Remove variable content from weird names

This changes many weird names to move non-static content from the weird name into the "addl" field to help ensure the total number of weird names is reasonably bounded. Note the net_weird and flow_weird events do not have an "addl" parameter, so information may no longer be available in those cases -- to make it available again we'd need to either (1) define new events that contain such a parameter, or (2) change net_weird/flow_weird event signature (which is a breaking change for user-code at the moment). Also, the generic handling of binpac exceptions for analyzers which to not otherwise catch and handle them has been changed from a Weird to a ProtocolViolation. Finally, a new "file_weird" event has been added for reporting weirdness found during file analysis.
2025-10-02 14:48:21 +00:00 · 2019-04-01 18:27:53 -07:00 · 2019-04-01 18:27:53 -07:00 · 995368e68c
commit 995368e68c
parent 956674745b
47 changed files with 289 additions and 152 deletions
--- a/src/file_analysis/File.h
+++ b/src/file_analysis/File.h
@ -13,6 +13,7 @@
 #include "Tag.h"
 #include "AnalyzerSet.h"
 #include "BroString.h"
+#include "WeirdState.h"

 namespace file_analysis {

@ -192,6 +193,13 @@ public:
 	 */
 	bool SetMime(const string& mime_type);

+	/**
+	 * Whether to permit a weird to carry on through the full reporter/weird
+	 * framework.
+	 */
+	bool PermitWeird(const char* name, uint64 threshold, uint64 rate,
+	                 double duration);
+
 protected:
 	friend class Manager;
 	friend class FileReassembler;
@ -325,6 +333,8 @@ protected:
 		BroString::CVec chunks;
 	} bof_buffer;              /**< Beginning of file buffer. */

+	WeirdStateMap weird_state;
+
 	static int id_idx;
 	static int parent_id_idx;
 	static int source_idx;