer = message->GetAnalyzer();
if ( ! analyzer )
{
@ -1329,7 +1329,7 @@ zeek::TableValPtr MIME_Message::ToHeaderTable(MIME_HeaderList& hlist)
return t;
}
MIME_Mail::MIME_Mail(analyzer::Analyzer* mail_analyzer, bool orig, int buf_size)
MIME_Mail::MIME_Mail(zeek::analyzer::Analyzer* mail_analyzer, bool orig, int buf_size)
: MIME_Message(mail_analyzer), md5_hash()
{
analyzer = mail_analyzer;

8
src/analyzer/protocol/mime/MIME.h
View file

@ -192,7 +192,7 @@ protected:
class MIME_Message {
public:
explicit MIME_Message(analyzer::Analyzer* arg_analyzer)
explicit MIME_Message(zeek::analyzer::Analyzer* arg_analyzer)
{
// Cannot initialize top_level entity because we do
// not know its type yet (MIME_Entity / MIME_Mail /
@ -218,7 +218,7 @@ public:
top_level->Deliver(len, data, trailing_CRLF);
}
analyzer::Analyzer* GetAnalyzer() const { return analyzer; }
zeek::analyzer::Analyzer* GetAnalyzer() const { return analyzer; }
// Events generated by MIME_Entity
virtual void BeginEntity(MIME_Entity*) = 0;
@ -230,7 +230,7 @@ public:
virtual void SubmitEvent(int event_type, const char* detail) = 0;
protected:
analyzer::Analyzer* analyzer;
zeek::analyzer::Analyzer* analyzer;
MIME_Entity* top_level;
bool finished;
@ -246,7 +246,7 @@ protected:
class MIME_Mail final : public MIME_Message {
public:
MIME_Mail(analyzer::Analyzer* mail_conn, bool is_orig, int buf_size = 0);
MIME_Mail(zeek::analyzer::Analyzer* mail_conn, bool is_orig, int buf_size = 0);
~MIME_Mail() override;
void Done() override;

2
src/analyzer/protocol/modbus/Modbus.h
View file

@ -16,7 +16,7 @@ public:
void Undelivered(uint64_t seq, int len, bool orig) override;
void EndpointEOF(bool is_orig) override;
static analyzer::Analyzer* Instantiate(Connection* conn)
static zeek::analyzer::Analyzer* Instantiate(Connection* conn)
{ return new ModbusTCP_Analyzer(conn); }
protected:

2
src/analyzer/protocol/modbus/Plugin.cc
View file

@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new ::analyzer::Component("MODBUS", ::analyzer::modbus::ModbusTCP_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("MODBUS", ::analyzer::modbus::ModbusTCP_Analyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::Modbus";

2
src/analyzer/protocol/mqtt/MQTT.h
View file

@ -20,7 +20,7 @@ public:
void Undelivered(uint64_t seq, int len, bool orig) override;
void EndpointEOF(bool is_orig) override;
static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
static zeek::analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
{ return new MQTT_Analyzer(conn); }
protected:

2
src/analyzer/protocol/mqtt/Plugin.cc
View file

@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new ::analyzer::Component("MQTT",
AddComponent(new zeek::analyzer::Component("MQTT",
::analyzer::MQTT::MQTT_Analyzer::InstantiateAnalyzer));
zeek::plugin::Configuration config;

2
src/analyzer/protocol/mysql/MySQL.h
View file

@ -24,7 +24,7 @@ public:
// Overriden from tcp::TCP_ApplicationAnalyzer.
void EndpointEOF(bool is_orig) override;
static analyzer::Analyzer* Instantiate(Connection* conn)
static zeek::analyzer::Analyzer* Instantiate(Connection* conn)
{ return new MySQL_Analyzer(conn); }
protected:

2
src/analyzer/protocol/mysql/Plugin.cc
View file

@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new ::analyzer::Component("MySQL", ::analyzer::MySQL::MySQL_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("MySQL", ::analyzer::MySQL::MySQL_Analyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::MySQL";
config.description = "MySQL analyzer";

2
src/analyzer/protocol/ncp/NCP.cc
View file

@ -23,7 +23,7 @@ using namespace analyzer::ncp;
uint16(xbyte(bytes, 0)) | ((uint16(xbyte(bytes, 1))) << 8) : \
uint16(xbyte(bytes, 1)) | ((uint16(xbyte(bytes, 0))) << 8))
NCP_Session::NCP_Session(analyzer::Analyzer* a)
NCP_Session::NCP_Session(zeek::analyzer::Analyzer* a)
: analyzer(a)
{
req_frame_type = 0;

6
src/analyzer/protocol/ncp/NCP.h
View file

@ -30,7 +30,7 @@ namespace analyzer { namespace ncp {
class NCP_Session {
public:
explicit NCP_Session(analyzer::Analyzer* analyzer);
explicit NCP_Session(zeek::analyzer::Analyzer* analyzer);
void Deliver(bool is_orig, int len, const u_char* data);
@ -42,7 +42,7 @@ public:
protected:
void DeliverFrame(const binpac::NCP::ncp_frame* frame);
analyzer::Analyzer* analyzer;
zeek::analyzer::Analyzer* analyzer;
int req_frame_type;
int req_func;
};
@ -104,7 +104,7 @@ public:
explicit NCP_Analyzer(Connection* conn);
~NCP_Analyzer() override;
static analyzer::Analyzer* Instantiate(Connection* conn)
static zeek::analyzer::Analyzer* Instantiate(Connection* conn)
{ return new NCP_Analyzer(conn); }
protected:

4
src/analyzer/protocol/ncp/Plugin.cc
View file

@ -11,8 +11,8 @@ class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new ::analyzer::Component("NCP", ::analyzer::ncp::NCP_Analyzer::Instantiate));
AddComponent(new ::analyzer::Component("Contents_NCP", nullptr));
AddComponent(new zeek::analyzer::Component("NCP", ::analyzer::ncp::NCP_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("Contents_NCP", nullptr));
zeek::plugin::Configuration config;
config.name = "Zeek::NCP";

2
src/analyzer/protocol/netbios/NetbiosSSN.cc
View file

@ -49,7 +49,7 @@ NetbiosDGM_RawMsgHdr::NetbiosDGM_RawMsgHdr(const u_char*& data, int& len)
}
NetbiosSSN_Interpreter::NetbiosSSN_Interpreter(Analyzer* arg_analyzer)
NetbiosSSN_Interpreter::NetbiosSSN_Interpreter(zeek::analyzer::Analyzer* arg_analyzer)
{
analyzer = arg_analyzer;
//smb_session = arg_smb_session;

6
src/analyzer/protocol/netbios/NetbiosSSN.h
View file

@ -63,7 +63,7 @@ struct NetbiosDGM_RawMsgHdr {
class NetbiosSSN_Interpreter {
public:
explicit NetbiosSSN_Interpreter(Analyzer* analyzer);
explicit NetbiosSSN_Interpreter(zeek::analyzer::Analyzer* analyzer);
void ParseMessage(unsigned int type, unsigned int flags,
const u_char* data, int len, bool is_query);
@ -98,7 +98,7 @@ protected:
u_char*& xname, int& xlen);
protected:
Analyzer* analyzer;
zeek::analyzer::Analyzer* analyzer;
//SMB_Session* smb_session;
};
@ -148,7 +148,7 @@ public:
void DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const IP_Hdr* ip, int caplen) override;
static analyzer::Analyzer* Instantiate(Connection* conn)
static zeek::analyzer::Analyzer* Instantiate(Connection* conn)
{ return new NetbiosSSN_Analyzer(conn); }
protected:

4
src/analyzer/protocol/netbios/Plugin.cc
View file

@ -11,8 +11,8 @@ class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new ::analyzer::Component("NetbiosSSN", ::analyzer::netbios_ssn::NetbiosSSN_Analyzer::Instantiate));
AddComponent(new ::analyzer::Component("Contents_NetbiosSSN", nullptr));
AddComponent(new zeek::analyzer::Component("NetbiosSSN", ::analyzer::netbios_ssn::NetbiosSSN_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("Contents_NetbiosSSN", nullptr));
zeek::plugin::Configuration config;
config.name = "Zeek::NetBIOS";

2
src/analyzer/protocol/ntlm/NTLM.h
View file

@ -24,7 +24,7 @@ public:
// Overriden from tcp::TCP_ApplicationAnalyzer.
void EndpointEOF(bool is_orig) override;
static analyzer::Analyzer* Instantiate(Connection* conn)
static zeek::analyzer::Analyzer* Instantiate(Connection* conn)
{ return new NTLM_Analyzer(conn); }
protected:

2
src/analyzer/protocol/ntlm/Plugin.cc
View file

@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new ::analyzer::Component("NTLM", ::analyzer::ntlm::NTLM_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("NTLM", ::analyzer::ntlm::NTLM_Analyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::NTLM";

2
src/analyzer/protocol/ntp/NTP.cc
View file

@ -7,7 +7,7 @@
using namespace analyzer::NTP;
NTP_Analyzer::NTP_Analyzer(Connection* c)
: analyzer::Analyzer("NTP", c)
: zeek::analyzer::Analyzer("NTP", c)
{
interp = new binpac::NTP::NTP_Conn(this);
}

4
src/analyzer/protocol/ntp/NTP.h
View file

@ -9,7 +9,7 @@
namespace analyzer { namespace NTP {
class NTP_Analyzer final : public analyzer::Analyzer {
class NTP_Analyzer final : public zeek::analyzer::Analyzer {
public:
explicit NTP_Analyzer(Connection* conn);
~NTP_Analyzer() override;
@ -19,7 +19,7 @@ public:
void DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const IP_Hdr* ip, int caplen) override;
static analyzer::Analyzer* Instantiate(Connection* conn)
static zeek::analyzer::Analyzer* Instantiate(Connection* conn)
{ return new NTP_Analyzer(conn); }
protected:

2
src/analyzer/protocol/ntp/Plugin.cc
View file

@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new ::analyzer::Component("NTP", ::analyzer::NTP::NTP_Analyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("NTP", ::analyzer::NTP::NTP_Analyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::NTP";

18
src/analyzer/protocol/pia/PIA.cc
View file

@ -10,7 +10,7 @@
using namespace analyzer::pia;
PIA::PIA(analyzer::Analyzer* arg_as_analyzer)
PIA::PIA(zeek::analyzer::Analyzer* arg_as_analyzer)
: state(INIT), as_analyzer(arg_as_analyzer), conn(), current_packet()
{
}
@ -71,7 +71,7 @@ void PIA::AddToBuffer(Buffer* buffer, int len, const u_char* data, bool is_orig,
AddToBuffer(buffer, -1, len, data, is_orig, ip);
}
void PIA::ReplayPacketBuffer(analyzer::Analyzer* analyzer)
void PIA::ReplayPacketBuffer(zeek::analyzer::Analyzer* analyzer)
{
DBG_LOG(DBG_ANALYZER, "PIA replaying %d total packet bytes", pkt_buffer.size);
@ -145,7 +145,7 @@ void PIA::DoMatch(const u_char* data, int len, bool is_orig, bool bol, bool eol,
bol, eol, clear_state);
}
void PIA_UDP::ActivateAnalyzer(analyzer::Tag tag, const Rule* rule)
void PIA_UDP::ActivateAnalyzer(zeek::analyzer::Tag tag, const Rule* rule)
{
if ( pkt_buffer.state == MATCHING_ONLY )
{
@ -170,7 +170,7 @@ void PIA_UDP::ActivateAnalyzer(analyzer::Tag tag, const Rule* rule)
if ( Parent()->HasChildAnalyzer(tag) )
return;
analyzer::Analyzer* a = Parent()->AddChildAnalyzer(tag);
zeek::analyzer::Analyzer* a = Parent()->AddChildAnalyzer(tag);
if ( ! a )
return;
@ -179,7 +179,7 @@ void PIA_UDP::ActivateAnalyzer(analyzer::Tag tag, const Rule* rule)
ReplayPacketBuffer(a);
}
void PIA_UDP::DeactivateAnalyzer(analyzer::Tag tag)
void PIA_UDP::DeactivateAnalyzer(zeek::analyzer::Tag tag)
{
reporter->InternalError("PIA_UDP::Deact not implemented yet");
}
@ -292,7 +292,7 @@ void PIA_TCP::Undelivered(uint64_t seq, int len, bool is_orig)
// No check for buffer overrun here. I think that's ok.
}
void PIA_TCP::ActivateAnalyzer(analyzer::Tag tag, const Rule* rule)
void PIA_TCP::ActivateAnalyzer(zeek::analyzer::Tag tag, const Rule* rule)
{
if ( stream_buffer.state == MATCHING_ONLY )
{
@ -314,7 +314,7 @@ void PIA_TCP::ActivateAnalyzer(analyzer::Tag tag, const Rule* rule)
return;
}
analyzer::Analyzer* a = Parent()->AddChildAnalyzer(tag);
zeek::analyzer::Analyzer* a = Parent()->AddChildAnalyzer(tag);
if ( ! a )
return;
@ -418,12 +418,12 @@ void PIA_TCP::ActivateAnalyzer(analyzer::Tag tag, const Rule* rule)
tcp->SetReassembler(reass_orig, reass_resp);
}
void PIA_TCP::DeactivateAnalyzer(analyzer::Tag tag)
void PIA_TCP::DeactivateAnalyzer(zeek::analyzer::Tag tag)
{
reporter->InternalError("PIA_TCP::Deact not implemented yet");
}
void PIA_TCP::ReplayStreamBuffer(analyzer::Analyzer* analyzer)
void PIA_TCP::ReplayStreamBuffer(zeek::analyzer::Analyzer* analyzer)
{
DBG_LOG(DBG_ANALYZER, "PIA_TCP replaying %d total stream bytes", stream_buffer.size);

28
src/analyzer/protocol/pia/PIA.h
View file

@ -19,25 +19,25 @@ namespace analyzer { namespace pia {
// PIAs and then each needs its own matching-state.
class PIA : public RuleMatcherState {
public:
explicit PIA(analyzer::Analyzer* as_analyzer);
explicit PIA(zeek::analyzer::Analyzer* as_analyzer);
virtual ~PIA();
// Called when PIA wants to put an Analyzer in charge. rule is the
// signature that triggered the activitation, if any.
virtual void ActivateAnalyzer(analyzer::Tag tag,
virtual void ActivateAnalyzer(zeek::analyzer::Tag tag,
const Rule* rule = nullptr) = 0;
// Called when PIA wants to remove an Analyzer.
virtual void DeactivateAnalyzer(analyzer::Tag tag) = 0;
virtual void DeactivateAnalyzer(zeek::analyzer::Tag tag) = 0;
void Match(Rule::PatternType type, const u_char* data, int len,
bool is_orig, bool bol, bool eol, bool clear_state);
void ReplayPacketBuffer(analyzer::Analyzer* analyzer);
void ReplayPacketBuffer(zeek::analyzer::Analyzer* analyzer);
// Children are also derived from Analyzer. Return this object
// as pointer to an Analyzer.
analyzer::Analyzer* AsAnalyzer() { return as_analyzer; }
zeek::analyzer::Analyzer* AsAnalyzer() { return as_analyzer; }
protected:
void PIA_Done();
@ -82,20 +82,20 @@ protected:
Buffer pkt_buffer;
private:
analyzer::Analyzer* as_analyzer;
zeek::analyzer::Analyzer* as_analyzer;
Connection* conn;
DataBlock current_packet;
};
// PIA for UDP.
class PIA_UDP : public PIA, public analyzer::Analyzer {
class PIA_UDP : public PIA, public zeek::analyzer::Analyzer {
public:
explicit PIA_UDP(Connection* conn)
: PIA(this), Analyzer("PIA_UDP", conn)
{ SetConn(conn); }
~PIA_UDP() override { }
static analyzer::Analyzer* Instantiate(Connection* conn)
static zeek::analyzer::Analyzer* Instantiate(Connection* conn)
{ return new PIA_UDP(conn); }
protected:
@ -112,8 +112,8 @@ protected:
PIA_DeliverPacket(len, data, is_orig, seq, ip, caplen, true);
}
void ActivateAnalyzer(analyzer::Tag tag, const Rule* rule) override;
void DeactivateAnalyzer(analyzer::Tag tag) override;
void ActivateAnalyzer(zeek::analyzer::Tag tag, const Rule* rule) override;
void DeactivateAnalyzer(zeek::analyzer::Tag tag) override;
};
// PIA for TCP. Accepts both packet and stream input (and reassembles
@ -138,9 +138,9 @@ public:
// to be unnecessary overhead.)
void FirstPacket(bool is_orig, const IP_Hdr* ip);
void ReplayStreamBuffer(analyzer::Analyzer* analyzer);
void ReplayStreamBuffer(zeek::analyzer::Analyzer* analyzer);
static analyzer::Analyzer* Instantiate(Connection* conn)
static zeek::analyzer::Analyzer* Instantiate(Connection* conn)
{ return new PIA_TCP(conn); }
protected:
@ -160,9 +160,9 @@ protected:
void DeliverStream(int len, const u_char* data, bool is_orig) override;
void Undelivered(uint64_t seq, int len, bool is_orig) override;
void ActivateAnalyzer(analyzer::Tag tag,
void ActivateAnalyzer(zeek::analyzer::Tag tag,
const Rule* rule = nullptr) override;
void DeactivateAnalyzer(analyzer::Tag tag) override;
void DeactivateAnalyzer(zeek::analyzer::Tag tag) override;
private:
// FIXME: Not sure yet whether we need both pkt_buffer and stream_buffer.

4
src/analyzer/protocol/pia/Plugin.cc
View file

@ -11,8 +11,8 @@ class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new ::analyzer::Component("PIA_TCP", ::analyzer::pia::PIA_TCP::Instantiate));
AddComponent(new ::analyzer::Component("PIA_UDP", ::analyzer::pia::PIA_UDP::Instantiate));
AddComponent(new zeek::analyzer::Component("PIA_TCP", ::analyzer::pia::PIA_TCP::Instantiate));
AddComponent(new zeek::analyzer::Component("PIA_UDP", ::analyzer::pia::PIA_UDP::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::PIA";

Some files were not shown because too many files have changed in this diff Show more